| 摘要 |
Generating role-based access control policies is provided. A user-permission relation is generated by extracting users and permissions assigned to each of the users from a stored access control policy. A user-attribute relation is generated by mapping the users to attributes describing the users. A permission-attribute relation is generated by mapping the permissions to attributes describing the permissions. The set of risk-averse roles, assignment of the set of risk-averse roles to the users, and assignment of the permissions to the set of risk-averse roles are determined based on applying a risk-optimization function to the generated user-permission relation, the generated user-attribute relation, and the generated permission-attribute relation. A role-based access control policy that minimizes a risk profile of the set of risk-averse roles, the assignment of the set of risk-averse roles to the users, and the assignment of the permissions to the set of risk-averse roles is generated. |
| 主权项 |
1. A computer implemented method for generating role-based access control policies that minimize a risk profile of resulting risk-averse roles and assignments to those risk-averse roles, the computer implemented method comprising:
generating, by a computer, a user-permission relation from a stored access control policy by extracting users and permissions assigned to each of the users from the stored access control policy, wherein the user-permission relation defines a relationship between the users and their assigned permissions to access secure resources connected to a network to perform their assigned duties, and wherein a permission grants a user assigned to that permission an ability to at least one of read a secure document, write to a secure document, delete a secure document, modify a secure document, access a secure hardware device, access a secure software application, and access a secure network; generating, by the computer, a user-attribute relation by mapping the users to attributes describing each of the users; generating, by the computer, a permission-attribute relation by mapping the permissions to attributes describing each of the permissions; determining, by the computer, a set of risk-averse roles, assignment of the set of risk-averse roles to the users, and assignment of the permissions to the set of risk-averse roles based on applying a risk-optimization function to the generated user-permission relation, the generated user-attribute relation, and the generated permission-attribute relation; wherein a risk-averse role includes a set of users with their assigned permissions to perform their assigned duties on the secure resources and has a level of risk associated with the risk-adverse role; generating, by the computer, a role-based access control policy that minimizes a risk profile of the set of risk-averse roles, the assignment of the set of risk-averse roles to the users, and the assignment of the permissions to the set of risk-averse roles; wherein risk of misuse of user-permission assignments in a risk-averse role is calculated based on an aggregation of the attributes describing each of the users and the attributes describing each of the permissions assigned to the risk-averse role, and wherein the attributes describing each of the users used in calculating the risk of misuse of user-permission assignments in the risk-averse role include a security clearance level of a user that corresponds to a security clearance value for the user, and wherein the attributes describing each of the permissions used in calculating the risk of misuse of user-permission assignments in the risk-averse role include a sensitivity level of a permission that defines a level of damage caused by at least one of an abuse and a misuse of the permission by the user; and controlling, by the computer, the access to the secure resources by the users using the generated role-based access control policy to mitigate the risk to the secure resources. |
