Pattern Backtracking Algorithm for the Workflow Satisfiability Problem
PPattern Backtracking Algorithmfor the Workflow Satisfiability Problemwith User-Independent Constraints
D. Karapetyan , A. Gagarin , and G. Gutin University of Nottingham, UK
[email protected] Royal Holloway, University of London, UK { Andrei.Gagarin,G.Gutin } @rhul.ac.uk Abstract.
The workflow satisfiability problem (WSP) asks whether thereexists an assignment of authorised users to the steps in a workflow specifi-cation, subject to certain constraints on the assignment. (Such an assign-ment is called valid.) The problem is NP-hard even when restricted to thelarge class of user-independent constraints. Since the number of steps k isrelatively small in practice, it is natural to consider a parametrisation ofthe WSP by k . We propose a new fixed-parameter algorithm to solve theWSP with user-independent constraints. The assignments in our methodare partitioned into equivalence classes such that the number of classes isexponential in k only. We show that one can decide, in polynomial time,whether there is a valid assignment in an equivalence class. By exploit-ing this property, our algorithm reduces the search space to the space ofequivalence classes, which it browses within a backtracking framework,hence emerging as an efficient yet relatively simple-to-implement or gen-eralise solution method. We empirically evaluate our algorithm againstthe state-of-the-art methods and show that it clearly wins the competi-tion on the whole range of our test problems and significantly extendsthe domain of practically solvable instances of the WSP. In the workflow satisfiability problem (WSP), we aim at assigning authorisedusers to the steps in a workflow specification, subject to some constraints arisingfrom business rules and practices. The WSP has applications in information ac-cess control (e.g. see [1,2,3]), and it is extensively studied in the security researchcommunity [2,3,9,15]. In the WSP, we are given a set U of users , a set S of steps ,a set A = { A ( u ) : u ∈ U } of authorisation lists , where A ( u ) ⊆ S denotes the setof steps for which user u is authorised, and a set C of (workflow) constraints . Ingeneral, a constraint c ∈ C can be described as a pair c = ( T, Θ ), where T ⊆ S is the scope of the constraint and Θ is a set of functions from T to U whichspecifies those assignments of steps in T to users in U that satisfy the constraint(authorisations disregarded). Authorisations and constraints described in WSP a r X i v : . [ c s . D S ] M a r D. Karapetyan, A. Gagarin, and G. Gutin literature are relatively simple such that we may assume that all authorisationsand constraints can be checked in polynomial time (in | U | , | S | and | C | ).Given a workflow W = ( S, U, A , C ), W is satisfiable if there exists a function π : S → U such that – for all s ∈ S , s ∈ A ( π ( s )) (each step is allocated to an authorised user); – for all ( T, Θ ) ∈ C , π | T ∈ Θ (every constraint is satisfied).A function π : S → U is an authorised ( eligible , valid , respectively) complete plan if it satisfies the first condition above (the second condition, both conditions,respectively).For example, consider the following instance of WSP. The step and usersets are S = { s , s , s , s } and U = { u , u , . . . , u } . The authorisation listsare A ( u ) = { s , s , s , s } , A ( u ) = { s } , A ( u ) = { s } , A ( u ) = A ( u ) = { s , s } . The constraints are ( s , s , =) (the same user must be assigned to s and s ), ( s , s , (cid:54) =) ( s and s must be assigned to different users), ( s , s , (cid:54) =),and ( s , s , (cid:54) =). Since the function π assigning u to s and s , u to s , and u to s is a valid complete plan, the workflow is satisfiable.Clearly, not every workflow is satisfiable, and hence it is important to be ableto determine whether a workflow is satisfiable or not and, if it is satisfiable, tofind a valid complete plan. Unfortunately, the WSP is NP-hard [15] and, sincethe number k of steps is usually relatively small in practice (usually k (cid:28) n = | U | and we assume, in what follows, that k < n ), Wang and Li [15] introduced itsparameterisation by k . Algorithms for this parameterised problem were alsostudied in [5,6,7,10]. While in general the WSP is W[1]-hard [15], the WSP re-stricted to some practically important families of constraints is fixed-parametertractable (FPT) [6,10,15]. (Recall that a problem parameterised by k is FPT if itcan be solved by an FPT algorithm, i.e. an algorithm of running time O ∗ ( f ( k )),where f is an arbitrary function depending