Valued Authorization Policy Existence Problem: Theory and Experiments

Recent work has shown that many problems of satisfiability and resiliency in workflows may be viewed as special cases of the authorization policy existence problem (APEP), which returns an authorization policy if one exists and ‘No’ otherwise. However, in many practical settings it would be more useful to obtain a ’least bad’ policy than just a ‘No’, where ’least bad’ is characterized by some numerical value indicating the extent to which the policy violates the base authorization relation and constraints. Accordingly, we introduce the Valued APEP, which returns an authorization policy of minimum weight, where the (non-negative) weight is determined by the constraints violated by the returned solution. We then establish a number of results concerning the parameterized complexity of Valued APEP. We prove that the problem is fixed-parameter tractable (FPT) if the set of constraints satisfies two restrictions, but is intractable if only one of these restrictions holds. (Most constraints known to be of practical use satisfy both restrictions.) We also introduce a new type of resiliency for workflow satisfiability problem, show how it can be addressed using Valued APEP and use this to build a set of benchmark instances for Valued APEP. Following a set of computational experiments with two mixed integer programming (MIP) formulations, we demonstrate that the Valued APEP formulation based on the user profile concept has FPT-like running time and usually significantly outperforms a naive formulation.

💡 Research Summary

The paper addresses a practical limitation of the Authorization Policy Existence Problem (APEP), which traditionally returns either a feasible authorization policy or “No”. In real‑world settings a perfect policy often does not exist, yet administrators need the “least bad” alternative that minimally violates the base authorization relation and the set of constraints. To this end the authors introduce the Valued APEP, a weighted optimisation variant where each violated constraint contributes a non‑negative cost, and the goal is to find a policy of minimum total weight. A weight of zero corresponds to a fully compliant policy.

The theoretical contribution is twofold. First, the authors identify two structural restrictions on the constraint set that together guarantee fixed‑parameter tractability (FPT) when the parameter is the number of resources (or workflow steps) k. The restrictions are (i) user‑independence – the satisfaction of a constraint does not depend on the identities of the users assigned, and (ii) t‑boundedness – any feasible solution uses at most t authorisations. Under both conditions the authors prove that Valued APEP can be solved in time O*(f(k)), i.e., FPT. The key technical device is the notion of a user profile: users that behave identically with respect to all constraints are grouped together, dramatically reducing the search space. By applying multivariate complexity analysis they obtain stronger FPT bounds than previous work on the un‑weighted APEP.

Second, they show that dropping either restriction leads to parameterised intractability. If constraints are only user‑independent but not t‑bounded, or vice‑versa, the problem becomes W