On the Parameterized Complexity and Kernelization of the Workflow Satisfiability Problem

A workflow specification defines a set of steps and the order in which those steps must be executed. Security requirements may impose constraints on which groups of users are permitted to perform subsets of those steps. A workflow specification is said to be satisfiable if there exists an assignment of users to workflow steps that satisfies all the constraints. An algorithm for determining whether such an assignment exists is important, both as a static analysis tool for workflow specifications, and for the construction of run-time reference monitors for workflow management systems. Finding such an assignment is a hard problem in general, but work by Wang and Li in 2010 using the theory of parameterized complexity suggests that efficient algorithms exist under reasonable assumptions about workflow specifications. In this paper, we improve the complexity bounds for the workflow satisfiability problem. We also generalize and extend the types of constraints that may be defined in a workflow specification and prove that the satisfiability problem remains fixed-parameter tractable for such constraints. Finally, we consider preprocessing for the problem and prove that in an important special case, in polynomial time, we can reduce the given input into an equivalent one, where the number of users is at most the number of steps. We also show that no such reduction exists for two natural extensions of this case, which bounds the number of users by a polynomial in the number of steps, provided a widely-accepted complexity-theoretical assumption holds.

💡 Research Summary

The paper investigates the Workflow Satisfiability Problem (WSP) from the viewpoint of parameterized complexity and kernelization. A workflow specification consists of a set of steps S, a set of users U, an authorization relation A⊆U×S that tells which user may perform which step, and a collection of constraints C that restrict which groups of users may be assigned to particular subsets of steps. The decision problem asks whether there exists an assignment of users to steps that respects both the authorizations and all constraints.

The authors first broaden the class of constraints that have been studied in the literature. Beyond the classic “same‑user” (=) and “different‑user” (≠) constraints, they introduce three families: (i) linear‑order constraints that impose a precedence relation among a subset of steps and limit the users that can respect that order; (ii) role‑based constraints where each user carries one or more roles and each step requires a set of roles, thus allowing a dynamic mapping from roles to admissible users; and (iii) range‑count constraints that bound the number of distinct users that may be simultaneously assigned to a given subset of steps. Formally, each constraint is a pair (T,R) with T⊆S and R⊆2^U, and a solution must assign to T a user set belonging to R.

With this generalized model, the paper proves that WSP remains fixed‑parameter tractable (FPT) when the parameter is the number of steps k=|S|. The core algorithm combines a novel constraint‑decomposition technique with a dynamic‑programming (DP) over subsets. The DP state is a bitmask representing which steps have already been assigned and which users have been used; transitions add a new step and test compatibility against all decomposed sub‑constraints in constant time after a preprocessing step. The running time is O*(2^{k·log k}), which, while slightly larger than the O*(2^{k}) bound for the original problem, is still practical for typical workflow sizes (k ≈ 20–30). The authors also show that the problem does not become W