{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T03:47:35Z","timestamp":1760240855791,"version":"build-2065373602"},"reference-count":40,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2019,9,19]],"date-time":"2019-09-19T00:00:00Z","timestamp":1568851200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"the Natural Science Foundation of China","award":["61501393"],"award-info":[{"award-number":["61501393"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Role-based access control (RBAC), which has been regarded as one of the most popular access-control mechanisms, is featured by the separation-of-duty constraints, mutually exclusive constraints, and the least-privileges principle. Role mining, a bottom-up role-engineering technology, is an effective method to migrate from a non-RBAC system to an RBAC system. However, conventional role-mining approaches not only do not consider the separation of duty constraints, but also cannot ensure the security of a constructed RBAC system when the corresponding mined results violate the separation of a duty constraint and\/or the least-privileges principle. To solve these problems, this paper proposes a novel method called role-mining optimization with separation-of-duty constraints and security detections for authorizations (RMO_SODSDA), which mainly includes two aspects. First, we present a role-mining-optimization approach for satisfying the separation of duty constraints, and we constructed different variants of mutually exclusive constraints to correctly implement the given separation of duty constraints based on unconstrained role mining. Second, to ensure the security of the constructed system and evaluate authorization performance, we reduced the authorization-query problem to a maximal-satisfiability problem. The experiments validate the effectiveness and efficiency of the proposed method.<\/jats:p>","DOI":"10.3390\/fi11090201","type":"journal-article","created":{"date-parts":[[2019,9,19]],"date-time":"2019-09-19T11:02:01Z","timestamp":1568890921000},"page":"201","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Role-Mining Optimization with Separation-of-Duty Constraints and Security Detections for Authorizations"],"prefix":"10.3390","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4399-3762","authenticated-orcid":false,"given":"Wei","family":"Sun","sequence":"first","affiliation":[{"name":"Center of Network Information and Computing, Xinyang Normal University, Xinyang 464000, China"}]},{"given":"Shiwei","family":"Wei","sequence":"additional","affiliation":[{"name":"School of Computer and Technology, Guilin University of Aerospace Technology, Guilin 541000, China"}]},{"given":"Huaping","family":"Guo","sequence":"additional","affiliation":[{"name":"School of Computer and Information Technology, Xinyang Normal University, Xinyang 464000, China"}]},{"given":"Hongbing","family":"Liu","sequence":"additional","affiliation":[{"name":"Center of Network Information and Computing, Xinyang Normal University, Xinyang 464000, China"}]}],"member":"1968","published-online":{"date-parts":[[2019,9,19]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"73147","DOI":"10.1109\/ACCESS.2018.2881268","article-title":"Fault-tolerant scheduling algorithm with re-allocation for divisible task","volume":"6","author":"Xuan","year":"2018","journal-title":"IEEE Access"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"483","DOI":"10.3233\/JCS-191315","article-title":"Deploying ABAC policies using RBAC systems","volume":"27","author":"Batra","year":"2019","journal-title":"J. Comput. Secur."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"778","DOI":"10.1109\/TPDS.2018.2870652","article-title":"A Thorough Trust and Reputation Based RBAC Model for Secure Data Storage in the Cloud","volume":"30","author":"Ghafoorian","year":"2019","journal-title":"IEEE Trans. Parallel Distrib. Syst."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"12240","DOI":"10.1109\/ACCESS.2018.2812844","article-title":"Rbac-sc: Role-based access control using smart contract","volume":"6","author":"Cruz","year":"2018","journal-title":"IEEE Access"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"40389","DOI":"10.1109\/ACCESS.2017.2782838","article-title":"An Approach for Hierarchical RBAC Reconfiguration with Minimal Perturbation","volume":"6","author":"Pan","year":"2018","journal-title":"IEEE Access"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"e4399","DOI":"10.1002\/cpe.4399","article-title":"An efficiency approach for RBAC reconfiguration with minimal roles and perturbation","volume":"30","author":"Pan","year":"2018","journal-title":"Concurr. Comput. Pract. Exp."