Abstract
A workflow specification defines a set of steps, a set of users, and an access control policy. The policy determines which steps a user is authorized to perform and imposes constraints on which sets of users can perform which sets of steps. The workflow satisfiability problem (WSP) is the problem of determining whether there exists an assignment of users to workflow steps that satisfies the policy. Given the computational hardness of WSP and its importance in the context of workflow management systems, it is important to develop algorithms that are as efficient as possible to solve WSP.
In this article, we study the fixed-parameter tractability of WSP in the presence of class-independent constraints, which enable us to (1) model security requirements based on the groups to which users belong and (2) generalize the notion of a user-independent constraint. Class-independent constraints are defined in terms of equivalence relations over the set of users. We consider sets of nested equivalence relations because this enables us to model security requirements in hierarchical organizations. We prove that WSP is fixed-parameter tractable (FPT) for class-independent constraints defined over nested equivalence relations and develop an FPT algorithm to solve WSP instances incorporating such constraints. We perform experiments to evaluate the performance of our algorithm and compare it with that of SAT4J, an off-the-shelf pseudo-Boolean SAT solver. The results of these experiments demonstrate that our algorithm significantly outperforms SAT4J for many instances of WSP.
- American National Standards Institute. 2004. ANSI INCITS 359-2004 for Role Based Access Control. American National Standards Institute.Google Scholar
- Thomas Bartz-Beielstein, Marco Chiarandini, Lus Paquete, and Mike Preuss (Eds.). 2010. Experimental Methods for the Analysis of Optimization Algorithms. Springer. Google Scholar
Digital Library
- David A. Basin, Samuel J. Burri, and Günter Karjoth. 2014. Obstruction-free authorization enforcement: Aligning security and business objectives. J. Comput. Security 22, 5 (2014), 661--698. DOI:http://dx.doi.org/10.3233/JCS-140500Google Scholar
Cross Ref
- Elisa Bertino, Elena Ferrari, and Vijayalakshmi Atluri. 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2, 1 (1999), 65--104. Google Scholar
Digital Library
- D. F. C. Brewer and Michael J. Nash. 1989. The Chinese wall security policy. In IEEE Symposium on Security and Privacy. IEEE Computer Society, 206--214.Google Scholar
- David Cohen, Jason Crampton, Andrei Gagarin, Gregory Gutin, and Mark Jones. 2014. Iterative plan construction for the workflow satisfiability problem. J. Artif. Intel. Res. 51 (2014), 555--577. Google Scholar
Digital Library
- David Cohen, Jason Crampton, Andrei Gagarin, Gregory Gutin, and Mark Jones. 2016. Algorithms for the workflow satisfiability problem engineered for counting constraints. J. Comb. Optim. 32, 1 (2016), 3--24. DOI:10.1007/s10878-015-9877-7 Google Scholar
Digital Library
- Jason Crampton. 2005. A reference monitor for workflow systems with constrained task execution. In 10th Symposium on Access Control Models and Technologies (SACMAT'05), Elena Ferrari and Gail-Joon Ahn (Eds.). ACM, 38--47. Google Scholar
Digital Library
- Jason Crampton, Andrei Gagarin, Gregory Gutin, and Mark Jones. 2015. On the workflow satisfiability problem with class-independent constraints. In 10th International Symposium on Parameterized and Exact Computation (IPEC’15) (Leibniz International Proceedings in Informatics (LIPIcs)), Thore Husfeldt and Iyad Kanj (Eds.), Vol. 43. Schloss Dagstuhl--Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 66--77. DOI:http://dx.doi.org/10.4230/LIPIcs.IPEC.2015.66Google Scholar
- Jason Crampton and Gregory Gutin. 2013. Constraint expressions and workflow satisfiability. In SACMAT, Mauro Conti, Jaideep Vaidya, and Andreas Schaad (Eds.). ACM, 73--84. Google Scholar
Digital Library
- Jason Crampton, Gregory Gutin, and Anders Yeo. 2013. On the parameterized complexity and kernelization of the workflow satisfiability problem. ACM Trans. Inf. Syst. Secur. 16, 1 (2013), 4. Google Scholar
Digital Library
- Jörg Flum and Martin Grohe. 2006. Parameterized Complexity Theory. Springer Verlag. Google Scholar
Digital Library
- Andrei Gagarin, Jason Crampton, Gregory Gutin, Mark Jones, and Magnus Wahlström. 2015. The pattern-backtracking FPT algorithm and experimental data set for the WSP with class-independent constraints. (2015). Figshare. http://dx.doi.org/10.6084/m9.figshare.1603424. Retrieved November 16, 2015.Google Scholar
- Gregory Gutin and Magnus Wahlström. 2016. Tight lower bounds for the workflow satisfiability problem based on the strong exponential time hypothesis. Inf. Process. Lett. 116, 3 (2016), 223--226. Preprint available at http://arxiv.org/abs/1508.06829. Google Scholar
Digital Library
- Daniel Karapetyan, Andrei Gagarin, and Gregory Gutin. 2015. Pattern backtracking algorithm for the workflow satisfiability problem. In Frontiers in Algorithmics 2015 (Lecture Notes in Computer Science). Vol. 9130. Springer, 138--149.Google Scholar
- William Kocay and Donald L. Kreher. 2004. Graphs, Algorithms, and Optimization. Chapman 8 Hall/CRC Press. Google Scholar
Digital Library
- Wendy Myrvold and William Kocay. 2011. Errors in graph embedding algorithms. J. Comput. Syst. Sci. 77, 2 (2011), 430--438. Google Scholar
Digital Library
- Andreas Schaad, Jonathan D. Moffett, and Jeremy Jacob. 2001. The role-based access control system of a European bank: A case study and discussion. In SACMAT. 3--9. DOI:http://dx.doi.org/10.1145/373256.373257 Google Scholar
Digital Library
- Qihua Wang and Ninghui Li. 2010. Satisfiability and resiliency in workflow authorization systems. ACM Trans. Inf. Syst. Secur. 13, 4 (2010), 40. Google Scholar
Digital Library
- Ping Yang, Xing Xie, Indrakshi Ray, and Shiyong Lu. 2014. Satisfiability analysis of workflows with control-flow patterns and authorization constraints. IEEE Trans. Serv. Comput. 7, 2 (2014), 237--251. DOI:http://dx.doi.org/10.1109/TSC.2013.31Google Scholar
Cross Ref
Index Terms
On the Workflow Satisfiability Problem with Class-Independent Constraints for Hierarchical Organizations
Recommendations
Algorithms for the workflow satisfiability problem engineered for counting constraints
The workflow satisfiability problem (WSP) asks whether there exists an assignment of authorized users to the steps in a workflow specification that satisfies the constraints in the specification. The problem is NP-hard in general, but several subclasses ...
Tight lower bounds for the Workflow Satisfiability Problem based on the Strong Exponential Time Hypothesis
The Workflow Satisfiability Problem (WSP) is a problem used in access control.The WSP is parameterized by the number of steps.The WSP is considered for regular and user-independent constraints.Tight lower bounds are proved for WSP algorithms with the ...
Polynomial Kernels and User Reductions for the Workflow Satisfiability Problem
The workflow satisfiability problem (wsp) is a problem of practical interest that arises whenever tasks need to be performed by authorized users, subject to constraints defined by business rules. We are required to decide whether there exists a plan--an ...






Comments