Towards Better Understanding of User Authorization Query Problem via Multi-variable Complexity Analysis

TL;DR

This paper analyzes the multi-variable complexity of user authorization queries in role-based access control, revealing inherent NP-hardness and limitations of fixed-parameter tractability, thus deepening understanding of the problem's computational challenges.

Contribution

The paper provides new complexity results for UAQ, demonstrating its hardness under various conditions and introducing advanced FPT algorithms with significant technical complexity.

Findings

UAQ remains NP-hard under restrictive conditions

FPT algorithms require large parameters or restricted problem versions

Most practical UAQ variants are unlikely to be solved efficiently

Abstract

User authorization queries in the context of role-based access control have attracted considerable interest in the last 15 years. Such queries are used to determine whether it is possible to allocate a set of roles to a user that enables the user to complete a task, in the sense that all the permissions required to complete the task are assigned to the roles in that set. Answering such a query, in general, must take into account a number of factors, including, but not limited to, the roles to which the user is assigned and constraints on the sets of roles that can be activated. Answering such a query is known to be NP-hard. The presence of multiple parameters and the need to find efficient and exact solutions to the problem suggest that a multi-variate approach will enable us to better understand the complexity of the user authorization query problem (UAQ). In this paper, we establish a number of complexity results for UAQ. Specifically, we show the problem remains hard even when quite restrictive conditions are imposed on the structure of the problem. Our FPT results show that we have to use either a parameter with potentially quite large values or quite a restricted version of UAQ. Moreover, our second FPT algorithm is complex and requires sophisticated, state-of-the-art techniques. In short, our results show that it is unlikely that all variants of UAQ that arise in practice can be solved reasonably quickly in general.