Breaking the Trade-Off
Adaptive Optimization for Scalable, Minimal RBAC
C. KINDYNIS (TU Delft - Electrical Engineering, Mathematics and Computer Science)
Georgios Smaragdakis – Mentor (TU Delft - Cyber Security)
Y. Zhauniarovich – Mentor (TU Delft - Organisation & Governance)
Megha Khosla – Graduation committee member (TU Delft - Multimedia Computing)
Eduardo Barbaro – Mentor (TU Delft - Organisation & Governance)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Role-Based Access Control (RBAC) is foundational to enterprise security, yet manual role engineering remains error-prone and does not scale. Automated role mining addresses this, but existing methods face a critical trade-off: exact approaches guarantee minimal role sets but fail at real-world scale, while heuristics scale but lack formal guarantees. This trade-off forces enterprises into suboptimal, insecure configurations, increasing vulnerability risk and compliance cost. We resolve it through a four-level resource-aware framework that adapts to the instance at hand: (1) a memory-light heuristic, (2) optimality-preserving reductions, (3) a greedy heuristic with logarithmic approximation bounds, and (4) an ILP-based exact solver. Notably, our approach eliminates more than 99% of edges in 26 out of 31 real-world systems, making globally optimal role configurations reachable and yielding an average 53% simplification of existing RBAC systems. Our heuristics achieve near-optimal solutions while providing significant speedups over prior heuristics. Beyond the individual components, the unified, adaptive framework minimizes suboptimal decisions regardless of scale. We open-source the framework to enable minimal RBAC deployment at any scale.
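To make the kind of pipeline the abstract describes concrete, here is an added toy example that is not the thesis's code: the user-permission assignment is modelled as a bipartite graph, two textbook optimality-preserving reductions (collapsing users with identical permission sets and permissions with identical holders) shrink it, a standard greedy set-cover heuristic mines roles on the reduced graph, and the result is expanded back and checked against the original assignment. The sample data, function names and the choice of reductions and heuristic are all assumptions made for the illustration; they are not the framework's levels (1) to (4), only the same general ideas in miniature.

```python
"""Toy role-mining pipeline: optimality-preserving reductions followed by a
greedy set-cover heuristic, then expansion and an exactness check.
Added illustration only; names, data and algorithms are assumptions,
not the thesis's implementation."""
from itertools import combinations

# Constructed user-permission assignment (UPA); not data from the thesis.
UPA = {
    "alice": {"read_ledger", "write_ledger", "approve_payment"},
    "bob":   {"read_ledger", "write_ledger", "approve_payment"},
    "carol": {"read_ledger", "write_ledger"},
    "dave":  {"read_ledger", "view_report", "view_dashboard"},
    "erin":  {"read_ledger", "view_report", "view_dashboard"},
    "frank": {"view_report", "view_dashboard"},
}


def edge_count(upa):
    """Number of (user, permission) edges in the bipartite UPA graph."""
    return sum(len(ps) for ps in upa.values())


def collapse_users(upa):
    """Users with identical permission sets can receive identical role sets in
    any minimal solution, so keep one representative per distinct set."""
    groups = {}
    for user in sorted(upa):
        groups.setdefault(frozenset(upa[user]), []).append(user)
    reduced = {members[0]: set(ps) for ps, members in groups.items()}
    user_group = {members[0]: members for members in groups.values()}
    return reduced, user_group


def collapse_permissions(upa):
    """Symmetric reduction: permissions held by exactly the same users always
    travel together, so fold each such group into one representative."""
    holders = {}
    for user, ps in upa.items():
        for p in ps:
            holders.setdefault(p, set()).add(user)
    groups = {}
    for p in sorted(holders):
        groups.setdefault(frozenset(holders[p]), []).append(p)
    perm_group = {members[0]: members for members in groups.values()}
    rep_of = {p: members[0] for members in groups.values() for p in members}
    reduced = {u: {rep_of[p] for p in ps} for u, ps in upa.items()}
    return reduced, perm_group


def candidate_roles(upa):
    """Intersection closure of the users' permission sets. Every role of some
    minimal cover can be drawn from this family; it is exponential in general,
    which is exactly why real instances need the reductions first."""
    cands = {frozenset(ps) for ps in upa.values() if ps}
    changed = True
    while changed:
        changed = False
        for a, b in combinations(sorted(cands, key=sorted), 2):
            c = a & b
            if c and c not in cands:
                cands.add(c)
                changed = True
    return cands


def greedy_role_mining(upa):
    """Greedy set cover over candidate roles: repeatedly take the role covering
    the most still-uncovered edges. Classic O(log n) approximation; ties are
    broken deterministically by the sorted permission names."""
    uncovered = {(u, p) for u, ps in upa.items() for p in ps}
    cands = candidate_roles(upa)
    roles = []
    while uncovered:
        def gain(role):
            return sum(1 for u, p in uncovered if p in role and role <= upa[u])
        best = min(cands, key=lambda r: (-gain(r), sorted(r)))
        roles.append(best)
        cands.discard(best)
        uncovered -= {(u, p) for u, p in uncovered
                      if p in best and best <= upa[u]}
    return roles


def mine_roles(upa):
    """Reduce, mine greedily, expand back. Returns the roles, the user-role
    assignment, and the edge counts before and after reduction."""
    by_user, user_group = collapse_users(upa)
    reduced, perm_group = collapse_permissions(by_user)
    mined = greedy_role_mining(reduced)
    roles = [frozenset(p for rep in role for p in perm_group[rep]) for role in mined]
    ua = {}
    for rep, members in user_group.items():
        fitting = [r for r in roles if r <= upa[rep]]
        for u in members:
            ua[u] = fitting
    return roles, ua, edge_count(upa), edge_count(reduced)


def reconstruct(ua):
    """Permissions each user actually gets through the assigned roles."""
    return {u: set().union(*rs) if rs else set() for u, rs in ua.items()}


if __name__ == "__main__":
    roles, ua, before, after = mine_roles(UPA)
    print(f"edges: {before} -> {after} after reduction; {len(roles)} roles")
    for r in roles:
        print(sorted(r))
    assert reconstruct(ua) == UPA, "mined roles must reproduce the UPA exactly"
```

On this constructed input the two reductions halve the edge count before any mining happens, and the final `reconstruct(ua) == UPA` check is the property that matters for security: a role set that over- or under-covers the original assignment is a privilege change, not a simplification, so any mining step should be followed by exactly this comparison.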
Files
File under embargo until 31-10-2025