Abstract
The workflow satisfiability problem (WSP) asks whether there exists an assignment of authorized users to the steps in a workflow specification that satisfies the constraints in the specification. The problem is NP-hard in general, but several subclasses of the problem are known to be fixed-parameter tractable (FPT) when parameterized by the number of steps in the specification. In this paper, we consider the WSP with user-independent counting constraints, a large class of constraints for which the WSP is known to be FPT. We describe an efficient implementation of an FPT algorithm for solving this subclass of the WSP and an experimental evaluation of this algorithm. The algorithm iteratively generates all equivalence classes of possible partial solutions until, whenever possible, it finds a complete solution to the problem. We also provide a reduction from a WSP instance to a pseudo-Boolean (PB) SAT instance. We apply this reduction to the instances used in our experiments and solve the resulting PB SAT problems using SAT4J, a PB SAT solver. We compare the performance of our algorithm with that of SAT4J and discuss which of the two approaches would be more effective in practice.
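The problem statement in the abstract can be made concrete with a small solver. This is an added example, not the paper's implementation: it uses a simplified variant that enumerates partitions of the steps (with user-independent constraints, only which steps share a user matters) and then matches each block to a distinct authorized user, rather than the paper's iterative construction over partial solutions. All names and the sample instance are assumptions constructed for illustration.

```python
def patterns(k):
    """Yield each partition of steps 0..k-1 as a restricted-growth list of block ids."""
    def rec(p, nblocks):
        if len(p) == k:
            yield list(p)
            return
        for b in range(nblocks + 1):      # join an existing block or open a new one
            p.append(b)
            yield from rec(p, max(nblocks, b + 1))
            p.pop()
    yield from rec([], 0)

def satisfies(p, constraints):
    """Counting constraint (lo, hi, T): between lo and hi distinct users perform the steps in T."""
    return all(lo <= len({p[s] for s in T}) <= hi for lo, hi, T in constraints)

def match_blocks(blocks, auth):
    """Augmenting-path matching: one distinct user, authorized for every step, per block."""
    owner = {}                            # user -> index of the block they perform
    def augment(b, seen):
        for u, steps in auth.items():
            if blocks[b] <= steps and u not in seen:
                seen.add(u)
                if u not in owner or augment(owner[u], seen):
                    owner[u] = b
                    return True
        return False
    if all(augment(b, set()) for b in range(len(blocks))):
        return {b: u for u, b in owner.items()}
    return None

def solve_wsp(k, auth, constraints):
    """Return a step -> user plan meeting authorizations and constraints, or None."""
    for p in patterns(k):
        if not satisfies(p, constraints):
            continue
        blocks = [frozenset(s for s in range(k) if p[s] == b) for b in range(len(set(p)))]
        users = match_blocks(blocks, auth)
        if users is not None:
            return {s: users[p[s]] for s in range(k)}
    return None

# Constructed instance: steps 0=create, 1=approve, 2=pay, 3=audit.
AUTH = {"alice": {0, 1}, "bob": {1, 2}, "carol": {2, 3}, "dave": {0, 3}}
CONSTRAINTS = [(2, 2, {0, 1}),           # separation of duty: create and approve differ
               (1, 1, {2, 3})]           # binding of duty: pay and audit by the same user
PLAN = solve_wsp(4, AUTH, CONSTRAINTS)
```

The number of partitions of k steps is the Bell number of k, independent of the number of users, which is why this style of search is fixed-parameter tractable in k.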
Notes
We would like to emphasize that even though the constraints considered in the theoretical part of Wang and Li’s paper are purely user-independent, the authors consider randomly generated relations between users for their experiments. Therefore, the experimental tests in Wang and Li (2010) are not done in a user-independent environment.
Our computer is more powerful than the one used by Wang and Li (2010).
This experimental setup is different from the one used in our earlier work (Cohen et al. (2014)).
Schaad et al. investigated several case studies in which authorization constraints were relevant, including a loan origination process in a bank (see Schaad et al. (2006)) and the creation of electronic signatures in a law practice (see Schaad et al. (2005)). These two business processes used 13 and 12 steps, respectively.
References
American National Standards Institute (2004) ANSI INCITS 359–2004 for role based access control, ANSI, New York
Basin DA, Burri SJ, Karjoth G (2014) Obstruction-free authorization enforcement: aligning security and business objectives. J Comput Secur 22(5):661–698
Berend D, Tassa T (2010) Improved bounds on Bell numbers and on moments of sums of random variables. Probab Math Stat 30(2):185–205
Bertino E, Ferrari E, Atluri V (1999) The specification and enforcement of authorization constraints in workflow management systems. ACM Trans Inf Syst Secur 2(1):65–104
Chimani M, Klein K (2010) Algorithm engineering: concepts and practice. In: Bartz-Beielstein T, Chiarandini M, Paquete L, Preuss M (eds) Experimental methods for the analysis of optimization algorithms. Springer, Germany, pp 131–158
Cohen D, Crampton J, Gagarin A, Gutin G, Jones M (2014) Engineering algorithms for workflow satisfiability problem with user-independent constraints. In: Chen J, Hopcroft JE, Wang J (eds) Proceedings 8th International Frontiers of Algorithmics Workshop (FAW 2014), LNCS 8497. Springer, pp 48–59
Cohen D, Crampton J, Gagarin A, Gutin G, Jones M (2014) Iterative plan construction for the workflow satisfiability problem. J Artif Intell Res 51:555–577
Crampton J (2005) A reference monitor for workflow systems with constrained task execution. In: 9th SACMAT. ACM, New York, pp 38–47
Crampton J, Gutin G (2013) Constraint expressions and workflow satisfiability. In: 18th SACMAT. ACM, New York, pp 73–84
Crampton J, Gutin G, Karapetyan D (2015) Valued workflow satisfiability problem. In: 20th ACM SACMAT, to appear
Crampton J, Gutin G, Yeo A (2013) On the parameterized complexity and kernelization of the workflow satisfiability problem. ACM Trans Inf Syst Secur 16(1):4
Downey RG, Fellows MR (2013) Fundamentals of parameterized complexity. Springer, London
Durstenfeld R (1964) Algorithm 235: Random permutation. Commun ACM 7(7):420
Fisher RA, Yates F (1948) Statistical tables for biological, agricultural and medical research, 3rd edn. Oliver and Boyd, Edinburgh
Flum J, Grohe M (2006) Parameterized complexity theory. Springer, Berlin
Gligor VD, Gavrila SI, Ferraiolo DF (1998) On the formal definition of separation-of-duty policies and their composition. In: IEEE Symposium on Security and Privacy, IEEE Computer Society, 172–183
Karapetyan D, Gagarin A, Gutin G (2015) Pattern Backtracking Algorithm for the Workflow Satisfiability Problem with User-Independent Constraints. In: FAW 2015, Lect Notes Comput Sci, to appear
Le Berre D, Parrain A (2010) The SAT4J library, release 2.2. J Satisf Bool Model Comput 7:59–64
Myrvold W, Kocay W (2011) Errors in graph embedding algorithms. J Comput Syst Sci 77(2):430–438
Niedermeier R (2006) Invitation to fixed-parameter algorithms. Oxford University Press, Oxford
Reingold EM, Nievergelt J, Deo N (1977) Combinatorial algorithms: theory and practice. Prentice Hall, Englewood Cliffs
Schaad A, Spadone P, Weichsel H (2005) A case study of separation of duty properties in the context of the Austrian “eLaw” process. In: Proceedings the 2005 ACM Symposium on Applied Computing (SAC 2005), 1328–1332
Schaad A, Lotz V, Sohr K (2006) A model-checking approach to analysing organisational controls in a loan origination process. In: Ferraiolo DF, Ray I (eds) SACMAT. ACM, New York, pp 139–149
Wang Q, Li N (2010) Satisfiability and resiliency in workflow authorization systems. ACM Trans Inf Syst Secur 13(4):40
Wolter C, Schaad A (2007) Modeling of task-based authorization constraints in BPMN. BPM, LNCS 4714. Springer, Brisbane, pp 64–79
Acknowledgments
This research was supported by EPSRC grant EP/K005162/1. We are very grateful to the referees for several useful comments and suggestions and to Daniel Karapetyan for several helpful discussions.
Cite this article
Cohen, D., Crampton, J., Gagarin, A. et al. Algorithms for the workflow satisfiability problem engineered for counting constraints. J Comb Optim 32, 3–24 (2016). https://doi.org/10.1007/s10878-015-9877-7