37 research outputs found
On the Parameterized Complexity and Kernelization of the Workflow Satisfiability Problem
A workflow specification defines a set of steps and the order in which those
steps must be executed. Security requirements may impose constraints on which
groups of users are permitted to perform subsets of those steps. A workflow
specification is said to be satisfiable if there exists an assignment of users
to workflow steps that satisfies all the constraints. An algorithm for
determining whether such an assignment exists is important, both as a static
analysis tool for workflow specifications, and for the construction of run-time
reference monitors for workflow management systems. Finding such an assignment
is a hard problem in general, but work by Wang and Li in 2010 using the theory
of parameterized complexity suggests that efficient algorithms exist under
reasonable assumptions about workflow specifications. In this paper, we improve
the complexity bounds for the workflow satisfiability problem. We also
generalize and extend the types of constraints that may be defined in a
workflow specification and prove that the satisfiability problem remains
fixed-parameter tractable for such constraints. Finally, we consider
preprocessing for the problem and prove that in an important special case, in
polynomial time, we can reduce the given input into an equivalent one, where
the number of users is at most the number of steps. We also show that no such
reduction exists for two natural extensions of this case, which bounds the
number of users by a polynomial in the number of steps, provided a
widely-accepted complexity-theoretical assumption holds
Constraint Expressions and Workflow Satisfiability
A workflow specification defines a set of steps and the order in which those
steps must be executed. Security requirements and business rules may impose
constraints on which users are permitted to perform those steps. A workflow
specification is said to be satisfiable if there exists an assignment of
authorized users to workflow steps that satisfies all the constraints. An
algorithm for determining whether such an assignment exists is important, both
as a static analysis tool for workflow specifications, and for the construction
of run-time reference monitors for workflow management systems. We develop new
methods for determining workflow satisfiability based on the concept of
constraint expressions, which were introduced recently by Khan and Fong. These
methods are surprising versatile, enabling us to develop algorithms for, and
determine the complexity of, a number of different problems related to workflow
satisfiability.Comment: arXiv admin note: text overlap with arXiv:1205.0852; to appear in
Proceedings of SACMAT 201
Polynomial Kernels and User Reductions for the Workflow Satisfiability Problem
The Workflow Satisfiability Problem (WSP) is a problem of practical interest
that arises whenever tasks need to be performed by authorized users, subject to
constraints defined by business rules. We are required to decide whether there
exists a plan -- an assignment of tasks to authorized users -- such that all
constraints are satisfied.
The WSP is, in fact, the conservative Constraint Satisfaction Problem (i.e.,
for each variable, here called task, we have a unary authorization constraint)
and is, thus, NP-complete. It was observed by Wang and Li (2010) that the
number k of tasks is often quite small and so can be used as a parameter, and
several subsequent works have studied the parameterized complexity of WSP
regarding parameter k.
We take a more detailed look at the kernelization complexity of WSP(\Gamma)
when \Gamma\ denotes a finite or infinite set of allowed constraints. Our main
result is a dichotomy for the case that all constraints in \Gamma\ are regular:
(1) We are able to reduce the number n of users to n' <= k. This entails a
kernelization to size poly(k) for finite \Gamma, and, under mild technical
conditions, to size poly(k+m) for infinite \Gamma, where m denotes the number
of constraints. (2) Already WSP(R) for some R \in \Gamma\ allows no polynomial
kernelization in k+m unless the polynomial hierarchy collapses.Comment: An extended abstract appears in the proceedings of IPEC 201
Tight lower bounds for the Workflow Satisfiability Problem based on the Strong Exponential Time Hypothesis
The Workflow Satisfiability Problem (WSP) asks whether there exists an
assignment of authorized users to the steps in a workflow specification,
subject to certain constraints on the assignment. The problem is NP-hard even
when restricted to just not equals constraints. Since the number of steps
is relatively small in practice, Wang and Li (2010) introduced a
parametrisation of WSP by . Wang and Li (2010) showed that, in general, the
WSP is W[1]-hard, i.e., it is unlikely that there exists a fixed-parameter
tractable (FPT) algorithm for solving the WSP. Crampton et al. (2013) and Cohen
et al. (2014) designed FPT algorithms of running time and
for the WSP with so-called regular and user-independent
constraints, respectively. In this note, we show that there are no algorithms
of running time and for the two
restrictions of WSP, respectively, with any , unless the Strong
Exponential Time Hypothesis fails
Algorithms for the workflow satisfiability problem engineered for counting constraints
The workflow satisfiability problem (WSP) asks whether there exists an
assignment of authorized users to the steps in a workflow specification that
satisfies the constraints in the specification. The problem is NP-hard in
general, but several subclasses of the problem are known to be fixed-parameter
tractable (FPT) when parameterized by the number of steps in the specification.
In this paper, we consider the WSP with user-independent counting constraints,
a large class of constraints for which the WSP is known to be FPT. We describe
an efficient implementation of an FPT algorithm for solving this subclass of
the WSP and an experimental evaluation of this algorithm. The algorithm
iteratively generates all equivalence classes of possible partial solutions
until, whenever possible, it finds a complete solution to the problem. We also
provide a reduction from a WSP instance to a pseudo-Boolean SAT instance. We
apply this reduction to the instances used in our experiments and solve the
resulting PB SAT problems using SAT4J, a PB SAT solver. We compare the
performance of our algorithm with that of SAT4J and discuss which of the two
approaches would be more effective in practice
The Authorization Policy Existence Problem
International audienceConstraints such as separation-of-duty are widely used to specify requirements that supplement basic authorization policies. However, the existence of constraints (and authorization policies) may mean that a user is unable to fulfill her/his organizational duties because access to resources is denied. In short, there is a tension between the need to protect resources (using policies and constraints) and the availability of resources. Recent work on workflow satisfiability and resiliency in access control asks whether this tension compromises the ability of an organization to achieve its objectives. In this paper, we develop a new method of specifying constraints which subsumes much related work and allows a wider range of constraints to be specified. The use of such constraints leads naturally to a range of questions related to“policy existence”, where a positive answer means that an organization’s objectives can be realized. We provide an overview of our results establishing that some policy existence questions, notably for those instances that are restricted to user-independent constraints, are fixed-parameter tractable