towards complexity analysis of user auth query problem in rbac.pdf

ww.sciencedirect.com

c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0Available online at wScienceDirect

journal homepage: www.elsevier .com/locate/coseTowards complexity analysis of UserAuthorization Query problem in RBACJianfeng Lu a,*, James B.D. Joshi b, Lei Jin b, Yiding Liu a

a School of Mathematics-Physical & Information Engineering, Zhejiang Normal University, Jinhua, Zhejiang, Chinab School of Information Sciences, University of Pittsburgh, Pittsburgh, PA, USAa r t i c l e i n f o

Article history:

Received 21 September 2013

Received in revised form 25 July 2014

Accepted 14 October 2014

Available online 5 November 2014

Keywords:

Access control

RBAC

User Authorization Query

Computational complexity

Role-cardinality constraint

Permission-cardinality constraint* Corresponding author. Tel.: 86 0579 82298E-mail address: [email protected] (J. Lu

http://dx.doi.org/10.1016/j.cose.2014.10.0030167-4048/ 2014 Elsevier Ltd. All rights resea b s t r a c t

The User Authorization Query (UAQ) problem for RBAC is to determine whether there exists

an optimum set of roles to be activated to provide a particular set of permissions requested

by a user. It is a key issue related to efficiently handling users' access requests. Previous

definitions of the UAQ problem have considered only the optimization objective for the

number of permissions whereas the optimization objective for the number of roles, which

is also equally important, has been largely ignored. Moreover, little attention has been

given to the computational complexity of the UAQ problem that considers the optimization

objectives for both the numbers of permissions and roles. In this paper, we propose a more

comprehensive definition of the UAQ problem, which includes irreducibility, role-

cardinality and permission-cardinality constraints, and consider both these optimization

objectives together. In particular, we study the computational complexity of the UAQ

problem by dividing it into three subcases: exact match, safe match and available match, and

show that many instances in each subcase with additional constraints are intractable. We

also propose an approach for solving the intractable cases of the UAQ problem; the pro-

posed approach incorporates static pruning, preprocessing and the depth-first search

based algorithm to significantly reduce the running time.

2014 Elsevier Ltd. All rights reserved.1. Introduction

Role based access control (RBAC) has established itself as a

well-accepted alternative to traditional discretionary and

mandatory access control (DAC and MAC) models (ANSI,

2004). In RBAC, permissions are not assigned directly to

users, but are assigned to roles. Users obtain permissions

through roles. The notion of the role provides a level of

indirection to simplify the fine-grained privilege821; fax: 86 0579 82298).

rved.management. Several beneficial features, such as policy

neutrality, support for least privilege and efficient access

control management are associated with RBAC models.

Such features make RBAC better suited for handling access

control requirements of diverse organizations (Joshi et al.,

2008).

A fundamental problem in RBAC is determining the set of

roles that should be activated in order to allow a user to ac-

quire the set of permissions he has requested. That is, given

an input set of permissions that a user requests to have in a897.

mailto:[email protected]://crossmark.crossref.org/dialog/?doi=10.1016/j.cose.2014.10.003&domain=pdfwww.sciencedirect.com/science/journal/01674048www.elsevier.com/locate/cosehttp://dx.doi.org/10.1016/j.cose.2014.10.003http://dx.doi.org/10.1016/j.cose.2014.10.003http://dx.doi.org/10.1016/j.cose.2014.10.003

c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0 117session to achieve a particular task in an RBAC system,1 the

problem is to determine whether there exists an optimum set

of roles to activate in the session. Zhang et al. introduce it as

the User Authorization Query (UAQ) problem in (Zhang and

Joshi, 2008). It has been shown that UAQ is very common in

complex and collaborative systems (Le et al., 2012). For

example, in a web-based RBAC system, the user-role assign-

ments are based on users' credentials. Suppose a user re-quests a particular set of permissions in a single session to

carry out a particular task, the system should find a set of roles

from those available for the user that should be activated in a

session to provide those requested permissions. Ideally, the

chosen set of roles should exactly satisfy the user's requestedset of permissions. However, such an ideal solution may not

exist since we may not find any combination of roles that

collectively provide only the exact set of the requested per-

missions. Hence, it is necessary to find a set of roles that

provides a set of permissions that is as close as possible to

those requested by a user. One solution may be to ensure that

no permissions beyond the requested set of permissions is

available to the requesting user (Pavlich-Mariscal et al., 2010).

Another solution, which emphasizes the availability require-

ment (Li et al., 2010), is to ensure that all the requested per-

missions are available to the requesting user in his session,

while minimizing the number of possible extra set of per-

missions that are additionally available through the selected

role set.

There exist two optimization objectives that should be

included in the UAQ problem. One is the optimization of the

number of activated roles, which is an optimization objective

related to the systemmanagement. For example, minimizing

a set of roles activated in a user's session may allow anadministrator to more efficiently manage the system

(Mousavi and Tripunitara, 2012). Maximizing the number of

roles may be useful when security constraints, such as dy-

namic separation of duty (DSoD) or cardinality constraint

(Zhang and Joshi, 2008), make some roles to be unavailable,

and there still exists a set of roles that have the requested set

of permissions. For example, we assume that the roles in

{r1,r2} together having all the requested permissions, and a

DSoD constraint indicating that no single user canactivate both r1 and r2 in a single session. In this case, it may

be useful to maximize the number of available roles, such as

{r1,r2,r3,r4}, although they can activate the same permissions

as {r1,r2}. When r1 or r2 to be unavailable, the set {r1,r3,r4} or

{r2,r3,r4} of roles can also together activate the requested

permissions. The second is the optimization of the number of

permissions that can be acquired by the requesting user

within a session. For example, minimizing the number of

extra permissions beyond the requested permissions is

motivated by the principle of least privilege (Chen and

Crampton, 2007), as too many extra permissions may bring

the intolerable risk to the system. On the other hand, mini-

mizing the number of missing permissions (i.e., permissions1 We assume that a user requests to achieve a particular task,which is associated with a set of permissions, that means theusers do not need to know what permissions he/she shouldrequest, but just need to know what task he/she wants toachieve.allowed within the user's session do not include some of therequested permissions) is important as the unavailability of

too many of the requested permissions may make it difficult

for the user to carry out the required task. In the definition of

UAQ in (Wickramaarachchi et al., 2009), there exists a lower

bound for the set of requested permissions, while these

permissions must be available for the session. We believe

minimizing the number of missing permissions is more

practically useful, since it ensures that at least someminimal

permissions are available for the session, and ensures the

tasks to be performed smoothly.

Previous definitions of the UAQ problem have considered

mainly the optimization objective for the number of permis-

sions. Wickramaarachchi et al. (Wickramaarachchi et al.,

2009) consider the UAQ problem as an optimization of the

number of permissions to be allowed to a user. Du et al.

(Zhang and Joshi, 2008) define a subcase of the UAQ problem

by introducing the problem of minimization of the number of

roles; however, in their solution, there may not be a unique

minimal set of roles that is an ideal choice. A more important

issue is that there may not be a role set that has all the per-

missions requested by a user. Mousavi et al. (Mousavi and

Tripunitara, 2012) generalize UAQ by introducing the prob-

lem of optimizing the number of extra permissions in addition

to the number of roles. However, the options max or min

are not complete; this is because many instances may require

that the number of roles or permissions be restricted (Li et al.,

2007). Moreover, apart from the number of extra permissions,

the number of missing permissions should also be included in

the optimization objective focused on permissions.

Existing approaches to the UAQproblemprimarily focus on

how to design approximate or exhaustive solutions

(Wickramaarachchi et al., 2009; Lu et al., 2012). Little attention

has been paid to the computational complexity of the UAQ

problem by considering the optimization objectives for both

the numbers of permissions and that of roles. Large com-

panies can easily have thousands of users and hundreds of

roles in their RBAC systems (Sun et al., 2011). Additionally,

users typically request to use a set of permissions in a session

instead of specifying the specific set of roles that they want to

activate directly. Hence, it is important to understand the

complexity of the UAQ problem in RBAC systems. Moreover,

granting permissions requested by each user based on RBAC

policies in a large RBAC system is complex. However, several

existing work do not sufficiently or accurately analyze the

computational complexity of the UAQ problem. For example,

Du et al. (Du and Joshi, 2006) propose the inter-domain role

mapping (IDRM) problem, which is a subcase of UAQ. They try

to prove that the IDRM problem is NP-complete by showing

that determining whether the permissions authorized to the

role set R is equal to the requested permissions or not can be

done in polynomial time; but, they do not show how to

determine whether the cardinality of R is minimized in poly-

nomial time. Hence, the IDRM problem has not been shown to

be in NP, thus, it is NP-hard, instead (Crampton and Huth,

2010).

In this paper, we address the UAQ problem more compre-

hensively by considering optimizations based on the number

of permissions as well as that of roles. Our contributions can

be summarized as follows:

http://dx.doi.org/10.1016/j.cose.2014.10.003http://dx.doi.org/10.1016/j.cose.2014.10.003

c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0118 We propose a more comprehensive definition of the UAQproblem, by considering irreducibility, role-cardinality and

permission-cardinality constraints. The irreducibility

constraint requires that there be no redundancy in a given

role set; the role-cardinality constraint specifies the num-

ber of roles to be restricted. Both irreducibility and role-car-

dinality constraints are related to optimization on the

number of roles that can be activated by the requesting

user. The permission-cardinality constraint specifies the

number of permissions that can be acquired by a user,

which is based on the optimization objective for the

number of permissions.

