Role-based access control (RBAC) offers significant advantages over lower-level access control policy representations, such as access control lists (ACLs). However, the effort required for a large organization to migrate from ACLs to RBAC can be a significant obstacle to adoption of RBAC. Role mining algorithms partially automate the construction of an RBAC policy from an ACL policy and possibly other information. These algorithms can significantly reduce the cost of migration to RBAC.
This paper defines a parameterized RBAC (PRBAC) framework in which users and permissions have attributes that are implicit parameters of roles and can be used in role definitions. Parameterization significantly enhances the scalability of RBAC, by allowing much more concise policies. This paper presents algorithms for mining such policies and reports the results of evaluating the algorithms on case studies. To the best of our knowledge, these are the first policy mining algorithms for a PRBAC framework. An evaluation on three small but non-trivial case studies demonstrates the effectiveness of our algorithms.