Abstract
Recent work has shown that many problems of satisfiability and resiliency in workflows may be viewed as special cases of the authorization policy existence problem (APEP), which returns an authorization policy if one exists and “No” otherwise. However, in many practical settings it would be more useful to obtain a “least bad” policy than just a “No,” where “least bad” is characterized by some numerical value indicating the extent to which the policy violates the base authorization relation and constraints. Accordingly, we introduce the Valued APEP, which returns an authorization policy of minimum weight, where the (non-negative) weight is determined by the constraints violated by the returned solution.
We then establish a number of results concerning the parameterized complexity of Valued APEP. We prove that the problem is fixed-parameter tractable (FPT) if the set of constraints satisfies two restrictions, but is intractable if only one of these restrictions holds. (Most constraints known to be of practical use satisfy both restrictions.) Our analysis is based on the novel concept of a user profile.
We also introduce a new type of resiliency problem in the context of workflow satisfiability, show how it can be addressed using Valued APEP, and use this to build a set of benchmark instances for Valued APEP. We describe two different formulations of this problem using mixed integer programming and report the results of computational experiments which solve the problem using these formulations as input to a general-purpose solver. Our results show that the formulation which employs the user profile concept, has FPT-like running time and usually significantly outperforms our naive formulation of the problem.
- [1] . 2012. Optimal workflow-aware authorizations. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies. ACM, 93–102.Google Scholar
Digital Library
- [2] . 2020. The authorization policy existence problem. IEEE Trans. Depend. Secure Comput. 17, 6 (2020), 1333–1344.Google Scholar
Cross Ref
- [3] . 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2, 1 (1999), 65–104.Google Scholar
Digital Library
- [4] . 2015. Automated synthesis of run-time monitors to enforce authorization policies in business processes. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. ACM, 297–308.Google Scholar
Digital Library
- [5] . 2018. Solving multi-objective workflow satisfiability problems with optimization modulo theories techniques. In Proceedings of the 23rd ACM on Symposium on Access Control Models and Technologies. ACM, 117–128.Google Scholar
Digital Library
- [6] . 2011. Risk-aware role-based access control. In Proceedings of the International Workshop on Security and Trust Management(
Lecture Notes in Computer Science , Vol. 7170). Springer, 140–156.Google Scholar - [7] . 2014. Iterative plan construction for the workflow satisfiability problem. J. Artif. Intell. Res. 51 (2014), 555–577.
DOI: Google ScholarCross Ref
- [8] . 2005. Supermodular functions and the complexity of MAX CSP. Discret. Appl. Math. 149, 1–3 (2005), 53–72.
DOI: Google ScholarCross Ref
- [9] . 2021. Valued authorization policy existence problem. In Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. ACM, 83–94.
DOI: Google ScholarDigital Library
- [10] . 2016. Resiliency policies in access control revisited. In Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies. ACM, 101–111.
DOI: Google ScholarDigital Library
- [11] . 2013. On the parameterized complexity and kernelization of the workflow satisfiability problem. ACM Trans. Inf. Syst. Secur. 16, 1 (2013), 4.
DOI: Google ScholarDigital Library
- [12] . 2015. Valued workflow satisfiability problem. In Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. ACM, 3–13.Google Scholar
Digital Library
- [13] . 2017. The bi-objective workflow satisfiability problem and workflow resiliency. J. Comput. Secur. 25, 1 (2017), 83–115.Google Scholar
Cross Ref
- [14] . 2015. Parameterized Algorithms. Springer.Google Scholar
Cross Ref
- [15] . 2004. Using trust and risk in role-based access control policies. In Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. ACM, 156–162.Google Scholar
- [16] . 2017. Automatically finding execution scenarios to deploy security-sensitive workflows. J. Comput. Secur. 54, 3 (2017), 255–282.Google Scholar
- [17] . 2013. Fundamentals of Parameterized Complexity. Springer.Google Scholar
Cross Ref
- [18] . 2019. Results in workflow resiliency: Complexity, new formulation, and ASP encoding. In Proceedings of the ACM Conference on Data and Application Security and Privacy. ACM, 185–196.Google Scholar
Digital Library
- [19] . 1999. Complexity of k-SAT. In Computational Complexity Conference. IEEE Computer Society, 237–240.Google Scholar
Cross Ref
- [20] . 2001. Extremal Combinatorics—with Applications in Computer Science. Springer, Berlin.Google Scholar
Cross Ref
- [21] . 2021. Solving the workflow satisfiability problem using general purpose solvers. arXiv:2105.03273 (2021).Google Scholar
- [22] . 2019. Pattern-based approach to the workflow satisfiability problem with user-independent constraints. J. Artif. Intell. Res. 66 (2019), 85–122.
DOI: Google ScholarCross Ref
- [23] . 1956. Variants of the Hungarian method for assignment problems. Naval Res. Logist. Quart. 3, 4 (1956), 253–258.Google Scholar
Cross Ref
- [24] . 2009. Resiliency policies in access control. ACM Trans. Inf. Syst. Secur. 12, 4 (2009).Google Scholar
Digital Library
- [25] . 2011. Lower bounds based on the exponential time hypothesis. Bull. EATCS 105 (2011), 41–72.Google Scholar
- [26] . 2014. Quantitative workflow resiliency. In Proceedings of the European Symposium on Research in Computer Security(
Lecture Notes in Computer Science , Vol. 8712). Springer, 344–361.Google ScholarDigital Library
- [27] . 2014. Rumpole: An introspective break-glass access control language. ACM Trans. Inf. Syst. Secur. 17, 1 (2014), 2:1–2:32.Google Scholar
Digital Library
- [28] . 2014. Break-Glass—Handling Exceptional Situations in Access Control. Springer.Google Scholar
- [29] . 1978. The complexity of satisfiability problems. In Proceedings of the 10th Annual ACM Symposium on Theory of Computing (STOC’78). Association for Computing Machinery, New York, NY, 216–226.
DOI: Google ScholarDigital Library
- [30] . 2010. Satisfiability and resiliency in workflow authorization systems. ACM Trans. Inf. Syst. Secur. 13, 4 (2010), 40.Google Scholar
Digital Library
- [31] . 2019. Last man standing: Static, decremental and dynamic resiliency via controller synthesis. J. Comput. Secur. 27, 3 (2019), 343–373.Google Scholar
Digital Library
Index Terms
Valued Authorization Policy Existence Problem: Theory and Experiments
Recommendations
The Authorization Policy Existence Problem
CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and PrivacyConstraints such as separation-of-duty are widely used to specify requirements that supplement basic authorization policies. However, the existence of constraints (and authorization policies) may mean that a user is unable to fulfill her/his ...
Valued Authorization Policy Existence Problem
SACMAT '21: Proceedings of the 26th ACM Symposium on Access Control Models and TechnologiesProblems of satisfiability and resiliency in workflows have been widely studied in the last decade. Recent work has shown that many such problems may be viewed as special cases of the authorization policy existence problem (APEP), which returns an ...
Policy administration in tag-based authorization
FPS'12: Proceedings of the 5th international conference on Foundations and Practice of SecurityTag-Based Authorization (TBA) is a hybrid access control model that combines the ease of use of extensional access control models with the expressivity of logic-based formalisms. The main limitation of TBA is that it lacks support for policy ...






Comments