We study the computational complexity of the UAQ prob-lem into three subcases: exact match, safe match and avail-

able match. In each subcase, we combine the Core-UAQ

component with irreducibility, role-cardinality and/or

permission-cardinality constraints to form a Constrained-

UAQ. We show that many instances in each subcase are

intractable.

We propose an approach to solve the intractable cases ofthe UAQ problem. This approach uses static pruning, pre-

processing and depth-first search based algorithm to

reduce the running time. The experimental evaluations

show the effectiveness of the proposed approach.

The rest of this paper is organized as follows. In Section 2,

we introduce the relevant background on RBAC and the defi-

nition of the UAQ problem. Section 3 studies the computa-

tional complexity of the UAQ problem into three subcases

mentioned above. In Section 4, we present an approach to

efficiently solve the intractable cases of the UAQ problem. We

discuss related work in Section 5, and conclude this paper in

Section 6.2 We assume that every permission has the same impact ofweight, thus the optimization of the number of permissions thatcan be acquired by the requesting user within a session ismeaningful.2. The User Authorization Query problem inRBAC

An RBAC state determines the set of roles for which a user is

assigned and the set of permissions for which a user is

authorized (ANSI, 2004). We define an RBAC state as follows,

based on (ANSI, 2004):

Definition 1. An RBAC state is a 6-tuple (U, R, P, UA, PA, RH),

where

U, R, P denote the set of all users, the set of all roles, the set of allpermissions, respectively.

UA 4 UR, a user-role assignment relation. PA 4 PR, a permission-role assignment relation. RH 4 RR, a partial order on R called the inheritance relation,written as , where r1 r20Permr24Permr1.

Permr : R/2P, the mapping of role r onto a set of permissions inthe presence of a role hierarchy; formally,

Permr fp2Pjr r'; p; r'2PAg. PermS : R/2P, the mapping of a role set S onto a set of per-missions; formally, PermS S

r2SPermr.

In this paper, we will assume that the role hierarchy has

been flattened by encoding all the authorized relationshipsbased on user-role and permission-role assignments and the

role hierarchy.

Inspired by the specification style of ANSI RBAC standard

(ANSI, 2004), we use the definition of the UAQ problem that in-

cludes two components: Core-UAQ and Constrained-UAQ. A

typical RBAC system may optionally include any Core-UAQ or

Constrained-UAQ;aConstrained-UAQessentially isaCore-UAQ

with some constraints. To define the Core-UAQ, we divide UAQ

into three subcases: exact match, safe match and available

match. We first provide the formal definition of the Core-UAQ.

Definition 2. (Core-UAQ problem) Given R, P, and the requested

permission information (Preq, obj), where Preq4P is a set of permis-

sions requested by a user u, and obj2fexact; safe; availableg, theCore-UAQ problem is to identify a role set Rsat4R that can be acti-

vated by u while satisfying the following conditions:

Exact match: Preq Perm(Rsat) if objexact; Safe match: PreqJPermRsat if objsafe2; Available match: Preq4PermRsat if objavailable.

However, only finding a role set Rsat that can satisfy the

Core-UAQ with obj2fexact; safe;availableg is not enough. Weshould also consider the optimization objectives based on

some additional constraints which may prevent a user from

activating the roles in Rsat. These may include irreducibility,

role-cardinality or permission-cardinality constraints

(Mousavi and Tripunitara, 2012; Chen and Crampton, 2009).

An irreducibility constraint requires that there exists no

redundancy in Rsat; i.e., we cannot remove any role in Rsatwithout changing Perm(Rsat); a role-cardinality constraint spec-

ifies the number of roles to be restricted in Rsat, and a permis-

sion-cardinality constraint specifies the number of permissions

that can be acquired by a user. Both irreducibility and role-car-

dinality constraints are related to optimization on the number

of roles that can be activated by the requesting user. But

permission-cardinality constraint is based on the optimization

of the number of permissions. We now formally define these

three constraints in the Constrained-UAQ problem as follows:

Definition 3. (Constrained-UAQ problem) The Constrained-UAQ

problems extend the Core-UAQ problem with the following three

types of constraints: irreducibility, role-cardinality and permission-

cardinality.

Irreducibility: An irreducibility constraint is denoted as irrS,where S4R. We say that irrS is satisfied if and only if for all

S'3S, PermS'3PermS. Role-Cardinality: A role-cardinality constraint is denoted asrcS;Or, where S4R, Or2fk;;g, and k is a positiveinteger. We say rcS;Or is satisfied if and only if the following

conditions hold:

- jSj k if Or k;- jSj is maximized if Or ;- jSj is minimized if Or .


Table 1 e Computational complexities of differentsubcases of the exact match UAQ problem.

Exact Match None Role-cardinality

Or k Or Or None P NP-complete P NP-hard

Irreducibility NP-hard

c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0 119 Permission-Cardinality: A permission-cardinality constraint isdenoted as pcS;Op, where S4R, Op2ft; t;0; 0g, and t is apositive integer denoting the number of extra/missing permis-

sions. We say that S satisfies pcS;Op if and only if the following

conditions hold:

- PermSIPreq andPermS Preq

t if Op t, where t is a

positive integer;

- PermS3Preq andPreq PermS

t if Op t;

- PermSIPreq and for all S'4R, PermS'IPreq thatjPermS'j jPermSj if Op 0;

- PermS3Preq, and for all S'4R, PermS'3Preq thatjPermS'j jPermSj if Op 0.

Intuitively, a role-cardinality constraint specifies an opti-

mization requirement of the number of activated roles, and a

permission-cardinality constraint specifies an optimization

requirement of the number of permissions that can be ac-

quired by the requesting user. For the permission-cardinality

constraint, the parameter t specifies the number of extra/

missing permissions that the system wants to be able to

tolerate. For example, when missing any two requested per-

missionsmay cause the failure of this task, then t can be set to

1 for the case Op t. Similarly, when any three extra per-missions may bring the intolerable risk to the system, then t

can be set to 2 for the case Op t.To represent a subcase of Constrained-UAQ, we write the

Core-UAQ component followed by the list of constraints

within a pair of braces. Some of the constraints may be

combined with all the three cases of Core-UAQ. For example,

UAQexact irr denotes the subcase that combines the exactmatch Core-UAQ with irreducibility constraint to form a

Constrained-UAQ. UAQsafe rc : k pc : t refers to theconstrained-UAQ problem related to finding the role set Rsatthat satisfies not only the safe match requirement of Core-UAQ,

but also the constraints rcRsat,k and pcRsat,t. Note that not

all the permission-cardinality constraints can be combined

with the three cases of Core-UAQ. For example, the exact match

UAQ problem needs to ensure that an exact set of requested

permissions is returned and hence the permission cardinality

constraint is not applicable. The permission-cardinality

constraint pcRsat,Op where Op2ft; 0g cannot be combinedwith the safe matchUAQproblem, similarly, whenOp2ft;0g,the permission-cardinality constraint pcRsat,Op cannot be

combined with the available match UAQ problem.

It should also be noted that theremay be conflicts between

the permission-cardinality constraint and the role-cardinality

constraint. For example, in an RBAC system, suppose that

R {r1,r2,r3}, P {p1,p2,p3,p4}, Perm(r1) {p1,p2}, Perm(r2) {p2,p3},Perm(r3) {p4}, and let Preq {p2,p3,p4}. If we prioritize to satisfythe permission-cardinality constraint pcS,0, the solution is{r2,r3} as it includes no missing permission. But if we prioritize

to satisfy the role-cardinality constraint rcS,, the solutionis {r2}. This is because it has only one role and only onemissing

permission {p4}. Motivated by Mousavi et al. (Mousavi and

Tripunitara, 2012), we can address this problem by assigning

a priority to each of these three constraints: irreducibility,

role-cardinality and permission-cardinality, such as pri(i),

pri(r) and pri(p). For example, pri(i) < pri(r) < pri(p) indicates thatthe permission-cardinality constraint prioritizes over the

others, and the irreducibility constraint has the lowestpriority. As mentioned earlier, note that the optimization

objective for the number of permissions can be regarded as a

security issue, and that for the number of roles can be regar-

ded as an issue related to the optimal management for an

RBAC system. In this paper, we assume that the security issue

is usuallymore critical than the efficiency inmanagement and

thus we simply assign highest priority to the permission-

cardinality constraints, the second-highest to the role-

cardinality constraint, and the lowest to the irreducibility

constraint.3. The complexity of the User AuthorizationQuery problem

In this section, we present the computational complexity

analysis of various cases of the Constrained-UAQ problem.

Firstly, we present the complexity analysis of the exact match

UAQ problem and its subcases with constraints.

Theorem 1. The computational complexities of different con-

strained subcases of the exact match UAQ problems are as shown in

Table 1.In Table 1, we show the computational complexity of exact

match UAQ problem in combination with the role-cardinality

and the irreducibility constraints. The proof for Theorem 1 is

in Appendix A, it consists of three parts. First, we show that

UAQexactrc:k, UAQexactrc:irr and UAQexactrc:are NP-hard by proving Lemmas 1, 2 and 3. Second, we show

that UAQexactrc:kirr is in NP by proving Lemma 4. Finally,we show that UAQexactirr andUAQexactrc: are in P byproving Lemmas 5 and 6. Other results in Table 1 can be

implied from the proved cases.

