c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

Available online at www.sciencedirect.com

ScienceDirect
journal homepage: www.elsevier.com/locate/cose

Towards complexity analysis of User

Authorization Query problem in RBAC
Jianfeng Lu a,*, James B.D. Joshi b, Lei Jin b, Yiding Liu a
a
b

School of Mathematics-Physical & Information Engineering, Zhejiang Normal University, Jinhua, Zhejiang, China
School of Information Sciences, University of Pittsburgh, Pittsburgh, PA, USA

article info

abstract

Article history:

The User Authorization Query (UAQ) problem for RBAC is to determine whether there exists

Received 21 September 2013

an optimum set of roles to be activated to provide a particular set of permissions requested

Received in revised form 25 July 2014

by a user. It is a key issue related to efficiently handling users' access requests. Previous

Accepted 14 October 2014

definitions of the UAQ problem have considered only the optimization objective for the

Available online 5 November 2014

number of permissions whereas the optimization objective for the number of roles, which
is also equally important, has been largely ignored. Moreover, little attention has been

Keywords:

given to the computational complexity of the UAQ problem that considers the optimization

Access control

objectives for both the numbers of permissions and roles. In this paper, we propose a more

RBAC

comprehensive definition of the UAQ problem, which includes irreducibility, role-

User Authorization Query

cardinality and permission-cardinality constraints, and consider both these optimization

Computational complexity

objectives together. In particular, we study the computational complexity of the UAQ

Role-cardinality constraint

problem by dividing it into three subcases: exact match, safe match and available match, and

Permission-cardinality constraint

show that many instances in each subcase with additional constraints are intractable. We
also propose an approach for solving the intractable cases of the UAQ problem; the proposed approach incorporates static pruning, preprocessing and the depth-first search
based algorithm to significantly reduce the running time.
2014 Elsevier Ltd. All rights reserved.

1.

Introduction

Role based access control (RBAC) has established itself as a

well-accepted alternative to traditional discretionary and
mandatory access control (DAC and MAC) models (ANSI,
2004). In RBAC, permissions are not assigned directly to
users, but are assigned to roles. Users obtain permissions
through roles. The notion of the role provides a level of
indirection
to
simplify
the
fine-grained
privilege

management. Several beneficial features, such as policy

neutrality, support for least privilege and efficient access
control management are associated with RBAC models.
Such features make RBAC better suited for handling access
control requirements of diverse organizations (Joshi et al.,
2008).
A fundamental problem in RBAC is determining the set of
roles that should be activated in order to allow a user to acquire the set of permissions he has requested. That is, given
an input set of permissions that a user requests to have in a

* Corresponding author. Tel.: 86 0579 82298821; fax: 86 0579 82298897.

E-mail address: lujianfeng@zjnu.cn (J. Lu).

http://dx.doi.org/10.1016/j.cose.2014.10.003
0167-4048/ 2014 Elsevier Ltd. All rights reserved.

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

session to achieve a particular task in an RBAC system,1 the

problem is to determine whether there exists an optimum set
of roles to activate in the session. Zhang et al. introduce it as
the User Authorization Query (UAQ) problem in (Zhang and
Joshi, 2008). It has been shown that UAQ is very common in
complex and collaborative systems (Le et al., 2012). For
example, in a web-based RBAC system, the user-role assignments are based on users' credentials. Suppose a user requests a particular set of permissions in a single session to
carry out a particular task, the system should find a set of roles
from those available for the user that should be activated in a
session to provide those requested permissions. Ideally, the
chosen set of roles should exactly satisfy the user's requested
set of permissions. However, such an ideal solution may not
exist since we may not find any combination of roles that
collectively provide only the exact set of the requested permissions. Hence, it is necessary to find a set of roles that
provides a set of permissions that is as close as possible to
those requested by a user. One solution may be to ensure that
no permissions beyond the requested set of permissions is
available to the requesting user (Pavlich-Mariscal et al., 2010).
Another solution, which emphasizes the availability requirement (Li et al., 2010), is to ensure that all the requested permissions are available to the requesting user in his session,
while minimizing the number of possible extra set of permissions that are additionally available through the selected
role set.
There exist two optimization objectives that should be
included in the UAQ problem. One is the optimization of the
number of activated roles, which is an optimization objective
related to the system management. For example, minimizing
a set of roles activated in a user's session may allow an
administrator to more efficiently manage the system
(Mousavi and Tripunitara, 2012). Maximizing the number of
roles may be useful when security constraints, such as dynamic separation of duty (DSoD) or cardinality constraint
(Zhang and Joshi, 2008), make some roles to be unavailable,
and there still exists a set of roles that have the requested set
of permissions. For example, we assume that the roles in
{r1,r2} together having all the requested permissions, and a
DSoD constraint <{r1,r2},2> indicating that no single user can
activate both r1 and r2 in a single session. In this case, it may
be useful to maximize the number of available roles, such as
{r1,r2,r3,r4}, although they can activate the same permissions
as {r1,r2}. When r1 or r2 to be unavailable, the set {r1,r3,r4} or
{r2,r3,r4} of roles can also together activate the requested
permissions. The second is the optimization of the number of
permissions that can be acquired by the requesting user
within a session. For example, minimizing the number of
extra permissions beyond the requested permissions is
motivated by the principle of least privilege (Chen and
Crampton, 2007), as too many extra permissions may bring
the intolerable risk to the system. On the other hand, minimizing the number of missing permissions (i.e., permissions
1
We assume that a user requests to achieve a particular task,
which is associated with a set of permissions, that means the
users do not need to know what permissions he/she should
request, but just need to know what task he/she wants to
achieve.

117

allowed within the user's session do not include some of the

requested permissions) is important as the unavailability of
too many of the requested permissions may make it difficult
for the user to carry out the required task. In the definition of
UAQ in (Wickramaarachchi et al., 2009), there exists a lower
bound for the set of requested permissions, while these
permissions must be available for the session. We believe
minimizing the number of missing permissions is more
practically useful, since it ensures that at least some minimal
permissions are available for the session, and ensures the
tasks to be performed smoothly.
Previous definitions of the UAQ problem have considered
mainly the optimization objective for the number of permissions. Wickramaarachchi et al. (Wickramaarachchi et al.,
2009) consider the UAQ problem as an optimization of the
number of permissions to be allowed to a user. Du et al.
(Zhang and Joshi, 2008) define a subcase of the UAQ problem
by introducing the problem of minimization of the number of
roles; however, in their solution, there may not be a unique
minimal set of roles that is an ideal choice. A more important
issue is that there may not be a role set that has all the permissions requested by a user. Mousavi et al. (Mousavi and
Tripunitara, 2012) generalize UAQ by introducing the problem of optimizing the number of extra permissions in addition
to the number of roles. However, the options max or min
are not complete; this is because many instances may require
that the number of roles or permissions be restricted (Li et al.,
2007). Moreover, apart from the number of extra permissions,
the number of missing permissions should also be included in
the optimization objective focused on permissions.
Existing approaches to the UAQ problem primarily focus on
how to design approximate or exhaustive solutions
(Wickramaarachchi et al., 2009; Lu et al., 2012). Little attention
has been paid to the computational complexity of the UAQ
problem by considering the optimization objectives for both
the numbers of permissions and that of roles. Large companies can easily have thousands of users and hundreds of
roles in their RBAC systems (Sun et al., 2011). Additionally,
users typically request to use a set of permissions in a session
instead of specifying the specific set of roles that they want to
activate directly. Hence, it is important to understand the
complexity of the UAQ problem in RBAC systems. Moreover,
granting permissions requested by each user based on RBAC
policies in a large RBAC system is complex. However, several
existing work do not sufficiently or accurately analyze the
computational complexity of the UAQ problem. For example,
Du et al. (Du and Joshi, 2006) propose the inter-domain role
mapping (IDRM) problem, which is a subcase of UAQ. They try
to prove that the IDRM problem is NP-complete by showing
that determining whether the permissions authorized to the
role set R is equal to the requested permissions or not can be
done in polynomial time; but, they do not show how to
determine whether the cardinality of R is minimized in polynomial time. Hence, the IDRM problem has not been shown to
be in NP, thus, it is NP-hard, instead (Crampton and Huth,
2010).
In this paper, we address the UAQ problem more comprehensively by considering optimizations based on the number
of permissions as well as that of roles. Our contributions can
be summarized as follows:

118

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

 We propose a more comprehensive definition of the UAQ

problem, by considering irreducibility, role-cardinality and
permission-cardinality constraints. The irreducibility
constraint requires that there be no redundancy in a given
role set; the role-cardinality constraint specifies the number of roles to be restricted. Both irreducibility and role-cardinality constraints are related to optimization on the
number of roles that can be activated by the requesting
user. The permission-cardinality constraint specifies the
number of permissions that can be acquired by a user,
which is based on the optimization objective for the
number of permissions.
 We study the computational complexity of the UAQ problem into three subcases: exact match, safe match and available match. In each subcase, we combine the Core-UAQ
component with irreducibility, role-cardinality and/or
permission-cardinality constraints to form a ConstrainedUAQ. We show that many instances in each subcase are
intractable.
 We propose an approach to solve the intractable cases of
the UAQ problem. This approach uses static pruning, preprocessing and depth-first search based algorithm to
reduce the running time. The experimental evaluations
show the effectiveness of the proposed approach.
The rest of this paper is organized as follows. In Section 2,
we introduce the relevant background on RBAC and the definition of the UAQ problem. Section 3 studies the computational complexity of the UAQ problem into three subcases
mentioned above. In Section 4, we present an approach to
efficiently solve the intractable cases of the UAQ problem. We
discuss related work in Section 5, and conclude this paper in
Section 6.

