On the complexity of role updating feasibility problem in RBAC

https://doi.org/10.1016/j.ipl.2014.06.003

Highlights

  • We define RUFP to determine whether there exists a valid RP assignment.

  • Several subcases of RUFP are solvable in linear time.

  • RUFP is intractable (NP-complete) in the general case.

Abstract

In Role Based Access Control (RBAC) systems, it is necessary and important to update the role–permission assignments in order to reflect the evolution of the system transactions. However, role updating is generally complex and challenging, especially for large-scale RBAC systems. This is because the resulting state is usually expected to meet various requirements and constraints. In this paper, we focus on a fundamental problem of role updating in RBAC, which determines whether there exists a valid role–permission assignment, i.e., one that satisfies all the requirements of the role updating without violating any role–capacity or permission–capacity constraint. We formally define such a problem as the Role Updating Feasibility Problem (RUFP), and study the computational complexity of RUFP in different subcases. Our results show that although several subcases are solvable in linear time, this problem is NP-complete in the general case.

Introduction

Role based access control (RBAC) has received considerable attention over the past two decades. It has established itself as a well-accepted alternative to traditional discretionary and mandatory access control (DAC and MAC) models [1]. Several beneficial features, such as policy neutrality, support for least privilege and efficient self-management, are associated with RBAC models. Such features make RBAC better suited for handling the access control requirements of diverse organizations [2]. In RBAC systems, each task is associated with a set of permissions, and the user–permission assignments are achieved via roles. In order to accomplish a task, a set of users should be assigned to appropriate roles so as to have the permissions requested for this task. Suppose a user requests a particular set of permissions in a single session to achieve a particular task in an RBAC system; one key issue is to determine whether there exists an appropriate set of roles to be activated in the session. It has been shown that such a process is very common in complex and collaborative systems [3]. Zhang et al. introduce it as the User Authorization Query (UAQ) problem in [4]. Ideally, the chosen set of roles to be activated exactly satisfies the user's permission request. However, such an ideal solution may not exist, since it may be impossible to find any combination of roles that activates only the requested permissions. Existing works focus on finding a set of roles that activates a set of permissions as close as possible to those requested by a user [5], [6]. However, missing any requested permission may cause the task to fail, while any extra permission may bring intolerable risk to the system. To address this problem, it is necessary to change the system configuration. Hu et al. refer to the updating of user–role, role–role and role–permission assignments as role updating [7].
In our observation, user–role assignments are business-driven, since users' role memberships are determined by their attributes, such as identities, duties, and titles. When the role–role and role–permission assignments are renewed, administrators can accomplish the user–role assignments straightforwardly. Therefore, role updating only includes the updating of role–role and role–permission assignments.

Role updating is a necessary task in many access control scenarios, such as misconfiguration repair, proper satisfaction and role hierarchy transformation [2], [8]. However, such a task is generally complex and challenging, especially for large-scale RBAC systems. This is because the resulting state is usually expected to meet various requirements and constraints. For example, a requirement of role updating may require that there exists a subset of a given role set $R$ such that the chosen set of roles activates only the requested permissions after the system configuration is updated. Obviously, such a requirement states an overall request which must be satisfied by any set of roles, with the set together activating the requested permissions, rather than restricting which roles are allowed to activate the individual permissions. Furthermore, a role–capacity constraint in an RBAC system may require that the role set $R_{RC}$ activates permissions within a range between a lower bound $P_{lb}$ and an upper bound $P_{ub}$. Here, $P_{lb}$ and $P_{ub}$ are two permission sets such that $P_{lb} \subseteq P_{ub}$. In other words, if a permission outside the range $[P_{lb}, P_{ub}]$ can be activated by the role set $R_{RC}$, the role–capacity constraint is not satisfied. Additionally, a permission–capacity constraint is satisfied in an RBAC system if and only if all the permissions in a permission set $P_{PC}$ can be activated by the set $R_{lb}$ of roles, and any role not included in $R_{ub}$ cannot activate any permission in $P_{PC}$. Here, $R_{lb}$ and $R_{ub}$ are the lower bound and the upper bound role sets of a defined range such that $R_{lb} \subseteq R_{ub}$. Both role–capacity and permission–capacity constraints guarantee that any update of the role–role and role–permission assignments must be within the corresponding range of roles and permissions.

To help system managers understand and manage RBAC policies, various RBAC policy analysis tools have been developed [2], [9], [10], [11]. However, little effort has been devoted to answering whether the updating can satisfy the request. In this paper, we investigate role updating in RBAC systems by introducing the requirements of the role updating and two types of constraints: role–capacity and permission–capacity constraints. Our work can help administrators answer whether the role updates can satisfy all the requirements without violating any constraint. Our contributions can be summarized as follows:

  • We define the Role Updating Feasibility Problem (RUFP) under the requirements of the role updating, role–capacity constraints, and permission–capacity constraints. RUFP determines whether there exists a valid role–permission assignment, i.e., one that satisfies all the requirements without violating any constraint.

  • To better understand how different kinds of requirements and constraints may affect the complexity of RUFP, we present the complexity analysis of RUFP in different subcases. Our results show that although several subcases are solvable in linear time, this problem is NP-complete in the general case.
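
The updating requirement and the two constraint types described in the introduction, as an added Python example (not code from the paper): it checks a flat role–permission assignment against them and searches exhaustively for a valid one. The set-inclusion reading of each constraint, the absence of a role hierarchy, and all role and permission names are assumptions of this example.

```python
from itertools import chain, combinations, product

def activated(pa, roles):
    """Permissions the given roles activate under assignment pa (role -> set)."""
    return set().union(*(pa.get(r, set()) for r in roles))

def subsets(items):
    items = list(items)
    return chain.from_iterable(combinations(items, k) for k in range(len(items) + 1))

def meets_requirement(pa, role_set, requested):
    # Some subset of role_set activates exactly the requested permissions.
    return any(activated(pa, s) == requested for s in subsets(role_set))

def meets_role_capacity(pa, r_rc, p_lb, p_ub):
    # Assumed reading: P_lb <= permissions activated by R_RC <= P_ub.
    return p_lb <= activated(pa, r_rc) <= p_ub

def meets_perm_capacity(pa, p_pc, r_lb, r_ub):
    # R_lb covers all of P_PC, and no role outside R_ub touches P_PC.
    covered = p_pc <= activated(pa, r_lb)
    leaked = any(pa[r] & p_pc for r in pa if r not in r_ub)
    return covered and not leaked

def valid(pa, reqs, rcs, pcs):
    return (all(meets_requirement(pa, *q) for q in reqs)
            and all(meets_role_capacity(pa, *c) for c in rcs)
            and all(meets_perm_capacity(pa, *c) for c in pcs))

def find_assignment(roles, perms, reqs, rcs, pcs):
    """Try all 2^(|roles|*|perms|) assignments; usable on tiny inputs only."""
    pairs = [(r, p) for r in roles for p in perms]
    for bits in product((0, 1), repeat=len(pairs)):
        pa = {r: set() for r in roles}
        for (r, p), bit in zip(pairs, bits):
            if bit:
                pa[r].add(p)
        if valid(pa, reqs, rcs, pcs):
            return pa
    return None

# Constructed instance: 3 roles x 3 permissions = 512 candidate assignments.
ROLES, PERMS = ["clerk", "auditor", "admin"], ["read", "write", "approve"]
REQS = [({"clerk", "auditor"}, {"read", "write"})]        # (R, requested P)
RCS = [({"clerk"}, {"read"}, {"read", "write"})]          # (R_RC, P_lb, P_ub)
PCS = [({"approve"}, {"admin"}, {"admin"})]               # (P_PC, R_lb, R_ub)
PCS_CONFLICT = [({"write"}, {"admin"}, {"admin"})]        # only admin may write

if __name__ == "__main__":
    print(find_assignment(ROLES, PERMS, REQS, RCS, PCS))
    print(find_assignment(ROLES, PERMS, REQS, RCS, PCS_CONFLICT))
```

The search space doubles with every added role–permission pair, which is why the exhaustive search only illustrates the problem statement and does not scale.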

The rest of this paper is organized as follows. Section 2 gives a formal definition of RUFP in RBAC systems. Section 3 studies the computational complexities of RUFP in different subcases. Section 4 concludes this paper with a summary of our contributions and a discussion of future work.

Section snippets

Definition of the role updating feasibility problem in RBAC

In this section, we formally define the Role Updating Feasibility Problem (RUFP) under the requirements of the role updating, role–capacity constraints, and permission–capacity constraints.

The complexity of role updating feasibility problem

Here, we present the complexity analysis of RUFP in different subcases. To represent a subcase of RUFP, we write the RUFP component followed by three parameters: no.UR, no.RC, and no.PC denoting the numbers of updating requirements, role–capacity constraints, and permission–capacity constraints, respectively. For example, the subcase $\mathrm{RUFP}_{no.UR=k,\,no.RC=m,\,no.PC=n}$ has the form $\mathrm{RUFP}_{k:m:n}$, which denotes the subcase that combines k updating requirements with m role–capacity constraints and n

Conclusion and future work

In this paper, we have defined the updating requirements, role–capacity constraints, and permission–capacity constraints, and given a formal definition of the Role Updating Feasibility Problem (RUFP) under such requirements and constraints. In addition, we studied the computational complexity of RUFP in different subcases, and showed that RUFP is intractable (NP-complete) in general. The fact that RUFP is intractable means that there exist difficult problem instances that take exponential

Acknowledgements

This work is supported by National Natural Science Foundation of China under Grant 61170108, MOE (Ministry of Education in China) Project of Humanity and Social Science under Grant 12YJCZH142, Zhejiang Provincial Natural Science Foundation of China under Grant LQ12F02005, LQ13F020007, LY13F020017, Opening Fund of Key Discipline of Computer Software and Theory of Zhejiang Province at ZJNU under Grant ZSDZZZZXK23.

References (14)

  • X. Le et al., An enhancement of the role-based access control model to facilitate information access management in context of team collaboration and workflow, J. Biomed. Inform. (2012)

  • ANSI, American National Standard for Information technology-role based access control, 2004 (2004)

  • J.B.D. Joshi et al., Formal foundations for hybrid hierarchies in GTRBAC, ACM Trans. Inf. Syst. Secur. (2008)

  • Y. Zhang et al., Uaq: a framework for user authorization query processing in RBAC extended with hybrid hierarchy and constraints

  • T. Guneshi et al., An efficient framework for user authorization queries in RBAC systems

  • A. Armando et al., Efficient run-time solving of RBAC user authorization queries: pushing the envelope

  • J. Hu et al., Role updating for assignments

There are more references available in the full text version of this article.

Cited by (6)

  • Optimization of Access Control Policies

    2022, Journal of Information Security and Applications
    Citation Excerpt :

    Hu et al. [82] define a tool and a process which aid the automatic updating of role-permission assignments by checking whether an update is achievable with a given set of constraints. Lu et al. [101] and Hu et al. [99] evaluate role updating algorithmically to determine the complexity of automatic checking for role-permission and role-role assignments. Lu et al. [102] propose a role generalization algorithm that aims to optimize roles for automatic assignment via user authentication queries.

  • Towards complexity analysis of User Authorization Query problem in RBAC

    2015, Computers and Security
    Citation Excerpt :

    Hu et al. (Hu et al., 2010a, 2010b) refer to the updating of user-role, role–role and role-permission assignments as role updating. However, as pointed out by Lu et al. (Lu et al., 2014), role updating should only include the updating of role–role and role-permission assignments. In their work, they define the Role Updating Feasibility Problem (RUFP), which determines whether there exists a valid role-permission assignment, i.e., whether it can satisfy all the requirements of the role updating and without violating any role-capacity or permission-capacity constraint.

  • Contemporaneous Update and Enforcement of ABAC Policies

    2022, Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
  • Supporting user authorization queries in RBAC systems by role-permission reassignment

    2017, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
  • FARBAC: A fine-grained administrative RBAC model

    2015, 2015 International Conference and Workshop on Computing and Communication, IEMCON 2015