Secondly, we present the complexity analysis of the safe

match UAQ problem and its subcases. Note that the

complexity of UAQsafeirrpc:Op is determined by UAQsafeirr and UAQsafepc:Op. In other words, the irreduc-ibility constraint and permission-cardinality constraints do

not affect each other. Hence, we only combine the role-

cardinality constraint with the irreducibility constraint or

permission-cardinality constraint, as shown in Table 2.

Theorem 2. The computational complexities of different con-

strained subcases of the safe match UAQ problems are as shown in

Table 2.

The proof for Theorem 2 is in Appendix B, it is done in four

parts. First, we show that UAQsafepc:t, UAQsaferc:kirr,UAQsaferc:pc:0, UAQsaferc:irr and UAQsafe-rc:pc:0 areNP-hard byproving Lemmas7, 8, 9, 10 and11.Second, we show that UAQsafepc:t, UAQsaferc:kirr and


Table 2 e Computational complexities of different subcases of the safe match UAQ problem.

Safe Match None Role-cardinality

Or k Or Or None P P P P

Irreducibility NP-complete NP-hard

Permission-cardinality Op t NP-complete NPNP NP-hardOp 0 P NP-complete P

c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0120UAQsaferc:kpc:0 are in NP by proving Lemmas 12, 13 and14. Third, we show that UAQsaferc:kpc:t is in NPNP byproving Lemma 15. Finally, we show that UAQsaferc:k, UAQsaferc:pc:0, andUAQsaferc:irrare inPbyprovingLemma 16. Other results in Table 2 can be implied from the

proved cases. Available Match UAQ and Constrained Subcases.

Thirdly, we present the complexity analysis of the avail-

able match UAQ problem and its subcases.

Theorem 3. The computational complexities of constrained sub-

cases of the available match UAQ problems are as shown in Table 3.

The proof of Theorem 3 is given in Appendix 3, it consists of

four parts. First of all, we show that UAQavailablerc:k, UAQavailablepc:t, UAQavailablepc:0, UAQavaila-blerc:irr and UAQavailablerc: are NP-hard. Sec-ondly, we show that UAQavailablepc:t and UAQavailablerc:k are in NP. Thirdly, we show that UAQavailablerc:kpc:t is in NPNP. Finally, we show that UAQavailableirr andUAQavailablerc: are in P. Other resultsin Table 3 can be implied from the proved cases.4. An approach for the User AuthorizationQuery problem

The fact that UAQ is intractable, as shown in Section 3, means

that there exist difficult problem instances that take expo-

nential time in the worst case. However, many instances that

will be encountered in practice may still be efficiently solv-

able. For example, UAQavailablepc:0 is NP-hard as shownby Lemma 19. Wickramaarachchi et al. (Wickramaarachchi

et al., 2009) provided a general definition of UAQ, which in-

cludes the intractable subcase UAQavailablepc:0. We nowrevisit the definition of the UAQ problem used in

(Wickramaarachchi et al., 2009).

Definition 4. Given R, P, and the requested permission information

(Pl,Pu,obj), where Pl; Pu4P, obj2fmax;ming, find a role set S4Rsuch that the following conditions hold:

Pl4PermS4Pu and jPermSj is maximized if obj max(denoted as max-UAQ problem).Table 3 e Computational complexities of different subcases of

Available Match None

None P

Irreducibility

Permission-cardinality Op t NP-completeOp 0 NP-hard Pl4PermS4Pu and jPermSj is minimized if obj min(denoted as min-UAQ problem).

In Corollary 1, we show that the max-UAQ problem can be

answered in polynomial time, and corollary 2 shows that the

min-UAQ problem is intractable (NP-hard). This is because UAQ

safepc:0 is in P and UAQavailablepc:0 is NP-hard, asshown in Section 3. Obviously, our definition for the UAQ prob-

lem covers the max-UAQ problem and the min-UAQ problem.

Corollary 1. The max-UAQ problem and UAQsafepc:0 arepolynomial time Turing equivalent.

Proof. Let (Preq,R,0) be an instance of UAQsafepc:0 and

(Pl,Pu,R',max) be an instance of the max-UAQ problem.We firstshow that there is a polynomial time Turing reduction from

the max-UAQ problem to UAQsafepc:0. Let PreqPu andR R', then to answer the instance (Pl,Pu,R',max) of max-UAQproblem, we only need to answer the instance (Preq,R,0

) ofUAQsafepc:0, and determine whether PermRsatJPl.

Similarly, we now show that there is a polynomial time

Turing reduction from UAQsafepc:0 to the max-UAQproblem. Let Pu Preq and R' R, then to answer the instance(Preq,R,0

) of UAQsafepc:0, we only need to answer theinstance (Pl,Pu,R,max) of max-UAQ problem.

Corollary 2. The min-UAQ problem and UAQavailablepc:0 arepolynomial time Turing equivalent.

Proof. The proof is similar to that for Corollary 1. Let (Pre-

q,R,0) be an instance of UAQsafepc:0 and (Pl,Pu,R',min) be

an instance of themax-UAQproblem.We first show that there

exists a polynomial time Turing reduction from the min-UAQ

problem to UAQavailablepc:0. Let Preq Pl andR fr2R' : Permr4Pug, then to answer the instance(Pl,Pu,R',min) of max-UAQ problem,we only need to answer theinstance (Preq,R,0

) of UAQsafepc:0, and then determinewhether PermRsatJPl.

Similarly, we now show that there exists a polynomial time

Turing reduction from UAQavailablepc:0 to the min-UAQproblem. Let Pl Preq and R' R, then to answer the instance(Preq,R,0

) of UAQavailablepc:0(R',Preq), we only need toanswer the instance (Pl,Pu,R,min) of min-UAQ problem.the available match UAQ problem.

Role-cardinality

Or k Or Or NP-complete P NP-hard

NP-hard

NPNP NP-hard


c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0 121In the rest of this section, we first describe an efficient

approach for the subcase UAQavailablepc:0; the proposedsolution incorporates static pruning, preprocessing and the

depth-first search based algorithm. Next, we make a compar-

ison of our approach with Wickramaarachchis, the result of

running the experiments shows the effective of our approach.

Finally, we show that our approach can be efficiently modified

to handle the other subcases of the UAQ problems.4.1. An approach for a subcase of the UAQ problem

In this section, we propose an approach for the subcase UAQ

availablepc:0. To address the efficiency issue we employvarious techniques as follows:

We employ a static pruning technique that aims atreducing the number of permissions that are provided to a

user requesting Preq in UAQavailablepc:0. We employ a preprocessing technique that aims atreducing the number of available roles R that need to be

taken into account.

We propose a depth-first search based algorithm to solveUAQavailablepc:0.

Static Pruning Step: Given R, P, Preq4P, a key goal of the

proposed approach is to first reduce the number of permis-

sions that are provided to a user requesting Preq in UAQ

availablepc:0. To address this, we can construct a newinstance of UAQavailablepc:0 in polynomial time, byreplacing R and Preq with R

' and P'req, where

R' {r2R : Permr?Preq} and P'req fp2Preq : p2PermR'g. Wecan compute a role set R'sat4R

' where PermR'satJP'req andPermR'sat

is minimized to obtain an answer to UAQ

availablepc:0. Such a reduction is characterized in thefollowing theorem.

Theorem 4. Given R, P and Preq4P, Rsat is an answer to the

instance (Preq,R,0) of UAQavailablepc:0 if and only if R'sat is an

answer to the instance P'req;R;0 of UAQavailablepc:0, whereR'sat{r2Rsat : Perm r ?Preq} and P'reqfp2PermRsat : p;Preqg.

Proof. For the only if part: Let Rsat be an answer to the

instance (Preq,R,0) of UAQavailablepc:0. This means

Rsat4R, PermRsatJPreq and jPermRsatj is minimized. Suppose,for the sake of contradiction, that R'sat is not an answer to the

instance P'req;R; 0 of UAQavailablepc:0. LetQ fr2Rsat : Permr4Preqg be an available of Preq=P'req. SinceR'sat only adds elements from P

'req, R

'satQ is not an available

match of Preq=P'reqP'req. In other words, Rsat is not an availablematch of Preq, which contradicts the assumption. Therefore,

R'sat is not an answer to the instance P'req;R; 0 of UAQavailablepc:0.

For the if part: Let R'sat be an answer to the instance

P'req;R;0 of UAQavailablepc:0; it means R'sat4R,PermR'satJP'req and

PermR'sat

is minimized. Let

R' fr2Rsat : Permr4Preqg and P'fp2PermRsat : p2Preqg. Itis easy to see that Rsat=R'sat is an answer to the instance (P',R',0

)of UAQexact, hence Rsat=R'satR'sat is an answer to the instanceP'reqP';R;0 of UAQavailablepc:0. In other words, Rsat isan answer to the instance (Preq,R,0

) of UAQavailablepc:0.Preprocessing Step: This step involves removing roles in R

that do not have at least one permission in Preq. Note that there

may not be an answer to the instance (Preq,R,0) of UAQ

availablepc:0 if and only if Preq?PermR. The next theo-rem captures this process of removing such roles.

