Informed Privilege-Complexity Trade-Offs in RBAC Configuration

Role-Based Access Control (RBAC) has the potential both to simplify administration and improve an organization's security. But for non-trivial configurations, there is a conflict between defining fine-grained roles which adhere to the principle of least privilege, and coarse-grained roles which simplify administration by reducing configuration complexity. In this paper we propose OnPar, a multi-objective role mining approach which introduces minimization of unnecessary privilege as a role mining objective, along with an associated unnecessary privilege metric. These allow an RBAC configuration's level of adherence to the principle of least privilege to be reasoned about and traded off against other objectives, including minimization of configuration complexity. A key feature of our approach is the elimination of user tuning of global optimization weights. We show experimentally that this tuning typically leads to the evaluation of sub-optimal candidates, while still missing many optimal candidates. To avoid these issues we leverage Pareto optimality and introduce multi-stage Pareto filtering and the hypervolume indicator to role mining. Their use allows OnPar to efficiently select a small set of candidates for evaluation by the administrator, which are equal best and representative of the full range of trade-offs that were found. Our experimental results demonstrate the effectiveness of this approach across a wide range of input configurations.