2.
The User Authorization Query problem in
RBAC
An RBAC state determines the set of roles for which a user is
assigned and the set of permissions for which a user is
authorized (ANSI, 2004). We define an RBAC state as follows,
based on (ANSI, 2004):
Definition 1. An RBAC state is a 6-tuple (U, R, P, UA, PA, RH),
where
 U, R, P denote the set of all users, the set of all roles, the set of all
permissions, respectively.
 UA 4 UR, a user-role assignment relation.
 PA 4 PR, a permission-role assignment relation.
 RH 4 RR, a partial order on R called the inheritance relation,
written as , where r1  r2 0Permr2 4Permr1 .
 Permr : R/2P , the mapping of role r onto a set of permissions in
the
presence
of
a
role
hierarchy;
formally,
Permr fp2Pjr  r' ; p; r'2PAg.
 PermS : R/2P , the mapping of a role set S onto a set of perS
Permr.
missions; formally, PermS
r2S

In this paper, we will assume that the role hierarchy has

been flattened by encoding all the authorized relationships

based on user-role and permission-role assignments and the

role hierarchy.
Inspired by the specification style of ANSI RBAC standard
(ANSI, 2004), we use the definition of the UAQ problem that includes two components: Core-UAQ and Constrained-UAQ. A
typical RBAC system may optionally include any Core-UAQ or
Constrained-UAQ; a Constrained-UAQ essentially is a Core-UAQ
with some constraints. To define the Core-UAQ, we divide UAQ
into three subcases: exact match, safe match and available
match. We first provide the formal definition of the Core-UAQ.
Definition 2. (Core-UAQ problem) Given R, P, and the requested
permission information (Preq, obj), where Preq 4P is a set of permissions requested by a user u, and obj2fexact; safe; availableg, the
Core-UAQ problem is to identify a role set Rsat 4R that can be activated by u while satisfying the following conditions:
 Exact match: Preq Perm(Rsat) if objexact;
 Safe match: Preq JPermRsat if objsafe2;
 Available match: Preq 4PermRsat if objavailable.
However, only finding a role set Rsat that can satisfy the
Core-UAQ with obj2fexact; safe; availableg is not enough. We
should also consider the optimization objectives based on
some additional constraints which may prevent a user from
activating the roles in Rsat. These may include irreducibility,
role-cardinality
or
permission-cardinality
constraints
(Mousavi and Tripunitara, 2012; Chen and Crampton, 2009).
An irreducibility constraint requires that there exists no
redundancy in Rsat; i.e., we cannot remove any role in Rsat
without changing Perm(Rsat); a role-cardinality constraint specifies the number of roles to be restricted in Rsat, and a permission-cardinality constraint specifies the number of permissions
that can be acquired by a user. Both irreducibility and role-cardinality constraints are related to optimization on the number
of roles that can be activated by the requesting user. But
permission-cardinality constraint is based on the optimization
of the number of permissions. We now formally define these
three constraints in the Constrained-UAQ problem as follows:
Definition 3. (Constrained-UAQ problem) The Constrained-UAQ
problems extend the Core-UAQ problem with the following three
types of constraints: irreducibility, role-cardinality and permissioncardinality.
 Irreducibility: An irreducibility constraint is denoted as irrS,
where S4R. We say that irrS is satisfied if and only if for all
S'3S, PermS'3PermS.
 Role-Cardinality: A role-cardinality constraint is denoted as
rcS; Or , where S4R, Or 2fk; ;  g, and k is a positive
integer. We say rcS; Or is satisfied if and only if the following
conditions hold:
- jSj k if Or k;
- jSj is maximized if Or ;
- jSj is minimized if Or .
2

We assume that every permission has the same impact of

weight, thus the optimization of the number of permissions that
can be acquired by the requesting user within a session is
meaningful.

119

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

 Permission-Cardinality: A permission-cardinality constraint is

denoted as pcS; Op , where S4R, Op 2ft ; t ; 0 ; 0 g, and t is a
positive integer denoting the number of extra/missing permissions. We say that S satisfies pcS; Op if and only if the following
conditions hold:


- PermSIPreq and PermS  Preq   t if Op t, where t is a
positive integer;


- PermS3Preq and Preq  PermS  t if Op t;
- PermSIPreq and for all S'4R, PermS'IPreq that
jPermS'j  jPermSj if Op 0;
- PermS3Preq , and for all S'4R, PermS'3Preq that
jPermS'j  jPermSj if Op 0.
Intuitively, a role-cardinality constraint specifies an optimization requirement of the number of activated roles, and a
permission-cardinality constraint specifies an optimization
requirement of the number of permissions that can be acquired by the requesting user. For the permission-cardinality
constraint, the parameter t specifies the number of extra/
missing permissions that the system wants to be able to
tolerate. For example, when missing any two requested permissions may cause the failure of this task, then t can be set to
1 for the case Op t. Similarly, when any three extra permissions may bring the intolerable risk to the system, then t
can be set to 2 for the case Op t.
To represent a subcase of Constrained-UAQ, we write the
Core-UAQ component followed by the list of constraints
within a pair of braces. Some of the constraints may be
combined with all the three cases of Core-UAQ. For example,
UAQexact irr denotes the subcase that combines the exact
match Core-UAQ with irreducibility constraint to form a
Constrained-UAQ. UAQsafe rc : k pc : t refers to the
constrained-UAQ problem related to finding the role set Rsat
that satisfies not only the safe match requirement of Core-UAQ,
but also the constraints rcRsat,k and pcRsat,t. Note that not
all the permission-cardinality constraints can be combined
with the three cases of Core-UAQ. For example, the exact match
UAQ problem needs to ensure that an exact set of requested
permissions is returned and hence the permission cardinality
constraint is not applicable. The permission-cardinality
constraint pcRsat,Op where Op 2ft ; 0 g cannot be combined
with the safe match UAQ problem, similarly, when Op 2ft ; 0 g,
the permission-cardinality constraint pcRsat,Op cannot be
combined with the available match UAQ problem.
It should also be noted that there may be conflicts between
the permission-cardinality constraint and the role-cardinality
constraint. For example, in an RBAC system, suppose that
R {r1,r2,r3}, P {p1,p2,p3,p4}, Perm(r1) {p1,p2}, Perm(r2) {p2,p3},
Perm(r3) {p4}, and let Preq {p2,p3,p4}. If we prioritize to satisfy
the permission-cardinality constraint pcS,0, the solution is
{r2,r3} as it includes no missing permission. But if we prioritize
to satisfy the role-cardinality constraint rcS,, the solution
is {r2}. This is because it has only one role and only one missing
permission {p4}. Motivated by Mousavi et al. (Mousavi and
Tripunitara, 2012), we can address this problem by assigning
a priority to each of these three constraints: irreducibility,
role-cardinality and permission-cardinality, such as pri(i),
pri(r) and pri(p). For example, pri(i) < pri(r) < pri(p) indicates that
the permission-cardinality constraint prioritizes over the
others, and the irreducibility constraint has the lowest

priority. As mentioned earlier, note that the optimization

objective for the number of permissions can be regarded as a
security issue, and that for the number of roles can be regarded as an issue related to the optimal management for an
RBAC system. In this paper, we assume that the security issue
is usually more critical than the efficiency in management and
thus we simply assign highest priority to the permissioncardinality constraints, the second-highest to the rolecardinality constraint, and the lowest to the irreducibility
constraint.

3.
The complexity of the User Authorization
Query problem
In this section, we present the computational complexity
analysis of various cases of the Constrained-UAQ problem.
Firstly, we present the complexity analysis of the exact match
UAQ problem and its subcases with constraints.
Theorem 1. The computational complexities of different constrained subcases of the exact match UAQ problems are as shown in
Table 1.
In Table 1, we show the computational complexity of exact
match UAQ problem in combination with the role-cardinality
and the irreducibility constraints. The proof for Theorem 1 is
in Appendix A, it consists of three parts. First, we show that
UAQexactrc:k, UAQexactrc:irr and UAQexactrc:
are NP-hard by proving Lemmas 1, 2 and 3. Second, we show
that UAQexactrc:kirr is in NP by proving Lemma 4. Finally,
we show that UAQexactirr and UAQexactrc: are in P by
proving Lemmas 5 and 6. Other results in Table 1 can be
implied from the proved cases.
Secondly, we present the complexity analysis of the safe
match UAQ problem and its subcases. Note that the
complexity of UAQsafeirrpc:Op is determined by UAQ
safeirr and UAQsafepc:Op. In other words, the irreducibility constraint and permission-cardinality constraints do
not affect each other. Hence, we only combine the rolecardinality constraint with the irreducibility constraint or
permission-cardinality constraint, as shown in Table 2.
Theorem 2. The computational complexities of different constrained subcases of the safe match UAQ problems are as shown in
Table 2.
The proof for Theorem 2 is in Appendix B, it is done in four
parts. First, we show that UAQsafepc:t, UAQsaferc:kirr,
UAQsaferc:pc:0, UAQsaferc:irr and UAQsaferc:pc:0 are NP-hard by proving Lemmas 7, 8, 9, 10 and 11.
Second, we show that UAQsafepc:t, UAQsaferc:kirr and