Theorem 5. Given R, P, Preq4P, Rsat is an answer to the instance

(Preq,R,0) of UAQavailablepc:0 if and only if Rsat is an answer

to the instance (Preq,S,0) of UAQavailablepc:0, where

Sfr2R : PermrPreqsg.Proof. For the only if part: let Rsat be an answer to the

instance (Preq,R,0) of UAQavailablepc:0; hence, we have

Rsat4R, PermRsatJPreq and jPermRsatj is minimized. In orderto obtain a contradiction, suppose that Rsat is not an answer to

the instance (Preq,S,0) of UAQavailablepc:0, which means

there must exist an answer Rsat such that Rsat?S,

Perm Rsat SPreq or jPermRsatj is not minimized. SupposeRsat?S, there must be a role r2Rsatr;S. r;S indicates thatPermrPreq . Hence, Rsat is not an answer to (Preq,R,0),which contradicts the initial assumption. Similarly, either

Perm Rsat SPreq or jPermRsatj is not minimized, Rsat is not anavailable match solution to (Preq,R,0

) either. Therefore, Rsat isan answer to the instance (Preq,S,0

) of UAQavailablepc:0.For the if part: if Rsat is an answer to the instance (Pre-

q,S,0) of UAQavailablepc:0, which means Rsat4S,

PermRsatJPreq and jPermRsatj is minimized, because S4R, itis easy to see that Rsat is an answer to the instance (Preq,S,0

) ofUAQavailablepc:0.

A Depth-First Search Algorithm: We present a Depth-First

Search (DFS) algorithm (as shown in Fig. 1) to solve UAQ

availablepc:0. The notations used in this algorithm arelisted in Table 4. In order to improve the performance of the

search, this algorithm first removes the permissions covered

by Rexact from Preq based on Theorem 4, and then, after static

pruning, removes the roles which do not have at least one

permission in Preq based on Theorem 5. This algorithm

dynamically prunes the search space and hence improves the

efficiency of the search process. The current solution Ravail is

always updated to amore optimumsolutionwhich covers less

extra permissions than requested. In particular, it continues

to search for a better solution by removing the currently

selected role based on depth-first search. Finally, the union of

Rexact and Rsat is the answer to the instance (Prem, R) of UAQ

availablepc:0.

4.2. A comparison of our approach toWickramaarachchi's

We have implemented the approach described in Section 4.1,

and performed several experiments using randomly gener-

ated instances. We make a comparison of our DFS algorithm

with the Backtracking-Based Search (BBS) algorithm proposed

by Wickramaarachchi et al. (Wickramaarachchi et al., 2009).

Our goals are to understand the effectiveness of the static

pruning and the preprocessing techniques, and to understand

how well our DFS algorithm scales with different parameters.

The implementation of our algorithm was written in C. All

the experiments have been carried out on a standard desktop

PCwith a Pentium(R) Dual-Core CPU E5700 running at 3.0 GHz,


Fig. 1 e The Depth-First Search (DFS) algorithm for UAQavailablepc:0.

c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0122and with DDR3 2 GB 1067 MHz, running Microsoft Windows 7

Ultimate Editions. For each instance, 10 randomly generated

test cases are run, the maximum and minimum values are

removed and the averages of the test results are used to

generate the graphs. Table 5 gives the experimental settings

for the RBAC states, such as the different ratios between roles,

permissions and requested permissions. In order to imple-

ment the static pruning and the preprocessing techniques, we

first set R:P 1:5, and generated random test cases forTable 4 e Notations used in the depth-first searchalgorithm.

Notation Description

Preq Set of all permissions requested by the user.

Ract Set of roles which can be activated by the user.

Pextra Set of extra permissions beyond Preq.

Prem Set of permissions that have not been covered by

the selected roles.

Rsat Set of roles which can satisfy UAQ

availablepc:0.Ravail Set of roles which can satisfy UAQavailable.

Rexact Set of roles which covers no extra permissions

than Preq in UAQavailable.

Table 5 e Experimental settings indicating number ofpermissions and number of requested permissions foreach role.

Experimental settings R P Preq

Static pruning & preprocessing 1 5 [0.5, 4.5]

1 [2,10] 1

DFS Algorithm & BBS Algorithm 1 2 1

1 10 1

1 2 0.5different ratios of requested permissions to permissions from

1:0.5 to 1:4.5. Secondly, we set R:Preq 1:1, and increase theratio of permissions to roles from 2:1 to 10:1. In order to

compare our DFS algorithm to the Backtracking-Based Search

(BBS) Algorithm from (Wickramaarachchi et al., 2009), we

generated random test cases with a varying number of per-

missions requested. In these experiments, the ratios of roles

to permissions are 1:2 and 1:10, and the ratios of permissions

requested to roles are 1:1 and 1:2. Thus, there exist four test

cases: (a) Preq:R:P 1:1:2; (b) Preq:R:P 1:1:10; (c) Preq:R:P 1:2:4(d) Preq:R:P 1:2:20.

4.2.1. Effectiveness of static pruningFig. 2 shows the result of running the experiments for static

pruning. As shown in Fig. 2(a), with the increase in the ratio of

requested permissions to permissions, the static pruning be-

comes more effective; it can reduce about 44% requested

permissions when the ratio of requested permissions to per-

missions is 0.9:1. And in Fig. 2(b), we observe that the static

pruning is more effective when the ratio of the number of

permissions to that of roles is small, such as P:R 2:1. How-ever, as the ratio of permissions to roles increases, the effec-

tiveness of the static pruning process decreases. Therefore,

static pruning is more effective when the ratio of requested

permissions to permissions is very large and the ratio of per-

missions to roles is small.

4.2.2. Effectiveness of preprocessingFig. 3 shows the result of running the experiments for the

preprocessing phase. In Fig. 3(a), the preprocessing method

performs quite well for smaller ratios of requested permis-

sions to permissions. As the ratio of requested permissions to

permissions increases, the ratio of roles that can be reduced

decreases. However, by first doing static pruning, the pre-

processing phase performs quite well, even for a larger ratio of


Fig. 2 e Effectiveness of the static pruning for different ratios of requested permissions to permissions and different ratios of

permissions to roles.

c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0 123requested permissions to permissions. When the ratio of

requested permissions to permissions is small, such as

Preq:P 0.1:1, we can remove more roles that do not have atleast one permission in Preq from R. As the ratio increases,

static pruning becomes more effective, we can remove more

roles from R by preprocessing together with static pruning. In

fact, when Preq:P 0.9:1, we can remove only 1.24% roles fromR only by preprocessing, but the result is 9.67% in the same

case by employing both static pruning and preprocessing. This

is the reason why we employ preprocessing after static

pruning. Similarly, as shown in Fig. 3(b), For the test caseswith

P:R 2:1, the result is only 21.13% by employing preprocessingonly, but it can reduce about 45.03% roles in the same case

when employing both static pruning and preprocessing. As

the ratio of permissions to roles increases, the static pruning

becomes less effective, and the overall effectiveness of the

preprocessing decreases.

4.2.3. Comparison of DFS algorithm with BBS algorithmFig. 4 shows the results of running the experiments for the

four test cases: (a)Preq:R:P 1:1:2; (b)Preq:R:P 1:1:10; (c)Preq:R:P 1:2:4; (d)Preq:R:P 1:2:20. The runtimes of these twoalgorithms depend on the total number of requestedFig. 3 e Effectiveness of preprocessing for different ratios of req

permissions to roles.permissions Preq, available roles R and available permissions P.

In Fig. 4, both of these two algorithms produce comparable

results when the number of permissions requested is small.

However, as the number of permissions requested increases,

the overall CPU time taken increases exponentially, this

makes the BBS algorithm impractical for implementation in

dynamic systems. However, DFS algorithm takes a few sec-

onds, even for a larger number of roles, permissions and

permissions requested. The reason is that the number of

requested permission can be reduced by the static pruning

technique, relatively few requested permissions need to be

considered, doing this can greatly decrease the runtime of the

DFS algorithm. It is worth noting that the DFS algorithm turns

out to bemore effective when the ratio of permissions to roles

is small such as P:R 2:1 in Fig. 4(a) and (c). This is becausestatic pruning is more effective when the ratio of the number

of permissions to that of roles is small, and thus the DFS al-

gorithm scales well as the number of requested permission

Preq increases. However, as the ratio of permissions to roles

increases, such as P:R 10:1 in Fig. 4(b) and (d), the DFS al-gorithm stops scaling as Preq becomes large. For example, the

DFS algorithm takes only 2.3535 s for Preq 25, but 12.3196 s forPreq 27 in Fig. 4(b). A major reason is that the effectiveness ofuested permissions to permissions and different ratio of


Fig. 4 e Running time for Depth-First Search (DFS) algorithm and Backtracking-Based Search (BBS) algorithm.

c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0124the static pruning process will decrease as the ratio of per-

missions to roles increases. We point out also that the DFS

algorithm is more effective than the BBS algorithm, even

thought the ratio of permissions to roles is large. For example,

for Preq 25 in Fig. 4 (d), the DFS algorithm takes only 14.4673 s,but the BBS algorithm takes 48.1962 s. Consequently, even

though the number of permissions in a large-scale RBAC

system may be huge, the DFS algorithm with static pruning

and preprocessing will be able to handle many queries if the

number of requested permissions is not too large.