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"294","DOI":"10.1049\/iet-ifs.2016.0258","article-title":"Migrating from RBAC to temporal RBAC","volume":"11","author":"Mitra","year":"2017","journal-title":"IET Inf. Secur."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1007\/s12599-014-0343-3","article-title":"Modeling Support for Role-Based Delegation in Process-Aware Information Systems","volume":"6","author":"Strembeck","year":"2014","journal-title":"Bus. Inf. Syst. Eng."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"148","DOI":"10.1016\/j.istr.2013.03.003","article-title":"Bridging the gap between role mining and role engineering via migration guides","volume":"17","author":"Baumgrass","year":"2013","journal-title":"Inf. Sec. Techn. Rep."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Narouei, M., and Takabi, H. (2015, January 1\u20133). Towards an Automatic Top-down Role Engineering Approach Using Natural Language Processing Techniques. Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, Vienna, Austria.","DOI":"10.1145\/2752952.2752958"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"296","DOI":"10.1016\/j.cose.2019.01.005","article-title":"Mining meaningful and rare roles from web application usage patterns","volume":"82","author":"Gonen","year":"2019","journal-title":"Comput. Secur."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"8085303","DOI":"10.1155\/2019\/8085303","article-title":"RMMDI: A Novel Framework for Role Mining Based on the Multi-Domain Information","volume":"2019","author":"Bai","year":"2019","journal-title":"Secur. Commun. Netw."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"121","DOI":"10.3233\/JCS-17989","article-title":"Mining hierarchical temporal roles with multiple metrics","volume":"26","author":"Stoller","year":"2018","journal-title":"J. Comput. Secur."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2871148","article-title":"A Survey of Role Mining","volume":"48","author":"Mitra","year":"2016","journal-title":"ACM Comput. Surv."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1016\/j.cose.2016.04.002","article-title":"Mining temporal roles using many-valued concepts","volume":"60","author":"Mitra","year":"2016","journal-title":"Comput. Secur."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"336","DOI":"10.1016\/j.future.2014.10.018","article-title":"Role mining using answer set programming","volume":"55","author":"Ye","year":"2016","journal-title":"Future Gener. Comp. Syst."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Vaidya, J., Atluri, V., and Guo, Q. (2007, January 20\u201322). The role mining problem: Finding a minimal descriptive set of roles. Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France.","DOI":"10.1145\/1266840.1266870"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Lu, H., Vaidya, J., and Atluri, V. (2008, January 7\u201312). Optimal boolean matrix decomposition: Application to role engineering. Proceedings of the 24th International Conference on Data Engineering, Canc\u00fan, Mexico.","DOI":"10.1109\/ICDE.2008.4497438"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"1","DOI":"10.3233\/JCS-130484","article-title":"An optimization framework for role mining","volume":"22","author":"Lu","year":"2014","journal-title":"J. Comput. Secur."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"107","DOI":"10.3233\/JCS-140519","article-title":"Towards user-oriented RBAC model","volume":"23","author":"Lu","year":"2015","journal-title":"J. Comput. Secur."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"1510","DOI":"10.1109\/ACCESS.2017.2665586","article-title":"Achieving flexible and self-contained data protection in cloud computing","volume":"5","author":"Lang","year":"2017","journal-title":"IEEE Access"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1016\/j.cose.2017.03.012","article-title":"A simple model of separation of duty for access control models","volume":"68","author":"Ultra","year":"2017","journal-title":"Comput. Secur."},{"key":"ref_23","first-page":"131","article-title":"Emergency role-based access control (E-RBAC) and analysis of model specifications with alloy","volume":"45","author":"Nazerian","year":"2019","journal-title":"J. Inf. Sec. Appl."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/1237500.1237501","article-title":"On mutually exclusive roles and separation-of-duty","volume":"10","author":"Li","year":"2007","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"63","DOI":"10.1007\/s10878-013-9633-9","article-title":"Handling least privilege problem and role mining in RBAC","volume":"30","author":"Huang","year":"2015","journal-title":"J. Comb. Optim."