Table 1 e Computational complexities of different

subcases of the exact match UAQ problem.
Exact Match

None
Irreducibility

None

Role-cardinality
Or k

Or

Or 

NP-complete

P
NP-hard

NP-hard

120

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

Table 2 e Computational complexities of different subcases of the safe match UAQ problem.
Safe Match

None
Irreducibility
Permission-cardinality

None

P
Op t
Op 0

NP-complete
P

UAQsaferc:kpc:0 are in NP by proving Lemmas 12, 13 and

14. Third, we show that UAQsaferc:kpc:t is in NPNP by
proving Lemma 15. Finally, we show that UAQsaferc:k, UAQ
saferc:pc:0, and UAQsaferc:irr are in P by proving
Lemma 16. Other results in Table 2 can be implied from the
proved cases. Available Match UAQ and Constrained Subcases.
Thirdly, we present the complexity analysis of the available match UAQ problem and its subcases.
Theorem 3. The computational complexities of constrained subcases of the available match UAQ problems are as shown in Table 3.
The proof of Theorem 3 is given in Appendix 3, it consists of
four parts. First of all, we show that UAQavailablerc:k, UAQ
UAQavailablepc:0,
UAQavailaavailablepc:t,

blerc: irr and UAQavailablerc: are NP-hard. Secondly, we show that UAQavailablepc:t and UAQ
availablerc:k are in NP. Thirdly, we show that UAQ
availablerc:kpc:t is in NPNP. Finally, we show that UAQ
availableirr and UAQavailablerc: are in P. Other results
in Table 3 can be implied from the proved cases.

4.
An approach for the User Authorization
Query problem
The fact that UAQ is intractable, as shown in Section 3, means
that there exist difficult problem instances that take exponential time in the worst case. However, many instances that
will be encountered in practice may still be efficiently solvable. For example, UAQavailablepc:0 is NP-hard as shown
by Lemma 19. Wickramaarachchi et al. (Wickramaarachchi
et al., 2009) provided a general definition of UAQ, which includes the intractable subcase UAQavailablepc:0. We now
revisit the definition of the UAQ problem used in
(Wickramaarachchi et al., 2009).
Definition 4. Given R, P, and the requested permission information
(Pl,Pu,obj), where Pl ; Pu 4P, obj2fmax; ming, find a role set S4R
such that the following conditions hold:
 Pl 4PermS4Pu and jPermSj is maximized if obj max
(denoted as max-UAQ problem).

Role-cardinality
Or k

Or

Or 

P
NP-complete
NPNP
NP-complete

P
NP-hard

P
NP-hard

 Pl 4PermS4Pu and jPermSj is minimized if obj min

(denoted as min-UAQ problem).
In Corollary 1, we show that the max-UAQ problem can be
answered in polynomial time, and corollary 2 shows that the
min-UAQ problem is intractable (NP-hard). This is because UAQ
safepc:0 is in P and UAQavailablepc:0 is NP-hard, as
shown in Section 3. Obviously, our definition for the UAQ problem covers the max-UAQ problem and the min-UAQ problem.
Corollary 1. The max-UAQ problem and UAQsafepc:0 are
polynomial time Turing equivalent.
Proof. Let (Preq,R,0) be an instance of UAQsafepc:0 and
(Pl,Pu,R',max) be an instance of the max-UAQ problem. We first
show that there is a polynomial time Turing reduction from
the max-UAQ problem to UAQsafepc:0. Let PreqPu and
R R', then to answer the instance (Pl,Pu,R',max) of max-UAQ
problem, we only need to answer the instance (Preq,R,0) of
UAQsafepc:0, and determine whether PermRsat JPl .
Similarly, we now show that there is a polynomial time
Turing reduction from UAQsafepc:0 to the max-UAQ
problem. Let Pu Preq and R' R, then to answer the instance
(Preq,R,0) of UAQsafepc:0, we only need to answer the
instance (Pl,Pu,R,max) of max-UAQ problem.
Corollary 2. The min-UAQ problem and UAQavailablepc:0 are
polynomial time Turing equivalent.
Proof. The proof is similar to that for Corollary 1. Let (Pre

q,R,0 ) be an instance of UAQsafepc:0 and (Pl,Pu,R',min) be

an instance of the max-UAQ problem. We first show that there
exists a polynomial time Turing reduction from the min-UAQ
problem to UAQavailablepc:0. Let Preq Pl and
R fr2R' : Permr4Pu g, then to answer the instance
(Pl,Pu,R',min) of max-UAQ problem, we only need to answer the
instance (Preq,R,0) of UAQsafepc:0, and then determine
whether PermRsat JPl .
Similarly, we now show that there exists a polynomial time
Turing reduction from UAQavailablepc:0 to the min-UAQ
problem. Let Pl Preq and R' R, then to answer the instance
(Preq,R,0) of UAQavailablepc:0(R',Preq), we only need to
answer the instance (Pl,Pu,R,min) of min-UAQ problem.

Table 3 e Computational complexities of different subcases of the available match UAQ problem.
Available Match

None
Irreducibility
Permission-cardinality

None

Op t
Op 0

Role-cardinality
Or k

Or

Or 

NP-complete

NP-hard

NP-complete
NP-hard

NPNP

P
NP-hard
NP-hard

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

In the rest of this section, we first describe an efficient

approach for the subcase UAQavailablepc:0; the proposed
solution incorporates static pruning, preprocessing and the
depth-first search based algorithm. Next, we make a comparison of our approach with Wickramaarachchis, the result of
running the experiments shows the effective of our approach.
Finally, we show that our approach can be efficiently modified
to handle the other subcases of the UAQ problems.

4.1.

An approach for a subcase of the UAQ problem

In this section, we propose an approach for the subcase UAQ

availablepc:0. To address the efficiency issue we employ
various techniques as follows:
 We employ a static pruning technique that aims at
reducing the number of permissions that are provided to a
user requesting Preq in UAQavailablepc:0.
 We employ a preprocessing technique that aims at
reducing the number of available roles R that need to be
taken into account.
 We propose a depth-first search based algorithm to solve
UAQavailablepc:0.
Static Pruning Step: Given R, P, Preq 4P, a key goal of the
proposed approach is to first reduce the number of permissions that are provided to a user requesting Preq in UAQ
availablepc:0. To address this, we can construct a new
instance of UAQavailablepc:0 in polynomial time, by
replacing R and Preq with R' and P'req , where
R' {r2R : Permr?Preq } and P'req fp2Preq : p2PermR' g. We
can compute a role set R'sat 4R' where PermR'sat JP'req and


PermR'  is minimized to obtain an answer to UAQ
sat
availablepc:0. Such a reduction is characterized in the
following theorem.
Theorem 4. Given R, P and Preq 4P, Rsat is an answer to the
instance (Preq,R,0) of UAQavailablepc:0 if and only if R'sat is an
answer to the instance P'req ; R; 0 of UAQavailablepc:0, where
R'sat {r2Rsat : Permr?Preq } and P'req fp2PermRsat : p;Preq g.
Proof. For the only if part: Let Rsat be an answer to the
instance (Preq,R,0) of UAQavailablepc:0. This means
Rsat 4R, PermRsat JPreq and jPermRsat j is minimized. Suppose,
for the sake of contradiction, that R'sat is not an answer to the
of
UAQavailablepc:0.
Let
instance
P'req ; R; 0
Q fr2Rsat : Permr4Preq g be an available of Preq =P'req . Since
R'sat only adds elements from P'req , R'sat Q is not an available
match of Preq =P'req P'req . In other words, Rsat is not an available
match of Preq, which contradicts the assumption. Therefore,
R'sat is not an answer to the instance P'req ; R; 0 of UAQ
availablepc:0.
For the if part: Let R'sat be an answer to the instance
P'req ; R; 0 of UAQavailablepc:0; it means R'sat 4R,


PermR' 
and
is
minimized.
Let
PermR'sat JP'req
sat
R' fr2Rsat : Permr4Preq g and P'fp2PermRsat : p2Preq g. It
is easy to see that Rsat =R'sat is an answer to the instance (P',R',0)
of UAQexact, hence Rsat =R'sat R'sat is an answer to the instance
P'req P'; R; 0 of UAQavailablepc:0. In other words, Rsat is
an answer to the instance (Preq,R,0) of UAQavailablepc:0.