4.3. Handling the other subcases of the UAQ problems

The approach described in the previous subsection addresses

a subcase UAQavailablepc:0. An important observation isthat the DFS algorithm can be efficiently modified to handle

the other subcases of the UAQ problems. Techniques ranging

from greedy algorithms to SAT solvers have been used to

tackle the UAQ problem. However, it is very hard to modify

existing algorithms to handle different UAQ problems just

with little modification.

4.3.1. Handling the other subcases of the UAQ problem withpermission-cardinality constraintsTable 6 summarizes the differences among the components

used for the three different phases for the various subcases of

the UAQproblemwith permission-cardinality constraints.We

can see that the major differences occur with regards to theDFS algorithm part. To address UAQavailablepc:t, the DFSalgorithm needs to check the current solution Ravail whether

jPermRavailj Preq

t; if the answer is yes, it will return

RavailRexact as the solution to UAQavailablepc:t and doesnot always update to a more optimum solution. Otherwise,

the DFS algorithm continues to search for a better solution by

removing the currently selected role. And the DFS algorithm

searches for the minimal value of jPermRsatj for UAQsafe-pc:0, but for UAQsafepc:t, the continuing search will bestopped if jPermRsatj

Preq

t. Note that static pruning may

not be available for UAQsafepc:0 and UAQsafepc:t. Wecan remove every role r in R such that Perm r ?Preq frompreprocessing.

4.3.2. Handling the various subcases of the UAQ problemwith role-cardinality constraintsIt is obvious that the UAQ problem with both permission-

cardinality and role-cardinality constraints can be simplified

into two problems: one with the permission-cardinality

constraint only, and the other with role-cardinality con-

straints only. This is becausewe can assign higher priorities to

the permission-cardinality constraints. For example, taking

(Preq,R,0,) as an instance of UAQavailablepc:0rc:,

we can split it into two problems: UAQavailablepc:0 andUAQexactrc:, where (Preq,R,0) is the instance of UAQavailablepc:0. For UAQavailablepc:0rc:, we can firstsearch a solution Rsat using the proposed approach and then

make (Perm(Rsat),R,) an instance of UAQexactrc:. DFS


Table 6 e Key differences among the static pruning, preprocessing and DFS algorithm for various UAQ problem subcaseswith permission-cardinality constraints.

Op Static pruning Preprocessing DFS algorithm

0 cr2R : Permr4PremPreqPreqyPerm(r)

cr2R : PermrPreq RRy{r}

jPermRsatj is maximized

t cr2R : Permr4PremPreqPreqyPerm(r)

cr2R : PermrPreq RRy{r}

jPermRsatj Preq

t

0 unavailable cr2R : Perm r ?PreqRRy{r}

jPermRsatj is minimized

t unavailable cr2R : Perm r ?PreqRRy{r}

jPermRsatj Preq

t

c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0 125algorithm also can be used to solve the UAQ problem by

comparing the number of roles instead of the number of

permissions. It is worth noting that there may not exist a

unique solution for UAQavailablepc:0. It means that wehave to find all of the solutions and generate an instance of

UAQexactrc: for each solution of UAQavailablepc:0.After solving all the instances of UAQexactrc:, we canchoose the final solution to UAQavailablepc:0rc: fromthem. Obviously, the exhaustive search may increase the cost

of computing. A more efficient approach will be to revise the

DFS algorithm as follows: if the current solution is Rsol such

that PermRsolJPreq, we check not only whether Perm(Rsol) ismaximized but also whether jRsolj is minimized. Detailedanalysis of the performances for these two different algo-

rithms is beyond the scope of this paper.

4.3.3. Handling the various subcases of the UAQ problemwith irreducibility constraintsGiven Rsat4R, it is efficient to compute a subset R'sat4Rsat such

that R'sat is irreducible based on Lemma 2: for each role r2Rsat,

remove r from Rsat if PermRsat=frg PermRsat. Therefore, wealso can use the DFS algorithm for the UAQ problem without

irreducibility constraints to resolve the UAQ problem with

irreducibility constraints by computing a subset R'sat4Rsat such

that R'sat is irreducibility, and replacing Rsat with R'sat.5. Related work

In this section, we present the related work in the literature,

which is summarized in Table 7. We can see that the existingTable 7 e A summary of existing approaches related to the supresents a heuristic solution to address the subcase of the UAcomputational complexity of the indicated subcase; DMER (DSeparation-of-Duty) and other constraints indicated shows tha

Existing works

UAQexactrc:k UDu et al. (Du and Joshi, 2006) +

Chen et al. (Garey and Johnson, 1979)

Chen et al. (Chen and Crampton, 2009) + (irreducibility constrain

Zhang et al. (Zhang and Joshi, 2008) -

Wickramaarachchi et al. (Li et al., 2007) -

Armando et al. (Armando et al., 2012)

Mousavi et al. (Mousavi and Tripunitara, 2012) -

Lu et al. (Lu et al., 2012)approaches have paid more attention to designing approxi-

mate or exhaustive algorithms for the UAQ problem rather

than analyzing the computational complexity of the problem.

The concept of UAQwas first proposed by Du et al. (Du and

Joshi, 2006), where they call it as the inter-domain role map-

ping (IDRM) problem. The definition of the IDRMproblem from

Du et al. is basic and incomplete. There exist at least two

different reasons: first of all, there may not be a unique min-

imal set of roles, which is a better choice. A more important

issue is the fact that there may not be Rsat4R such that

Perm(Rsat) Preq. Chen et al. (Chen and Crampton, 2007) rede-fine the IDRM problem definition. In their definition, two as-

pects of the IDRM problem are ensured. The first one is that all

requested permissions should be available while the second

one is that the principle of least privilege should be observed.

Later on, they introduce theminimal cover problemwhich is a

generalization of the well-known set cover problem. They use

it to determine the complexity of the IDRMproblem (Chen and

Crampton, 2009). However, the IDRMproblemdefined by Chen

et al. is only a subcase of UAQ and it is equal to UAQ

availablepc:0. This is because they only consider the opti-mization of the number of permissions as a problem. In our

definition of UAQ, the permission-cardinality constraint can

be denoted as pcS,d, where S4R, d2ft; t;0;0g, they onlytake d 0 into consideration. And they also do not considerthe optimization of roles. Zhang et al. in (Zhang and Joshi,

2008) generalize the UAQ problem by dividing the problem

into three subcases: one where the exactly matched role set

exists; when this is impossible, availability or least privilege

concerns are used for the other two cases. Obviously, they

only consider the optimization of the number of roles for thebcases of the UAQ problem. - denotes that the workQ problem indicated; + denotes that the work reportsynamic Mutual Exclusive Role), DSoD (Dynamict the proposed approach considers these in the policy.

Some subcases of the UAQ problem

AQexactrc: UAQsafepc:0 UAQavailablepc:0-

- -

t)

(DMER and cardinality constraints)

(DMER and cardinality constraints)

- (multiple sessions and histories constraints)

(role-cardinality constraints)

-(DSoD constraints)


c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0126exactly matched case of UAQ, and they only consider the

optimization of the number of permissions as a problem for

availability and least privilege cases of UAQ. Wickramaar-

achchi et al. in (Wickramaarachchi et al., 2009) provide a more

general definition of UAQ problem where the number of per-

missions granted is restricted to both a lower bound and an

upper bound.

Previous definitions of UAQ that only consider the opti-

mization objective for permissions are less complete as the

number of roles is another important optimization objective.

To the best of our knowledge, the combination of the opti-

mization of the number of roles and the number of permis-

sions is first proposed by Mousavi et al. (Mousavi and

Tripunitara, 2012). However, they only consider the optimi-

zation objective for extra permissions, but omitted the

missing permissions for safe match UAQ. And they also did

not consider the k-cardinality optimization for both the roles

and permissions. Most of all, Mousavi et al. do not determine

the computational complexity of the UAQ problem. In this

paper, we give a formal definition of UAQ which is more

general than the work of Mousavi et al.

Inadequate attention has been given to computational

complexity analysis of theUAQproblem. Chen et al. (Chen and

Crampton, 2009) introduce the NP-hard minimal cover prob-

lem, and prove that the IDRM-safety problem is in P, and the

IDRM-availability problem is NP-hard based on the minimal

cover problem. To the best of our knowledge, we are the first to

determine the computational complexity of the UAQ problem

by considering the optimization objectives for both roles and

permissions. Most significantly, we study the computational

complexity of UAQ problems with associated irreducibility,

role-cardinality and permission-cardinality constraints, along

with the three subcases: exact match, safe match and available

match, shown that many instances are intractable.

Several researcheshaveproposed appropriate or exhaustive

algorithms to compute a solution for the UAQ problem. Zhang

et al. propose a two-step algorithm for the UAQ problem.

However, this algorithm has some false negatives, such as

falsely rejecting some legal success requests. For example, the

algorithm finds a role set in the first step, but it may violate the

DSoD or Cardinality Constraints in the second step. In fact,

there exists a set of roles that satisfies both of these two con-

straints, but cannot be found in the first step by this two-step

algorithm. Wickramaarachchi et al. introduce two approaches

to address theUAQproblem. In thefirst approach, they propose

a Backtracking-Based Search (BBS) algorithm which extended

the DavisePutnameLogemanneLoveland (DPLL) algorithm for

solving the CNF-SAT problem (Sinz, 2007). It does a back-

tracking based search where the search tree is traversed

recursively. However, the algorithm is exponential-time in

design, thus it does not seem to scale to larger RBAC policies, as

pointed out byArmando et al. (Armando et al., 2012). In order to

overcome this problem and extend the types of authorization

constraints that can accommodate multiple sessions and his-

tories, they describe a SAT-based technique to solve the UAQ

problem. Guneshi et al. also propose another approach that

reduces the UAQ problem to the MAXSAT problem and use

optimizedoff-the-shelf SATsolvers suchaszChaff.However, as

pointed out by Mousavi et al. (Mousavi and Tripunitara, 2012),

the second approach is unsound, inefficient and offers onlylimited support for the joint optimizationof thenumberof roles

and extra permissions.

