Table Of ContentA
On the Parameterized Complexity and Kernelization of the Workflow
Satisfiability Problem
JASONCRAMPTON,RoyalHolloway,UniversityofLondon
GREGORYGUTIN,RoyalHolloway,UniversityofLondon
ANDERSYEO,UniversityofJohannesburg
Aworkflowspecificationdefinesasetofstepsandtheorderinwhichthosestepsmustbeexecuted.Security
requirementsmayimposeconstraintsonwhichgroupsofusersarepermittedtoperformsubsetsofthose
steps.Aworkflow specificationissaidtobesatisfiableifthereexistsanassignmentofuserstoworkflow
3
stepsthat satisfiesall theconstraints. Analgorithmfor determining whethersuchan assignmentexists
1
isimportant,bothasastaticanalysistoolforworkflowspecifications,andfortheconstructionofrun-time
0
reference monitors forworkflow managementsystems.Findingsuchanassignmentisa hardproblem in
2
general, but work by Wang and Li in 2010 using the theory of parameterized complexity suggests that
n efficient algorithms exist under reasonable assumptions about workflow specifications. In this paper, we
a improvethecomplexityboundsfortheworkflowsatisfiabilityproblem.Wealsogeneralizeandextendthe
J typesofconstraintsthatmaybedefinedinaworkflowspecificationandprovethatthesatisfiabilityproblem
9 remainsfixed-parametertractableforsuchconstraints.Finally,weconsiderpreprocessingfortheproblem
and prove that in an important special case, in polynomial time, we can reduce the given input into an
] equivalent one, where the number of users is at most the number of steps. We also show that no such
R reductionexistsfortwonaturalextensionsofthiscase,whichboundsthenumberofusersbyapolynomial
C inthenumberofsteps,providedawidely-acceptedcomplexity-theoreticalassumptionholds.
. CategoriesandSubjectDescriptors:D4.6[OperatingSystems]:SecurityandProtection—Accesscontrols;
s
c F2.2[AnalysisofAlgorithmsandProblemComplexity]:NonnumericalAlgorithmsandProblems;H2.0
[ [DatabaseManagement]:General—Security,integrityandprotection
GeneralTerms:Algorithms,Security,Theory
3
v AdditionalKeyWordsandPhrases:authorizationconstraints,workflowsatisfiability,parameterizedcom-
2 plexity
5
ACMReferenceFormat:
8
Crampton,J.,Gutin,G.,Yeo,A.2013.OntheParameterizedComplexityoftheWorkflowSatisfiabilityProb-
0
lem.ACMV,N,ArticleA(JanuaryYYYY),31pages.
.
5 DOI=10.1145/0000000.0000000http://doi.acm.org/10.1145/0000000.0000000
0
2
1. INTRODUCTION
1
Itisincreasinglycommonfororganizationstocomputerizetheirbusinessandmanage-
:
v mentprocesses.The co-ordinationof the tasks or steps that comprise a computerized
i
X business processis managed by a workflowmanagementsystem (or business process
management system). Typically, the execution of these steps will be triggered by a
r
a
ApreliminaryversionofthispaperappearedintheProceedingsofCCS2012.
Author’s addresses: J. Crampton, Department of Mathematics, Royal Holloway, University of London; G.
Gutin, Department of Computer Science, Royal Holloway, University of London; A. Yeo, Department of
Mathematics,UniversityofJohannesburg.
Permissiontomakedigitalorhardcopiesofpartorallofthisworkforpersonalorclassroomuseisgranted
withoutfeeprovidedthatcopiesarenotmadeordistributedforprofitorcommercial advantageandthat
copiesshowthisnoticeonthefirstpageorinitialscreenofadisplayalongwiththefullcitation.Copyrights
forcomponentsofthisworkownedbyothersthanACMmustbehonored.Abstractingwithcredit isper-
mitted.Tocopyotherwise,torepublish,topostonservers,toredistributetolists,ortouseanycomponent
ofthisworkinotherworksrequirespriorspecificpermissionand/orafee.Permissionsmayberequested
fromPublicationsDept.,ACM,Inc.,2PennPlaza,Suite701,NewYork,NY10121-0701USA,fax+1(212)
869-0481,[email protected].