121

Preprocessing Step: This step involves removing roles in R

that do not have at least one permission in Preq. Note that there
may not be an answer to the instance (Preq,R,0) of UAQ
availablepc:0 if and only if Preq ?PermR. The next theorem captures this process of removing such roles.
Theorem 5. Given R, P, Preq 4P, Rsat is an answer to the instance
(Preq,R,0) of UAQavailablepc:0 if and only if Rsat is an answer
to the instance (Preq,S,0) of UAQavailablepc:0, where
Sfr2R : PermrPreq sg.
Proof. For the only if part: let Rsat be an answer to the
instance (Preq,R,0) of UAQavailablepc:0; hence, we have
Rsat 4R, PermRsat JPreq and jPermRsat j is minimized. In order
to obtain a contradiction, suppose that Rsat is not an answer to
the instance (Preq,S,0) of UAQavailablepc:0, which means
there must exist an answer Rsat such that Rsat ?S,
PermRsat SPreq or jPermRsat j is not minimized. Suppose
Rsat ?S, there must be a role r2Rsat r;S. r;S indicates that
PermrPreq . Hence, Rsat is not an answer to (Preq,R,0),
which contradicts the initial assumption. Similarly, either
PermRsat SPreq or jPermRsat j is not minimized, Rsat is not an
available match solution to (Preq,R,0) either. Therefore, Rsat is
an answer to the instance (Preq,S,0) of UAQavailablepc:0.
For the if part: if Rsat is an answer to the instance (Pre
,S,0
) of UAQavailablepc:0, which means Rsat 4S,
q
PermRsat JPreq and jPermRsat j is minimized, because S4R, it
is easy to see that Rsat is an answer to the instance (Preq,S,0) of
UAQavailablepc:0.
A Depth-First Search Algorithm: We present a Depth-First
Search (DFS) algorithm (as shown in Fig. 1) to solve UAQ
availablepc:0. The notations used in this algorithm are
listed in Table 4. In order to improve the performance of the
search, this algorithm first removes the permissions covered
by Rexact from Preq based on Theorem 4, and then, after static
pruning, removes the roles which do not have at least one
permission in Preq based on Theorem 5. This algorithm
dynamically prunes the search space and hence improves the
efficiency of the search process. The current solution Ravail is
always updated to a more optimum solution which covers less
extra permissions than requested. In particular, it continues
to search for a better solution by removing the currently
selected role based on depth-first search. Finally, the union of
Rexact and Rsat is the answer to the instance (Prem, R) of UAQ
availablepc:0.

4.2.
A comparison of our approach to
Wickramaarachchi's
We have implemented the approach described in Section 4.1,
and performed several experiments using randomly generated instances. We make a comparison of our DFS algorithm
with the Backtracking-Based Search (BBS) algorithm proposed
by Wickramaarachchi et al. (Wickramaarachchi et al., 2009).
Our goals are to understand the effectiveness of the static
pruning and the preprocessing techniques, and to understand
how well our DFS algorithm scales with different parameters.
The implementation of our algorithm was written in C. All
the experiments have been carried out on a standard desktop
PC with a Pentium(R) Dual-Core CPU E5700 running at 3.0 GHz,

122

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

Fig. 1 e The Depth-First Search (DFS) algorithm for UAQavailablepc:0.

and with DDR3 2 GB 1067 MHz, running Microsoft Windows 7

Ultimate Editions. For each instance, 10 randomly generated
test cases are run, the maximum and minimum values are
removed and the averages of the test results are used to
generate the graphs. Table 5 gives the experimental settings
for the RBAC states, such as the different ratios between roles,
permissions and requested permissions. In order to implement the static pruning and the preprocessing techniques, we
first set R:P 1:5, and generated random test cases for

Table 4 e Notations used in the depth-first search

algorithm.
Notation
Preq
Ract
Pextra
Prem
Rsat
Ravail
Rexact

4.2.1.

Description
Set of all permissions requested by the user.
Set of roles which can be activated by the user.
Set of extra permissions beyond Preq.
Set of permissions that have not been covered by
the selected roles.
Set of roles which can satisfy UAQ
availablepc:0.
Set of roles which can satisfy UAQavailable.
Set of roles which covers no extra permissions
than Preq in UAQavailable.

Table 5 e Experimental settings indicating number of

permissions and number of requested permissions for
each role.
Experimental settings

Preq

Static pruning & preprocessing

1
1
1
1
1

5
[2,10]
2
10
2

[0.5, 4.5]
1
1
1
0.5

DFS Algorithm & BBS Algorithm

different ratios of requested permissions to permissions from

1:0.5 to 1:4.5. Secondly, we set R:Preq 1:1, and increase the
ratio of permissions to roles from 2:1 to 10:1. In order to
compare our DFS algorithm to the Backtracking-Based Search
(BBS) Algorithm from (Wickramaarachchi et al., 2009), we
generated random test cases with a varying number of permissions requested. In these experiments, the ratios of roles
to permissions are 1:2 and 1:10, and the ratios of permissions
requested to roles are 1:1 and 1:2. Thus, there exist four test
cases: (a) Preq:R:P 1:1:2; (b) Preq:R:P 1:1:10; (c) Preq:R:P 1:2:4
(d) Preq:R:P 1:2:20.

Effectiveness of static pruning

Fig. 2 shows the result of running the experiments for static

pruning. As shown in Fig. 2(a), with the increase in the ratio of
requested permissions to permissions, the static pruning becomes more effective; it can reduce about 44% requested
permissions when the ratio of requested permissions to permissions is 0.9:1. And in Fig. 2(b), we observe that the static
pruning is more effective when the ratio of the number of
permissions to that of roles is small, such as P:R 2:1. However, as the ratio of permissions to roles increases, the effectiveness of the static pruning process decreases. Therefore,
static pruning is more effective when the ratio of requested
permissions to permissions is very large and the ratio of permissions to roles is small.

4.2.2.

Effectiveness of preprocessing

Fig. 3 shows the result of running the experiments for the

preprocessing phase. In Fig. 3(a), the preprocessing method
performs quite well for smaller ratios of requested permissions to permissions. As the ratio of requested permissions to
permissions increases, the ratio of roles that can be reduced
decreases. However, by first doing static pruning, the preprocessing phase performs quite well, even for a larger ratio of

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

123

Fig. 2 e Effectiveness of the static pruning for different ratios of requested permissions to permissions and different ratios of
permissions to roles.

requested permissions to permissions. When the ratio of

requested permissions to permissions is small, such as
Preq:P 0.1:1, we can remove more roles that do not have at
least one permission in Preq from R. As the ratio increases,
static pruning becomes more effective, we can remove more
roles from R by preprocessing together with static pruning. In
fact, when Preq:P 0.9:1, we can remove only 1.24% roles from
R only by preprocessing, but the result is 9.67% in the same
case by employing both static pruning and preprocessing. This
is the reason why we employ preprocessing after static
pruning. Similarly, as shown in Fig. 3(b), For the test cases with
P:R 2:1, the result is only 21.13% by employing preprocessing
only, but it can reduce about 45.03% roles in the same case
when employing both static pruning and preprocessing. As
the ratio of permissions to roles increases, the static pruning
becomes less effective, and the overall effectiveness of the
preprocessing decreases.

4.2.3.

Comparison of DFS algorithm with BBS algorithm

Fig. 4 shows the results of running the experiments for the

four test cases: (a)Preq:R:P 1:1:2; (b)Preq:R:P 1:1:10; (c)
Preq:R:P 1:2:4; (d)Preq:R:P 1:2:20. The runtimes of these two
algorithms depend on the total number of requested

permissions Preq, available roles R and available permissions P.

In Fig. 4, both of these two algorithms produce comparable
results when the number of permissions requested is small.
However, as the number of permissions requested increases,
the overall CPU time taken increases exponentially, this
makes the BBS algorithm impractical for implementation in
dynamic systems. However, DFS algorithm takes a few seconds, even for a larger number of roles, permissions and
permissions requested. The reason is that the number of
requested permission can be reduced by the static pruning
technique, relatively few requested permissions need to be
considered, doing this can greatly decrease the runtime of the
DFS algorithm. It is worth noting that the DFS algorithm turns
out to be more effective when the ratio of permissions to roles
is small such as P:R 2:1 in Fig. 4(a) and (c). This is because
static pruning is more effective when the ratio of the number
of permissions to that of roles is small, and thus the DFS algorithm scales well as the number of requested permission
Preq increases. However, as the ratio of permissions to roles
increases, such as P:R 10:1 in Fig. 4(b) and (d), the DFS algorithm stops scaling as Preq becomes large. For example, the
DFS algorithm takes only 2.3535 s for Preq 25, but 12.3196 s for
Preq 27 in Fig. 4(b). A major reason is that the effectiveness of

Fig. 3 e Effectiveness of preprocessing for different ratios of requested permissions to permissions and different ratio of
permissions to roles.

124

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

Fig. 4 e Running time for Depth-First Search (DFS) algorithm and Backtracking-Based Search (BBS) algorithm.

the static pruning process will decrease as the ratio of permissions to roles increases. We point out also that the DFS
algorithm is more effective than the BBS algorithm, even
thought the ratio of permissions to roles is large. For example,
for Preq 25 in Fig. 4 (d), the DFS algorithm takes only 14.4673 s,
but the BBS algorithm takes 48.1962 s. Consequently, even
though the number of permissions in a large-scale RBAC
system may be huge, the DFS algorithm with static pruning
and preprocessing will be able to handle many queries if the
number of requested permissions is not too large.

4.3.

Handling the other subcases of the UAQ problems

The approach described in the previous subsection addresses

a subcase UAQavailablepc:0. An important observation is
that the DFS algorithm can be efficiently modified to handle
the other subcases of the UAQ problems. Techniques ranging
from greedy algorithms to SAT solvers have been used to
tackle the UAQ problem. However, it is very hard to modify
existing algorithms to handle different UAQ problems just
with little modification.

