Mining meaningful and rare roles from web application usage patterns

Nurit Gal-Oz, Yaron Gonen, Ehud Gudes

Research output: Contribution to journalArticlepeer-review

16 Scopus citations


Role mining refers to the problem of discovering an optimal set of roles from existing user permissions. Most role mining algorithms, use the full set of user-permission assignments (UPA) as input, and generate a hierarchy of roles consistent with this UPA as output. While in some scenarios such as legacy systems or dynamic environments, the complete UPA is unknown, it can be partially inferred from actual web-application usage information. We may collect this information by monitoring users’ access to an application over a period of time. The limited time period makes the data collected a sample which is susceptible to noise pollution. Specifically, not all existing permissions may be reflected in the sample, and thus a subtractive noise is introduced. In previous work, we presented an algorithm which uses the session permission usage information and overcomes the inherent subtractive noise by eliminating roles with very little usage. However some roles are rare by nature, they are either defined for a very small group of users or contain permissions to data that are rarely used. In this paper we present an algorithm that distinguishes between noise and rare roles. Our method enables role mining while controlling the trade-off between a minimality criteria and the ability to discover rare roles. The algorithm is tested by a simulation based on a real-life role hierarchy, and its effectiveness is demonstrated through the identification of correct roles, even if rare, under different levels of noise.

Original languageEnglish
Pages (from-to)296-313
Number of pages18
JournalComputers and Security
StatePublished - 1 May 2019


  • Data mining
  • Integrity
  • Protection
  • Security
  • Web-based services

ASJC Scopus subject areas

  • General Computer Science
  • Law


Dive into the research topics of 'Mining meaningful and rare roles from web application usage patterns'. Together they form a unique fingerprint.

Cite this