Satisfiability and Resiliency in Workflow Systems

We propose the role-and-relation-based access control (RBAC) model for workflow systems. In RBAC, in addition to auser’s role memberships, the user’s relationships with other users help determine whether the user is allowed to perform acertain step in a workflow. For example, a constraint may require that two steps must not be performed by users who havea conflict of interest. We also study the workflow satisfiability problem, which asks whether a set of users can complete aworkflow. We show that the problem is NP-complete for RBAC, and is NP-complete for any workflow model that supportscertain simple types of constraints (e.g., constraints that state certain two steps must be performed by two different users). Af-ter that, we apply tools from parameterized complexity theory to better understand the complexities of this problem. We showthat the problem is fixed-parameter tractable when the only relations used are = and 6=, and is fixed-parameter intractablewhen user-defined binary relations can be used. Finally, we study the resiliency problem in workflow systems, which askswhether a workflow can be completed even if a number of users may be absent. We formally define three levels of resiliency inworkflow systems, namely, static resiliency, decremental resiliency and dynamic resiliency, and study computational problemsrelated to these notions of resiliency.