4.3.1. Handling the other subcases of the UAQ problem with

permission-cardinality constraints
Table 6 summarizes the differences among the components
used for the three different phases for the various subcases of
the UAQ problem with permission-cardinality constraints. We
can see that the major differences occur with regards to the

DFS algorithm part. To address UAQavailablepc:t, the DFS

algorithm needs to check the current solution Ravail whether


jPermRavail j  Preq  t; if the answer is yes, it will return
Ravail Rexact as the solution to UAQavailablepc:t and does
not always update to a more optimum solution. Otherwise,
the DFS algorithm continues to search for a better solution by
removing the currently selected role. And the DFS algorithm
searches for the minimal value of jPermRsat j for UAQsafepc:0, but for UAQsafepc:t, the continuing search will be


stopped if jPermRsat j  Preq   t. Note that static pruning may
not be available for UAQsafepc:0 and UAQsafepc:t. We
can remove every role r in R such that Permr?Preq from
preprocessing.

4.3.2. Handling the various subcases of the UAQ problem

with role-cardinality constraints
It is obvious that the UAQ problem with both permissioncardinality and role-cardinality constraints can be simplified
into two problems: one with the permission-cardinality
constraint only, and the other with role-cardinality constraints only. This is because we can assign higher priorities to
the permission-cardinality constraints. For example, taking
(Preq,R,0,) as an instance of UAQavailablepc:0rc:,
we can split it into two problems: UAQavailablepc:0 and
UAQexactrc:, where (Preq,R,0) is the instance of UAQ
availablepc:0. For UAQavailablepc:0rc:, we can first
search a solution Rsat using the proposed approach and then
make (Perm(Rsat),R,) an instance of UAQexactrc:. DFS

125

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

Table 6 e Key differences among the static pruning, preprocessing and DFS algorithm for various UAQ problem subcases
with permission-cardinality constraints.
Op

Static pruning

Preprocessing

DFS algorithm

t

unavailable

cr2R : PermrPreq
RRy{r}
cr2R : PermrPreq
RRy{r}
cr2R : Permr?Preq
RRy{r}
cr2R : Permr?Preq
RRy{r}

jPermRsat j is maximized

0

cr2R : Permr4Prem
PreqPreqyPerm(r)
cr2R : Permr4Prem
PreqPreqyPerm(r)
unavailable

algorithm also can be used to solve the UAQ problem by

comparing the number of roles instead of the number of
permissions. It is worth noting that there may not exist a
unique solution for UAQavailablepc:0. It means that we
have to find all of the solutions and generate an instance of
UAQexactrc: for each solution of UAQavailablepc:0.
After solving all the instances of UAQexactrc:, we can
choose the final solution to UAQavailablepc:0rc: from
them. Obviously, the exhaustive search may increase the cost
of computing. A more efficient approach will be to revise the
DFS algorithm as follows: if the current solution is Rsol such
that PermRsol JPreq , we check not only whether Perm(Rsol) is
maximized but also whether jRsol j is minimized. Detailed
analysis of the performances for these two different algorithms is beyond the scope of this paper.

4.3.3. Handling the various subcases of the UAQ problem

with irreducibility constraints
Given Rsat 4R, it is efficient to compute a subset R'sat 4Rsat such
that R'sat is irreducible based on Lemma 2: for each role r2Rsat ,
remove r from Rsat if PermRsat =frg PermRsat . Therefore, we
also can use the DFS algorithm for the UAQ problem without
irreducibility constraints to resolve the UAQ problem with
irreducibility constraints by computing a subset R'sat 4Rsat such
that R'sat is irreducibility, and replacing Rsat with R'sat .

5.

Related work

In this section, we present the related work in the literature,

which is summarized in Table 7. We can see that the existing



jPermRsat j  Preq  t
jPermRsat j is minimized


jPermRsat j  Preq   t

approaches have paid more attention to designing approximate or exhaustive algorithms for the UAQ problem rather
than analyzing the computational complexity of the problem.
The concept of UAQ was first proposed by Du et al. (Du and
Joshi, 2006), where they call it as the inter-domain role mapping (IDRM) problem. The definition of the IDRM problem from
Du et al. is basic and incomplete. There exist at least two
different reasons: first of all, there may not be a unique minimal set of roles, which is a better choice. A more important
issue is the fact that there may not be Rsat 4R such that
Perm(Rsat) Preq. Chen et al. (Chen and Crampton, 2007) redefine the IDRM problem definition. In their definition, two aspects of the IDRM problem are ensured. The first one is that all
requested permissions should be available while the second
one is that the principle of least privilege should be observed.
Later on, they introduce the minimal cover problem which is a
generalization of the well-known set cover problem. They use
it to determine the complexity of the IDRM problem (Chen and
Crampton, 2009). However, the IDRM problem defined by Chen
et al. is only a subcase of UAQ and it is equal to UAQ
availablepc:0. This is because they only consider the optimization of the number of permissions as a problem. In our
definition of UAQ, the permission-cardinality constraint can
be denoted as pcS,d, where S4R, d2ft ; t ; 0 ; 0 g, they only
take d 0 into consideration. And they also do not consider
the optimization of roles. Zhang et al. in (Zhang and Joshi,
2008) generalize the UAQ problem by dividing the problem
into three subcases: one where the exactly matched role set
exists; when this is impossible, availability or least privilege
concerns are used for the other two cases. Obviously, they
only consider the optimization of the number of roles for the

Table 7 e A summary of existing approaches related to the subcases of the UAQ problem. - denotes that the work
presents a heuristic solution to address the subcase of the UAQ problem indicated; + denotes that the work reports
computational complexity of the indicated subcase; DMER (Dynamic Mutual Exclusive Role), DSoD (Dynamic
Separation-of-Duty) and other constraints indicated shows that the proposed approach considers these in the policy.
Existing works

Some subcases of the UAQ problem

UAQexactrc:k

Du et al. (Du and Joshi, 2006)

Chen et al. (Garey and Johnson, 1979)
Chen et al. (Chen and Crampton, 2009)
Zhang et al. (Zhang and Joshi, 2008)
Wickramaarachchi et al. (Li et al., 2007)
Armando et al. (Armando et al., 2012)
Mousavi et al. (Mousavi and Tripunitara, 2012)
Lu et al. (Lu et al., 2012)

UAQexactrc:

UAQsafepc:0

UAQavailablepc:0

++ (irreducibility constraint)
-(DMER and cardinality constraints)
- (DMER and cardinality constraints)
- (multiple sessions and histories constraints)
-(role-cardinality constraints)
-(DSoD constraints)

126

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

exactly matched case of UAQ, and they only consider the

optimization of the number of permissions as a problem for
availability and least privilege cases of UAQ. Wickramaarachchi et al. in (Wickramaarachchi et al., 2009) provide a more
general definition of UAQ problem where the number of permissions granted is restricted to both a lower bound and an
upper bound.
Previous definitions of UAQ that only consider the optimization objective for permissions are less complete as the
number of roles is another important optimization objective.
To the best of our knowledge, the combination of the optimization of the number of roles and the number of permissions is first proposed by Mousavi et al. (Mousavi and
Tripunitara, 2012). However, they only consider the optimization objective for extra permissions, but omitted the
missing permissions for safe match UAQ. And they also did
not consider the k-cardinality optimization for both the roles
and permissions. Most of all, Mousavi et al. do not determine
the computational complexity of the UAQ problem. In this
paper, we give a formal definition of UAQ which is more
general than the work of Mousavi et al.
Inadequate attention has been given to computational
complexity analysis of the UAQ problem. Chen et al. (Chen and
Crampton, 2009) introduce the NP-hard minimal cover problem, and prove that the IDRM-safety problem is in P, and the
IDRM-availability problem is NP-hard based on the minimal
cover problem. To the best of our knowledge, we are the first to
determine the computational complexity of the UAQ problem
by considering the optimization objectives for both roles and
permissions. Most significantly, we study the computational
complexity of UAQ problems with associated irreducibility,
role-cardinality and permission-cardinality constraints, along
with the three subcases: exact match, safe match and available
match, shown that many instances are intractable.
Several researches have proposed appropriate or exhaustive
algorithms to compute a solution for the UAQ problem. Zhang
et al. propose a two-step algorithm for the UAQ problem.
However, this algorithm has some false negatives, such as
falsely rejecting some legal success requests. For example, the
algorithm finds a role set in the first step, but it may violate the
DSoD or Cardinality Constraints in the second step. In fact,
there exists a set of roles that satisfies both of these two constraints, but cannot be found in the first step by this two-step
algorithm. Wickramaarachchi et al. introduce two approaches
to address the UAQ problem. In the first approach, they propose
a Backtracking-Based Search (BBS) algorithm which extended
the DavisePutnameLogemanneLoveland (DPLL) algorithm for
solving the CNF-SAT problem (Sinz, 2007). It does a backtracking based search where the search tree is traversed
recursively. However, the algorithm is exponential-time in
design, thus it does not seem to scale to larger RBAC policies, as
pointed out by Armando et al. (Armando et al., 2012). In order to
overcome this problem and extend the types of authorization
constraints that can accommodate multiple sessions and histories, they describe a SAT-based technique to solve the UAQ
problem. Guneshi et al. also propose another approach that
reduces the UAQ problem to the MAXSAT problem and use
optimized off-the-shelf SAT solvers such as zChaff. However, as
pointed out by Mousavi et al. (Mousavi and Tripunitara, 2012),
the second approach is unsound, inefficient and offers only

limited support for the joint optimization of the number of roles

and extra permissions.
As shown above, existing algorithms focus on finding a set
of roles to activate a set of permissions that is as close as
possible to the set of those permissions requested by a user.
Sometimes, however, such a solution may not exist, this is
because missing any requested permissions may cause the
failure of this task while any extra permissions may bring the
intolerable risk to the system. Towards addressing this problem, it is necessary to change the system configuration. Hu
et al. (Hu et al., 2010a, 2010b) refer to the updating of user-role,
roleerole and role-permission assignments as role updating.
However, as pointed out by Lu et al. (Lu et al., 2014), role
updating should only include the updating of roleerole and rolepermission assignments. In their work, they define the Role
Updating Feasibility Problem (RUFP), which determines
whether there exists a valid role-permission assignment, i.e.,
whether it can satisfy all the requirements of the role updating and without violating any role-capacity or permissioncapacity constraint. They also study the computational
complexity of RUFP in different subcases, and show that
although several subcases are solvable in linear time, this
problem is NP-complete in the general case.