on k only, and O ∗ suppresses notonly constants, but also polynomial factors in k and other parameters of theproblem formulation.)Many business rules are not concerned with the identities of the users thatperform a set of steps. Accordingly, we say a constraint c = ( T, Θ ) is user-independent if, whenever θ ∈ Θ and φ : U → U is a permutation, then φ ◦ θ ∈ Θ .In other words, given a complete plan π that satisfies c and any permutation φ : U → U , the plan π (cid:48) : S → U , where π (cid:48) ( s ) = φ ( π ( s )), also satisfies c .The class of user-independent constraints is general enough in many practicalcases; for example, all the constraints defined in the ANSI RBAC standard [1]are user-independent. Most of the constraints studied in [5,7,10,15] and otherpapers are also user-independent. Classical examples of user-independent con-straints are the requirements that two steps are performed by either two differ-ent users ( separation-of-duty ), or the same user ( binding-of-duty ). More complex We use terminology of the recent monograph [11] on parameterised algorithms andcomplexity. While we consider special families of constraints, we do not restrict authorisationlists.attern Backtracking Algorithm for the Workflow Satisfiability Problem 3 constraints state that at least/at most/exactly r users are required to completesome sensitive set of steps (these constraints belong to the family of counting con-straints), where r is usually small. A simple reduction from Graph Colouring shows that the WSP restricted to the separation-of-duty constraints is alreadyNP-hard [15].The WSP is an important applied problem and is thoroughly studied in theliterature. However, as was shown by Cohen et al. [5], the methods developed sofar were capable of solving user-independent WSP instances only for relativelysmall values of k . In this paper we propose a new approach that, compared to theexisting solution methods, significantly extends the number of steps in practicallysolvable instances now covering the values of k expected in the majority ofreal-world instances. Importantly, the proposed method is relatively simple toimplement or extend with new constraints, such that its accessibility is similarto that of SAT-solvers used by practitioners [15].The proposed solution method is a deterministic algorithm that uses back-tracking to browse the space of all the equivalence classes of partial solutions.We show that it is possible to test efficiently if there exists an authorised planin a given equivalence class. This makes our algorithm FPT as the number ofequivalence classes is exponential in k only. A plan is a function π : T → U , where T ⊆ S (note that if T = S then π is acomplete plan). We define an equivalence relation on the set of all plans, whichis a special case of an equivalence relation defined in [6]. For user-independentconstraints, two plans π : T → U and π (cid:48) : T (cid:48) → U are equivalent , denoted by π ≈ π (cid:48) , if and only if T = T (cid:48) , and π ( s ) = π ( t ) if and only if π (cid:48) ( s ) = π (cid:48) ( t )for every s, t ∈ T . Assuming an ordering s , s , . . . , s k of steps S , every plan π : T → U can be encoded into a pattern P = P ( π ) = ( x , . . . , x k ) defined by: x i = s i / ∈ T, i = 1 and s ∈ T,x j if π ( s i ) = π ( s j ) and j < i, max { x , x , . . . , x i − } + 1 otherwise. (1)The pattern P ( π ) uniquely encodes the equivalence class of π , and P ( π ) = P ( π (cid:48) )for every π (cid:48) in that equivalence class [6]. The pattern P represents an assignmentof steps in T to some users in any plan of the equivalence class of π . We say thata pattern is complete if x i (cid:54) = 0 for i = 1 , , . . . , k .The state-of-the-art FPT algorithm for the WSP with counting constraintsproposed in [5] and called here User-Iterative (UI), iterates over the set of usersand gradually computes all encoded equivalence classes of valid plans until itfinds a complete solution to the problem, or all the users have been considered.Effectively, it uses the breadth-first search in the space of plans. In the breadth-first search tree, equivalent plans can be generated but they are detected effi-ciently using patterns and the corresponding search branches are then merged D. Karapetyan, A. Gagarin, and G. Gutin together. Since the UI algorithm generates a polynomial number of plans perequivalence class and the number of equivalence classes is exponential in k only,the UI algorithm is FPT. The results of [5,7] show that the generic user-iterativeFPT algorithm of [6] has a practical value, and its implementations are able tooutperform the well-known pseudo-Boolean SAT solver SAT4J [14].In this paper we propose a new FPT solution method for the WSP whichalso exploits equivalence classes and patterns but in a more efficient manner.Among other advantages, our algorithm never generates multiple plans withinthe same equivalence class. For further comparison of our algorithm with the UIalgorithm, see Section 4. We call our new method
