Role updating in information systems using model checking

  • Regular Paper
  • Knowledge and Information Systems

Abstract

The role-based access control (RBAC) has significantly simplified the management of users and permissions in information systems. In dynamic environments, systems are constantly undergoing changes, and accordingly, the associated configurations need to be updated in order to reflect the systems’ security evolutions. However, such updating process is generally complicated as the resulting system state is expected to meet necessary constraints. This paper presents an approach for assisting administrators to make a desirable update, in light of changes in RBAC systems. We propose a formalization of the update approach, investigate its properties, and develop an updating algorithm based on model checking techniques. Our experimental results demonstrate the effectiveness of the proposed approach.


Notes

  1. There are other roles, such as students, and other permissions, such as access to printers, but they are of no interest to our examples.

  2. The least privilege principle states that only the permissions necessary to accomplish a job are assigned to a role; a constraint \({}\langle \{r_{}\}, P _{},\varDelta _{}\rangle \) with an appropriate \(\varDelta _{}\) restricts \(r_{}\)’s permissions to a reasonable set. On the other hand, SSOs may render a role useless by associating with it fewer permissions than necessary; SSOs could therefore place a constraint \({}\langle \{r_{}\}, P _{},\varDelta _{}\rangle \) with \( P _{}\) including the essential permissions.

  3. Given two sets A and B, \(A\backslash B=\{a\in A\mid a\not \in B\}\).

  4. This case could happen when, for example, \({}\langle R _{}, P _{},\emptyset \rangle \) is used to control the permission set of a user, who acquires \(p_{}\) merely through \(r_{}\) among all his/her roles.

  5. Note that these are not RBAC states.

  6. We define \(p_{}\models _{\eta } c\) as follows: It always holds that \(p\models _{\eta }\top \), \(p\models _{\eta }r\) if and only if \(p\in \eta (r)\), \(p\models _{\eta } (c_1\wedge c_2)\) if and only if \(p\models _{\eta } c_1\) and \(p\models _{\eta } c_2\), and \(p\models _{\eta } (c_1\vee c_2)\) if and only if \(p\models _{\eta } c_1\) or \(p\models _{\eta } c_2\).

  7. Suppose that \({V}=\{p_{1},p_{2}\}\) such that \(p_{1}\in MP (r_{})\cap \mathrm {max\text {-}perms}_{}[r_{}]\), \(p_{2}\in MP (r_{})\) but \(p_{2}\not \in \mathrm {max\text {-}perms}_{}[r_{}]\). Consider a state \( S '\) where \(\mathrm {perms}_{ S '}[r_{}]=\{p_{1},p_{2}\}\) and no other role set \({R}_{}\) such that \(\mathrm {perms}_{ S '}[{R}_{}]=\{p_{1},p_{2}\}\) exists. If only \({}\langle \{r_{}\},\emptyset , MP (r_{})\rangle \) is required, then \( S '\) would be mistaken as a solution to the \(\mathscr {S}\)-achievability problem. However, \( S '\) actually violates update constraints as \(p_{2}\not \in \mathrm {max\text {-}perms}_{}[r_{}]\).

  8. \(\mathrm {rt}(S)\) denotes the reflexive and transitive closure of the set S.


Acknowledgments

This paper was made possible by Grant NPRP 09-079-1-013 from Qatar National Research Fund (QNRF). The statements made herein are solely the responsibility of the authors.

Corresponding author

Correspondence to Khaled M. Khan.

Appendix: Proofs

1.1 Proof of Lemma 1

The first claim follows from the fact that the two requests share the same update constraints and the same permission assignment demand.

If \(\mathrm {diff}(\mathrm {max}({{C}}), S ')=\emptyset \), then the second claim is obvious. Otherwise suppose, for the sake of contradiction, that \(\mathrm {diff}(\mathrm {max}({{C}}), S ')\not \subset { PA _m}\), which implies that \(\mathrm {diff}(\mathrm {max}({{C}}), S ')\backslash { PA _m}\ne \emptyset \). That is, \( S '\) has all the assignments in \(\mathrm {diff}(\mathrm {max}({{C}}), S ')\backslash PA _m\) apart from a subset of the role-permission assignments of \(\mathrm {max}({{C}})\). Suppose \((r_{},p_{})\in \mathrm {diff}(\mathrm {max}({{C}}), S ')\backslash PA _m\); namely, \((r_{},p_{})\) belongs to \( S '\)’s role-permission relation but \(p_{}\not \in \mathrm {max\text {-}perms}_{}[r_{}]\). From the definition of \(\mathrm {max\text {-}perms}_{}[r_{}]\), it follows that \( S '\) does not satisfy \({C}\), a contradiction.

1.2 Proof of Lemma 2

First note that for roles outside \(\mathsf {dR}\), the permission assignments at \(\langle PA \rangle \) are the same as at \(\langle PA_{can}\rangle \). The “if” part: Suppose that \(\langle PA_{can}\rangle \in \mathrm {sat}(\mathrm {com}({C}))\); we need to prove \(\langle PA \rangle \in \mathrm {sat}({C}_{})\), i.e., that \(\langle PA \rangle \) satisfies every constraint \({}\langle R _{}, P _{},\varDelta _{}\rangle \in {C}\). If \(\varDelta _{}=\emptyset \), then \(\mathrm {com}({}\langle R _{}, P _{},\varDelta _{}\rangle )={}\langle R _{}, P _{},\varDelta _{}\rangle \). As \(\langle PA_{can}\rangle \) satisfies \(\mathrm {com}({}\langle R _{}, P _{},\varDelta _{}\rangle )\) and the roles in \( R _{}\) are not dummy ones, \(\langle PA \rangle \) also satisfies \({}\langle R _{}, P _{},\varDelta _{}\rangle \). Otherwise \(\varDelta _{}\ne \emptyset \). In this case, \(\mathrm {com}({C})\) contains the two constraints \({}\langle R _{}\cup \{\mathsf {dr}\}, P _{}\cup \varDelta _{},\emptyset \rangle \) and \({}\langle \{\mathsf {dr}\},\varDelta _{},\emptyset \rangle \), both of which are satisfied by \(\langle PA_{can}\rangle \). Hence, from the definitions, \(\mathrm {perms}_{\langle PA_{can}\rangle }[ R _{}\cup \{\mathsf {dr}\}]= P _{}\cup \varDelta _{}\) and \(\mathrm {perms}_{\langle PA_{can}\rangle }[\mathsf {dr}]=\varDelta _{}\). Therefore, \( P _{}\subseteq \mathrm {perms}_{\langle PA_{can}\rangle }[ R _{}]= P _{}\cup \varDelta _{}\). Since the roles in \( R _{}\) have the same permission assignments at \(\langle PA \rangle \) as at \(\langle PA_{can}\rangle \), it is true that \( P _{}\subseteq \mathrm {perms}_{\langle PA \rangle }[ R _{}]= P _{}\cup \varDelta _{}\); hence \(\langle PA \rangle \) satisfies the constraint \({}\langle R _{}, P _{},\varDelta _{}\rangle \).

The “only if” part: Suppose that \(\langle PA \rangle \in \mathrm {sat}({C}_{})\); we need to prove \(\langle PA_{can}\rangle \in \mathrm {sat}(\mathrm {com}({C}))\), i.e., that \(\langle PA_{can}\rangle \) satisfies every constraint \({}\langle R _{}, P _{},\emptyset \rangle \in \mathrm {com}({C})\). If \( R _{}\cap \mathsf {dR}=\emptyset \), then \({}\langle R _{}, P _{},\emptyset \rangle \in {C}\). As \(\langle PA \rangle \) satisfies \({}\langle R _{}, P _{},\emptyset \rangle \), so does \(\langle PA_{can}\rangle \). If \( R _{}\subseteq \mathsf {dR}\), then \( R _{}\) must be a singleton set consisting of a dummy role; say, \( R _{}=\{\mathsf {dr}\}\). According to the definitions, \(\mathsf {dr}\) is assigned the permissions in \( P _{}\) in \(\langle PA_{can}\rangle \), so \(\langle PA_{can}\rangle \) satisfies the constraint. Finally, suppose that \( R _{}\cap \mathsf {dR}\ne \emptyset \) and \( R _{}\not \subseteq \mathsf {dR}\), say \( R _{}= R _{}'\cup \{\mathsf {dr}\}\). Then there exists another constraint \({}\langle \{\mathsf {dr}\}, P _{\mathsf {dr}},\emptyset \rangle \in \mathrm {com}({C})\) and a constraint \({}\langle R _{}', P _{}\backslash P _{\mathsf {dr}}, P _{\mathsf {dr}}\rangle \in {C}\). The former is satisfied by \(\langle PA_{can}\rangle \), whereas the latter is satisfied by \(\langle PA \rangle \). Hence, \(\langle PA_{can}\rangle \) also satisfies the constraint \({}\langle R _{}, P _{},\varDelta _{}\rangle \).

1.3 Proof of Theorem 1

Since roles outside \(\mathsf {dR}\) have the same permissions at \(\langle PA \rangle \) as at \(\langle PA_{can}\rangle \), there exists \({R}_{}\subseteq T\) such that \(\mathrm {perms}_{\langle PA \rangle }[{R}_{}]={V}\) if and only if this is also the case at \(\langle PA_{can}\rangle \). Then from Lemma 2, it follows that \(\langle PA \rangle \in \mathsf {upd}{\langle \mathsf {req}\langle S ,{C},{V},T\rangle \rangle }\) if and only if \(\langle PA_{can}\rangle \in \mathsf {upd}{\langle \mathsf {req}\langle S ,\mathrm {com}({C}),{V},T\rangle \rangle }\). Further, from Lemma 1, it holds that \(\mathsf {upd}{\langle \mathsf {req}\langle S ,\mathrm {com}({C}),{V},T\rangle \rangle }=\mathsf {upd}{\langle \mathsf {req}\langle \mathrm {max}(\mathrm {com}({C})),\mathrm {com}({C}),{V},T\rangle \rangle }\). Hence, the claim is true.

1.4 Proof of Theorem 3

While the “if” part is obvious, we prove the “only if” part by construction. Suppose there exists \(r_{}\in \mathsf {R}\backslash {R}_{}\) such that \(\mathrm {perms}_{ S '}[r_{}]\ne \mathrm {perms}_{ S }[r_{}]\). That is, \(\mathrm {perms}_{ S '}[r_{}]\ne \mathrm {max\text {-}perms}_{}[r_{}]\). From Lemma 1, it follows that \(\mathrm {perms}_{ S '}[r_{}]\subset \mathrm {max\text {-}perms}_{}[r_{}]\). We denote by \( S ''\) the state obtained from \( S '\) by associating the permissions in \(\mathrm {max\text {-}perms}_{}[r_{}]\backslash \mathrm {perms}_{ S '}[r_{}]\) with the role \(r_{}\). It can be shown that \( S ''\in \mathsf {upd}\langle \mathsf {req}\langle S ,{C},{V},T\rangle \rangle \). First, since \(r_{}\not \in {R}_{}\), \(\mathrm {perms}_{ S ''}[{R}_{}]=\mathrm {perms}_{ S '}[{R}_{}]={V}\). To verify that \( S ''\) satisfies \({C}\), we need only check that \(\mathrm {perms}_{ S ''}[ R _{}]= P _{}=\mathrm {perms}_{ S }[u_{}]\) for each constraint \({}\langle R _{}, P _{},\varDelta _{}\rangle {}\in {C}\). This follows from the facts that \(\mathrm {perms}_{ S ''}[r_{}]=\mathrm {max\text {-}perms}_{}[r_{}]\) and that the permission assignments of the roles in \( R _{}\backslash \{r_{}\}\) are the same at \( S '\) as at \( S ''\).

On the other hand, suppose that \((r_{},p_{})\in \mathrm {diff}({ S }, S ')\) and \(p_{}\in {V}\). From Lemma 1, each update of \(\mathsf {req}\langle { S },{C},{V},T\rangle \) can only be obtained by removing assignments from \({ S }\); it follows that \((r_{},p_{})\) is not included in \( S '\)’s role-permission relation; namely, \(p_{}\not \in \mathrm {perms}_{ S '}[r_{}]\). We denote by \( S ''\) the state obtained from \( S '\) by associating \(p_{}\) with \(r_{}\). If \(r_{}\in {R}_{}\), it holds that \(\mathrm {perms}_{ S ''}[{R}_{}]={V}\), since \(p_{}\in {V}\). Otherwise \(r_{}\in \mathsf {R}\backslash {R}_{}\). As \((r_{},p_{})\in \mathrm {diff}({ S }, S ')\), we have \(p_{}\in \mathrm {max\text {-}perms}_{}[r_{}]\). As above, the addition of \((r_{},p_{})\) does not contradict any constraint in \({C}\). Hence, \( S ''\) satisfies \({C}\) and \(\mathrm {perms}_{ S ''}[{R}_{}]={V}\). That is, \( S ''\in \mathsf {upd}\langle \mathsf {req}\langle S ,{C},{V},T\rangle \rangle \).
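The objects the proofs of Lemma 1 and Theorem 3 manipulate (\(\mathrm {perms}_{S}[R]\), \(\mathrm {max\text {-}perms}[r]\), \(\mathrm {diff}(S,S')\) and the set of updates of \(\mathsf {req}\langle S,C,V,T\rangle \)) can be made concrete with a small brute-force solver. This is an added example, not the authors' code or their model-checking encoding; the constraint semantics \(P\subseteq \mathrm {perms}_{S}[R]\subseteq P\cup \varDelta \), the definition of max-perms as an intersection, and the sample roles and permissions are assumptions, since the paper's defining sections are not reproduced on this page.

```python
"""Brute-force solver for the update request req<S, C, V, T> used in the proofs
above.  Added example: not the authors' code, nor their NuSMV encoding.

Assumptions (the defining section of the paper is not on this page):
  * an RBAC state S is its role-permission relation PA, stored here as
    {role: frozenset(permissions)};
  * a constraint <R, P, Delta> holds at S iff  P <= perms_S[R] <= P | Delta,
    with perms_S[R] the union of the permission sets of the roles in R;
  * max-perms[r] is the intersection of P | Delta over the constraints whose
    R contains r (every permission if none does); max(C) gives each role
    exactly max-perms[r];
  * by Lemma 1 every update is a subset of max(C), so only those are searched.
"""
from itertools import chain, combinations


def perms_of(state, roles):
    """perms_S[R]: union of the permission sets of the roles in R."""
    return frozenset().union(*(state.get(r, frozenset()) for r in roles))


def satisfies(state, constraints):
    """S satisfies C iff every <R, P, Delta> has P <= perms_S[R] <= P | Delta."""
    return all(P <= perms_of(state, R) <= (P | Delta) for R, P, Delta in constraints)


def max_perms(roles, all_perms, constraints):
    """max-perms[r] for each role (assumed: intersection of P | Delta over r's constraints)."""
    bounds = {}
    for r in roles:
        bound = frozenset(all_perms)
        for R, P, Delta in constraints:
            if r in R:
                bound &= P | Delta
        bounds[r] = bound
    return bounds


def diff(s1, s2):
    """diff(S, S'): symmetric difference of the two role-permission relations."""
    pa1 = {(r, p) for r, ps in s1.items() for p in ps}
    pa2 = {(r, p) for r, ps in s2.items() for p in ps}
    return pa1 ^ pa2


def _subsets(items):
    items = sorted(items)
    return chain.from_iterable(combinations(items, k) for k in range(len(items) + 1))


def updates(S, C, V, T):
    """All updates S' of req<S, C, V, T>: S' satisfies C and some R <= T has perms_S'[R] = V."""
    roles = set(S) | {r for R, _, _ in C for r in R} | set(T)
    all_perms = set(chain.from_iterable(S.values())) | set(V)
    all_perms |= {p for _, P, D in C for p in P | D}
    mx = max_perms(roles, all_perms, C)
    pa_max = [(r, p) for r in sorted(roles) for p in sorted(mx[r])]
    found = []
    for kept in _subsets(pa_max):  # Lemma 1: an update only ever removes assignments from max(C)
        state = {r: frozenset() for r in roles}
        for r, p in kept:
            state[r] |= {p}
        if satisfies(state, C) and any(perms_of(state, R) == V for R in _subsets(T)):
            found.append(state)
    return found


def closest_update(S, C, V, T):
    """The update changing the fewest assignments of S, as (state, diff), or None if none exists."""
    candidates = updates(S, C, V, T)
    if not candidates:
        return None
    best = min(candidates, key=lambda s: len(diff(S, s)))
    return best, diff(S, best)


# Constructed sample (hospital-style roles); not data taken from the paper.
READ, WRITE, RX = "read_record", "write_record", "prescribe"
EXAMPLE_STATE = {
    "doctor": frozenset({READ, WRITE, RX}),
    "nurse": frozenset({READ, WRITE}),
    "intern": frozenset({READ}),
}
# <R, P, Delta>: the roles in R must jointly hold P and may hold Delta on top.
EXAMPLE_CONSTRAINTS = [
    (frozenset({"doctor"}), frozenset({READ, RX}), frozenset({WRITE})),
    (frozenset({"nurse"}), frozenset({READ}), frozenset({WRITE})),
    (frozenset({"intern"}), frozenset(), frozenset({READ})),
]
EXAMPLE_TARGETS = frozenset({"doctor", "nurse", "intern"})

if __name__ == "__main__":
    # Some target roles should jointly hold exactly {read, prescribe}: drop write from doctor.
    print(closest_update(EXAMPLE_STATE, EXAMPLE_CONSTRAINTS, frozenset({READ, RX}), EXAMPLE_TARGETS))
    # Infeasible: the doctor constraint forces read alongside prescribe, so no update exists.
    print(closest_update(EXAMPLE_STATE, EXAMPLE_CONSTRAINTS, frozenset({RX}), EXAMPLE_TARGETS))
```

The enumeration is exponential in the size of max(C) and is meant only to make the definitions checkable on small inputs; the paper's model checker replaces this search.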

1.5 Proof of Theorem 4

By \(\mathrm {diff}( S ,{ S '})=\mathrm {diff}(\mathbb {F}_{{R}_{}}( S ), S '_f)\), we mean that, in order to obtain \({ S '}\), the changes taking \(\mathbb {F}_{{R}_{}}( S )\) to \( S '_f\) are also implemented at \( S \). Then roles in \(\mathsf {R}_{{R}_{}}\) have the same permission assignments at \({ S '}\) as at \( S '_f\), whereas roles in \(\mathsf {R}\backslash \mathsf {R}_{{R}_{}}\) have the same assignments at \({ S '}\) as at \( S \).

Since \( S '_f\) is an update of \(\mathbb {F}_{{R}_{}}(Q_{})\), there exists \({R}_{1}\subseteq {R}_{}\) such that \(\mathrm {perms}_{ S '_f}[{R}_{1}]={V}\). As a consequence, \(\mathrm {perms}_{{ S '}}[{R}_{1}]={V}\). Next we show that \({ S '}\) satisfies \({C}\). For a constraint \({}\langle R _{}, P _{},\emptyset \rangle \in {C}\), we differentiate three cases.

  1. Case \( R _{}\cap \mathsf {R}_{{R}_{}}=\emptyset \): In this case, roles in \( R _{}\) are assigned the same permissions at \({ S '}\) as at \( S \). Hence, \({ S '}\) satisfies this constraint.

  2. Case \( R _{}\subseteq \mathsf {R}_{{R}_{}}\): In this case, the constraint is included in the set \(\mathbb {F}_{{R}_{}}({C})\). Thus, it is satisfied by \( S '_f\). Recall that roles in \( R _{}\) have the same permission sets at \({ S '}\) as at \( S '_f\). Consequently, \({ S '}\) also satisfies the constraint.

  3. Case \( R _{}\not \subseteq \mathsf {R}_{{R}_{}}\) and \( R _{}\cap \mathsf {R}_{{R}_{}}\ne \emptyset \): That means \( R _{}\) consists of two subsets \( R _{1}\) and \( R _{2}\), where \( R _{1}\subseteq \mathsf {R}\backslash \mathsf {R}_{{R}_{}}\) and \( R _{2}\subseteq \mathsf {R}_{{R}_{}}\backslash {R}_{}\). Note that in this case there does not exist \(r_{}\in R _{}\) such that \(r_{}\in {R}_{}\), because otherwise \( R _{}\subseteq \mathsf {R}_{{R}_{}}\) by definition. On the one hand, the permission assignments of roles in \( R _{1}\) cannot violate the constraint, as they remain the same as at \( S \). On the other hand, for each role \(r_{}\in R _{2}\), a constraint \({}\langle \{r_{}\},\mathrm {perms}_{ S }[r_{}],\emptyset \rangle \) is enforced in \(\mathbb {F}_{{R}_{}}({C})\). From the fact that \( S '_f\) satisfies \(\mathbb {F}_{{R}_{}}({C})\), it follows that the permission assignments of \( R _{2}\) do not contradict the constraint. Therefore, \({ S '}\) satisfies the constraint.

1.6 Proof of Theorem 5

By \(\mathrm {diff}(\mathbb {F}_{{R}_{}}( S ), S '_f)=\mathrm {diff}( S ,{ S '})\), we mean that, in order to obtain \( S '_f\), the changes taking \( S \) to \( S '\) are also implemented at \(\mathbb {F}_{{R}_{}}( S )\). Then roles in \(\mathsf {R}_{{R}_{}}\) at \({ S '_f}\) have the same permission assignments as at \( S '\), whereas roles in \(\mathsf {R}\backslash \mathsf {R}_{{R}_{}}\) at \({ S '_f}\) have the same assignments as at \(\mathbb {F}_{{R}_{}}( S )\).

Since \(\mathrm {perms}_{ S '}[{R}_{0}]={V}\), \({R}_{}\supseteq {R}_{0}\), and the permission assignments of roles in \({R}_{}\) are the same at \({ S '_f}\) as at \( S '\), it holds that \(\mathrm {perms}_{ S '_f}[{R}_{0}]={V}\). We proceed to show that \( S '_f\) satisfies the constraints in \(\mathbb {F}_{{R}_{}}({C})\). Recall that \(\mathbb {F}_{{R}_{}}({C})=\{{}\langle R _{}, P _{},\varDelta _{}\rangle {}\in {C}\mid R _{}\subseteq \mathsf {R}_{{R}_{}}\}\cup \{{}\langle \{r_{}\},\mathrm {perms}_{ S }[r_{}],\emptyset \rangle \mid r_{}\in \mathsf {R}_{{R}_{}}\backslash {R}_{}\}\). As in the proof of Theorem 4, since roles in \(\mathsf {R}_{{R}_{}}\) have the same permissions at \( S '_f\) as at \( S '\), and \( S '\) satisfies all constraints in \({C}\), \( S '_f\) satisfies the constraints in \(\{{}\langle R _{}, P _{},\varDelta _{}\rangle {}\in {C}\mid R _{}\subseteq \mathsf {R}_{{R}_{}}\}\). For the constraints in \(\{{}\langle \{r_{}\},\mathrm {perms}_{ S }[r_{}],\emptyset \rangle \}\), note that \(\mathrm {perms}_{ S '}[r_{}]=\mathrm {perms}_{ S }[r_{}]\) for \(r_{}\in \mathsf {R}\backslash {R}_{0}\) by the condition of the claim. Hence, \( S '_f\) also satisfies these constraints. To sum up, \( S '_f\) is an update of \(\mathbb {F}_{{R}_{}}(Q_{})\).

1.7 Proof of Corollary 1

We prove the first point. The “only if” part is obvious from Theorem 4. For the “if” part, suppose that \(\mathsf {upd}\langle \mathsf {req}\langle S ,{C},{V},T\rangle \rangle \ne \emptyset \). According to Theorem 3, there is an update \( S '\) such that \(\mathrm {perms}_{ S '}[{R}_{}]={V}\) and \(\mathrm {perms}_{ S '}[r_{}]=\mathrm {perms}_{ S }[r_{}]\) for \(r_{}\in \mathsf {R}\backslash {R}_{}\). Observe that it is always true that \({R}_{}\subseteq \mathrm {core}( S ,{V})\). Then from Theorem 5, there is an update of \(\mathbb {F}_{\mathrm {core}( S ,{V})}(Q_{})\).

The second point is an obvious corollary of Theorem 4.

1.8 Proof of Corollary 2

While the “only if” part is obvious from Theorem 4, we prove the “if” part of the first claim. Suppose that \( S '\in \mathsf {upd}\langle \mathsf {req}\langle S ,{C},{V},T\rangle \rangle \) and that \(\mathrm {perms}_{ S '}[{R}_{}]={V}\). If there exists \(D\in \mathscr {D}_{}\) such that \({R}_{}\subseteq D\), then the proof is done, since, according to Theorem 5, we have \(\mathsf {upd}\langle \mathsf {req}\langle \mathbb {F}_{D}( S ),\mathbb {F}_{D}({C}),{V},T\rangle \rangle \ne \emptyset \). Otherwise, for all \(D\in \mathscr {D}_{}\), it is true that \({R}_{}\not \subseteq D\). However, as \(\mathrm {perms}_{ S '}[{R}_{}]={V}\), it holds that \({V}{}\subseteq \mathrm {perms}_{ S }[{R}_{}]\) (for \(Q_{}\) is normalized). Then there must exist \(D\in \mathscr {D}_{}\) such that \(D\subseteq {R}_{}\), for otherwise \(\mathscr {D}_{}\) would not be a decomposition (as a result of condition 3). Split \({R}_{}\) into two proper subsets \({R}_{1}\) and \({R}_{2}\), where \({R}_{1}=D\) and \({R}_{2}={R}_{}\backslash {R}_{1}\). We now show that, based on \( S '\), one can construct an update \( S '_{1}\) of \(Q_{}\) such that \(\mathrm {perms}_{ S '_{1}}[{R}_{1}]={V}\). Let \( S '_{1}\) be the same as \( S '\) except for the permission assignments of roles in \({R}_{}\): for \(r_{}\in {R}_{1}\), let \(\mathrm {perms}_{ S '_{1}}[r_{}]=\mathrm {perms}_{ S }[r_{}]\cap {V}\), and for \(r_{}\in {R}_{2}\), let \(\mathrm {perms}_{ S '_{1}}[r_{}]=\mathrm {perms}_{ S }[r_{}]\). Observe that for every role \(r_{}\in {R}_{}\), \(\mathrm {perms}_{ S '}[r_{}]\subseteq \mathrm {perms}_{ S '_{1}}[r_{}]\subseteq \mathrm {max\text {-}perms}_{}[r_{}]\). From the fact that \( S '\) satisfies the constraints in \({C}\), it follows that \( S '_{1}\) satisfies \({C}\) as well. It can also be shown that \(\mathrm {perms}_{ S '_{1}}[{R}_{1}]={V}\). Since \(D\in \mathscr {D}_{}\) and \({R}_{1}=D\), it holds that \({V}\subseteq \mathrm {perms}_{ S }[{R}_{1}]\). From the fact that \(\mathrm {perms}_{ S '_{1}}[r_{}]=\mathrm {perms}_{ S }[r_{}]\cap {V}\) for any \(r_{}\in {R}_{1}\), it follows that \(\mathrm {perms}_{ S '_{1}}[{R}_{1}]={V}\). Hence \( S '_{1}\) is an update of \(Q_{}\). As above, we have \(\mathsf {upd}\langle \mathsf {req}\langle \mathbb {F}_{D}( S ),\mathbb {F}_{D}({C}),{V},T\rangle \rangle \ne \emptyset \) for \(D={R}_{1}\).

The second point is a straightforward corollary of Theorem 4.

1.9 Proof of Theorem 6

Suppose that \( S '\in \mathsf {upd}\langle \mathsf {req}\langle S ,{C},{V},T\rangle \rangle \). Then \( S '\) satisfies \({C}\) and there exists \({R}_{}\subseteq T\) such that \(\mathrm {perms}_{ S '}[{R}_{}]={V}\). Then there is a state \(A_{ S '}\in S_{Q_{}}\) such that,

  • \(x\textsf {-}r_{}\textsf {-}p_{}\in A_{ S '}\) if and only if \(p_{}\in \mathrm {perms}_{ S '}[r_{}]\), and

  • \(y\textsf {-}{r_{}}\in A_{ S '}\) for all \(r_{}\in {R}_{}\).

Since \(\varTheta _{Q_{}}=S_{Q_{}}\times S_{Q_{}}\), the transition from \(A_{ S }\) to \(A_{ S '}\) is a counter-example of \(\varPhi _{Q_{}}\). Hence, \(I_{Q_{}}\not \subseteq \{s\in S_{Q_{}}\mid (M_{Q_{}},s)\models \varPhi _{Q_{}}\}\).

On the other hand, suppose that \((M_{Q_{}},A_{ S })\not \models \varPhi _{Q_{}}\). Then there is a path \([s_0, s_1, \ldots , s_\ell ]\) such that \(s_0=A_{ S }\) and \((M_{Q_{}},s_\ell )\models \)(6). As \(\varTheta _{Q_{}}=S_{Q_{}}\times S_{Q_{}}\), this path can be shortened to \([s_0,s_\ell ]\). From \(s_\ell \), we derive an RBAC state \( S '\) and a set \({R}_{}\) of roles:

  • \( S '=\langle PA '\rangle \) such that \((r_{},p_{})\in PA '\) if and only if \(x\textsf {-}r_{}\textsf {-}p_{}\in s_{\ell }\cap Pr_x\);

  • \(r_{}\in {R}_{}\) if and only if \(y\textsf {-}{r_{}}\in s_{\ell }\cap Pr_y\).

From the fact that \(s_\ell \in S_{Q_{}}\), it follows that formula (2) is true in \(s_\ell \). Consequently, \( S '\) satisfies \({C}\). From \((M_{Q_{}},s_\ell )\models \)(6), it holds that \(\mathrm {perms}_{ S '}[{R}_{}]={V}\). Therefore, \( S '\in \mathsf {upd}\langle \mathsf {req}\langle S ,{C},{V},T\rangle \rangle \).

1.10 Proof of Theorem 7

Suppose that \( S '\in \mathsf {upd}_{\mathscr {S}}\langle \mathsf {req}\langle S ,{C},{V},T\rangle \rangle \); then \( S '\in \mathsf {req}\langle S ,{C},{V},T\rangle \) and \( S \xrightarrow []{*}_{\mathscr {S}} S '\). From \( S '\in \mathsf {req}\langle S ,{C},{V},T\rangle \), it follows that \( S '\) satisfies \({C}\) and that there exists \({R}_{}\subseteq T\) such that \(\mathrm {perms}_{ S '}[{R}_{}]={V}\). If we can show that \( S '\) satisfies \({C}(\mathscr {S})\) as well, then \( S '\in \mathsf {upd}{\langle \mathsf {req}\langle S ,{C}\cup {C}(\mathscr {S}),{V},T\rangle \rangle }\). \({C}(\mathscr {S})\) consists of two sets of constraints. The first set contains the constraint \({}\langle \{r_{}\},\emptyset , MP (r_{})\cap \mathrm {max\text {-}perms}_{}[r_{}]\rangle \) for each \(r_{}\in \mathsf {R}\). \( S '\) meets such a constraint if and only if \(\mathrm {perms}_{ S '}[r_{}]\subseteq MP (r_{})\cap \mathrm {max\text {-}perms}_{}[r_{}]\), i.e., \(\mathrm {perms}_{ S '}[r_{}]\subseteq \mathrm {max\text {-}perms}_{}[r_{}]\) and \(\mathrm {perms}_{ S '}[r_{}]\subseteq MP (r_{})\). The former follows from the fact that \( S '\in \mathsf {req}\langle S ,{C},{V},T\rangle \). For the latter, as \( S \xrightarrow []{*}_{\mathscr {S}} S '\), the definition of \( MP (r_{})\) gives \(\mathrm {perms}_{ S '}[r_{}]\subseteq MP (r_{})\). The second set contains a constraint \({}\langle \{r_{}\},\mathrm {perms}_{ S }[r_{}],\mathsf {P}\rangle \) for each role \(r_{}\) such that \(\varPsi ^{-}_{\mathscr {S}}({r_{}})\ne \emptyset \). That is, no permission may be revoked from such a role when migrating from \( S \) to \( S '\). \( S '\) satisfies these constraints because \( S \xrightarrow []{*}_{\mathscr {S}} S '\). Hence, \( S '\) satisfies all constraints in \({C}(\mathscr {S})\).

On the other hand, suppose that \( S '\in \mathsf {upd}{\langle \mathsf {req}\langle S ,{C}\cup {C}(\mathscr {S}),{V},T\rangle \rangle }\). It is obvious that \( S '\in \mathsf {upd}{\langle \mathsf {req}\langle S ,{C},{V},T\rangle \rangle }\). We now prove \( S \xrightarrow []{*}_{\mathscr {S}} S '\). Suppose that \( S =\langle PA \rangle \) and \( S '=\langle PA '\rangle \).

We discuss the assignments \((r, p) \in \mathrm{diff}(S, S')\). If \((r, p) \in PA\), then \((r, p) \not\in PA'\); in other words, the permission \( p \) is revoked from the role \( r \). Suppose, for the sake of contradiction, that no rule in \(\varPsi^{-}_{\mathscr{S}}(r)\) permits this revocation, i.e., \(\varPsi^{-}_{\mathscr{S}}(r) = \emptyset\). Then the constraint \(\langle \{r\}, \mathrm{perms}_{S}[r], \mathsf{P}\rangle\) is included in \( C(\mathscr{S}) \). However, \( S' \) does not satisfy this constraint, since \( p \not\in \mathrm{perms}_{S'}[r] \) while \( p \in \mathrm{perms}_{S}[r] \). We reach a contradiction. Therefore, \( S \xrightarrow{*}_{\mathscr{S}} S' \).

If \((r, p) \not\in PA\), then \((r, p) \in PA'\); in other words, \( p \) is added to \( r \)'s permission set. Then \(\varPsi^{+}_{\mathscr{S}}(r) \ne \emptyset\). In this case, because of the constraint \(\langle \{r\}, \emptyset, MP(r) \cap \mathrm{max\text{-}perms}[r]\rangle \in C(\mathscr{S})\), the permission \( p \) belongs to \( MP(r) \). From the definition of \( MP(r) \), there must be a rule \(\langle ar, c, r\rangle \in \varPsi^{+}_{\mathscr{S}}(r)\) such that either \( p \models_{S} c \) or there exists \( S_1 \) such that \( S \xrightarrow{*} S_1 \), \( S_1 \xrightarrow{*} S' \), and \( p \models_{S_1} c \). If \( p \models_{S} c \), then \( S \xrightarrow{*} S' \) holds. Otherwise, the transitions in \( S \xrightarrow{*} S_1 \) assign the necessary permissions to roles until \( c \) is satisfied; from the definition of \( MP(r) \), this can be done. The transitions in \( S_1 \xrightarrow{*} S' \) apply the rule \(\langle ar, c, r\rangle\) and revoke the permissions that were assigned previously. Recall the assumption that \(\varPsi^{-}_{\mathscr{S}}(r) \ne \emptyset\) as long as \(\varPsi^{+}_{\mathscr{S}}(r) \ne \emptyset\). Thus the actions that take \( S_1 \) to \( S' \) are all allowed. Hence, \( S \xrightarrow{*} S' \).
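The following Python checker is an added illustration of the argument above, not code from the paper: it builds the constraint set \( C(\mathscr{S}) \) from a state and its revocation rules and tests candidate states against a request. It assumes that a constraint \(\langle R, P, \varDelta\rangle\) means \( P \subseteq \mathrm{perms}[R] \subseteq \varDelta \), that \( MP(r) \) and \(\mathrm{max\text{-}perms}[r]\) are supplied as precomputed inputs, and that the request's own constraint set \( C \) is empty; the roles, permissions and rule names are constructed placeholders.

```python
from itertools import combinations

# Constraint <R, P, Delta> is read as P ⊆ perms[R] ⊆ Delta (assumed reading of the
# paper's notation; MP(r) and max-perms[r] are taken as precomputed inputs).

def perms_of(PA, roles):
    """perms_S[R]: permissions assigned to any role in R under assignment PA."""
    return {p for (r, p) in PA if r in roles}

def satisfies(PA, constraints):
    """True iff every constraint <R, P, Delta> holds: P ⊆ perms[R] ⊆ Delta."""
    return all(set(P) <= perms_of(PA, set(R)) <= set(Delta)
               for (R, P, Delta) in constraints)

def in_req(PA, constraints, V, T):
    """S' ∈ req<S, C, V, T>: S' satisfies C and some R ⊆ T has perms[R] = V."""
    if not satisfies(PA, constraints):
        return False
    roles = sorted(T)
    return any(perms_of(PA, set(R)) == set(V)
               for k in range(len(roles) + 1) for R in combinations(roles, k))

def rule_constraints(PA, roles, all_perms, MP, max_perms, psi_minus):
    """C(S) from the proof: an upper bound MP(r) ∩ max-perms[r] for every role, and
    for every role with no revocation rule (Ψ⁻(r) = ∅) the lower bound perms_S[r]."""
    C = {(frozenset({r}), frozenset(), frozenset(MP[r] & max_perms[r])) for r in roles}
    for r in roles:
        if not psi_minus.get(r):        # no revocation rule: nothing may be revoked
            C.add((frozenset({r}), frozenset(perms_of(PA, {r})), frozenset(all_perms)))
    return C

# Constructed sample: two roles, three permissions, a revocation rule for manager only.
ROLES = {"manager", "clerk"}
PERMS = {"read", "write", "approve"}
S = {("manager", "read"), ("manager", "write"), ("clerk", "read")}
MP = {"manager": PERMS, "clerk": {"read"}}            # reachable permissions (assumed)
MAX_PERMS = {"manager": PERMS, "clerk": PERMS}
PSI_MINUS = {"manager": ["revoke-any"], "clerk": []}  # rule names are placeholders
C_S = rule_constraints(S, ROLES, PERMS, MP, MAX_PERMS, PSI_MINUS)

V, T = {"read", "write", "approve"}, {"manager"}
S_grant = S | {("manager", "approve")}                # reachable: admissible
S_revoke = S_grant - {("clerk", "read")}              # clerk has no revocation rule
S_over = S_grant | {("clerk", "write")}               # write is not in MP(clerk)

if __name__ == "__main__":
    for name, PA in [("grant", S_grant), ("revoke", S_revoke), ("over", S_over)]:
        print(name, in_req(PA, C_S, V, T))   # grant True, revoke False, over False
```

The revoked and over-assigned candidates fail exactly the two constraint kinds the proof uses, so filtering by \( C \cup C(\mathscr{S}) \) rejects the states that are not reachable from \( S \).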

1.11 Proof of Theorem 8

Suppose that \( S' \in \mathsf{upd}\langle \mathsf{req}\langle S_1, C_1, V, T\rangle\rangle \) but \( S' \not\in \mathsf{upd}\langle \mathsf{req}\langle S_2, C_2, V, T\rangle\rangle \). Since \( C_1 = C_2 \), it holds that \(\mathrm{comp}(C_1) = \mathrm{comp}(C_2)\). From \( S' \in \mathrm{comp}(C_1) \), it follows that \( S' \in \mathrm{comp}(C_2) \). Then, from the assumption \( S' \not\in \mathsf{upd}\langle \mathsf{req}\langle S_2, C_2, V, T\rangle\rangle \), there does not exist a set \( R \subseteq T \) such that \(\mathrm{perms}_{S'}[R] = V\), a contradiction with \( S' \in \mathsf{upd}\langle \mathsf{req}\langle S_1, C_1, V, T\rangle\rangle \).

1.12 Proof of Theorem 9

Suppose \( S'_2 \in \mathsf{upd}\langle \mathsf{req}\langle S, C_2, V, T\rangle\rangle \). That is, \( S'_2 \) is \( C_2 \)-satisfying and there exists \( R \subseteq T \) such that \(\mathrm{perms}_{S'_2}[R] = V\). Let \( S'_1 = \mathrm{flat}(S'_2) \). From the definitions, since \( RH_2 = newRH_2 \), it holds that, for all \((r', r) \in newRH_2\) and \( p \in S.P \), \((r, p) \in PA_1 \implies (r', p) \in PA_1\). Also, for any user \( u \in \mathsf{U} \) and any role \( r \in \mathsf{R} \), \(\mathrm{roles}_{S'_1}[u] = \mathrm{roles}_{S'_2}[u]\) and \(\mathrm{perms}_{S'_1}[r] = \mathrm{perms}_{S'_2}[r]\). Hence, \(\mathrm{perms}_{S'_1}[R] = V\) and, from \( newRH_1 = \emptyset \), it follows that \( S'_1 \) is also \( C_1 \)-satisfying. That is, \( S'_1 \in \mathsf{upd}\langle \mathsf{req}\langle S, C_1, V, T\rangle\rangle \).

On the other hand, suppose that \( S'_1 \in \mathsf{upd}\langle \mathsf{req}\langle S, C_1, V, T\rangle\rangle \) such that \((r, p) \in PA_1 \implies (r', p) \in PA_1\) for all \((r', r) \in newRH_2\) and \( p \in \mathsf{P} \). Then we can construct a state \( S'_2 \) such that \(\mathrm{flat}(S'_2) = S'_1\) and \( RH_2 = newRH_2 \). Since users have the same roles and roles have the same permissions in \( S'_1 \) and \( S'_2 \), \( S'_2 \) is \( C_2 \)-satisfying and there exists \( R \subseteq T \) such that \(\mathrm{perms}_{S'_2}[R] = V\). That is, \( S'_2 \in \mathsf{upd}\langle \mathsf{req}\langle S, C_2, V, T\rangle\rangle \). This completes the proof.

Cite this article

Hu, J., Khan, K.M., Zhang, Y. et al. Role updating in information systems using model checking. Knowl Inf Syst 51, 187–234 (2017). https://doi.org/10.1007/s10115-016-0974-4