6.

Conclusion and future work

In this paper, we have given a more comprehensive definition

of the UAQ problem in RBAC, considering the optimization of
number of roles as well as number of permissions. We have
defined the Core-UAQ problem and the Constrained-UAQ
problem by introducing the irreducibility, role-cardinality,
permission-cardinality constraints to Core-UAQ. It is worth
noting that the definition of UAQ problem can be easily
extended to support the RBAC systems with hybrid hierarchy
types: I-hierarchy, A-hierarchy and IA-hierarchy (Joshi et al.,
2008). This is because we can use the decomposition of a
hybrid hierarchy into the monotype components, namely, IDecomposition and A-Decomposition, as proposed in (Zhang
and Joshi, 2008), and encoding all the authorized relationships based on user-role and permission-role assignments
and the role hierarchy. Furthermore, we have presented the
computational complexity analysis of various subcases of the
Constrained-UAQ. We have shown that most instances of
UAQ problem are intractable. We have also proposed a depthfirst search based approach that employs static pruning and
preprocessing techniques to solve an instance of UAQ, and
have shown how it can be modified to handle the other subcases. This algorithm dynamically prunes the search space
and hence improves the efficiency of the search process.
Open problems. First of all, the set of roles selected by the
DFS algorithm may not satisfy the security constraints in the
system, and then the system will deny the user's request. It is
meaningful to study the computational complexity of the UAQ
problem by including other security constraints (e.g., separation of duty, cardinality constraints). Since security constraints affect the complexity of the UAQ problem, that is, the
UAQ problem with other security constraints is at least as
hard as itself, because any solution for the former problem is
also a solution for the later one.

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

Secondly, it is necessary to consider the impact of

different permissions, because it may not make any sense if
we just consider the number of extra permissions. For
example, a role set with a critical extra permission may not
be more optimized than a role set with two trivial extra
permissions.
Thirdly, with the limitation of space, we simply assign the
permission-cardinality constraints with higher priority in this
paper. It is useful to address the combination of the
permission-cardinality and role-cardinality constraints that
can conflict with each other. In particular, it will be useful to
address this problem by assigning a priority to the two constraints (Mousavi and Tripunitara, 2012).
Finally, some cases of the UAQ problems have been
reduced to SAT that benefit from SAT solvers to reduce the
running time. However, it is not easy to reduce an SAT solver
for one UAQ problem to handle the other UAQ problem.
Hence, it is very important to design a universal SAT solver
such that it can easily handle different subcases of the UAQ
problems.

Acknowledgments
This work is supported by National Natural Science Foundation of China under Grant 61402418, 61170108, MOE (Ministry
of Education in China) Project of Humanity and Social Science
under Grant 12YJCZH142, Zhejiang Provincial Natural Science
Foundation of China under Grant LQ12F02005, LY13F020017,
LQ13F020007, Opening Fund of Key Discipline of Computer
Software and Theory of Zhejiang Province at ZJNU under
Grant ZSDZZZZXK23.

Appendix A. Proofs for Theorem 1.

Lemma 1. UAQexact rc : k is NP-hard.
Proof. We show that UAQexactrc:k is NP-hard by
reducing the NP-complete set cover decision problem (Garey
and Johnson, 1979) to it. In the set cover decision problem,
the input is a finite set S, a family F {S1,,Sl} of subsets of S,
and a budget B. The goal is to determine whether there exists B
sets in F whose union is S. Let (S,F,B) be an instance of the set
cover decision problem, we transform it into an instance
(Preq,R,k) of UAQexactrc:k in the following way as follows: let
Preq S, R F and k B, then k members of R have all the
permissions in Preq if and only if B members of F cover S.
Lemma 2. UAQexact rc : irr is NP-hard.
Proof. We first show that UAQexactrc:irr is at least
as hard as UAQexactrc:kirr: by reducing UAQ
exactrc:kirr to UAQexactrc:irr. The only difference
is that we query the oracle and return yes for UAQ
exactrc:kirr if the cardinality of the role set Rsat returned by
the oracle is more than or equal to k.
We then show that UAQexactrc:kirr is polynomial time
Turing equivalent to the NP-hard problem UAQexactrc:k.
Clearly, any solution for UAQexactrc:kirr is a solution for
UAQexactrc:k, this is because UAQexactrc:kirr is a special case of UAQexactrc:k. Next, we show a polynomial time

127

Turing
reduction
from
UAQexactrc:k
to
UAQ
exactrc:kirr. Suppose there exists an oracle for UAQ
exactrc:k, we query the oracle to obtain a solution S for UAQ
exactrc:k. We can compute an irreducible set S of S as a
solution to UAQexactrc:kirr as follows. For each role r2S,
remove r from S if Perm(S/{r})Perm(S). Hence, UAQ
exactrc:kirr
is
NP-hard,
and
therefore
UAQ
exactrc:irr is also NP-hard.
Lemma 3. UAQexact rc :  is NP-hard.
Proof. We show UAQexactrc: is NP-hard by reducing
the NP-hard set cover optimization problem (Chen and
Crampton, 2009) to it. In the set cover optimization problem,
the inputs are a finite set S, a family F{S1,,Sl} of subsets of S.
The goal is to find the smallest sets in F whose union is S. The
reduction is as follows. Given F and S, we construct a role set R
and a requested permission set Preq, and then set R F and
Preq S. Clearly, a solution Rsat to the set cover optimization
problem provides a solution to UAQexactrc:.
Lemma 4. UAQexact rc : k irr is in NP.
Proof. We can see that UAQexactrc:k is in NP, because if
one correctly guess a subset Rsat of R as a solution to UAQ
exactrc:kirr, verifying whether Rsat is an exact match of
Preq such that jRsat j  k, which can be done in polynomial
time. There exists an efficient algorithm for checking
whether Rsat is an irreducible set as follows. For each role
r2Rsat , remove r from Rsat if Perm(Rsat/{r}) Perm(Rsat). If no
role can be removed from Rsat without changing Perm(Rsat),
then Rsat is an irreducible set. This can be done in polynomial
time with the time complexity of O(jRsat j), where jRsat j is the
number of roles in Rsat.
Lemma 5. UAQexact irr is in P.
Proof. Firstly, an answer to UAQexact can be computed as
follows. Given R, P and Preq 4P, for each r2RYPermr4 Preq ,
add r to Rsat so that Rsat Rsat frg, and then determine
whether Perm(Rsat) Preq. This can be done in polynomial time
with the time complexity of O(NR), where NR is the number of
roles in R. Hence, UAQexact is in P.
Secondly, we show that there exists a polynomial time
Turing reduction from UAQexactirr to UAQexact. Let Rsat
be a solution to UAQexact, for each role r2Rsat , remove r from
Rsat if Perm(Rsat/{r}) Perm(Rsat). This can be done in polynomial
time with the time complexity of O(N), where N is the number
of roles in Rsat. Hence, UAQexactirr is also in P.
Lemma 6. UAQexact rc : is in P.
Proof. Given R, P and Preq 4P, we first give an algorithm to
compute a solution Rsat to UAQexactrc: as follows. We
first assume that Rsat , for each r2RYPermr4 Preq , let
Rsat Rsat frg, and finally determine whether Perm(Rsat) Preq.
This can be done in polynomial time with the time
complexity of O(N), where N is the number of roles in R. We
then show that for any other exact match R'sat of Preq,
 ' 
R   jRsat j. Suppose, for the sake of contradiction, that
sat


jRsat j < R'sat . Then there must exist a role r2R'sat r;Rsat , thus
Permr?Preq , otherwise r2Rsat . This contradicts the
assumption that R'sat is an exact match of Preq, hence,
 ' 
R   jRsat j. Therefore, UAQexactrc: is in P.
sat

128

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

Appendix B. Proofs for Theorem 2.