Pattern-Backtracking (PB) as it uses the backtrackingapproach to browse the search space of patterns. To describe it, we introduceseveral additional notations. We will say that a plan π : T → U is authorised if s ∈ A ( π ( s )) for every s ∈ T , eligible if it does not violate any constraintin C , and valid if it is both authorised and eligible. Similarly, a pattern P is authorised , eligible or valid if there exists a plan π such that P ( π ) = P and π is authorised, eligible or valid, respectively. By P ( s i ) we denote the value x i in P = ( x , x , . . . , x k ). We also use notations A − ( s ) = { u ∈ U : s ∈ A ( u ) } forthe set of users authorised for step s ∈ S and P − ( x i ) = { s ∈ S : P ( s ) = x i } for all the steps assigned to the same user encoded by the value of x i in P . Notethat P − ( x i ) (cid:54) = ∅ for i = 1 , , . . . , k for any complete pattern.In Section 3.1 we show how to find a valid plan for an eligible pattern, whichis an essential part of our algorithm, and in Section 3.2 we describe the algorithmitself. The PB algorithm searches the space of patterns; once an eligible completepattern P is found, we need to check if it is valid and, if it is, then to find a plan π such that P = P ( π ). The following theorem allows us to address these twoquestions efficiently.For a complete pattern P = ( x , x , . . . , x k ), let X = { x i : i = 1 , , . . . , k } (note that the cardinality of the set X may be smaller than k ). Let G = ( X ∪ U, E )be a bipartite graph, where ( x i , u ) ∈ E if and only if u ∈ A − ( s ) for each s ∈ P − ( x i ), x i ∈ X . Theorem 1.
A pattern P is authorised if and only if G has a matching of size | X | .Proof. Suppose M is a matching of size | X | in G . Construct a plan π as follows:for each edge ( x i , u ) ∈ M and s ∈ P − ( x i ), set π ( s ) = u . Since M covers x i forevery i = 1 , , . . . , k and P is a complete pattern, the above procedure defines π ( s ) for every step s ∈ S . Hence, π is a complete plan. Now observe that, for each attern Backtracking Algorithm for the Workflow Satisfiability Problem 5 x i ∈ X , all the steps P − ( x i ) are assigned to exactly one user, and if x i (cid:54) = x j forsome i, j ∈ { , , . . . k } , then π ( s i ) (cid:54) = π ( s j ) by definition of matching. Therefore P ( π ) = P . Observe also that π respects the authorisation lists; for each edge( x i , u ) ∈ M ⊆ E and each step s ∈ P − ( x i ), we guarantee that u ∈ A ( s ). Thus,plan π is authorised and, hence, pattern P = P ( π ) is also authorised.On the other hand, assume there exists an authorised plan π such that P ( π ) = P for a given pattern P . Let X = { x i : i = 1 , , . . . , k } . Construct a set M asfollows: M = { ( x i , u ) : x i ∈ X and ∃ s ∈ P − ( x i ) s.t. u = π ( s ) } . Consider apair ( x i , u ) ∈ M , and find some s ∈ P − ( x i ). Note that, as P = P ( π ) and bydefinition of pattern, π ( s (cid:48) ) = u for every s (cid:48) ∈ P − ( x i ). Since π is authorised, u ∈ A ( s (cid:48) ) for every s (cid:48) ∈ P − ( x i ), i.e. ( x i , u ) ∈ E and M ⊆ E . In other words, M is a subset of edges of G .Now notice that, for each x i ∈ X , there exists at most one edge ( x i , u ) ∈ M as π ( s (cid:48) ) = u for every s (cid:48) ∈ P − ( x i ). Moreover, for each u ∈ U , there exists atmost one edge ( x i , u ) ∈ M as otherwise there would exist some i, j ∈ { , , . . . , k } such that π ( s i ) = π ( s j ) and x i (cid:54) = x j , which violates P = P ( π ). Hence, the edgeset M is disjoint. Finally, | M | = | X | because P − ( x i ) is non-empty for every x i ∈ X . We conclude that M is a matching in G of size | X | . (cid:117)(cid:116) Theorem 1 implies that, to determine whether an eligible pattern P is valid,it is enough to construct the bipartite graph G = ( X ∪ U, E ) and to find amaximum size matching in G . It also provides an algorithm for converting amaximum matching M of size | X | in G into a valid plan π such that P ( π ) = P .The matching problem arising in Theorem 1 has some interesting properties: – The bipartite graph G = ( X ∪ U, E ) is highly unbalanced as | X | ≤ k , andwe assume that | U | (cid:29) k . It is easy to see that the maximum length of