Michael Marks, Product Manager, Core Security
Alessandro Colantonio, Data Scientist, Core Security
AGENDA
• What is Core Role Designer?
• How does it work?
• Demo
• What's coming in future releases?
• Q&A
Current Role Mining Solutions Make the Wrong Choice
[Figure: a "Black Box" role-mining step that emits Role A, Role B, Role C]
Issues with this approach:
• Are these roles even right?
• How do you know you haven't over- or under-provisioned?
• Are the people getting these roles similar enough?
Everything is an integer…
§ Entities can be represented with ordinal numbers
• Users: 0=Alice, 1=Bob, 2=Carl, 3=Daniel, …
• Entitlements: 0=SU01, 1=FB03, 2=F-91, 3=MIGO, …
§ Subsets of entities are represented by integer sets
• A role made up of transactions FB03 and MIGO assigned to Bob and Carl is represented by the sets {1, 3} and {1, 2}
What is the best algorithm for set intersection?
§ Sorted-array intersection (both arrays sorted, walked front to back):
  5 7 10 34 35 51 76
∩ 7 34 51 76 90 97
= 7 34 51 76
• It is "optimal" because you iterate (at most) over all elements of the two sets only once
• BUT ONLY FROM A THEORETICAL POINT OF VIEW!
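The two slides above (entities as ordinal numbers, roles as integer sets, and the merge-style intersection of sorted arrays) put into working code. This is an added example, not code from the deck or from Core Role Designer; the user and entitlement universes are constructed sample data in the slide's numbering, and the function names are my own.

```python
from typing import Dict, List, Sequence

# Constructed sample universes, numbered the way the slide numbers them.
USERS = ["Alice", "Bob", "Carl", "Daniel"]
ENTITLEMENTS = ["SU01", "FB03", "F-91", "MIGO"]


def encode(names: Sequence[str], universe: Sequence[str]) -> List[int]:
    """Map entity names to their ordinal ids; return a sorted, duplicate-free integer set."""
    index: Dict[str, int] = {name: i for i, name in enumerate(universe)}
    return sorted({index[n] for n in names})


def decode(ids: Sequence[int], universe: Sequence[str]) -> List[str]:
    """Inverse of encode: ordinal ids back to names."""
    return [universe[i] for i in ids]


def intersect_sorted(a: Sequence[int], b: Sequence[int]) -> List[int]:
    """Merge-style intersection of two sorted integer arrays.

    Both cursors only ever move forward, so each element is visited at most once:
    O(|a| + |b|) comparisons, the 'optimal' bound the slide refers to. In practice
    every step is a data-dependent branch, which is the cost bitmaps avoid.
    """
    out: List[int] = []
    i = j = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            out.append(a[i])
            i += 1
            j += 1
        elif a[i] < b[j]:
            i += 1
        else:
            j += 1
    return out


def common_users(role_a_users: Sequence[str], role_b_users: Sequence[str]) -> List[str]:
    """Users assigned to both roles: encode, intersect as integer sets, decode."""
    return decode(
        intersect_sorted(encode(role_a_users, USERS), encode(role_b_users, USERS)),
        USERS,
    )


if __name__ == "__main__":
    print(intersect_sorted([5, 7, 10, 34, 35, 51, 76], [7, 34, 51, 76, 90, 97]))
    print(encode(["Bob", "Carl"], USERS), encode(["FB03", "MIGO"], ENTITLEMENTS))
    print(common_users(["Bob", "Carl"], ["Carl", "Daniel"]))
```

Running it reproduces the slide's example (7 34 51 76) and the role encoding ({1, 2} for Bob and Carl, {1, 3} for FB03 and MIGO); the same intersection routine answers questions such as which users two candidate roles share.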
Compressed bitmaps
§ Bit arrays (bitmaps) significantly speed up integer set operations
• Exploits bit-level parallelism in hardware to speed up operations
• {3, 7, 8, 15} = 1000000110001000
• {0, 7, 8, 10} = 0000010110000001
• {3, 7, 8, 15} ∩ {0, 7, 8, 10} = 1000000110001000 AND 0000010110000001
§ However, bitmaps usually use a large storage space.
• Bitmap compression algorithm that trades some space to allow for fast bitwise operations without decompressing bitmaps
• Colantonio, A., Di Pietro, R. (2010). CONCISE: COmpressed 'N' Composable Integer SEt. Information Processing Letters, 110(16), 644-650.
How to perform set intersection?
§ Example (each operand is a list of non-zero 32-bit words, shown as word offset followed by the word; left column is the first operand, right column the second):
  32  00100001000101010010101010000101    128 00000000000000011111111111111111
  128 00100001000101010010101010000101    160 00100001000101010010101010000101
∩
= 128 00000000000000010010101010000101
§ It is a mix of the two approaches:
• Use sorted-array intersection to identify two words with the same offset
• Use bitwise AND to intersect bits in the words
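The two previous slides (bitmaps exploiting bit-level parallelism, and the merge-on-offsets plus bitwise-AND intersection) in code. This is an added illustration, not the deck's code and not CONCISE: it stores only the non-zero 32-bit literal words as sorted (offset, word) pairs, and omits the run-length-coded fill words that CONCISE adds on top of this idea. Names such as `to_words` and `intersect_words` are mine; bit 0 is the rightmost bit of a word, matching the slide's notation.

```python
from typing import List, Set, Tuple

WORD_BITS = 32
# (offset of the first integer this word covers, 32-bit literal word); only non-zero words are kept.
Word = Tuple[int, int]


def to_words(elems: Set[int]) -> List[Word]:
    """Sparse bitmap: every integer lands in the word covering [base, base + 32)."""
    words = {}
    for e in elems:
        base = (e // WORD_BITS) * WORD_BITS
        words[base] = words.get(base, 0) | (1 << (e % WORD_BITS))
    return sorted(words.items())


def from_words(words: List[Word]) -> Set[int]:
    """Decode a sparse bitmap back into the integers it represents."""
    return {off + k for off, w in words for k in range(WORD_BITS) if (w >> k) & 1}


def parse_word(offset: int, bits: str) -> Word:
    """Build a word from the slide's 32-character binary notation."""
    return (offset, int(bits, 2))


def show(words: List[Word]) -> List[Tuple[int, str]]:
    """Render words in the slide's notation (offset, 32-bit string)."""
    return [(off, format(w, "032b")) for off, w in words]


def intersect_words(a: List[Word], b: List[Word]) -> List[Word]:
    """Merge the two offset lists like sorted arrays; AND the words that share an offset.

    Words at different offsets cannot have common elements, so they are skipped without
    any per-bit work; a shared offset costs a single 32-wide AND.
    """
    out: List[Word] = []
    i = j = 0
    while i < len(a) and j < len(b):
        off_a, w_a = a[i]
        off_b, w_b = b[j]
        if off_a == off_b:
            w = w_a & w_b
            if w:                      # drop words that became all-zero
                out.append((off_a, w))
            i += 1
            j += 1
        elif off_a < off_b:
            i += 1
        else:
            j += 1
    return out


def slide_example() -> List[Tuple[int, str]]:
    """The worked example from the slide: words at offsets 32/128 against 128/160."""
    w1 = "00100001000101010010101010000101"
    w2 = "00000000000000011111111111111111"
    left = [parse_word(32, w1), parse_word(128, w1)]
    right = [parse_word(128, w2), parse_word(160, w1)]
    return show(intersect_words(left, right))


if __name__ == "__main__":
    print(format(to_words({3, 7, 8, 15})[0][1], "016b"))       # 1000000110001000
    print(from_words(intersect_words(to_words({3, 7, 8, 15}), to_words({0, 7, 8, 10}))))
    print(slide_example())
```

The small 16-bit example from the previous slide and the 32-bit offset example both come out as on the slides: {3, 7, 8, 15} ∩ {0, 7, 8, 10} = {7, 8}, and the only offset the two operands share (128) yields 00000000000000010010101010000101.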
Main algorithms in Sonar
§ Most of the data mining algorithms are based on set operations → you can boost the performance of all of them
§ Algorithms implemented in Sonar that benefit from Concise
• Role mining (pattern enumeration + optimal set)
• Matrix visualization
• Segregation of Duties
• Missing & Outlier detection
• Role Matching
• Minability index
• Category Marginality/Variance
• Overlapping and role refactoring
• AHP (Analytic Hierarchy Process)
Binary matrices
§ Relationships between entities can be represented by binary matrices
§ A binary matrix can be seen as a set of rows, each row represented by a compressed bitmap
§ Only non-zero rows need to be represented
§ Matrix operations (e.g., multiplication) can be easily reduced to a sequence of set operations (mainly intersections) on the compressed representations of rows
§ Most matrix operations can be naturally parallelized by "distributing rows" across all the available cores
Multiplication of BMs = indirect relationships
[Figure: worked example of a Boolean matrix product. A Users × Roles matrix (5 users; roles Basic User, Full Professor, External Teacher) multiplied by a Roles × Entitlements matrix gives Users × Entitlements, i.e. the entitlements each user holds indirectly through roles. Entitlement labels on the slide: internet, spend > $500, teach students, supervise thesis.]

Users × Roles (columns: Basic User, Full Professor, External Teacher):
1 0 0
1 1 0
1 1 0
1 0 1
1 0 1

Roles × Entitlements (rows in the slide's order: Basic User, Full Professor, External Teacher):
1 1 0 0 0
0 0 0 1 1
0 0 1 1 0

Users × Entitlements (the product):
1 1 0 0 0
1 1 0 1 1
1 1 0 1 1
1 1 1 1 0
1 1 1 1 0
Back to authorization models…
[Figure: the authorization model as a chain of binary matrices between entity types (OrgUnit, Profiles, Accounts, Groups, Resources): Parent OrgUnit × Child OrgUnit, OrgUnit × Profile, Profile × Account, Account × Group, Parent Group × Child Group, Group × Resource, Account × Resource.]
Resources assigned to users belonging to each OU…
[Figure: the OrgUnit × Profile, Profile × Account, Account × Group, Group × Resource and Account × Resource matrices multiplied along the chain, giving two OrgUnit × Resource matrices that are then added.]
• OrgUnits which contain profiles that have resources assigned to their accounts through groups
+
• OrgUnits which contain profiles that have resources directly assigned to their accounts
=
• OrgUnits which contain profiles that have resources assigned to their accounts, directly or indirectly through groups
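One implementation of the binary-matrix idea from the earlier "Binary matrices" and "Multiplication of BMs" slides and of the OrgUnit → Resource composition on this slide. This is an added example, not the deck's or Sonar's code: rows are plain Python integers used as bitmaps (not CONCISE), the Users × Roles and Roles × Entitlements matrices are the ones printed on the multiplication slide, and the OrgUnit/Profile/Account/Group/Resource matrices are small constructed data. Function names (`bool_mul`, `bool_or`, `ou_resources`) are mine.

```python
from typing import List, Tuple

# A binary-matrix row as a bitmap: bit j of the integer is set iff matrix[i][j] == 1.
Row = int


def from_lists(rows: List[List[int]]) -> List[Row]:
    """Pack each 0/1 list into one integer row."""
    return [sum(1 << j for j, v in enumerate(r) if v) for r in rows]


def to_lists(rows: List[Row], ncols: int) -> List[List[int]]:
    """Unpack integer rows into 0/1 lists (for display and checking)."""
    return [[(r >> j) & 1 for j in range(ncols)] for r in rows]


def transpose(rows: List[Row], ncols: int) -> List[Row]:
    """Columns of a row-bitmap matrix, each again as a bitmap over row indices."""
    cols = [0] * ncols
    for i, r in enumerate(rows):
        for j in range(ncols):
            if (r >> j) & 1:
                cols[j] |= 1 << i
    return cols


def bool_mul(a: List[Row], b: List[Row], b_ncols: int) -> List[Row]:
    """Boolean product: (a·b)[i][j] = 1 iff row i of a and column j of b intersect.

    Each output row depends only on its own input row, so the loop over `a` is the unit
    that can be distributed across cores; a row/column test is one AND on bitmaps.
    """
    b_cols = transpose(b, b_ncols)
    out: List[Row] = []
    for row in a:
        bits = 0
        for j, col in enumerate(b_cols):
            if row & col:              # set intersection is non-empty
                bits |= 1 << j
        out.append(bits)
    return out


def bool_or(a: List[Row], b: List[Row]) -> List[Row]:
    """Element-wise OR of two same-shaped matrices (per-row set union); the '+' on the slide."""
    return [x | y for x, y in zip(a, b)]


# --- Example 1: the slide's Users x Roles and Roles x Entitlements matrices ---------------
USERS_ROLES = from_lists([[1, 0, 0], [1, 1, 0], [1, 1, 0], [1, 0, 1], [1, 0, 1]])
# rows: Basic User, Full Professor, External Teacher
ROLES_ENTS = from_lists([[1, 1, 0, 0, 0], [0, 0, 0, 1, 1], [0, 0, 1, 1, 0]])
N_ENTS = 5


def users_entitlements() -> List[List[int]]:
    """Entitlements each user holds indirectly through roles (the slide's 5x5 product)."""
    return to_lists(bool_mul(USERS_ROLES, ROLES_ENTS, N_ENTS), N_ENTS)


# --- Example 2: resources reachable from each OrgUnit, directly and through groups --------
# Constructed toy data for OrgUnit -> Profile -> Account -> Group -> Resource.
OU_PROFILE = from_lists([[1, 1, 0], [0, 0, 1]])              # OU0 owns profiles 0,1; OU1 owns 2
PROFILE_ACCOUNT = from_lists([[1, 0, 0], [0, 1, 0], [0, 0, 1]])
ACCOUNT_GROUP = from_lists([[1, 0], [0, 1], [0, 0]])        # account 2 is in no group
GROUP_RESOURCE = from_lists([[1, 0, 0], [0, 1, 0]])
ACCOUNT_RESOURCE = from_lists([[0, 0, 0], [0, 0, 1], [0, 0, 1]])  # direct grants, no group
N_RES = 3


def ou_resources() -> Tuple[List[List[int]], List[List[int]], List[List[int]]]:
    """(via_groups, direct, combined) OrgUnit x Resource matrices as 0/1 lists."""
    ou_account = bool_mul(bool_mul(OU_PROFILE, PROFILE_ACCOUNT, 3), ACCOUNT_GROUP, 2)
    via_groups = bool_mul(ou_account, GROUP_RESOURCE, N_RES)
    direct = bool_mul(bool_mul(OU_PROFILE, PROFILE_ACCOUNT, 3), ACCOUNT_RESOURCE, N_RES)
    combined = bool_or(via_groups, direct)
    return (to_lists(via_groups, N_RES), to_lists(direct, N_RES), to_lists(combined, N_RES))


if __name__ == "__main__":
    for r in users_entitlements():
        print(*r)
    print(ou_resources())
```

The product reproduces the 5 × 5 matrix on the multiplication slide, and the OU example shows why the direct Account × Resource path has to be OR-ed in: an account with a direct grant but no group membership (account 2 here) would otherwise be invisible to a review of what an OrgUnit can reach.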
OData API
§ Open Data Protocol (OData) enables the creation and consumption of REST APIs
• allows resources, identified by URLs and defined in a data model, to be published
• uses simple HTTP messages
§ producers are services that expose their data using the OData protocol
§ consumers are simply applications that consume data exposed using the OData protocol
§ More info:
• http://www.odata.org/getting-started/understand-odata-in-6-steps/
• http://www.odata.org/getting-started/basic-tutorial/
Example: requesting an entity
§ GET http://ODATA_SERVICE/Roles
§ Response:
{
  …
  "value": [
    {
      "@odata.id": "http://ODATA_SERVICE/Roles('rid1')",
      "@odata.etag": "etag_rid1",
      …
      "ID": "rid1",
      "property1": "value11",
      "property2": "value12",
      …
    },
    {
      "@odata.id": "http://ODATA_SERVICE/Roles('rid2')",
      "@odata.etag": "etag_rid2",
      …
      "ID": "rid2",
      "property1": "value21",
      "property2": "value22",
      …
    },
    …
  ]
}
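A consumer for the response shape shown above, as an added example rather than code from the deck or from Core Role Designer. It assumes only standard OData v4 conventions (a `value` array, `@odata.id`, `@odata.etag`, an optional `@odata.nextLink` for server-driven paging, and `If-Match` for conditional updates); `http://ODATA_SERVICE` is the slide's placeholder for the service base URL, the two page payloads are constructed, and the `get` callable stands in for a real HTTP client so the example runs offline.

```python
import json
from typing import Callable, Dict, Iterator

SERVICE_URL = "http://ODATA_SERVICE"   # placeholder, as on the slide

# Constructed sample payloads in the slide's shape, split over two pages linked by @odata.nextLink.
PAGES: Dict[str, str] = {
    f"{SERVICE_URL}/Roles": json.dumps({
        "value": [
            {"@odata.id": f"{SERVICE_URL}/Roles('rid1')", "@odata.etag": "etag_rid1",
             "ID": "rid1", "property1": "value11", "property2": "value12"},
        ],
        "@odata.nextLink": f"{SERVICE_URL}/Roles?$skiptoken=2",
    }),
    f"{SERVICE_URL}/Roles?$skiptoken=2": json.dumps({
        "value": [
            {"@odata.id": f"{SERVICE_URL}/Roles('rid2')", "@odata.etag": "etag_rid2",
             "ID": "rid2", "property1": "value21", "property2": "value22"},
        ],
    }),
}


def offline_get(url: str) -> str:
    """Stand-in for an HTTP GET (e.g. urllib.request.urlopen(url).read()); serves PAGES."""
    return PAGES[url]


def iter_entities(url: str, get: Callable[[str], str]) -> Iterator[Dict]:
    """Walk an OData collection, following @odata.nextLink until the service stops paging.

    Stopping at the first page is a common consumer bug: a role inventory that silently
    misses everything after page one looks complete but is not.
    """
    while url:
        body = json.loads(get(url))
        for entity in body.get("value", []):
            yield entity
        url = body.get("@odata.nextLink")


def load_roles(get: Callable[[str], str] = offline_get) -> Dict[str, Dict]:
    """Index roles by ID, keeping the annotations needed to address and update each one."""
    roles: Dict[str, Dict] = {}
    for e in iter_entities(f"{SERVICE_URL}/Roles", get):
        props = {k: v for k, v in e.items() if not k.startswith("@odata.")}
        roles[e["ID"]] = {"id_url": e["@odata.id"], "etag": e["@odata.etag"], "properties": props}
    return roles


def conditional_update_headers(role: Dict) -> Dict[str, str]:
    """Headers for a PATCH to role['id_url']: If-Match with the ETag read earlier makes the
    service reject the write if someone changed the role in between (optimistic concurrency)."""
    return {"If-Match": role["etag"], "Content-Type": "application/json"}


if __name__ == "__main__":
    for rid, role in load_roles().items():
        print(rid, role["id_url"], conditional_update_headers(role)["If-Match"])
```

Both pages are visited, so both roles are returned; each record carries the `@odata.id` URL to address the entity and the `@odata.etag` value to send back as `If-Match` when modifying it.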
Core Role Designer Tactical Roadmap
[Figure: timeline from Jul 2017 into 2018, quarters Q3 2017 to Q2 2018, with milestones in slide order: Initial Launch, SaaS, SOD, Multi-level Entitlement]