As shown above, existing algorithms focus on finding a set

of roles to activate a set of permissions that is as close as

possible to the set of those permissions requested by a user.

Sometimes, however, such a solution may not exist, this is

because missing any requested permissions may cause the

failure of this task while any extra permissions may bring the

intolerable risk to the system. Towards addressing this prob-

lem, it is necessary to change the system configuration. Hu

et al. (Hu et al., 2010a, 2010b) refer to the updating of user-role,

roleerole and role-permission assignments as role updating.

However, as pointed out by Lu et al. (Lu et al., 2014), role

updating should only include the updating of roleerole and role-

permission assignments. In their work, they define the Role

Updating Feasibility Problem (RUFP), which determines

whether there exists a valid role-permission assignment, i.e.,

whether it can satisfy all the requirements of the role updat-

ing and without violating any role-capacity or permission-

capacity constraint. They also study the computational

complexity of RUFP in different subcases, and show that

although several subcases are solvable in linear time, this

problem is NP-complete in the general case.6. Conclusion and future work

In this paper, we have given a more comprehensive definition

of the UAQ problem in RBAC, considering the optimization of

number of roles as well as number of permissions. We have

defined the Core-UAQ problem and the Constrained-UAQ

problem by introducing the irreducibility, role-cardinality,

permission-cardinality constraints to Core-UAQ. It is worth

noting that the definition of UAQ problem can be easily

extended to support the RBAC systems with hybrid hierarchy

types: I-hierarchy, A-hierarchy and IA-hierarchy (Joshi et al.,

2008). This is because we can use the decomposition of a

hybrid hierarchy into the monotype components, namely, I-

Decomposition and A-Decomposition, as proposed in (Zhang

and Joshi, 2008), and encoding all the authorized relation-

ships based on user-role and permission-role assignments

and the role hierarchy. Furthermore, we have presented the

computational complexity analysis of various subcases of the

Constrained-UAQ. We have shown that most instances of

UAQ problem are intractable. We have also proposed a depth-

first search based approach that employs static pruning and

preprocessing techniques to solve an instance of UAQ, and

have shown how it can be modified to handle the other sub-

cases. This algorithm dynamically prunes the search space

and hence improves the efficiency of the search process.

Open problems. First of all, the set of roles selected by the

DFS algorithm may not satisfy the security constraints in the

system, and then the system will deny the user's request. It ismeaningful to study the computational complexity of the UAQ

problem by including other security constraints (e.g., separa-

tion of duty, cardinality constraints). Since security con-

straints affect the complexity of the UAQ problem, that is, the

UAQ problem with other security constraints is at least as

hard as itself, because any solution for the former problem is

also a solution for the later one.


c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0 127Secondly, it is necessary to consider the impact of

different permissions, because it may not make any sense if

we just consider the number of extra permissions. For

example, a role set with a critical extra permission may not

be more optimized than a role set with two trivial extra

permissions.

Thirdly, with the limitation of space, we simply assign the

permission-cardinality constraints with higher priority in this

paper. It is useful to address the combination of the

permission-cardinality and role-cardinality constraints that

can conflict with each other. In particular, it will be useful to

address this problem by assigning a priority to the two con-

straints (Mousavi and Tripunitara, 2012).

Finally, some cases of the UAQ problems have been

reduced to SAT that benefit from SAT solvers to reduce the

running time. However, it is not easy to reduce an SAT solver

for one UAQ problem to handle the other UAQ problem.

Hence, it is very important to design a universal SAT solver

such that it can easily handle different subcases of the UAQ

problems.

Acknowledgments

This work is supported by National Natural Science Founda-

tion of China under Grant 61402418, 61170108, MOE (Ministry

of Education in China) Project of Humanity and Social Science

under Grant 12YJCZH142, Zhejiang Provincial Natural Science

Foundation of China under Grant LQ12F02005, LY13F020017,

LQ13F020007, Opening Fund of Key Discipline of Computer

Software and Theory of Zhejiang Province at ZJNU under

Grant ZSDZZZZXK23.

Appendix A. Proofs for Theorem 1.

Lemma 1. UAQexact rc : k is NP-hard.Proof. We show that UAQexactrc:k is NP-hard by

reducing the NP-complete set cover decision problem (Garey

and Johnson, 1979) to it. In the set cover decision problem,

the input is a finite set S, a family F {S1,,Sl} of subsets of S,and a budget B. The goal is to determinewhether there exists B

sets in F whose union is S. Let (S,F,B) be an instance of the set

cover decision problem, we transform it into an instance

(Preq,R,k) of UAQexactrc:k in the followingway as follows: letPreq S, R F and k B, then k members of R have all thepermissions in Preq if and only if B members of F cover S.

Lemma 2. UAQexact rc : irr is NP-hard.Proof. We first show that UAQexactrc:irr is at least

as hard as UAQexactrc:kirr: by reducing UAQexactrc:kirr to UAQexactrc:irr. The only differenceis that we query the oracle and return yes for UAQ

exactrc:kirr if the cardinality of the role set Rsat returned bythe oracle is more than or equal to k.

We then show that UAQexactrc:kirr is polynomial timeTuring equivalent to the NP-hard problem UAQexactrc:k.Clearly, any solution for UAQexactrc:kirr is a solution forUAQexactrc:k, this is because UAQexactrc:kirr is a spe-cial case of UAQexactrc:k. Next, we show a polynomial timeTuring reduction from UAQexactrc:k to UAQexactrc:kirr. Suppose there exists an oracle for UAQexactrc:k, we query the oracle to obtain a solution S for UAQexactrc:k. We can compute an irreducible set S of S as asolution to UAQexactrc:kirr as follows. For each role r2S,remove r from S if Perm(S/{r})Perm(S). Hence, UAQexactrc:kirr is NP-hard, and therefore UAQexactrc:irr is also NP-hard.

Lemma 3. UAQexact rc : is NP-hard.Proof. We show UAQexactrc: is NP-hard by reducing

the NP-hard set cover optimization problem (Chen and

Crampton, 2009) to it. In the set cover optimization problem,

the inputs are a finite set S, a family F{S1,,Sl} of subsets of S.The goal is to find the smallest sets in F whose union is S. The

reduction is as follows. Given F and S, we construct a role set R

and a requested permission set Preq, and then set R F andPreq S. Clearly, a solution Rsat to the set cover optimizationproblem provides a solution to UAQexactrc:.

Lemma 4. UAQexact rc : k irr is in NP.Proof. We can see that UAQexactrc:k is in NP, because if

one correctly guess a subset Rsat of R as a solution to UAQ

exactrc:kirr, verifying whether Rsat is an exact match ofPreq such that jRsatj k, which can be done in polynomialtime. There exists an efficient algorithm for checking

whether Rsat is an irreducible set as follows. For each role

r2Rsat, remove r from Rsat if Perm(Rsat/{r}) Perm(Rsat). If norole can be removed from Rsat without changing Perm(Rsat),

then Rsat is an irreducible set. This can be done in polynomial

time with the time complexity of O(jRsatj), where jRsatj is thenumber of roles in Rsat.

Lemma 5. UAQexact irr is in P.Proof. Firstly, an answer to UAQexact can be computed as

follows. Given R, P and Preq4P, for each r2RYPermr4 Preq,add r to Rsat so that Rsat Rsatfrg, and then determinewhether Perm(Rsat) Preq. This can be done in polynomial timewith the time complexity of O(NR), where NR is the number of

roles in R. Hence, UAQexact is in P.

Secondly, we show that there exists a polynomial time

Turing reduction from UAQexactirr to UAQexact. Let Rsatbe a solution to UAQexact, for each role r2Rsat, remove r from

Rsat if Perm(Rsat/{r}) Perm(Rsat). This can be done in polynomialtime with the time complexity of O(N), where N is the number

of roles in Rsat. Hence, UAQexactirr is also in P.

Lemma 6. UAQexact rc : is in P.Proof. Given R, P and Preq4P, we first give an algorithm to

compute a solution Rsat to UAQexactrc: as follows. Wefirst assume that Rsat , for each r2RYPermr4 Preq, letRsat Rsatfrg, and finally determine whether Perm(Rsat) Preq.This can be done in polynomial time with the time

complexity of O(N), where N is the number of roles in R. We

then show that for any other exact match R'sat of Preq,R'sat

jRsatj. Suppose, for the sake of contradiction, that

jRsatj k. This can be done in polynomial time withthe time complexity of O(NR), where NR is the number of roles

in R. Hence, UAQsaferc:k is in P.Secondly, one algorithm for UAQsaferc:pc:0 is as

follows. For each role r2R, Permr4 Preq, add r to Rsat. Then Rsatis a solution to UAQsaferc:pc:0 and this algorithm hasthe complexity of O(N), where N is the number of roles in R.

Hence, UAQsaferc:, UAQsafepc:0 and UAQsafe-rc:pc:0 are in P.