anaugmenting path in G is | X | ≤ k and, hence, the time complexity of theHungarian and Hopcroft-Karp methods are O ( k ) and O ( k . ), respectively. – We are interested only in matchings of size | X | . If the maximum matchingis of a smaller size, we do not need to retrieve it. – Once a matching of size | X | is found, the PB algorithm terminates since avalid plan is found. However, the algorithm might test an exponential number(in k ) of graphs with the maximum matching of size smaller than | X | . Hence,we are mainly interested in time of checking whether the maximum matchingis smaller than | X | .To exploit the above features, we use the Hungarian method with a speed-upheuristic provided by the following proposition. Proposition 1. If M = { ( x χ (1) , u ψ (1) ) , . . . , ( x χ ( t ) , u ψ ( t ) ) } , t < | X | , is a match-ing in the graph G = ( X ∪ U, E ) such that there exists no M -augmenting pathin G starting at a vertex x χ ( t +1) ∈ X , then there is no matching covering allvertices of X in G .Proof. W.l.o.g, assume that M = { ( x , u ) , . . . , ( x t , u t ) } and x χ ( t +1) = x t +1 .Now suppose that G has a matching M (cid:48) = { ( x , y ) , ( x , y ) , . . . , ( x k , y k ) } , y i ∈ U, i = 1 , , . . . , k D. Karapetyan, A. Gagarin, and G. Gutin covering all of X . Consider the symmetric difference of two matchings H = ( M ∪ M (cid:48) ) \ ( M ∩ M (cid:48) ). Since every vertex of H has degree at most 2, the graph inducedby H consists of some disjoint paths and even cycles having edges alternatingbetween M and M (cid:48) . Since x t +1 is not in M but covered by M (cid:48) , it is an endpoint of one of the alternating paths in H , say P t +1 . Now, it is possible to seethat P t +1 is an augmenting path in G with respect to the matching M ; since,starting at x t +1 , every time we use an edge of M (cid:48) to go from a vertex in X toa vertex in U , P t +1 must have an end point in a vertex of U not covered by M ( M (cid:48) covers all the vertices in X ). This contradicts the fact that there is noaugmenting path in G starting at x t +1 with respect to M . (cid:117)(cid:116) The result of Proposition 1 allows us to terminate the Hungarian algorithmas soon as a vertex x i ∈ X is found such that no augmenting path starting from x i can be obtained. Construction of the graph takes O ( kn ) time, and solvingthe maximum matching problem in G with the Hungarian method takes O ( k )time. The PB algorithm uses a backtracking technique to search the space of patterns,and for each eligible pattern, it verifies whether such a pattern is valid. If avalid pattern P is found, the algorithm returns a complete plan π such that P ( π ) = P , see Section 3.1 for details. If no valid pattern is found during thesearch, the instance is unsatisfiable.The calling procedure for the PB algorithm is shown in Algorithm 1, whichin turn calls the recursive search function in Algorithm 2. The recursive functiontries all possible extensions P (cid:48) of the current pattern P by adding one new step s to it (line 12). The step s is selected heuristically (line 9), where function ρ ( s )is an empirically tuned function indicating the importance of step s in narrowingdown the search space. The implementation of ρ ( s ) depends on the specific typesof constraints involved in the instance and should reflect the intuition regardingthe structure of the problem. See (2) in Section 5 for a particular implementationof ρ ( s ) for the types of constraints we used in our computational study. Notethat our branching heuristic dynamically changes the steps ordering used in thepattern definition in Section 2. Nevertheless, this does not affect any theoreticalproperties of the pattern.We use a heuristic (necessary but not sufficient) test (lines 13–15 of Algo-rithm 2) to check whether the pattern P (cid:48) can be authorised; that allows us toprune branches which are easily provable to include no authorised patterns.In line 16, the algorithm checks whether the new pattern P (cid:48) violates anyconstraints and, if not, then executes the recursive call. In this section we analyse the time and memory complexity of the PB algorithmand compare it to the UI algorithm. attern Backtracking Algorithm for the Workflow Satisfiability Problem 7
Algorithm 1:
