User Authorization Query Research Articles

Towards Better Understanding of User Authorization Query Problem via Multi-variable Complexity Analysis

User authorization queries in the context of role-based access control have attracted considerable interest in the past 15 years. Such queries are used to determine whether it is possible to allocate a set of roles to a user that enables the user to complete a task, in the sense that all the permissions required to complete the task are assigned to the roles in that set. Answering such a query, in general, must take into account a number of factors, including, but not limited to, the roles to which the user is assigned and constraints on the sets of roles that can be activated. Answering such a query is known to be NP-hard. The presence of multiple parameters and the need to find efficient and exact solutions to the problem suggest that a multi-variate approach will enable us to better understand the complexity of the user authorization query problem (UAQ). In this article, we establish a number of complexity results for UAQ. Specifically, we show the problem remains hard even when quite restrictive conditions are imposed on the structure of the problem. Our fixed-parameter tractable (FPT) results show that we have to use either a parameter with potentially quite large values or quite a restricted version of UAQ. Moreover, our second FPT algorithm is complex and requires sophisticated, state-of-the-art techniques. In short, our results show that it is unlikely that all variants of UAQ that arise in practice can be solved reasonably quickly in general.

Supporting user authorization queries in RBAC systems by role–permission reassignment

The User Authorization Query (UAQ) Problem is a key issue related to efficient handling of users’ access requests in Role Based Access Control (RBAC) systems. However, there may not exist any solution to a given UAQ problem due to the limitation caused by the current system state, because missing any requested permission may thwart a task, while an extra permission may bring an intolerable risk to the system. Hence, update of the role–permission assignment is needed to support the feasibility of an UAQ problem. In this paper, we study fundamental problems related to role–permission reassignment, including the RVP problem the goal of which is to determine whether a given role–permission assignment satisfies all reassignment objectives and does not violate any prerequisite constraint or permission-capacity constraint, the RFP problem which verifies whether there exists a valid role–permission assignment, and the RGP problem which studies how to generate a valid role–permission assignment. We present the computational complexity analysis of RVP, RFP and RGP, showing that RVP is solvable in linear time, while both RFP and RGP are NP-hard. We also propose an approach for RGP, which incorporates a preprocessing to decrease the size of the problem, and reduce it to an SAT problem. Finally, experimental results show the validity and effectiveness of our proposed approach.

Towards an Efficient Approximate Solution for the Weighted User Authorization Query Problem

Towards an Efficient Approximate Solution for the Weighted User Authorization Query Problem

Specification and Enforcement of the General User Authorization Query Problem in Role Based Access Control System

Specification and Enforcement of the General User Authorization Query Problem in Role Based Access Control System

Towards complexity analysis of User Authorization Query problem in RBAC

The User Authorization Query (UAQ) problem for RBAC is to determine whether there exists an optimum set of roles to be activated to provide a particular set of permissions requested by a user. It is a key issue related to efficiently handling users' access requests. Previous definitions of the UAQ problem have considered only the optimization objective for the number of permissions whereas the optimization objective for the number of roles, which is also equally important, has been largely ignored. Moreover, little attention has been given to the computational complexity of the UAQ problem that considers the optimization objectives for both the numbers of permissions and roles. In this paper, we propose a more comprehensive definition of the UAQ problem, which includes irreducibility, role-cardinality and permission-cardinality constraints, and consider both these optimization objectives together. In particular, we study the computational complexity of the UAQ problem by dividing it into three subcases: exact match, safe match and available match, and show that many instances in each subcase with additional constraints are intractable. We also propose an approach for solving the intractable cases of the UAQ problem; the proposed approach incorporates static pruning, preprocessing and the depth-first search based algorithm to significantly reduce the running time.

Safety and Availability Checking for User Authorization Queries in RBAC

Abstract This paper introduces the notion of safety and availability checking for user authorization query processing, and develop a recursive algorithm use the ideas from backtracking-based search techniques to search for the optimal solution. For the availability checking, we introduce the notion of max activatable set (MAS), and show formally how MAS can be determined in a hybrid role hierarchy. For the safety checking, we give a formal definition of dynamic separation-of-duty (DSoD) policies, and show how to reduce the safety checking for DSoD to a SAT instance.