Satisfiability and resiliency in workflow systems

  • Authors:

  • Qihua Wang;Ninghui Li

  • Affiliations:

  • Center for Education and Research in Information Assurance and Security and Department of Computer Science, Purdue University;Center for Education and Research in Information Assurance and Security and Department of Computer Science, Purdue University

  • Venue:
  • ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
  • Year:
  • 2007

Quantified Score

Hi-index 0.00

Visualization

Abstract

We propose the role-and-relation-based access control (R2BAC) model for workflow systems. In R2BAC, in addition to a user's role memberships, the user's relationships with other users help determine whether the user is allowed to perform a certain step in a workflow. For example, a constraint may require that two steps must not be performed by users who have a conflict of interest. We also study the workflow satisfiability problem, which asks whether a set of users can complete a workflow. We show that the problem is NP-complete for R2BAC, and is NP-complete for any workflow model that supports certain simple types of constraints (e.g., constraints that state certain two steps must be performed by two different users). After that, we apply tools from parameterized complexity theory to better understand the complexities of this problem. We show that the problem is fixed-parameter tractable when the only relations used are = and ≠, and is fixed-parameter intractable when user-defined binary relations can be used. Finally, we study the resiliency problem in workflow systems, which asks whether a workflow can be completed even if a number of users may be absent. We formally define three levels of resiliency in workflow systems, namely, static resiliency, decremental resiliency and dynamic resiliency, and study computational problems related to these notions of resiliency.