User authorization queries in the context of role-based access control have attracted considerable interest in the last 15 years. Such queries are used to determine whether it is possible to allocate a set of roles to a user that enables the user to complete a task, in the sense that all the permissions required to complete the task are assigned to the roles in that set. Answering such a query, in general, must take into account a number of factors, including, but not limited to, the roles to which the user is assigned and constraints on the sets of roles that can be activated. Answering such a query is known to be NP-hard. The presence of multiple parameters and the need to find efficient and exact solutions to the problem suggest that a multi-variate approach will enable us to better understand the complexity of the user authorization query problem (UAQ). In this paper, we establish a number of complexity results for UAQ. Specifically, we show the problem remains hard even when quite restrictive conditions are imposed on the structure of the problem. Our FPT results show that we have to use either a parameter with potentially quite large values or quite a restricted version of UAQ. Moreover, our second FPT algorithm is complex and requires sophisticated, state-of-the-art techniques. In short, our results show that it is unlikely that all variants of UAQ that arise in practice can be solved reasonably quickly in general.
翻译:在过去15年中,基于角色的出入控制方面的用户授权查询引起了相当大的兴趣。这种查询被用来确定是否有可能将一组角色分配给用户,使用户能够完成任务,因为完成任务所需的所有许可都指定给该套任务中的角色。在回答这种查询时,一般必须考虑到若干因素,包括(但不限于)用户被指派的角色和对可以启动的一系列角色的限制。回答这种查询已知是硬性的。存在多种参数和需要找到高效和准确的解决问题的办法,这意味着多变办法将使我们能够更好地了解用户授权查询问题的复杂性(UAQ ) 。在本文中,我们为UAQ确定了一系列复杂的结果。具体地说,我们表明问题仍然很困难,即使对问题的结构施加了相当严格的条件。我们的FPT结果显示,我们必须使用一个具有潜在较大价值或相当有限的UAQ版本的参数。此外,由于存在多种做法的存在和需要找到有效和准确的解决问题的办法,因此,多变式办法将使我们能够更好地了解用户授权查询问题的复杂性(UA ) 。在本文中,我们的第二个复杂变式算法是我们最不可能的复杂的结果。
相关内容
微信扫码咨询专知VIP会员