Efficient Policy Analysis for Administrative Role Based Access Control

Administrative RBAC (ARBAC) policies specify how Role-Based Access Control (RBAC) policies may be changed by each administrator. It is often difficult to fully understand the effect of an ARBAC policy by simple inspection, because sequences of changes by different administrators may interact in unexpected ways. ARBAC policy analysis algorithms can help by answering questions, such as user-role reachability, which asks whether a given user can be assigned to given roles by given administrators. This problem is intractable in general. This paper identifies classes of policies of practical interest, develops analysis algorithms for them, and analyzes their parameterized complexity, showing that the algorithms may have high complexity with respect to some parameter k characterizing the hardness of the input (such that k is often small in practice) but have polynomial complexity in terms of the overall input size when the value of k is fixed.