Towards complexity analysis of User Authorization Query problem in RBAC
Introduction
Role based access control (RBAC) has established itself as a well-accepted alternative to the traditional discretionary and mandatory access control (DAC and MAC) models (ANSI, 2004). In RBAC, permissions are not assigned directly to users but to roles; users obtain permissions through roles. The notion of a role provides a level of indirection that simplifies fine-grained privilege management. Several beneficial features, such as policy neutrality, support for least privilege and efficient access control management, are associated with RBAC models. Such features make RBAC better suited for handling the access control requirements of diverse organizations (Joshi et al., 2008).
A fundamental problem in RBAC is determining the set of roles that should be activated in order to allow a user to acquire the set of permissions he has requested. That is, given an input set of permissions that a user requests in a session to achieve a particular task in an RBAC system, the problem is to determine whether there exists an optimum set of roles to activate in the session. Zhang et al. introduce it as the User Authorization Query (UAQ) problem in (Zhang and Joshi, 2008). It has been shown that UAQ is very common in complex and collaborative systems (Le et al., 2012). For example, in a web-based RBAC system, the user-role assignments are based on users' credentials. Suppose a user requests a particular set of permissions in a single session to carry out a particular task; the system should then find, among the roles available to that user, a set of roles to activate in the session that provides the requested permissions. Ideally, the chosen set of roles should exactly satisfy the user's requested set of permissions. However, such an ideal solution may not exist, since there may be no combination of roles that collectively provides only the exact set of requested permissions. Hence, it is necessary to find a set of roles that provides a set of permissions as close as possible to those requested by the user. One solution is to ensure that no permissions beyond the requested set are available to the requesting user (Pavlich-Mariscal et al., 2010). Another solution, which emphasizes the availability requirement (Li et al., 2010), is to ensure that all the requested permissions are available to the requesting user in his session, while minimizing the number of extra permissions that are additionally available through the selected role set.
There are two optimization objectives that should be included in the UAQ problem. The first is the optimization of the number of activated roles, which is an objective related to system management. For example, minimizing the set of roles activated in a user's session may allow an administrator to manage the system more efficiently (Mousavi and Tripunitara, 2012). Maximizing the number of roles may be useful when security constraints, such as dynamic separation of duty (DSoD) or cardinality constraints (Zhang and Joshi, 2008), make some roles unavailable while a set of roles that together have the requested permissions still exists. For example, assume that the roles in {r1,r2} together have all the requested permissions, and that a DSoD constraint <{r1,r2},2> states that no single user can activate both r1 and r2 in a single session. In this case, it may be useful to maximize the number of available roles, for instance {r1,r2,r3,r4}, even though they provide the same permissions as {r1,r2}. If r1 or r2 becomes unavailable, the role set {r1,r3,r4} or {r2,r3,r4} can still together provide the requested permissions. The second is the optimization of the number of permissions that the requesting user can acquire within a session. For example, minimizing the number of extra permissions beyond those requested is motivated by the principle of least privilege (Chen and Crampton, 2007), as too many extra permissions may expose the system to intolerable risk. On the other hand, minimizing the number of missing permissions (i.e., requested permissions that are not granted within the user's session) is important, as the unavailability of too many of the requested permissions may make it difficult for the user to carry out the required task.
In the definition of UAQ in (Wickramaarachchi et al., 2009), there is a lower bound on the set of requested permissions, and these permissions must be available in the session. We believe minimizing the number of missing permissions is more practically useful, since it ensures that at least some minimal set of permissions is available in the session and that the tasks can be performed smoothly.
Previous definitions of the UAQ problem have mainly considered the optimization objective for the number of permissions. Wickramaarachchi et al. (Wickramaarachchi et al., 2009) consider the UAQ problem as an optimization of the number of permissions allowed to a user. Du et al. (Zhang and Joshi, 2008) define a subcase of the UAQ problem by introducing the problem of minimizing the number of roles; however, in their solution there may not be a unique minimal set of roles that is an ideal choice. A more important issue is that there may be no role set that has all the permissions requested by a user. Mousavi et al. (Mousavi and Tripunitara, 2012) generalize UAQ by introducing the problem of optimizing the number of extra permissions in addition to the number of roles. However, the options "max" and "min" alone are not sufficient, because many instances may require that the number of roles or permissions be restricted (Li et al., 2007). Moreover, apart from the number of extra permissions, the number of missing permissions should also be included in the permission-focused optimization objective.
Existing approaches to the UAQ problem primarily focus on designing approximate or exhaustive solutions (Wickramaarachchi et al., 2009, Lu et al., 2012). Little attention has been paid to the computational complexity of the UAQ problem when the optimization objectives for both the number of permissions and the number of roles are considered. Large companies can easily have thousands of users and hundreds of roles in their RBAC systems (Sun et al., 2011). Additionally, users typically request a set of permissions in a session instead of directly specifying the set of roles they want to activate. Hence, it is important to understand the complexity of the UAQ problem in RBAC systems. Moreover, granting the permissions requested by each user according to the RBAC policies of a large RBAC system is complex. However, several existing works do not sufficiently or accurately analyze the computational complexity of the UAQ problem. For example, Du et al. (Du and Joshi, 2006) propose the inter-domain role mapping (IDRM) problem, which is a subcase of UAQ. They try to prove that the IDRM problem is NP-complete by showing that determining whether the permissions authorized to a role set R equal the requested permissions can be done in polynomial time; but they do not show how to determine in polynomial time whether the cardinality of R is minimal. Hence, the IDRM problem has not been shown to be in NP; it is therefore NP-hard rather than NP-complete (Crampton and Huth, 2010).
In this paper, we address the UAQ problem more comprehensively by considering optimizations based on the number of permissions as well as that of roles. Our contributions can be summarized as follows:
- We propose a more comprehensive definition of the UAQ problem by considering irreducibility, role-cardinality and permission-cardinality constraints. The irreducibility constraint requires that there be no redundancy in a given role set; the role-cardinality constraint restricts the number of roles. Both the irreducibility and the role-cardinality constraints are related to optimization of the number of roles that can be activated by the requesting user. The permission-cardinality constraint restricts the number of permissions that a user can acquire, which is based on the optimization objective for the number of permissions.
- We study the computational complexity of the UAQ problem in three subcases: exact match, safe match and available match. In each subcase, we combine the Core-UAQ component with irreducibility, role-cardinality and/or permission-cardinality constraints to form a Constrained-UAQ. We show that many instances in each subcase are intractable.
- We propose an approach to solve the intractable cases of the UAQ problem. This approach uses static pruning, preprocessing and a depth-first-search-based algorithm to reduce the running time. The experimental evaluations show the effectiveness of the proposed approach.
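As an added example that is not part of the paper, the following Python enumerates irreducible role sets for the three match subcases (exact, safe, available), applies a DSoD constraint of the form <S,t>, and accepts role-cardinality and permission-cardinality bounds as optional filters; the permission-role assignment PA, the role and permission names, and the requested sets are constructed for illustration and reproduce the {r1,r2} / {r1,r3,r4} / {r2,r3,r4} situation discussed above.

```python
from itertools import combinations

# Constructed sample RBAC state (not from the paper): PA maps each role to
# its permissions; all four roles are assumed available to the requesting user.
PA = {
    "r1": {"p1", "p2", "p3"},
    "r2": {"p3", "p4", "p5"},
    "r3": {"p1", "p4"},
    "r4": {"p2", "p5"},
}

def permissions_of(roles, pa):
    """Permissions authorized through a set of roles (no role hierarchy here)."""
    return set().union(*(pa[r] for r in roles)) if roles else set()

def is_irreducible(roles, pa):
    """Irreducibility constraint: removing any one role loses some permission."""
    full = permissions_of(roles, pa)
    return all(permissions_of(roles - {r}, pa) != full for r in roles)

def violates_dsod(roles, dsod):
    """DSoD constraint <S, t>: a session may activate fewer than t roles of S."""
    return any(len(roles & set(s)) >= t for s, t in dsod)

def solve_uaq(pa, available, requested, match, dsod=(), max_roles=None,
              max_extra=None):
    """Exhaustively enumerate irreducible role sets for one UAQ subcase.
    match: 'exact' (no extra and no missing permissions), 'safe' (no extra
    permissions) or 'available' (no missing permissions). max_roles is the
    role-cardinality bound, max_extra the permission-cardinality bound.
    Returns [(roles, #extra, #missing)] ordered by fewest missing, fewest
    extra, then fewest roles, i.e. the optimization objectives above."""
    requested = set(requested)
    results = []
    top = len(available) if max_roles is None else min(max_roles, len(available))
    for k in range(1, top + 1):
        for combo in combinations(sorted(available), k):
            roles = frozenset(combo)
            if violates_dsod(roles, dsod) or not is_irreducible(roles, pa):
                continue
            got = permissions_of(roles, pa)
            extra, missing = got - requested, requested - got
            if match == "exact" and (extra or missing):
                continue
            if match == "safe" and extra:
                continue
            if match == "available" and missing:
                continue
            if max_extra is not None and len(extra) > max_extra:
                continue
            results.append((roles, len(extra), len(missing)))
    return sorted(results, key=lambda t: (t[2], t[1], len(t[0])))
```

Calling `solve_uaq(PA, PA.keys(), {"p1","p2","p3","p4","p5"}, "exact", dsod=[({"r1","r2"}, 2)])` drops {r1,r2} and leaves the two three-role exact matches.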
The rest of this paper is organized as follows. In Section 2, we introduce the relevant background on RBAC and the definition of the UAQ problem. Section 3 studies the computational complexity of the UAQ problem in the three subcases mentioned above. In Section 4, we present an approach to efficiently solve the intractable cases of the UAQ problem. We discuss related work in Section 5 and conclude the paper in Section 6.
The User Authorization Query problem in RBAC
An RBAC state determines the set of roles to which a user is assigned and the set of permissions for which a user is authorized (ANSI, 2004). We define an RBAC state as follows, based on (ANSI, 2004):
Definition 1. An RBAC state is a 6-tuple (U, R, P, UA, PA, RH), where U, R and P denote the set of all users, the set of all roles and the set of all permissions, respectively; UA ⊆ U×R is the user-role assignment relation; PA ⊆ P×R is the permission-role assignment relation; and RH ⊆ R×R is a partial order on R called the inheritance
The complexity of the User Authorization Query problem
In this section, we present the computational complexity analysis of various cases of the Constrained-UAQ problem. Firstly, we present the complexity analysis of the exact match UAQ problem and its subcases with constraints.
Theorem 1. The computational complexities of the different constrained subcases of the exact match UAQ problem are as shown in Table 1.
In Table 1, we show the computational complexity of the exact match UAQ problem in combination with the role-cardinality and irreducibility constraints.
An approach for the User Authorization Query problem
The fact that UAQ is intractable, as shown in Section 3, means that there exist difficult problem instances that take exponential time in the worst case. However, many instances that will be encountered in practice may still be efficiently solvable. For example, UAQ〈available+pc:0+〉 is NP-hard as shown by Lemma 19. Wickramaarachchi et al. (Wickramaarachchi et al., 2009) provided a general definition of UAQ, which includes the intractable subcase UAQ〈available+pc:0+〉. We now revisit the
Related work
In this section, we present the related work in the literature, which is summarized in Table 7. We can see that the existing approaches have paid more attention to designing approximate or exhaustive algorithms for the UAQ problem rather than analyzing the computational complexity of the problem.
The concept of UAQ was first proposed by Du et al. (Du and Joshi, 2006), where they call it the inter-domain role mapping (IDRM) problem. The definition of the IDRM problem from Du et al. is basic
Conclusion and future work
In this paper, we have given a more comprehensive definition of the UAQ problem in RBAC, considering the optimization of the number of roles as well as the number of permissions. We have defined the Core-UAQ problem and the Constrained-UAQ problem by adding the irreducibility, role-cardinality and permission-cardinality constraints to Core-UAQ. It is worth noting that the definition of the UAQ problem can easily be extended to support RBAC systems with hybrid hierarchy types: I-hierarchy, A-hierarchy
Acknowledgments
This work is supported by National Natural Science Foundation of China under Grant 61402418, 61170108, MOE (Ministry of Education in China) Project of Humanity and Social Science under Grant 12YJCZH142, Zhejiang Provincial Natural Science Foundation of China under Grant LQ12F02005, LY13F020017, LQ13F020007, Opening Fund of Key Discipline of Computer Software and Theory of Zhejiang Province at ZJNU under Grant ZSDZZZZXK23.
Jianfeng Lu is an associate professor in the School of Mathematics-Physical and Information Engineering at Zhejiang Normal University. He received his B.S. degree in the School of Computer Science and Technology at Wuhan University of Science and Technology in 2005, and the PhD degree in the School of Computer Science and Technology at Huazhong University of Science and Technology in 2010. His research interests include distributed system security and access control.
References (22)
- et al. An enhancement of the role-based access control model to facilitate information access management in context of team collaboration and workflow. J Biomed Inform (2012)
- et al. On the complexity of role updating feasibility problem in RBAC. Inf Process Lett (2014)
- et al. A framework of composable access control features: preserving separation of access control concerns from models to code. Comput Secur – COMPSEC (2010)
- American national standard for information technology - role based access control (2004)
- et al. Efficient run-time solving of RBAC user authorization queries: pushing the envelope
- et al. Computational complexity: a modern approach (2009)
- et al. Inter-domain role mapping and least privilege
- et al. Set cover problems in role-based access control
- et al. An authorization framework resilient to policy evaluation failures
- et al. Supporting authorization query and inter-domain role mapping in presence of hybrid role hierarchy
- Computers and intractability: a guide to the theory of NP-completeness
James B.D. Joshi is an Associate Professor and the Director of the Laboratory for Education and Research on Security Assured Information Systems (LERSAIS) in the School of Information Sciences at the University of Pittsburgh. He received his MS in Computer Science and his PhD in Computer Engineering from Purdue University in 1998 and 2003, respectively. His research interests include role-based access control, trust management, and secure interoperability. He is a member of the IEEE and the ACM.
Lei Jin is currently working toward his PhD at the School of Information Sciences, University of Pittsburgh and is a member of the Laboratory of Education and Research on Security Assured Information Systems (LERSAIS). He received his MSE in Software Engineering from Tsinghua University and his BS in Computer Software from Tsinghua University in 2009 and 2006 respectively. His research interests include authentication, privacy and security in social computing and in mobile computing, usable privacy and security. He is a student member of the IEEE and the ACM.
Yiding Liu is currently a sophomore in the School of Mathematics-Physical and Information Engineering at Zhejiang Normal University. His research interests include network security and optimization algorithm.