Mitigating the Intractability of the User Authorization Query Problem in Role-Based Access Control (RBAC)

We address the User Authorization Query problem (UAQ) in Role-Based Access Control (RBAC), which concerns the sessions a user creates in order to exercise permissions. Prior work has shown that UAQ is intractable (NP-hard). We give a precise formulation of UAQ as a joint optimization problem and observe that, in general, UAQ remains in NP. We then investigate two techniques to mitigate its intractability. (1) We efficiently reduce UAQ to Boolean satisfiability in conjunctive normal form (CNF-SAT), a well-known NP-complete problem for which solvers exist that are efficient on large classes of instances. We point out that a prior attempt is not a reduction, is inefficient, and provides only limited support for joint optimization. (2) We show that UAQ is fixed-parameter polynomial in the upper-bound set of permissions under reasonable assumptions. We discuss an open-source implementation of (1) and (2), on which we base an empirical assessment.
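To make the reduction in (1) concrete, the following Python is an added example, not code from the paper or from its open-source implementation. It encodes the decision version of UAQ (is there a role set whose permissions contain a lower bound P_lb and stay within an upper bound P_ub?) as CNF, serialises it in DIMACS form, and then solves the joint optimisation of "fewest roles" by repeated SAT calls with an at-most-k constraint. The RBAC policy, the permission names, the naive cardinality encoding and the tiny DPLL solver are all constructed for this illustration; the paper's own encoding and objectives are not reproduced here.

```python
"""UAQ -> CNF SAT reduction with a minimal DPLL solver (added example, not the paper's code)."""
from itertools import combinations

# Constructed toy RBAC policy: role -> permissions it grants (hypothetical names).
ROLES = {
    "clerk":    {"read_ledger"},
    "auditor":  {"read_ledger", "read_reports"},
    "manager":  {"read_ledger", "read_reports", "approve_payment"},
    "admin":    {"read_ledger", "approve_payment", "manage_users"},
    "reporter": {"read_reports"},
}

def uaq_to_cnf(roles, p_lb, p_ub):
    """Decision version of UAQ: is there a role set R' with P_lb <= perms(R') <= P_ub?
    Variable i (1-based, DIMACS style) is true iff role names[i-1] is activated.
      - one clause per p in P_lb: OR of the roles granting p      (lower bound)
      - one unit clause -r per role granting anything outside P_ub (upper bound)
    An empty clause (nobody grants some p in P_lb) makes the formula unsatisfiable."""
    names = sorted(roles)
    var = {r: i + 1 for i, r in enumerate(names)}
    clauses = [[var[r] for r in names if p in roles[r]] for p in sorted(p_lb)]
    clauses += [[-var[r]] for r in names if not roles[r] <= p_ub]
    return names, clauses

def to_dimacs(nvars, clauses):
    """DIMACS CNF text, the input format of off-the-shelf SAT solvers."""
    lines = [f"p cnf {nvars} {len(clauses)}"]
    lines += [" ".join(map(str, c)) + " 0" for c in clauses]
    return "\n".join(lines)

def at_most_k(var_ids, k):
    """Naive cardinality constraint: no (k+1)-subset of variables may be all true.
    Exponential in k; a sequential-counter encoding is linear, but this keeps the toy simple."""
    return [[-v for v in subset] for subset in combinations(var_ids, k + 1)]

def _simplify(clauses, assignment):
    """Drop satisfied clauses and falsified literals; None signals a conflict."""
    out = []
    for clause in clauses:
        rest, satisfied = [], False
        for lit in clause:
            val = assignment.get(abs(lit))
            if val is None:
                rest.append(lit)
            elif val == (lit > 0):
                satisfied = True
                break
        if satisfied:
            continue
        if not rest:
            return None
        out.append(rest)
    return out

def dpll(clauses, assignment=None):
    """Minimal DPLL (unit propagation + branching). Returns {var: bool} or None if unsat."""
    assignment = {} if assignment is None else assignment
    clauses = _simplify(clauses, assignment)
    if clauses is None:
        return None
    if not clauses:
        return assignment
    for clause in clauses:                      # unit propagation
        if len(clause) == 1:
            lit = clause[0]
            return dpll(clauses, {**assignment, abs(lit): lit > 0})
    lit = clauses[0][0]                         # branch on an unassigned literal
    for value in (lit > 0, lit < 0):
        model = dpll(clauses, {**assignment, abs(lit): value})
        if model is not None:
            return model
    return None

def solve_uaq(roles, p_lb, p_ub):
    """Joint optimisation on top of the reduction: smallest role set R' with
    P_lb <= perms(R') <= P_ub, found by SAT calls for k = 0, 1, ... activated roles.
    Returns a sorted list of role names, or None if the query is unsatisfiable."""
    names, base = uaq_to_cnf(roles, p_lb, p_ub)
    var_ids = list(range(1, len(names) + 1))
    for k in range(len(names) + 1):
        model = dpll(base + at_most_k(var_ids, k))
        if model is not None:
            return sorted(n for n, v in zip(names, var_ids) if model.get(v))
    return None

if __name__ == "__main__":
    p_lb = {"read_ledger", "read_reports"}
    p_ub = {"read_ledger", "read_reports", "approve_payment"}
    names, cnf = uaq_to_cnf(ROLES, p_lb, p_ub)
    print(to_dimacs(len(names), cnf))
    print("minimal role set:", solve_uaq(ROLES, p_lb, p_ub))                           # ['auditor']
    print("nothing fits P_ub:", solve_uaq(ROLES, {"manage_users"}, {"manage_users"}))  # None
```

The unit clauses discard up front every role that grants a permission outside P_ub, so the actual search runs only over roles whose permission sets lie inside P_ub. In the last query, "admin" is the only role granting manage_users but also grants permissions outside P_ub, so the formula is unsatisfiable for every k and the query is correctly rejected rather than answered with an over-privileged session.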