Lemma 7. UAQsafe pc : t is NP-hard.
of
Proof.
Consider
a
subcase
UAQsafepc:t*

UAQsafe pc : t , where for each ri ; rj 2R, Permri
Permrj . We need to find a role set Rsat for UAQsafe

pc:t* such that PermRsat 4Preq and jPermRsat j Preq   t.
We now show that UAQsafepc:t* is NP-hard by reducing
the NP-complete subset sum problem (Arora and Barak, 2009)
to it. The subset sum problem can be depicted as follows.
Given a set A {ai : 1  i  n} (where n jRj) of positive integers
and a positive integer M, the goal is to determine whether
there exists a subset of A sum of whose elements equal to a
given integer M. Let (A, M) be an instance of the subset sum
problem, we transform it into an instance (Preq, R, t) of a special
case of UAQsafepc:t* where for each ri ; rj 2R we have
Permri Permrj . For each ri 2R, and ai 2A, let


jPermri j ai , and let Preq   tM. We prove that there exists a
such
that
PermRsat 4Preq
and
role
set
R
 sat
jPermRsat j Preq   t, if and only if the answer to the subset
sum problem is yes as follows:
For the only if part, if PermRsat 3Preq and


 
 S







permri   Preq   t M,
jPermRsat j Preq  t, then 

 ri 2Rsat
since each role in R has different sets of permissions and


 S

P


thus,
permri 

jpermri j
jpermri j ai ;
 ri 2Rsat
 ri 2Rsat
P
aj M. Hence, the answer to the subset sum
aj 2Ajij;ri 2Rsat;
problem is yes. For the if part, suppose there exists a
P
ai M; we can find a role set R' 4R,
subset A' 4A where
where

P
ri 2Rsat

ai 2A'

jpermri j M0

P
ri 2R'



jpermri jPreq   t, thus, R' is a

solution to the instance (Preq, R, t) of a special case of UAQ

safepc:t*.
Finally, we show that UAQsafepc:t is polynomial time
Turing equivalent to UAQsafepc:t*. We first show a polynomial time Turing reduction from UAQsafepc:t* to UAQ
safepc:t. Obviously, any solution to UAQsafepc:t* is
also a solution for UAQsafepc:t. We now show a polynomial time Turing reduction from UAQsafepc:t to UAQ
safepc:t*. Any solution S for UAQsafepc:t must satisfy




 
PermQ  Preq   t and jPermQj  Preq , thus UAQsafe

*

pc:t can be divided into t instances of UAQsafepc:t

(where t is a constant). We query an oracle and returns a list of
solutions for the instance (Preq, R, t) of UAQsafepc:t. Then to
solve

the

instance

P*req ; R* ; t*

of

UAQsafe pc : t

where Preq P*req and R R* , we simply need to check

whether the solution Rsat of (Preq, R, t) has cardinality equal to


 * 
Preq   t* .
Lemma 8. UAQsafe rc : k irr is NP-hard.
Proof. We show that UAQsaferc:kirr is polynomial time
Turing equivalent to the NP-hard problem UAQ
exactrc:kirr. Since UAQexactrc:kirr is a special case of
UAQsaferc:kirr, it is obvious that any solution for UAQ

exactrc:kirr is a solution for UAQsaferc:kirr. We now

show a polynomial time Turing reduction from UAQsaferc:kirr to UAQexactrc:kirr. Let (Preq,R,k) be an instance
of UAQsaferc:kirr, we construct a new instance of UAQ
saferc:kirr as follows: remove all the roles r from R where
Permr?Preq , and let Preq Perm(R). We now transform it
into an instance P'req ; R' ; k' of UAQexactrc:kirr as follows:
let P'req Preq, R' R and k' k. Hence, Rsat is a solution to the
instance (Preq,R,k) of UAQsaferc:kirr, of course is also a
solution to the instance P'req ; R' ; k' of UAQexactrc:k.
Lemma 9. UAQsafe rc : k pc : 0 is NP-hard.
Proof. We prove that UAQsaferc:kpc:0 is NP-hard by
reducing the NP-hard problem UAQexactrc:k to it. We first
remove all the roles r from R where Permr?Preq , then let
Preq Perm(R). In this case, UAQsaferc:kpc:0 is equal to the
NP-hard problem UAQexactrc:k. Hence, UAQsaferc:kpc:0 is NP-hard.
Lemma 10. UAQsafe rc : irr is NP-hard.
Proof. Clearly, we can use an algorithm that solves NP-hard
problem UAQexactrc:irr to solve UAQsaferc:irr.
We first remove all the roles r from R where Permr?Preq ,
then let Preq Perm(R). It is obvious that there exists a solution
Rsat to UAQexactrc:irr if and only if Perm(Rsat) Preq, jRsat j
is maximized and Rsat is irreducible. Obviously, Rsat is also a
solution to UAQsaferc:irr. Hence, UAQsaferc:irr
is NP-hard.
Lemma 11. UAQsafe rc :  pc : 0 is NP-hard.
Proof. We can use an algorithm that solves NP-hard problem UAQexactrc: to solve UAQsaferc:pc:0. We
first remove all the roles r from R where Permr4Preq , then let
Preq Perm(R). It is obvious that there exists a solution Rsat to
UAQexactrc: if and only if Perm(Rsat) Preq, jRsat j is minimized. Obviously, Rsat is also a solution to UAQsaferc:pc:0. Hence, UAQsaferc:pc:0 is NP-hard.
Lemma 12. UAQsafe pc : t is in NP.
Proof. If one correctly guesses a subset Rsat of R as a solution
to UAQsafepc:t, verifying that the guess is correct can be
done in polynomial time: by computing Perm(Rsat) and deter
 

mining whether or not PermRsat 4Preq PermRsat   Preq   t.
Lemma 13. UAQsafe rc : k irr is in NP.
Proof. It is easy to see that UAQsaferc:kirr is in NP,
because a nondeterministic algorithm needs only guess a
subset Rsat of R, and check in polynomial time whether
jRsat j k and Rsat is irreducibility. For each role r2Rsat , remove r
from Rsat if PermRsat =frg PermRsat . This can be done in
polynomial time with the time complexity of O(N), where N is
the number of roles in Rsat.
Lemma 14. UAQsafe rc : k pc : 0 is in NP.
Proof. A nondeterministic algorithm needs only guess a
subset Rsat of R, and check in polynomial time whether
jRsat j k, and check whether jPermRsat j is maximized by
adding all the roles r2R such that Permr4Preq to S, and
determine whether Perm(Rsat) Perm(S). This can be done in

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

polynomial time with the complexity of O(NR), where NR is the

number of roles in R.
Lemma 15. UAQsafe rc : k pc : t is in NPNP.
Proof. Assume that we have an oracle that decides UAQ
saferc:k, which, as we know, is NP-complete. We construct
a nondeterministic oracle Turing machine M that accepts the
role set R' when PermR'  Preq  t. M nondeterministically
selects k roles from R', and then queries the oracle. If the oracle
machine returns no, M rejects; otherwise, M accepts,
because it has found a set of roles Rsat 4R', where PermRsat 
Preq  t and jRsat j  k. The construction of M shows that UAQ
saferc:kpc:t is in NPNP.
Lemma 16. UAQsafe rc : k, UAQsafe rc : pc : 0 ;
UAQsafe rc :  irr, are in P.
Proof. First of all, for each role r2R, Permr4 Preq , add r to
Rsat until jRsat j> k. This can be done in polynomial time with
the time complexity of O(NR), where NR is the number of roles
in R. Hence, UAQsaferc:k is in P.
Secondly, one algorithm for UAQsaferc:pc:0 is as
follows. For each role r2R, Permr4 Preq , add r to Rsat. Then Rsat
is a solution to UAQsaferc:pc:0 and this algorithm has
the complexity of O(N), where N is the number of roles in R.
Hence, UAQsaferc:, UAQsafepc:0 and UAQsaferc:pc:0 are in P.
Finally, it is obvious that any single role r2R such
that Permr4 Preq is a solution to both UAQsafeirr and UAQ
saferc:irr.

Appendix C. Proofs for Theorem 3.

