User authorization queries in the context of role-based access control have
attracted considerable interest in the last 15 years. Such queries are used to
determine whether it is possible to allocate a set of roles to a user that
enables the user to complete a task, in the sense that all the permissions
required to complete the task are assigned to the roles in that set. Answering
such a query, in general, must take into account a number of factors,
including, but not limited to, the roles to which the user is assigned and
constraints on the sets of roles that can be activated. Answering such a query
is known to be NP-hard. The presence of multiple parameters and the need to
find efficient and exact solutions to the problem suggest that a multi-variate
approach will enable us to better understand the complexity of the user
authorization query problem (UAQ). In this paper, we establish a number of
complexity results for UAQ. Specifically, we show the problem remains hard even
when quite restrictive conditions are imposed on the structure of the problem.
Our FPT results show that we have to use either a parameter with potentially
quite large values or quite a restricted version of UAQ. Moreover, our second
FPT algorithm is complex and requires sophisticated, state-of-the-art
techniques. In short, our results show that it is unlikely that all variants of
UAQ that arise in practice can be solved reasonably quickly in general.Comment: Accepted for publication in ACM Transactions on Privacy and Security
(TOPS
