The security of IT systems faces substantial risks from external and internal threats, emphasizing the need for access control. Role-based access control is widely used in IT systems, where permissions are assigned to users via roles. However, insufficient permission concepts and dynamic changes in user responsibilities often lead to errors in permission assignments. These issues can undermine key security principles such as Least Privilege and Segregation of Duties. Therefore, this study explores the application of machine learning-based access control (MLBAC) to address these challenges in the context of enterprise resource planning (ERP) systems. For this purpose, different ERP data sources, including permission concept data and records of user behavior, are described, and their suitability for MLBAC is investigated. This study further highlights the significant potential of MLBAC for predicting access decisions to evaluate existing permissions concepts and to assign permissions to new users. Moreover, this study demonstrates how combining permission concept data and records of user behavior can validate access decisions.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Machine Learning-Based Enhancement of Access Control in ERP Systems Using Real-World Data

  • Jonas Schnepf,
  • Simon Anderer,
  • Boris Grothues,
  • Bernd Scheuermann

摘要

The security of IT systems faces substantial risks from external and internal threats, emphasizing the need for access control. Role-based access control is widely used in IT systems, where permissions are assigned to users via roles. However, insufficient permission concepts and dynamic changes in user responsibilities often lead to errors in permission assignments. These issues can undermine key security principles such as Least Privilege and Segregation of Duties. Therefore, this study explores the application of machine learning-based access control (MLBAC) to address these challenges in the context of enterprise resource planning (ERP) systems. For this purpose, different ERP data sources, including permission concept data and records of user behavior, are described, and their suitability for MLBAC is investigated. This study further highlights the significant potential of MLBAC for predicting access decisions to evaluate existing permissions concepts and to assign permissions to new users. Moreover, this study demonstrates how combining permission concept data and records of user behavior can validate access decisions.