Finally, it is obvious that any single role r2R such

that Permr4 Preq is a solution to both UAQsafeirr and UAQsaferc:irr.Appendix C. Proofs for Theorem 3.

Lemma 17. UAQavailable rc : k is NP-hard.Proof.We show a polynomial time transformation from the

NP-hard problem UAQexactrc:k to a special case of UAQavailablerc:k. Let (Preq, R, k) be an instance of UAQexactrc:k, which determines whether there exists a role setRsat4R such that Perm(Rsat) Preq and jRsatj k. We transform itinto an instance P'req; R'; k' of a special case of UAQavaila-blerc:k where we let P'req PermR, R' R and k' k. We nowshow that there exists a solution R'sat to UAQavailablerc:k ifand only if there exists a solution Rsat which is a solution to

UAQexactrc:k.For the only if part: if there exists a role set R'sat which is a

solution to UAQavailablerc:k, then PermR'satJPreq andR'sat

k'. Let RsatR'sat, then jRsatj k'k, and

Perm(Rsat) PermR'sat P'req PermR, thus Rsat is a solutionto UAQexactrc:k.

For the if part: suppose there exists a role set Rsat that is a

solution to UAQexactrc:k, such that Perm(Rsat) Perm(R) andjRsatj k. Let R'sat Rsat, because

R'sat

k k' and

PermR'sat PermRJP'req, R'sat is a solution to UAQavailablerc:k.

Lemma 18. UAQavailable pc : t is NP-hard.Proof. We now show that UAQavailablepc:t is NP-hard

by reducing the NP-complete container decision problem

(Chen and Crampton, 2009) to it. In the container decisionproblem, the inputs are a finite set X, a family C{C1,,Cl} ofsubsets of X, V4X, and an integer k; the goal is to determine

whether there exists a container T of V such that

jTj jVj k, where the container T denotes the union of allelements in V. Let (Preq,R,Rsat,t) be an instance of UAQ

availablepc:t, we transform it into an instance (X,C,V,k) ofthe container decision problem as follows: let Preq X, R C,Rsat V and t k. We query an oracle to obtain a solutionRsat of Preq such that jPermQj

Preq

t; then we simply

compute r2Rsat

Permr, which is a container T of V such thatjTj jVj k.

Lemma 19. UAQavailable pc : 0 is NP-hard.Proof. There exists a polynomial time Turing reduction

from the NP-hard problem UAQavailablepc:t to UAQavailablepc:0. We query an oracle and return yes for UAQavailablepc:t if the cardinality of the role set Rsat returnedby the oracle is less than or equal to t. Hence, UAQ

availablepc:0 is NP-hard.

Lemma 20. UAQavailable rc : irr is NP-hard.Proof. The result follows from the fact that UAQ

exactrc:irr is NP-hard, and UAQexactrc:irr is aspecial case of UAQavailablerc:irr, where we assumethat Preq Perm(R). It is easy to see that if there exists a role setRsat as an answer to UAQexactrc:irr, then Rsat must bealso an answer to UAQavailablerc:irr, and vice versa.

Lemma 21. UAQavailable rc : is NP-hard.Proof. The results follow from the fact that the associated

UAQavailablerc:k is NP-hard.

Lemma 22. UAQavailable pc : t is in NP.Proof. We show that UAQavailablepc:t is in NP. A

nondeterministic algorithm needs only guess a subset Rsat of

R, and then can check in polynomial time whether

Preq4PermRsat and jPermRsatj Preq

t.

Lemma 23. UAQavailable rc : k is in NP.Proof. It is easy to see that UAQavailablerc:k is in NP,

because a nondeterministic algorithm needs only guess a

subet Rsat of R and check whether PermRsatJPreq and jRsatj k,which can be done in polynomial time.

Lemma 24. UAQavailable rc : k pc : t is in NPNP.Proof. Suppose there exists an oracle for NP-complete

problem UAQavailablepc:t (Lemma 18 shows that UAQavailablepc:t is NP-hard, and Lemma 22 shows that UAQavailable pc:t is in NP). We construct a nondeterministicoracle Turing machine M that accepts the role set Rsat when

PermRsatJPreq and jPermRsatj Preq

t. M non-

deterministically selects k roles from R, and then queries the

oracle. If the oracle machine returns no, M rejects; other-

wise,M accepts, because it has found a set of roles Rsat, where

PermRsatJPreq, jPermRsatj Preq

t and jRsatj k. The con-

struction of M shows that UAQavailablerc:kpc:t is inNPNP.

Lemma 25. UAQavailable irr and UAQavailablerc: arein P.


c om p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6e1 3 0130Proof. One algorithm for UAQavailableirr is as follows.For each role r2R, remove r from R if Perm(R/{r}) Perm(R).Then the remaining roles in R is a solution to UAQavailable

and UAQavailableirr. It is easy to see that the role set R is asolution to UAQavailablerc:. Hence, UAQavailableirrand UAQavailablerc: are in P.r e f e r e n c e s

ANSI. American national standard for information technology-role based access control. 2004. ANSI INCITS 359-2004.

Armando A, Ranise S, Turkmen F, Crispo B. Efficient run-timesolving of RBAC user authorization queries: pushing theenvelope. In: Proc. ACM Conference on Data and ApplicationSecurity and Privacy, San Antonio, Texas, USA; 2012. p. 241e8.

Arora S, Barak B. Computational complexity: a modern approach.Cambridge University Press; 2009.

Chen L, Crampton J. Inter-domain role mapping and leastprivilege. In: Proc. 12th ACM Symposium on Access ControlModels and Technologies, Sophia Antipolis, France; 2007.p. 157e62.

Chen L, Crampton J. Set cover problems in role-based accesscontrol. In: Proc. 14th European Symposium on Research inComputer Security, Saint Malo, France; 2009. p. 689e704.

Crampton J, Huth M. An authorization framework resilient topolicy evaluation failures. In: Proc. 15th European Symposiumon Research in Computer Security, Athens, Greece; 2010.p. 472e87.

Du S, Joshi JBD. Supporting authorization query and inter-domainrole mapping in presence of hybrid role hierarchy. In: Proc.11th ACM Symposium on Access Control Models andTechnologies, Lake Tahoe, California, USA; 2006. p. 228e36.

Garey MR, Johnson DJ. Computers and intractability: a guide tothe theory of NP-completeness. San Francisco, CA: Freeman;1979.

Hu J, Zhang Y, Li R, Lu Z. Role updating for assignments. In: Proc.15th ACM Symposium on Access Control Models andTechnologies, Pittsburgh, Pennsylvania, USA; 2010. p. 89e98.

Hu J, Zhang Y, Li R. Towards automatic update of access controlpolicy. In: Proc. The 24th USENIX Large Installation SystemAdministration Conference, San Jose, CA, USA; 2010. p. 59e74.

Joshi JBD, Bertino E, Ghafoor A, Zhang Y. Formal foundations forhybrid hierarchies in GTRBAC. ACM Trans Inform Syst Secur2008;10(4):1e39.

Le X, Doll T, Barbosu M, Luque A, Wang D . An enhancement ofthe role-based access control model to facilitate informationaccess management in context of team collaboration andworkflow. J Biomed Inform 2012;45(6):1084e107.

Li N, Tripunitara M, Bizri Z. On mutually exclusive roles andseparation-of-duty. ACM Trans Inform Syst Secur2007;10(2):1e36.

Li R, Lu J, Lu Z, Ma X. Consistency checking of safety andavailability in access control. IEICE Trans Inform Syst2010;E93-D(3):491e502.

Lu J, Han J, Chen W, Hu J. Safety and availability checking for userauthorization queries in RBAC. Int J Comput Intell Syst2012;5(5):860e7.Lu J, Xu D, Jin L, Han J, Peng H. On the complexity of role updatingfeasibility problem in RBAC. Inf Process Lett2014;114(11):597e602.

Mousavi N, Tripunitara MV. Mitigating the intractability of theuser authorization query problem in role-based access control(RBAC). In: Proc. 6th International Conference on Network andSystem Security, Fujian, China; 2012. p. 516e29.

Pavlich-Mariscal JA, Demurjian SA, Michel LD. A framework ofcomposable access control features: preserving separation ofaccess control concerns from models to code. Comput Secur eCOMPSEC 2010;29(3):350e79.

Sinz C. Visualizing sat instances and runs of the DPLL algorithm.J Autom Reason 2007;39(2):219e43.

Sun Y, Wang Q, Li N, Bertino E, Atallah MJ. On the complexity ofauthorization in RBAC under qualification and securityconstraints. IEEE Trans Depend Secur Comput2011;8(6):883e97.

Wickramaarachchi TG, Wahbeh HQ, Li Ninghui. An efficientframework for user authorization queries in RBAC systems. In:Proc. 14th ACM Symposium on Access Control Models andTechnologies, Stresa, Italy; 2009. p. 23e32.

Zhang Y, Joshi JBD. UAQ: a framework for user authorizationquery processing in RBAC extended with hybrid hierarchy andconstraints. In: Proc. 13th ACM Symposium on Access ControlModels and Technologies, New York, NY, USA; 2008. p. 83e92.

Jianfeng Lu is an associate professor in the School ofMathematics-Physical and Information Engineering at ZhejiangNormal University. He received his B.S. degree in the School ofComputer Science and Technology at Wuhan University of Sci-ence and Technology in 2005, and the PhD degree in the School ofComputer Science and Technology at Huazhong University ofScience and Technology in 2010. His research interests includedistributed system security and access control.

