Heuristics for constrained role mining in the post-processing framework

Blundo C.; Cimato S.; Siniscalchi L.
2023-01-01

Abstract

Role mining techniques are frequently used to derive a set of roles that represents the current organization of a company following the RBAC model, simplifying the definition and implementation of security policies. Constraints can be defined on the resulting roles so that they are valid and can be managed efficiently, for example by limiting the number of permissions included in a role or the users a role can be assigned to. Since the associated problems are NP-hard, several heuristics have been developed to find sub-optimal solutions, adopting either the concurrent or the post-processing approach. In the first case, assignment matrices that satisfy the given constraints are obtained during the computation; in the second case, intermediate solutions are obtained without considering the constraints, which are enforced afterwards. In this paper we present two heuristics for the Permission Usage and Role Usage Cardinality Constraints in the post-processing approach: we consider constraints limiting the number of permissions that can be included in a role in the first case, and the number of roles that can include a permission in the second case, refining the roles produced by some other technique (not considering any constraint). For both heuristics we analyze their performance after their application to some standard datasets, showing the improved results obtained w.r.t. state-of-the-art solutions.
Use this identifier to cite or link to this document: https://hdl.handle.net/11386/4857522