A Survey on Workflow Satisfiability, Resiliency, and Related Problems

Workflows specify collections of tasks that must be executed under the
responsibility or supervision of human users. Workflow management systems and
workflow-driven applications need to enforce security policies in the form of
access control, specifying which users can execute which tasks, and
authorization constraints, such as Separation of Duty, further restricting the
execution of tasks at run-time. Enforcing these policies is crucial to avoid
fraud and malicious use, but it may lead to situations where a workflow
instance cannot be completed without the violation of the policy. The Workflow
Satisfiability Problem (WSP) asks whether there exists an assignment of users
to tasks in a workflow such that every task is executed and the policy is not
violated. The WSP is inherently hard, but solutions to this problem have a
practical application in reconciling business compliance and business
continuity. Solutions to related problems, such as workflow resiliency (i.e.,
whether a workflow instance is still satisfiable even in the absence of users),
are important to help in policy design. Several variations of the WSP and
similar problems have been defined in the literature and there are many
solution methods available. In this paper, we survey the work done on these
problems in the past 20 years.

Results in Workflow Resiliency: Complexity, New Formulation, and ASP Encoding

First proposed by Wang and Li in 2007, workflow resiliency is a policy
analysis for ensuring that, even when an adversarial environment removes a
subset of workers from service, a workflow can still be instantiated to satisfy
all the security constraints. Wang and Li proposed three notions of workflow
resiliency: static, decremental, and dynamic resiliency. While decremental and
dynamic resiliency are both PSPACE-complete, Wang and Li did not provide a
matching lower and upper bound for the complexity of static resiliency.
The present work begins with proving that static resiliency is
-complete, thereby bridging a long-standing complexity gap in the
literature. In addition, a fourth notion of workflow resiliency, one-shot
resiliency, is proposed and shown to remain in the third level of the
polynomial hierarchy. This shows that sophisticated notions of workflow
resiliency need not be PSPACE-complete. Lastly, we demonstrate how to reduce
static and one-shot resiliency to Answer Set Programming (ASP), a modern
constraint-solving technology that can be used for solving reasoning tasks in
the lower levels of the polynomial hierarchy. In summary, this work
demonstrates the value of focusing on notions of workflow resiliency that
reside in the lower levels of the polynomial hierarchy.