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"1313","DOI":"10.1002\/cpe.1731","article-title":"Specifying and enforcing the principle of least privilege in role-based access control","volume":"23","author":"Ma","year":"2011","journal-title":"Concurr. Comput. Pract. Exp."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Zhang, Y., and Joshi, J.B.D. (2008, January 11\u201313). Uaq: A framework for user authorization query processing in rbac extended with hybrid hierarchy and constraints. Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, USA.","DOI":"10.1145\/1377836.1377850"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"707","DOI":"10.1016\/j.future.2018.01.010","article-title":"Supporting user authorization queries in RBAC systems by role-permission reassignment","volume":"88","author":"Lu","year":"2018","journal-title":"Future Gener. Comp. Syst."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Fu, Z., and Malik, S. (2006, January 12\u201315). On Solving the Partial MAX-SAT Problem. Proceedings of the 9th International Conference on Theory and Applications of Satisfiability Testing, Seattle, WA, USA.","DOI":"10.1007\/11814948_25"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Molloy, I., Chen, H., Li, T., Wang, Q., Li, N., Bertino, E., Calo, S.B., and Lobo, J. (2008, January 11\u201313). Mining roles with semantic meanings. Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, USA.","DOI":"10.1145\/1377836.1377840"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Zhang, D., Ramamohanarao, K., and Ebringer, T. (2007, January 20\u201322). Role engineering using graph optimisation. Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France.","DOI":"10.1145\/1266840.1266862"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Ene, A., Horne, W.G., Milosavljevic, N., Rao, P., Schreiber, R., and Tarjan, R.E. (2008, January 11\u201313). Fast exact and heuristic methods for role minimization problems. Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, USA.","DOI":"10.1145\/1377836.1377838"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Kumar, R., Sural, S., and Gupta, A. (2010, January 17\u201319). Mining RBAC Roles under Cardinality Constraint. Proceedings of the 6th International Conference on Information Systems Security, Gandhinagar, India.","DOI":"10.1007\/978-3-642-17714-9_13"},{"key":"ref_34","unstructured":"Hingankar, M., and Sural, S. (March, January 28). Towards role mining with restricted user-role assignment. Proceedings of the 2nd International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace and Electronic Systems Technology, Chennai, India."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"John, J.C., Sural, S., Atluri, V., and Vaidya, J. (2012, January 4\u20136). Role Mining under Role-Usage Cardinality Constraint. Proceedings of the 27th IFIP TC 11 Information Security and Privacy Conference on Information Security and Privacy Research, Heraklion, Greece.","DOI":"10.1007\/978-3-642-30436-1_13"},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"71","DOI":"10.1109\/TDSC.2014.2309117","article-title":"Meeting Cardinality Constraints in Role Mining","volume":"12","author":"Harika","year":"2015","journal-title":"IEEE Trans. Depend. Sec. Comput."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Wickramaarachchi, G.T., Qardaji, W.H., and Li, N. (2009, January 3\u20135). An efficient framework for user authorization queries in RBAC systems. Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, Stresa, Italy.","DOI":"10.1145\/1542207.1542213"},{"key":"ref_38","first-page":"95","article-title":"QMaxSAT: A partial Max-SAT solver","volume":"8","author":"Koshimura","year":"2012","journal-title":"J. Satisf. Boolean Model. Comput."},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Li, R., Li, H., Wei, W., Ma, X., and Gu, X. (2013, January 12\u201314). RMiner: A tool set for role mining. Proceedings of the 18th ACM Symposium on Access Control Models and Technologies, Amsterdam, The Netherlands.","DOI":"10.1145\/2462410.2462431"},{"key":"ref_40","unstructured":"Le Berre, D. (2019, August 10). Sat4j: A Satisfiability Library for Java. Available online: http:\/\/www.sat4j.org."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/11\/9\/201\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:21:56Z","timestamp":1760188916000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/11\/9\/201"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,9,19]]},"references-count":40,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2019,9]]}},"alternative-id":["fi11090201"],"URL":"https:\/\/doi.org\/10.3390\/fi11090201","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2019,9,19]]}}}