Backtracking search initialisation (entry procedure of PB) input : WSP instance W = ( S, U, A , C ) output : Valid plan π or UNSAT Initialise P ( s ) ← s ∈ S ; π ← Recursion( P ); return π ( π may be UNSAT here); Observe that each internal node (corresponding to an incomplete plan) in thesearch tree of the PB algorithm has at least two children, and each leaf in this treecorresponds to a complete pattern. Thus, the total number of patterns consideredby the PB algorithm is less than twice the number of complete patterns. Observethat the number of complete patterns equals the number of partitions of a setof size k , i.e. the k th Bell number B k . Finally, observe that the PB algorithmspends time polynomial in n on each node of the search tree. Thus, the timecomplexity of the PB algorithm is O ∗ ( B k ). The PB algorithm follows the depth-first search order and, hence, stores only one pattern at a time. At each leafnode, it also solves the matching problem generating a graph with O ( kn ) edges.Hence, the memory complexity of the algorithm is O ( kn ).It is interesting to compare the PB algorithm to the UI algorithm (brieflydescribed in Section 2). Despite both algorithms using the idea of equivalenceclasses and being FPT, they have very different working principles and proper-ties.1. Observe that, in the worst case, the UI algorithm may store all patterns, andthe number of patterns is B k +1 . Indeed, consider a pattern P = ( x , . . . , x k )and a set { s , . . . , s k , s k +1 } . Then each partition of the set corresponds to apattern of P , where x i = 0 if and only if s i and s k +1 are in the same subsetof the partition. Therefore, the UI algorithm takes O ( kB k +1 ) memory, whichis in sharp contrast to the PB algorithm that requires very little memory.Considering that, e.g. B = 51 724 158 235 372, memory consumption posesa serious bottleneck for the UI algorithm as the RAM capacity of any main-stream machine is well below the value of B . Moreover, the UI algorithmaccesses a large volume of data in a non-sequential order, which might havea dramatic effect on the algorithm’s performance when implemented on areal machine as shown in [13].2. From the practical point of view, the PB algorithm considers less patternsthan the UI algorithm ( O ( B k ) vs. O ( B k +1 )) as the PB algorithm assigns thesteps in a strict order, avoiding generation of duplicate patterns. Moreover,the PB algorithm generates each pattern at most once, while the UI algo-rithm is likely to generate a pattern several times rejecting the duplicatesafterwards.3. Both algorithms use heuristics to determine the order in which the searchtree is explored. However, while the UI algorithm has to use a certain fixed Assuming that the WSP instance does not include any exotic constraints. D. Karapetyan, A. Gagarin, and G. Gutin
Algorithm 2:
Recursion( P ) (recursive function for backtracking search) input : Pattern P output : Eligible plan or UNSAT if no eligible plan exists in this branch of thesearch tree Initialise the set S (cid:48) ⊆ S of assigned steps S (cid:48) ← { s ∈ S : P ( s ) (cid:54) = 0 } ; if S (cid:48) = S then Verify if pattern P is valid (using the matching algorithm of Theorem 1); if pattern P is valid then return plan π realising P ; else return UNSAT ; else Select unassigned step s ∈ S \ S (cid:48) that maximises ρ ( s ); Calculate k (cid:48) ← s ∈ S P ( s ); for x = 1 , , . . . , k (cid:48) do Set P ( s ) ← x to obtain a new pattern P (cid:48) ; Compute the set of steps Q assigned to x : Q = { t ∈ S : P (cid:48) ( t ) = x } ; if | (cid:84) t ∈ Q A − ( t ) | = 0 then Proceed to the next value of x (reject P (cid:48) ); if P (cid:48) is an eligible pattern then π ← Recursion( P (cid:48) ); if π (cid:54) = UNSAT then return π ; return UNSAT (for a particular branch of recursion; does not mean that thewhole instance is unsat) ; order of users for all the search branches, the PB algorithm has the flexibilityof changing the order of steps in each branch of the search. Note that theorder of assignments is crucial to the algorithm’s performance as it can helpto prune branches early. In this section we empirically verify the efficiency of the PB algorithm. Wecompare the following WSP solvers: PB The algorithm proposed in this paper; UI Another FPT algorithm proposed in [6] and evaluated in [5,7];
SAT4J
