for Security Administration
using Data Mining Technology
SYSTOR Security Solutions GmbH
D 50858 Cologne
SMF TEAM IT-Security Consulting
Am Waldweg 23
D 75173 Pforzheim
In this paper we describe the work devising a new technique for role-finding to implement Role-Based Security Administration. Our results stem from industrial projects, where large-scale customers wanted to migrate to Role-Based Access Control
(RBAC) based on already existing access rights patterns in their production IT-systems.
The core of this paper creates a link between the use of well established data mining technology and RBAC. We present a
process for detecting patterns in a data base of access rights and for deriving enterprise roles from these patterns. Moreover, a tool (the SAM Role Miner) is described. The result allows an
organized migration process to RBAC with the goal of building a single point of administration and control, using a cross-platform administration tool.
Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection – Access Controls; H.2.0 [Information Systems]: General – Security, Integrity, and Protection; K.6.5 [Management of Computing
and Information Systems]: Security and Protection.
Role-Based Access Control, Enterprise Systems Management,
Provisioning, Identity Management, Data Mining, Migration,
Role Engineering, Security Administration, Security Data
Models, Security Management, Single Point of Administration
For several years now, many large-scale enterprises have been realizing savings through a reduction of the overall workload and through quality improvements in their enterprise wide identitybased security administration. The notions of provisioning and
identity management stand for automation, productivity increase and security policy compliance. Enterprises have demonstrated how to cope with the complexity and dynamics of granting access rights to huge user populations across diverse computing
platforms accessing a multitude of legacy and new applications. A key factor is the availability of commercial software for enterprise wide identity management to build a uniform single point of
administration and control  .
A case study from a real-life organization may be helpful to clarify the situation. This large bank has over 45.000 employees working at headquarters, several associated companies and 1.4000 branch offices serving 5 million customers. They are running over 40 highly diverse productive systems with 65.000 User-Ids and 47.000 user groups. In a first step, a cross-platform administration tool was implemented as a single point of administration and control. Over time this bank has migrated to RBAC using
different methods to define roles. Today a user obtains role assignments based on attributes, such as function key, company and department. To minimize manual intervention, the role
assignment process has been integrated and automated using an import system from their HR database into their central
Their benefits are:
- changes in user authorizations may take place at short notice, - a high degree of consistency in terms of cross platform
- gains in end-user productivity and reduced error rate in
When the first tools for cross-platform security administration appeared on the market around the middle of the nineties, it became apparent that the abstraction of the access control concept using role semantics was necessary to exploit the full potential of these administration tools . At the same time, research
Permission to make digital or hard copies of all or part of this work for personal or classroom use is...