Role Based Access Control (RBAC) is a flexible and powerful approach to access control which is widely used. We present approaches to finding the functional role hierarchy using access logs. We discuss a method to reconstruct the functional role hierarchy with knowledge of all access rights of all users. New methods of test data generation are introduced. We then present heuristics that work with partial logs to predict an approximate role hierarchy. A method to efficiently use background knowledge is also discussed. We show with empirical evidence that to reconstruct even half the hierarchy correctly with the heuristics; we need significant amount of access logs. We compare the two heuristics in terms of false positives, false negatives and number of correct predictions. The two heuristics are compared w. r. t. parent-child relations as well as ancestor-descendent relations.
展开▼
