Evaluating the risk of adopting RBAC roles

Authors:
Alessandro Colantonio;Roberto Di Pietro;Alberto Ocello;Nino Vincenzo Verde
Affiliations:
Engiweb Security, Roma, Italy and Università di Roma Tre, Roma, Italy;Università di Roma Tre, Roma, Italy;Engiweb Security, Roma, Italy;Università di Roma Tre, Roma, Italy
Venue:
DBSec'10 Proceedings of the 24th annual IFIP WG 11.3 working conference on Data and applications security and privacy
Year:
2010

Citing 6
Cited 0

Role engineering

RBAC '95 Proceedings of the first ACM Workshop on Role-based access control
Access control policies and languages

International Journal of Computational Science and Engineering
A formal framework to elicit roles with business meaning in RBAC systems

Proceedings of the 14th ACM symposium on Access control models and technologies
Evaluating role mining algorithms

Proceedings of the 14th ACM symposium on Access control models and technologies
Role Engineering for Enterprise Security Management

Role Engineering for Enterprise Security Management
A new role mining framework to elicit business roles and to mitigate enterprise risk

Decision Support Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

We propose a framework to evaluate the risk incurred when managing users and permissions through RBAC. The risk analysis framework does not require roles to be defined, thus making it applicable before the role engineering phase. In particular, the proposed approach highlights users and permissions that markedly deviate from others, and that might consequently be prone to error when roles are operating. By focusing on such users and permissions during the role definition process, it is possible to mitigate the risk of unauthorized accesses and role misuse.