Journal of Computer Security 23 (2015) 31–58
DOI 10.3233/JCS-140512
IOS Press

The generalized temporal role mining problem

Barsha Mitra a, Shamik Sural a,*, Vijayalakshmi Atluri b and Jaideep Vaidya b

a School of Information Technology, IIT Kharagpur, Kharagpur, India
E-mails: barsha.mitra@sit.iitkgp.ernet.in, shamik@sit.iitkgp.ernet.in
b MSIS Department, Rutgers University, Piscataway, NJ, USA
E-mails: atluri@rutgers.edu, jsvaidya@business.rutgers.edu

* Corresponding author. E-mail: shamik@sit.iitkgp.ernet.in.

Abstract. Role mining, the process of deriving a set of roles from the available user-permission assignments, is considered an essential step in the successful implementation of Role-Based Access Control (RBAC) systems. Traditional role mining techniques, however, are not equipped to handle temporal extensions of RBAC such as the Temporal-RBAC (TRBAC) model. In this paper, we formally define the problem of finding a minimal set of roles from temporal user-permission assignments, such that in the resulting TRBAC system, users acquire either the same or a subset of the permissions originally assigned to them, for the complete or partial durations of time specified in the input. We show that the problem is NP-complete and propose a greedy algorithm for solving it. Our algorithm first derives a set of candidate roles from the temporal user-permission assignments and then selects the least possible number of roles from the candidate role set. The final output consists of a set of roles, a user-to-role assignment relation, a role-to-permission assignment relation and a role enabling base describing the time durations for which each role is enabled. The performance of the proposed approach has been evaluated on a number of synthetic as well as real-world datasets.

Keywords: TRBAC, temporal user-permission assignment, generalized temporal role mining, NP-complete, temporal mismatch, greedy algorithm

0926-227X/15/$35.00 © 2015 – IOS Press and the authors. All rights reserved.

1. Introduction

Over the years, Role-Based Access Control (RBAC) has become a well-accepted and successful model for enforcing secure access to sensitive information and restricted resources [10,34]. In RBAC, an organization defines a set of roles, and users are assigned to these roles. One or more permissions are associated with each role. Users acquire the authorizations they need to access resources through these permissions, by being members of the appropriate roles. In an RBAC system, the set of permissions included in a role is at the disposal of any user assigned to that role for an unrestricted period of time, until the role is revoked from the user, typically by an administrator. Thus, RBAC does not impose any constraint on the time duration for which roles are available to users. In many real-life scenarios, however, there is a need to restrict the availability of permissions to users to specific periods of time only. To achieve this, it is necessary to impose a constraint on the duration for which a user can assume a particular assigned role. Since the basic RBAC model cannot handle such a temporal dimension associated with roles, several extensions of RBAC have been proposed, such as the Temporal Role-Based Access Control (TRBAC) model [2] and the Generalized Temporal Role-Based Access Control (GTRBAC) model [23].
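As an added illustration (not the paper's own code), the following Python sketch encodes the problem stated in the abstract: a temporal user-permission assignment as (user, permission, interval) triples, candidate roles derived from it, and a greedy selection that assigns a role to a user only when it grants no permission and no duration beyond the input, so the mined TRBAC configuration never over-privileges anyone. The candidate-role derivation (one candidate per user and interval) and the coverage-based greedy choice are assumptions standing in for the paper's algorithm, which this section does not detail.

```python
from collections import defaultdict

# Constructed temporal user-permission assignment (TUPA): (user, permission, (start, end)) triples
TUPA = {
    ("alice", "read_db", (9, 17)), ("alice", "write_db", (9, 17)),
    ("bob",   "read_db", (9, 17)), ("bob",   "write_db", (9, 17)),
    ("carol", "read_db", (9, 12)),
}

def grants(role, user):
    """Temporal permissions a user acquires from role = (frozenset(perms), interval)."""
    perms, iv = role
    return {(user, p, iv) for p in perms}

def is_safe(role, user, tupa):
    """A role may be assigned to user only if every permission it grants is one the
    user already holds in tupa for a duration containing the role's enabling interval."""
    return all(any(u == user and q == p and orig[0] <= iv[0] and iv[1] <= orig[1]
                   for (u, q, orig) in tupa)
               for (_, p, iv) in grants(role, user))

def candidate_roles(tupa):
    """One candidate per (user, interval): the permissions held for exactly that interval.
    Assumed stand-in for the paper's candidate-role derivation, which is not shown here."""
    by_user_iv = defaultdict(set)
    for u, p, iv in tupa:
        by_user_iv[(u, iv)].add(p)
    return {(frozenset(ps), iv) for (_, iv), ps in by_user_iv.items()}

def greedy_mine(tupa):
    """Assumed greedy selection (not the paper's exact heuristic): repeatedly pick the candidate
    covering the most still-uncovered TUPA entries, assigning it only where it is safe."""
    users = {u for u, _, _ in tupa}
    uncovered, chosen, ura = set(tupa), [], defaultdict(set)
    cands = candidate_roles(tupa)
    while uncovered and cands:
        def gain(r):
            return sum(len(grants(r, u) & uncovered) for u in users if is_safe(r, u, tupa))
        best = max(cands, key=gain)
        if gain(best) == 0:
            break  # remaining entries cannot be covered without over-privileging
        cands.remove(best)
        chosen.append(best)
        for u in users:
            if is_safe(best, u, tupa) and grants(best, u) & uncovered:
                ura[u].add(best)
                uncovered -= grants(best, u)
    return chosen, dict(ura), uncovered  # roles, user-role assignment, uncovered entries
```

On the constructed input the full-day role {read_db, write_db} is refused for carol because she never held write_db, so a second role is needed for her shorter read-only window.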