Title :
On Role Mappings for RBAC-Based Secure Interoperation
Author :
Hu, Jinwei ; Li, Ruixuan ; Lu, Zhengding
Author_Institution :
Intell. & Distrib. Comput. Lab., Huazhong Univ. of Sci. & Technol., Wuhan, China
Abstract :
The inter-domain role mapping is a basic method for facilitating interoperation in RBAC-based collaborating environments, where each domain employs role-based access control (RBAC) to specify access control policies. Prior to concrete interoperation, one important problem is to establish role mappings. Two issues are involved in the establishing process. The first one is to generate role mappings while respecting RBAC states such as separation of duty (SoD) constraints. On the other hand, administrative work on RBAC policies is sometimes needed to generate mappings. This paper investigates these two problems, mostly from the computational perspective. In particular, we study how to find a set of roles appropriate for mappings and how to fulfill interoperation requests; it turns out that most of the corresponding problems are NP-complete. Further, several useful subcases of these problems are identified. We also motivate and support partial interoperation by imposing constraints on interoperation requests. When administrative work is necessary, we examine how to minimize administrative cost; the result is that one subcase of the problem reduces to the "minimal set cover" (MSC) problem. We demonstrate that approaches to MSC can be applied to this problem, even though they are not totally equivalent. Finally, a discussion on how administrative operations made to RBAC states may influence interoperability is presented as well.
Keywords :
authorisation; graph theory; groupware; minimisation; open systems; set theory; NP-complete problem; RBAC-based secure interoperation; SoD; administrative cost minimization; collaborating environment; inter-domain role mapping; interoperability; minimal set cover problem; role based access control; separation of duty constraint; Access control; Computer science; Computer security; Concrete; Costs; Distributed computing; Educational institutions; Intelligent networks; International collaboration; Permission; RBAC; administration; role mappings; secure interoperation;
Conference_Title :
Network and System Security, 2009. NSS '09. Third International Conference on
Conference_Location :
Gold Coast, QLD
Print_ISBN :
978-1-4244-5087-9
Electronic_ISBN :
978-0-7695-3838-9
DOI :
10.1109/NSS.2009.76