The present application relates generally to access control systems, and more particularly to role discovery and simplification in access control systems.
In a simple access control system, access control lists (ACLs) are used. An ACL lists the user accounts (users) that have permission to use a given resource. The resource may be a file, or a network machine (with an internet protocol address), or a service provided by a port on a network machine, for example.
Such a set of ACLs may have a very large number of entries. As a simple example, if one thousand users each had permission to use one thousand different resources, then the ACL set would have a total of one million (one thousand multiplied by one thousand) entries. As the number of users and the number of resources grow, the size of this representation becomes extremely large and unwieldy. It becomes difficult to maintain, to check, to store, to present to an administrator, and to visualize on a graphics display. Ultimately, it becomes difficult, expensive, and error-prone to manage.
One way to reduce the size of the representation of the access permissions is to utilize role-based access control (RBAC). In an RBAC system, a new kind of entity, the role, is introduced. Herein, a role may be defined as a set of permissions. Users may have or be assigned roles. A given role confers on its users permission to use certain resources. In a bipartite graphical representation of users and resources, wherein user-resource permissions are represented by edges drawn between vertices of a first type that represent users and vertices of a second type that represent resources, these roles may be represented as bicliques, that is, complete bipartite subgraphs in which every user vertex of the subgraph is joined by an edge to every resource vertex of the subgraph. A role represented by a biclique therefore grants exactly the permissions that the ACL data already contains for the users and resources it spans, and no others.
In order to migrate from using a set of ACLs to using RBAC, an appropriate set of roles needs to be discovered from the ACL data. The present application relates to a computer-implemented method for obtaining a minimum biclique cover in a bipartite dataset that can be applied to role discovery in access control systems. A biclique cover is a set of bicliques such that every edge of the bipartite graph belongs to at least one of them; because each biclique is a subgraph, the cover reproduces the original permissions exactly, neither granting a permission absent from the ACL data nor omitting one present in it. A minimum biclique cover is such a cover with the fewest bicliques, and hence the fewest roles.
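The following is an added illustration, not code from the application, of the biclique representation and of what a minimum biclique cover of ACL data looks like on a small constructed instance. The users, resources and ACL entries are hypothetical. It enumerates the maximal bicliques of the user-resource graph as candidate roles and then searches for the smallest subset of them that covers every ACL edge; the exhaustive search is exponential and is shown only to make the definition concrete on a handful of resources, it is not the method of the application.

```python
from itertools import combinations

# Constructed sample ACL set (hypothetical users and resources):
# resource -> set of user accounts permitted to use it.
ACLS = {
    "/wiki": {"alice", "bob", "carol", "dave"},
    "/git": {"alice", "bob", "carol"},
    "/hr-db": {"carol", "dave"},
    "/payroll": {"dave"},
}


def acl_edges(acls):
    """Bipartite edge set: one (user, resource) pair per ACL entry."""
    return {(u, r) for r, users in acls.items() for u in users}


def maximal_bicliques(acls):
    """Enumerate the maximal bicliques (candidate roles) of the ACL graph.

    A biclique is a user set U and a resource set R such that every user in
    U is permitted to use every resource in R.  For each non-empty subset S
    of resources, the users common to all ACLs in S form U; closing back
    over resources (every resource whose ACL contains all of U) gives the
    maximal R for that U.  Exponential in the number of resources, so this
    is only suitable for tiny instances.
    """
    resources = sorted(acls)
    found = set()
    for k in range(1, len(resources) + 1):
        for subset in combinations(resources, k):
            users = set.intersection(*(acls[r] for r in subset))
            if not users:
                continue  # no single role can span this resource subset
            closed = frozenset(r for r in resources if users <= acls[r])
            found.add((frozenset(users), closed))
    return found


def biclique_edges(biclique):
    """All (user, resource) pairs that the biclique (role) grants."""
    users, resources = biclique
    return {(u, r) for u in users for r in resources}


def minimum_biclique_cover(acls):
    """Smallest set of candidate bicliques whose edges equal the ACL edges.

    Restricting candidates to maximal bicliques loses nothing: any biclique
    extends to a maximal one that covers a superset of its edges.  Equality
    with the ACL edge set (not mere superset) guarantees that the roles grant
    exactly the permissions present in the ACLs.
    """
    edges = acl_edges(acls)
    candidates = sorted(maximal_bicliques(acls),
                        key=lambda b: (sorted(b[0]), sorted(b[1])))
    for k in range(1, len(candidates) + 1):
        for choice in combinations(candidates, k):
            covered = set().union(*(biclique_edges(b) for b in choice))
            if covered == edges:
                return list(choice)
    return []  # unreachable: every edge lies in at least one candidate


def roles_from_cover(cover):
    """Name each biclique of a cover as a role: {name: (users, resources)}."""
    return {f"role{i}": (sorted(u), sorted(r))
            for i, (u, r) in enumerate(cover, start=1)}


if __name__ == "__main__":
    cover = minimum_biclique_cover(ACLS)
    print(f"{len(acl_edges(ACLS))} ACL entries -> {len(cover)} roles")
    for name, (users, resources) in roles_from_cover(cover).items():
        print(name, users, resources)
```

On the constructed data the ten ACL entries are covered by three roles; the exhaustive search confirms that no two bicliques suffice, since the edge (alice, /git) lies in only one maximal biclique and that biclique leaves edges uncovered that no single further biclique can absorb.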
Throughout the drawings, identical reference numbers designate similar, but not necessarily identical, elements.