James B.D. Joshi is an Associate Professor and the Director of theLaboratory for Education and Research on Security Assured In-formation Systems (LERSAIS) in the School of Information Sci-ences at the University of Pittsburgh. He received his MS inComputer Science and his PhD in Computer Engineering fromPurdue University in 1998 and 2003, respectively. His researchinterests include role-based access control, trust management,and secure interoperability. He is a member of the IEEE and theACM.

Lei Jin is currently working toward his PhD at the School of In-formation Sciences, University of Pittsburgh and is a member ofthe Laboratory of Education and Research on Security AssuredInformation Systems (LERSAIS). He received his MSE in SoftwareEngineering from Tsinghua University and his BS in ComputerSoftware from Tsinghua University in 2009 and 2006 respectively.His research interests include authentication, privacy and secu-rity in social computing and in mobile computing, usable privacyand security. He is a student member of the IEEE and the ACM.

Yiding Liu is currently a sophomore in the School of Mathematics-Physical and Information Engineering at Zhejiang Normal Uni-versity. His research interests include network security and opti-mization algorithm.

http://refhub.elsevier.com/S0167-4048(14)00149-7/sref1http://refhub.elsevier.com/S0167-4048(14)00149-7/sref1http://refhub.elsevier.com/S0167-4048(14)00149-7/sref2http://refhub.elsevier.com/S0167-4048(14)00149-7/sref2http://refhub.elsevier.com/S0167-4048(14)00149-7/sref2http://refhub.elsevier.com/S0167-4048(14)00149-7/sref2http://refhub.elsevier.com/S0167-4048(14)00149-7/sref2http://refhub.elsevier.com/S0167-4048(14)00149-7/sref3http://refhub.elsevier.com/S0167-4048(14)00149-7/sref3http://refhub.elsevier.com/S0167-4048(14)00149-7/sref4http://refhub.elsevier.com/S0167-4048(14)00149-7/sref4http://refhub.elsevier.com/S0167-4048(14)00149-7/sref4http://refhub.elsevier.com/S0167-4048(14)00149-7/sref4http://refhub.elsevier.com/S0167-4048(14)00149-7/sref4http://refhub.elsevier.com/S0167-4048(14)00149-7/sref5http://refhub.elsevier.com/S0167-4048(14)00149-7/sref5http://refhub.elsevier.com/S0167-4048(14)00149-7/sref5http://refhub.elsevier.com/S0167-4048(14)00149-7/sref5http://refhub.elsevier.com/S0167-4048(14)00149-7/sref6http://refhub.elsevier.com/S0167-4048(14)00149-7/sref6http://refhub.elsevier.com/S0167-4048(14)00149-7/sref6http://refhub.elsevier.com/S0167-4048(14)00149-7/sref6http://refhub.elsevier.com/S0167-4048(14)00149-7/sref6http://refhub.elsevier.com/S0167-4048(14)00149-7/sref7http://refhub.elsevier.com/S0167-4048(14)00149-7/sref7http://refhub.elsevier.com/S0167-4048(14)00149-7/sref7http://refhub.elsevier.com/S0167-4048(14)00149-7/sref7http://refhub.elsevier.com/S0167-4048(14)00149-7/sref7http://refhub.elsevier.com/S0167-4048(14)00149-7/sref8http://refhub.elsevier.com/S0167-4048(14)00149-7/sref8http://refhub.elsevier.com/S0167-4048(14)00149-7/sref8http://refhub.elsevier.com/S0167-4048(14)00149-7/sref9http://refhub.elsevier.com/S0167-4048(14)00149-7/sref9http://refhub.elsevier.com/S0167-4048(14)00149-7/sref9http://refhub.elsevier.com/S0167-4048(14)00149-7/sref9http://refhub.elsevier.com/S0167-4048(14)00149-7/sref10http://refhub.elsevier.com/S0167-4048(14)00149-7/sref10http://refhub.elsevier.com/S0167-4048(14)00149-7/sref10http://refhub.elsevier.com/S0167-4048(14)00149-7/sref10http://refhub.elsevier.com/S0167-4048(14)00149-7/sref11http://refhub.elsevier.com/S0167-4048(14)00149-7/sref11http://refhub.elsevier.com/S0167-4048(14)00149-7/sref11http://refhub.elsevier.com/S0167-4048(14)00149-7/sref11http://refhub.elsevier.com/S0167-4048(14)00149-7/sref12http://refhub.elsevier.com/S0167-4048(14)00149-7/sref12http://refhub.elsevier.com/S0167-4048(14)00149-7/sref12http://refhub.elsevier.com/S0167-4048(14)00149-7/sref12http://refhub.elsevier.com/S0167-4048(14)00149-7/sref12http://refhub.elsevier.com/S0167-4048(14)00149-7/sref13http://refhub.elsevier.com/S0167-4048(14)00149-7/sref13http://refhub.elsevier.com/S0167-4048(14)00149-7/sref13http://refhub.elsevier.com/S0167-4048(14)00149-7/sref13http://refhub.elsevier.com/S0167-4048(14)00149-7/sref14http://refhub.elsevier.com/S0167-4048(14)00149-7/sref14http://refhub.elsevier.com/S0167-4048(14)00149-7/sref14http://refhub.elsevier.com/S0167-4048(14)00149-7/sref14http://refhub.elsevier.com/S0167-4048(14)00149-7/sref15http://refhub.elsevier.com/S0167-4048(14)00149-7/sref15http://refhub.elsevier.com/S0167-4048(14)00149-7/sref15http://refhub.elsevier.com/S0167-4048(14)00149-7/sref15http://refhub.elsevier.com/S0167-4048(14)00149-7/sref16http://refhub.elsevier.com/S0167-4048(14)00149-7/sref16http://refhub.elsevier.com/S0167-4048(14)00149-7/sref16http://refhub.elsevier.com/S0167-4048(14)00149-7/sref16http://refhub.elsevier.com/S0167-4048(14)00149-7/sref17http://refhub.elsevier.com/S0167-4048(14)00149-7/sref17http://refhub.elsevier.com/S0167-4048(14)00149-7/sref17http://refhub.elsevier.com/S0167-4048(14)00149-7/sref17http://refhub.elsevier.com/S0167-4048(14)00149-7/sref17http://refhub.elsevier.com/S0167-4048(14)00149-7/sref18http://refhub.elsevier.com/S0167-4048(14)00149-7/sref18http://refhub.elsevier.com/S0167-4048(14)00149-7/sref18http://refhub.elsevier.com/S0167-4048(14)00149-7/sref18http://refhub.elsevier.com/S0167-4048(14)00149-7/sref18http://refhub.elsevier.com/S0167-4048(14)00149-7/sref19http://refhub.elsevier.com/S0167-4048(14)00149-7/sref19http://refhub.elsevier.com/S0167-4048(14)00149-7/sref19http://refhub.elsevier.com/S0167-4048(14)00149-7/sref20http://refhub.elsevier.com/S0167-4048(14)00149-7/sref20http://refhub.elsevier.com/S0167-4048(14)00149-7/sref20http://refhub.elsevier.com/S0167-4048(14)00149-7/sref20http://refhub.elsevier.com/S0167-4048(14)00149-7/sref20http://refhub.elsevier.com/S0167-4048(14)00149-7/sref21http://refhub.elsevier.com/S0167-4048(14)00149-7/sref21http://refhub.elsevier.com/S0167-4048(14)00149-7/sref21http://refhub.elsevier.com/S0167-4048(14)00149-7/sref21http://refhub.elsevier.com/S0167-4048(14)00149-7/sref21http://refhub.elsevier.com/S0167-4048(14)00149-7/sref22http://refhub.elsevier.com/S0167-4048(14)00149-7/sref22http://refhub.elsevier.com/S0167-4048(14)00149-7/sref22http://refhub.elsevier.com/S0167-4048(14)00149-7/sref22http://refhub.elsevier.com/S0167-4048(14)00149-7/sref22http://dx.doi.org/10.1016/j.cose.2014.10.003http://dx.doi.org/10.1016/j.cose.2014.10.003

Towards complexity analysis of User Authorization Query problem in RBAC1. Introduction2. The User Authorization Query problem in RBAC3. The complexity of the User Authorization Query problem4. An approach for the User Authorization Query problem4.1. An approach for a subcase of the UAQ problem4.2. A comparison of our approach to Wickramaarachchi's4.2.1. Effectiveness of static pruning4.2.2. Effectiveness of preprocessing4.2.3. Comparison of DFS algorithm with BBS algorithm

4.3. Handling the other subcases of the UAQ problems4.3.1. Handling the other subcases of the UAQ problem with permission-cardinality constraints4.3.2. Handling the various subcases of the UAQ problem with role-cardinality constraints4.3.3. Handling the various subcases of the UAQ problem with irreducibility constraints

5. Related work6. Conclusion and future workAcknowledgmentsAppendix A. Proofs for Theorem 1.Appendix B. Proofs for Theorem 2.Appendix C. Proofs for Theorem 3.References

towards complexity analysis of user auth query problem in rbac.pdf

Documents

access control rbac

fundamental problem

rbac models

usaa r t i c

available match

number of roles

permissionsthrough roles

rights resea b s t r