A pseudo-Boolean SAT formulation [5,7] of the problem solved withSAT4J.Due to the difficulty of acquiring real-world WSP instances [5,15], we use therandom instance generator described in [5]. Three families of user-independent attern Backtracking Algorithm for the Workflow Satisfiability Problem 9 constraints are used: not-equals (also called separation-of-duty ) constraints ( s, t, (cid:54) =), at-most- r constraints ( r, Q, (cid:54) ) and at-least- r constraints ( r, Q, (cid:62) ). A not-equalsconstraint ( s, t, (cid:54) =) is satisfied by a complete plan π if and only if π ( s ) (cid:54) = π ( t ).An at-most- r constraint ( r, Q, (cid:54) ) is satisfied if and only if | π ( Q ) | ≤ r , where Q is the scope of the constraint. Similarly, an at-least- r constraint ( r, Q, (cid:62) ) issatisfied if and only if | π ( Q ) | ≥ r . We do not explicitly consider the widely usedbinding-of-duty constraints, that require two steps to be assigned to one user,as those can be trivially eliminated during preprocessing. While the binding-of-duty and separation-of-duty constraints provide the basic modelling capabilities,the at-most- r and at-least- r constraints impose more general “confidentiality”and “diversity” requirements on the workflow, which can be important in somebusiness environments.The instance generator (available for downloading [12]) takes four parame-ters: the number of steps k , the number of not-equals constraints e , the num-ber of at-most and at-least constraints c and the random generator seed value.Each instance has n = 10 k users. For each user u ∈ U , it generates a uni-formly random authorisation list A ( u ) such that | A ( u ) | is selected uniformlyfrom { , , . . . , (cid:100) . k (cid:101)} at random. It also generates e distinct not-equals, c at-most and c at-least constraints uniformly at random. All at-most and at-leastconstraints are of the form (3 , Q, σ ), where | Q | = 5 and σ ∈ { (cid:54) , (cid:62) } .Our test machine is based on two Intel Xeon CPU E5-2630 v2 (2.6 GHz) andhas 32 GB RAM installed. Hyper-threading is enabled, but we never run morethan one experiment per physical CPU core concurrently. The PB algorithm isimplemented in C s ∈ S that maximises a ranking function ρ ( s ): ρ ( s ) = c (cid:54) = ( P ) + αc ≤ ( P ) + βc ≤ ( P ) + γc ≤ ( P ) , (2)where c (cid:54) = ( P ) is the number of not-equals constraints involving step s , c i ≤ ( P ) isthe number of at-most- r constraints involving s such that r − i distinct usersare already assigned to it, and α , β and γ are parameters. The intuition isthat the steps s that maximise ρ ( s ) are tightening the search space quickly.The parameters α , β and γ were selected empirically. We found out that thealgorithm is not very sensitive to the values of these parameters, and settleddown at α = 100, β = 2 and γ = 1. Note that the function does not accountfor at-least constraints. This reflects our empirical observation that the at-leastconstraints are usually relatively weak in our instances and rarely help in pruningbranches of search.We started from establishing what parameter values make the instances hard.However, due to the lack of space, we provide only the conclusions drawn fromthis series of experiments. As it could be expected, greatly under- and over-subscribed instances are easier to solve than the instances in the region between those two extremes. The behaviour of the analysed solvers is consistent in thisregard. The particular values of the number of not-equals constraints e andthe number c of at-most and at-least constraints that make the instances mostchallenging depend on k . Thus, in our final experiment, which is to establishthe maximum size k of instances practically solvable by each of the methods, weconsidered several instances with a range of parameters to ensure that at leastone of them is hard. In particular, we fixed the density of not-equals constraints,calculated as d = ek ( k − · d = 10% and the number c of at-most andat-least constraints at each of c = 1 . k , c = 1 . k and c = 1 . k , producing threeinstances for each k and seed value.Each solver is given one hour limitation for each instance from the set. If asolver fails on at least one of the instances (could not terminate within 1 hour),we say that it fails on the whole set. The intention is to make sure that the solvercan tackle hard satisfiable and unsatisfiable instances within a reasonable time.The results are presented in Figure 1 in the form of boxplots. The percentageof runs in which the solver succeeded is shown as the width of the box. Thisinformation is also provided at the bottom of Figure 1.The PB algorithm, being faster than the two other methods by several ordersof magnitude, reliably solves all the instances of size up to k = 49. Compare itto the UI and SAT4J solvers that succeed only for k ≤
23 and k ≤
15, respec-tively. Moreover, its running time grows slower than that of the UI and SAT4Jsolvers, which indicates that it has higher potential if more computational poweris allocated. In other words, thanks to our new solution method, the previouslyunapproachable problem instances of practical sizes can now be routinely tack-led.