Lemma 17. UAQavailable rc : k is NP-hard.
Proof. We show a polynomial time transformation from the
NP-hard problem UAQexactrc:k to a special case of UAQ
availablerc:k. Let (Preq, R, k) be an instance of UAQ
exactrc:k, which determines whether there exists a role set
Rsat 4R such that Perm(Rsat) Preq and jRsat j  k. We transform it
into an instance P'req ; R' ; k' of a special case of UAQavailablerc:k where we let P'req PermR, R' R and k' k. We now
show that there exists a solution R'sat to UAQavailablerc:k if
and only if there exists a solution Rsat which is a solution to
UAQexactrc:k.
For the only if part: if there exists a role set R'sat which is a
solution to UAQavailablerc:k, then PermR'sat JPreq and
 ' 
R   k' .
Let
RsatR'sat ,
then
and
jRsat j  k' k,
sat
Perm(Rsat) PermR'sat P'req PermR, thus Rsat is a solution
to UAQexactrc:k.
For the if part: suppose there exists a role set Rsat that is a
solution to UAQexactrc:k, such that Perm(Rsat) Perm(R) and


and
jRsat j  k. Let R'sat Rsat , because R'sat   k k'
PermR'sat PermRJP'req , R'sat is a solution to UAQ
availablerc:k.
Lemma 18. UAQavailable pc : t is NP-hard.
Proof. We now show that UAQavailablepc:t is NP-hard
by reducing the NP-complete container decision problem
(Chen and Crampton, 2009) to it. In the container decision

129

problem, the inputs are a finite set X, a family C{C1,,Cl} of

subsets of X, V4X, and an integer k; the goal is to determine
whether there exists a container T of V such that
jTj  jVj k, where the container T denotes the union of all
elements in V. Let (Preq,R,Rsat,t) be an instance of UAQ
availablepc:t, we transform it into an instance (X,C,V,k) of
the container decision problem as follows: let Preq X, R C,
Rsat V and t k. We query an oracle to obtain a solution


Rsat of Preq such that jPermQj  Preq  t; then we simply
compute Permr, which is a container T of V such that
r2Rsat
jTj  jVj k.
Lemma 19. UAQavailable pc : 0 is NP-hard.
Proof. There exists a polynomial time Turing reduction
from the NP-hard problem UAQavailablepc:t to UAQ
availablepc:0. We query an oracle and return yes for UAQ
availablepc:t if the cardinality of the role set Rsat returned
by the oracle is less than or equal to t. Hence, UAQ
availablepc:0 is NP-hard.
Lemma 20. UAQavailable rc : irr is NP-hard.
Proof. The result follows from the fact that UAQ
exactrc:irr is NP-hard, and UAQexactrc:irr is a
special case of UAQavailablerc:irr, where we assume
that Preq Perm(R). It is easy to see that if there exists a role set
Rsat as an answer to UAQexactrc:irr, then Rsat must be
also an answer to UAQavailablerc:irr, and vice versa.
Lemma 21. UAQavailable rc :  is NP-hard.
Proof. The results follow from the fact that the associated
UAQavailablerc:k is NP-hard.
Lemma 22. UAQavailable pc : t is in NP.
Proof. We show that UAQavailablepc:t is in NP. A
nondeterministic algorithm needs only guess a subset Rsat of
R, and then can check in polynomial time whether


Preq 4PermRsat and jPermRsat j  Preq  t.
Lemma 23. UAQavailable rc : k is in NP.
Proof. It is easy to see that UAQavailablerc:k is in NP,
because a nondeterministic algorithm needs only guess a
subet Rsat of R and check whether PermRsat JPreq and jRsat j  k,
which can be done in polynomial time.
Lemma 24. UAQavailable rc : k pc : t is in NPNP.
Proof. Suppose there exists an oracle for NP-complete
problem UAQavailablepc:t (Lemma 18 shows that UAQ
availablepc:t is NP-hard, and Lemma 22 shows that UAQ
available pc:t is in NP). We construct a nondeterministic
oracle Turing machine M that accepts the role set Rsat when


and
M
nonPermRsat JPreq
jPermRsat j  Preq  t.
deterministically selects k roles from R, and then queries the
oracle. If the oracle machine returns no, M rejects; otherwise, M accepts, because it has found a set of roles Rsat, where


PermRsat JPreq , jPermRsat j  Preq  t and jRsat j  k. The construction of M shows that UAQavailablerc:kpc:t is in
NPNP.
Lemma 25. UAQavailable irr and UAQavailablerc: are
in P.

130

c o m p u t e r s & s e c u r i t y 4 8 ( 2 0 1 5 ) 1 1 6 e1 3 0

Proof. One algorithm for UAQavailableirr is as follows.

For each role r2R, remove r from R if Perm(R/{r}) Perm(R).
Then the remaining roles in R is a solution to UAQavailable
and UAQavailableirr. It is easy to see that the role set R is a
solution to UAQavailablerc:. Hence, UAQavailableirr
and UAQavailablerc: are in P.

references

ANSI. American national standard for information technologyrole based access control. 2004. ANSI INCITS 359-2004.
Armando A, Ranise S, Turkmen F, Crispo B. Efficient run-time
solving of RBAC user authorization queries: pushing the
envelope. In: Proc. ACM Conference on Data and Application
Security and Privacy, San Antonio, Texas, USA; 2012. p. 241e8.
Arora S, Barak B. Computational complexity: a modern approach.
Cambridge University Press; 2009.
Chen L, Crampton J. Inter-domain role mapping and least
privilege. In: Proc. 12th ACM Symposium on Access Control
Models and Technologies, Sophia Antipolis, France; 2007.
p. 157e62.
Chen L, Crampton J. Set cover problems in role-based access
control. In: Proc. 14th European Symposium on Research in
Computer Security, Saint Malo, France; 2009. p. 689e704.
Crampton J, Huth M. An authorization framework resilient to
policy evaluation failures. In: Proc. 15th European Symposium
on Research in Computer Security, Athens, Greece; 2010.
p. 472e87.
Du S, Joshi JBD. Supporting authorization query and inter-domain
role mapping in presence of hybrid role hierarchy. In: Proc.
11th ACM Symposium on Access Control Models and
Technologies, Lake Tahoe, California, USA; 2006. p. 228e36.
Garey MR, Johnson DJ. Computers and intractability: a guide to
the theory of NP-completeness. San Francisco, CA: Freeman;
1979.
Hu J, Zhang Y, Li R, Lu Z. Role updating for assignments. In: Proc.
15th ACM Symposium on Access Control Models and
Technologies, Pittsburgh, Pennsylvania, USA; 2010. p. 89e98.
Hu J, Zhang Y, Li R. Towards automatic update of access control
policy. In: Proc. The 24th USENIX Large Installation System
Administration Conference, San Jose, CA, USA; 2010. p. 59e74.
Joshi JBD, Bertino E, Ghafoor A, Zhang Y. Formal foundations for
hybrid hierarchies in GTRBAC. ACM Trans Inform Syst Secur
2008;10(4):1e39.
Le X, Doll T, Barbosu M, Luque A, Wang D . An enhancement of
the role-based access control model to facilitate information
access management in context of team collaboration and
workflow. J Biomed Inform 2012;45(6):1084e107.
Li N, Tripunitara M, Bizri Z. On mutually exclusive roles and
separation-of-duty. ACM Trans Inform Syst Secur
2007;10(2):1e36.
Li R, Lu J, Lu Z, Ma X. Consistency checking of safety and
availability in access control. IEICE Trans Inform Syst
2010;E93-D(3):491e502.
Lu J, Han J, Chen W, Hu J. Safety and availability checking for user
authorization queries in RBAC. Int J Comput Intell Syst
2012;5(5):860e7.

Lu J, Xu D, Jin L, Han J, Peng H. On the complexity of role updating

feasibility problem in RBAC. Inf Process Lett
2014;114(11):597e602.
Mousavi N, Tripunitara MV. Mitigating the intractability of the
user authorization query problem in role-based access control
(RBAC). In: Proc. 6th International Conference on Network and
System Security, Fujian, China; 2012. p. 516e29.
Pavlich-Mariscal JA, Demurjian SA, Michel LD. A framework of
composable access control features: preserving separation of
access control concerns from models to code. Comput Secur e
COMPSEC 2010;29(3):350e79.
Sinz C. Visualizing sat instances and runs of the DPLL algorithm.
J Autom Reason 2007;39(2):219e43.
Sun Y, Wang Q, Li N, Bertino E, Atallah MJ. On the complexity of
authorization in RBAC under qualification and security
constraints. IEEE Trans Depend Secur Comput
2011;8(6):883e97.
Wickramaarachchi TG, Wahbeh HQ, Li Ninghui. An efficient
framework for user authorization queries in RBAC systems. In:
Proc. 14th ACM Symposium on Access Control Models and
Technologies, Stresa, Italy; 2009. p. 23e32.
Zhang Y, Joshi JBD. UAQ: a framework for user authorization
query processing in RBAC extended with hybrid hierarchy and
constraints. In: Proc. 13th ACM Symposium on Access Control
Models and Technologies, New York, NY, USA; 2008. p. 83e92.
Jianfeng Lu is an associate professor in the School of
Mathematics-Physical and Information Engineering at Zhejiang
Normal University. He received his B.S. degree in the School of
Computer Science and Technology at Wuhan University of Science and Technology in 2005, and the PhD degree in the School of
Computer Science and Technology at Huazhong University of
Science and Technology in 2010. His research interests include
distributed system security and access control.
James B.D. Joshi is an Associate Professor and the Director of the
Laboratory for Education and Research on Security Assured Information Systems (LERSAIS) in the School of Information Sciences at the University of Pittsburgh. He received his MS in
Computer Science and his PhD in Computer Engineering from
Purdue University in 1998 and 2003, respectively. His research
interests include role-based access control, trust management,
and secure interoperability. He is a member of the IEEE and the
ACM.
Lei Jin is currently working toward his PhD at the School of Information Sciences, University of Pittsburgh and is a member of
the Laboratory of Education and Research on Security Assured
Information Systems (LERSAIS). He received his MSE in Software
Engineering from Tsinghua University and his BS in Computer
Software from Tsinghua University in 2009 and 2006 respectively.
His research interests include authentication, privacy and security in social computing and in mobile computing, usable privacy
and security. He is a student member of the IEEE and the ACM.
Yiding Liu is currently a sophomore in the School of MathematicsPhysical and Information Engineering at Zhejiang Normal University. His research interests include network security and optimization algorithm.