Abstract
We address the User Authorization Query problem (UAQ) in Role-Based Access Control (RBAC) which relates to sessions that a user creates to exercise permissions. Prior work has shown that UAQ is intractable (NP-hard). We give a precise formulation of UAQ as a joint optimization problem, and observe that in general, UAQ remains in NP. We then investigate two techniques to mitigate its intractability. (1) We efficiently reduce UAQ to boolean satisfiability in conjunctive normal form, a well-known NP-complete problem for which solvers exist that are efficient for large classes of instances. We point out that a prior attempt is not a reduction, is inefficient, and provides only limited support for joint optimization. (2) We show that UAQ is fixed-parameter polynomial in the upper-bound set of permissions under reasonable assumptions. We discuss an open-source implementation of (1) and (2), based on which we have conducted an empirical assessment.
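The abstract describes reducing UAQ to CNF-SAT. The following is an added example, not code from the paper or its open-source implementation, that makes the reduction concrete on a constructed toy RBAC instance. It assumes the common UAQ formulation in which a user supplies a lower bound set of permissions that must be granted and an upper bound set that must not be exceeded, and it optimizes only the number of activated roles; the paper's exact joint-optimization objective is not stated on this page, so that choice is an assumption. One Boolean variable per role encodes whether the role is activated, one clause per lower-bound permission forces coverage, one unit clause forbids each role that would exceed the upper bound, and an optional naive at-most-k constraint turns the decision problem into a minimization by iterating k upward. A minimal DPLL solver stands in for an off-the-shelf SAT solver.

```python
from itertools import combinations

# Constructed toy RBAC instance (not from the paper): role -> set of permissions.
ROLES = {
    "clerk": {"read_ledger"},
    "accountant": {"read_ledger", "post_entry"},
    "auditor": {"read_ledger", "read_audit_log"},
    "manager": {"read_ledger", "post_entry", "approve_payment"},
    "admin": {"read_ledger", "post_entry", "approve_payment", "manage_users"},
}


def uaq_to_cnf(roles, p_lb, p_ub, max_roles=None):
    """Reduce a UAQ instance to CNF.

    Variables 1..n correspond to roles in sorted name order; a positive literal
    means "activate this role".  Clauses:
      * for every permission in p_lb, some role granting it is activated;
      * a role granting any permission outside p_ub is never activated;
      * optionally, at most max_roles roles are activated (naive encoding: one
        all-negative clause per (max_roles+1)-subset of roles; fine for toy
        sizes, a sequential-counter encoding such as Sinz's scales better).
    Returns (role names in variable order, list of clauses).
    """
    names = sorted(roles)
    var = {r: i + 1 for i, r in enumerate(names)}
    clauses = []
    for p in sorted(p_lb):
        # An uncovered permission yields an empty clause, i.e. unsatisfiable.
        clauses.append([var[r] for r in names if p in roles[r]])
    for r in names:
        if not roles[r] <= p_ub:
            clauses.append([-var[r]])
    if max_roles is not None:
        for subset in combinations(names, max_roles + 1):
            clauses.append([-var[r] for r in subset])
    return names, clauses


def _assign(clauses, lit):
    """Make literal lit true: drop satisfied clauses, strip -lit from the rest."""
    return [[l for l in c if l != -lit] for c in clauses if lit not in c]


def dpll(clauses, assignment=()):
    """Minimal DPLL (unit propagation + branching).

    Returns a list of true literals on success, or None if unsatisfiable.
    Variables absent from the returned list are unconstrained (treated as false).
    """
    assignment = list(assignment)
    while True:
        if any(len(c) == 0 for c in clauses):
            return None                      # conflict
        units = [c[0] for c in clauses if len(c) == 1]
        if not units:
            break
        assignment.append(units[0])
        clauses = _assign(clauses, units[0])
    if not clauses:
        return assignment                    # every clause satisfied
    lit = clauses[0][0]
    for choice in (lit, -lit):
        result = dpll(_assign(clauses, choice), assignment + [choice])
        if result is not None:
            return result
    return None


def solve_uaq(roles, p_lb, p_ub):
    """Return a minimum-cardinality role set R with p_lb <= perms(R) <= p_ub,
    or None when no role set satisfies the bounds."""
    names, base = uaq_to_cnf(roles, p_lb, p_ub)
    if dpll(base) is None:
        return None                          # decision problem already fails
    for k in range(1, len(names) + 1):
        names, clauses = uaq_to_cnf(roles, p_lb, p_ub, max_roles=k)
        model = dpll(clauses)
        if model is not None:
            return {names[l - 1] for l in model if l > 0}
    return None


if __name__ == "__main__":
    print(solve_uaq(ROLES, {"read_ledger", "post_entry"},
                    {"read_ledger", "post_entry", "read_audit_log"}))
    print(solve_uaq(ROLES, {"approve_payment"}, {"approve_payment", "read_ledger"}))
```

The second query above is unsatisfiable: every role that grants approve_payment also grants post_entry, which the upper bound excludes, so the reduction emits a clause whose literals are all forced false and the solver reports that no session can be built. That is the least-privilege check a UAQ enforcer should make before activating roles; the minimization loop then keeps the session as small as the constraints allow.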
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Mousavi, N., Tripunitara, M.V. (2012). Mitigating the Intractability of the User Authorization Query Problem in Role-Based Access Control (RBAC). In: Xu, L., Bertino, E., Mu, Y. (eds) Network and System Security. NSS 2012. Lecture Notes in Computer Science, vol 7645. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34601-9_39
DOI: https://doi.org/10.1007/978-3-642-34601-9_39
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34600-2
Online ISBN: 978-3-642-34601-9