On the Workflow Satisfiability Problem with Class-Independent Constraints for Hierarchical Organizations

Published: 22 October 2016

Abstract

A workflow specification defines a set of steps, a set of users, and an access control policy. The policy determines which steps a user is authorized to perform and imposes constraints on which sets of users can perform which sets of steps. The workflow satisfiability problem (WSP) is the problem of determining whether there exists an assignment of users to workflow steps that satisfies the policy. Given the computational hardness of WSP and its importance in the context of workflow management systems, it is important to develop algorithms that are as efficient as possible to solve WSP.

In this article, we study the fixed-parameter tractability of WSP in the presence of class-independent constraints, which enable us to (1) model security requirements based on the groups to which users belong and (2) generalize the notion of a user-independent constraint. Class-independent constraints are defined in terms of equivalence relations over the set of users. We consider sets of nested equivalence relations because this enables us to model security requirements in hierarchical organizations. We prove that WSP is fixed-parameter tractable (FPT) for class-independent constraints defined over nested equivalence relations and develop an FPT algorithm to solve WSP instances incorporating such constraints. We perform experiments to evaluate the performance of our algorithm and compare it with that of SAT4J, an off-the-shelf pseudo-Boolean SAT solver. The results of these experiments demonstrate that our algorithm significantly outperforms SAT4J for many instances of WSP.
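The sketch below is an added example, not code from the article or its authors: a plain backtracking search over a constructed WSP instance that mixes a user-independent constraint with class-independent constraints over two nested equivalence relations (teams inside departments). It is not the FPT algorithm the article develops; all user, step and function names are assumptions made for illustration.

```python
# Constructed instance (not from the paper): user -> (department, team); teams nest in departments.
USERS = {
    "alice": ("finance", "ap"),
    "bob": ("finance", "ap"),
    "carol": ("finance", "treasury"),
    "dave": ("it", "ops"),
}
STEPS = ["create", "approve", "pay", "audit"]
AUTH = {  # authorization policy: which users may perform each step
    "create": {"alice", "bob"},
    "approve": {"bob", "carol"},
    "pay": {"alice", "carol"},
    "audit": {"carol", "dave"},
}
# (step1, step2, level, op); level "user" is the identity relation (user-independent).
CONSTRAINTS = [
    ("create", "approve", "user", "!="),  # separation of duty
    ("approve", "pay", "team", "!="),     # different teams
    ("create", "pay", "dept", "="),       # same department
    ("pay", "audit", "dept", "!="),       # audit from another department
]

def cls(user, level):
    """Equivalence class of a user at the given level of the hierarchy."""
    dept, team = USERS[user]
    return {"user": user, "team": (dept, team), "dept": dept}[level]

def consistent(plan, constraints):  # checks only constraints with both steps assigned
    for s1, s2, level, op in constraints:
        if s1 in plan and s2 in plan:
            same = cls(plan[s1], level) == cls(plan[s2], level)
            if same != (op == "="):
                return False
    return True

def solve(steps, auth, constraints, plan=None):
    """Return a satisfying step->user assignment, or None if unsatisfiable."""
    plan = {} if plan is None else plan
    if len(plan) == len(steps):
        return dict(plan)
    step = steps[len(plan)]
    for user in sorted(auth[step]):
        plan[step] = user
        if consistent(plan, constraints):
            found = solve(steps, auth, constraints, plan)
            if found is not None:
                return found
        del plan[step]
    return None
```

Adding the constraint `("approve", "audit", "dept", "=")` makes this instance unsatisfiable, because no authorized auditor can share a department with the approver while differing from the payer's department.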