We proposed a new FPT algorithm for the WSP with user-independent con-straints. Our experimental analysis have shown that the new algorithm out-performs all the methods in the literature by several orders of magnitude andsignificantly extends the domain of practically solvable instances. Another ad-vantage of the new FPT algorithm is that it is relatively easy to implement andextend; for example, it is straightforward to parallelise it.Future research is needed to establish further potential to improve the al-gorithm’s performance. Particular attention has to be paid to the branchingheuristic. Thorough empirical analysis has to be conducted to investigate theperformance of the algorithms on easy and hard instances.Another relevant subject was recently studied in [8]; the paper introduces anoptimisation version of WSP and proposes an FPT branch and bound algorithminspired by Pattern Backtracking.
Acknowledgment.
This research was partially supported by EPSRC grant EP/K005162/1. The source codes of the Pattern Backtracking algorithm and theinstance generator are publicly available [12]. attern Backtracking Algorithm for the Workflow Satisfiability Problem 1110 − − − R unn i n g t i m e , s e c PB UI SAT4J10 15 20 25 30 35 40 45 50 55 60 65050100 Number of steps k S o l v e d , % Fig. 1.
Running time vs. number of steps k . For each k , we generate 50 instance setswith different seed values. The distributions are presented in the boxplot form, wherethe width of a box is proportional to the number of instance sets on which the solversucceeded. The plot at the bottom of the figure also shows the success rate of eachsolver.2 D. Karapetyan, A. Gagarin, and G. Gutin References
1. American National Standards Institute.
ANSI INCITS 359-2004 for Role BasedAccess Control , 2004.2. Basin, D.A., Burri, S.J., Karjoth, G.: Obstruction-free authorisation enforcement:Aligning security and business objectives. Journal of Computer Security 22(5),661–698 (2014).3. Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authori-sation constraints in workflow management systems. ACM Trans. Inf. Syst. Secur.2(1), 65–104 (1999)4. Chimani, M., Klein, K.: Algorithm engineering: Concepts and practice. In: Bartz-Beielstein, T., Chiarandini, M., Paquete, L., Preuss, M. (eds.) Experimental meth-ods for the analysis of optimization algorithms, pp. 131–158 (2010)5. Cohen, D., Crampton, J., Gagarin, A., Gutin, G., Jones, M.: Engineering algo-rithms for workflow satisfiability problem with user-independent constraints. Proc.8th International Frontiers of Algorithmics Workshop (FAW 2014), J. Chen, J.E.Hopcroft, and J. Wang (Eds.), 2014, LNCS 8497, Springer, pp. 48–59.6. Cohen, D., Crampton, J., Gagarin, A., Gutin, G., Jones, M.: Iterative plan con-struction for the workflow satisfiability problem.
Journal of Artificial IntelligenceResearch
51, pp. 555–577 (2014)7. Cohen, D., Crampton, J., Gagarin, A., Gutin, G., Jones, M.: Algorithms for theworkflow satisfiability problem engineered for counting constraints, to appear in J.of Combin. Optim., (2014)8. Crampton, J., Gutin, G., Karapetyan, D.: Valued Workflow Satisfiability Problem,to appear in proc. of ACM symposium on Access control models and technologies(SACMAT), 13 June, Vienna, Austria. ACM (2015)9. Crampton, J.: A reference monitor for workflow systems with constrained taskexecution. In: Ferrari, E., Ahn, G.J. (eds.) SACMAT. pp. 38–47. ACM (2005)10. Crampton, J., Gutin, G., Yeo, A.: On the parameterized complexity and kernel-ization of the workflow satisfiability problem. ACM Trans. Inf. Syst. Secur. 16(1),4 (2013)11. Downey, R.G., Fellows, M.R.: Foundations of Parameterized Complexity. Springer(2013)12. Karapetyan, D., Gutin, G., Gagarin, A.: Source codes of the Pattern Backtrack-ing algorithm and the instance generator. DOI:10.6084/m9.figshare.1360237