(cid:13)c YYYYACM0000-0000/YYYY/01-ARTA$15.00
DOI10.1145/0000000.0000000 http://doi.acm.org/10.1145/0000000.0000000
ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY.
A:2 J.Cramptonetal.
human user, or a software agent acting under the control of a human user, and the
executionofeachstepwillberestrictedtosomesetofauthorizedusers.
A workflow typically specifies the steps that comprise a business process and the
order in which those steps should be performed. Moreover, it is often the case that
some form of access control, often role-based, should be applied to limit the execu-
tion of steps to authorized users. In addition, many workflows require controls on
the users that perform groups of steps. The concept of a Chinese wall, for exam-
ple, limits the set of steps that any one user can perform [BrewerandNash1989],
as does separation-of-duty, which is a central part of the role-based access con-
trol model [AmericanNationalStandardsInstitute2004]. Hence,it is important that
workflowmanagementsystemsimplementsecuritycontrolsthatenforceauthorization
rulesandbusinessrules,inordertocomplywithstatutoryrequirementsorbestprac-
tice[Basinetal.2011].Itisthese“security-aware”workflowsthatwillbethefocusof
theremainderofthispaper.
A simple, illustrative example for purchase order processing [Crampton2005] is
shown in Figure 1. In the first step of the workflow, the purchase order is created
and approved (and then dispatched to the supplier). The supplier will submit an in-
voiceforthe goodsordered,which is processedby the create paymentstep.When the
supplierdeliversthe goods,a goodsreceivednote(GRN)mustbe signed andcounter-
signed.Onlythenmaythepaymentbeapprovedandsenttothesupplier.Notethata
workflowspecificationneednotbelinear:theprocessingoftheGRNandoftheinvoice
canoccurinparallel,forexample.
In addition to defining the order in which steps must be performed, the workflow
specificationincludesrulestopreventfraudulentuseofthepurchaseorderprocessing
system. In our example, these rules take the form of constraints on users that can
perform pairs of steps in the workflow: the same user may not sign and countersign
theGRN,forexample.(WeintroducemorecomplexrulesinSections2and5.)
=
s 6 s
3 5
=
s s
s s 1 2
3 5 =
6
=
6 =
s s s s s 6 s
1 2 4 6 4 6
(a) Orderingonsteps (b) Constraints
s1 createpurchaseorder s4 createpayment 6= differentusersmustperformsteps
s2 approvepurchaseorder s5 countersignGRN = sameusermustperformsteps
s3 signGRN s6 approvepayment
(c) Legend
Fig.1. Asimpleconstrainedworkflowforpurchaseorderprocessing
It is apparent that it may be impossible to find an assignment of authorized users
to workflow steps such that all constraints are satisfied. In this case, we say that
ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY.
OntheParameterizedComplexityandKernelizationoftheWorkflowSatisfiabilityProblem A:3
the workflow specification is unsatisfiable. The WORKFLOW SATISFIABILITY PROB-
LEM (WSP) is known to be NP-hard, even when the set of constraints only includes
constraints that havea relatively simple structure (and that wouldarise regularlyin
practice).1
It has been argued that it would be of practical value to be able to define con-
straints in terms of organizational structures, rather than just the identity of par-
ticular users [WangandLi2010]. One of the contributions of this paper is to in-
troduce a model for hierarchical organizations based on the notion of equivalence
classes and partition refinements. We demonstrate how to construct an instance
of our model from a management structure and illustrate why constraints defined
over such models are of practical value. The use of cardinality constraints in ac-
cess control policies has also attracted considerable interest in the academic commu-
nity [Joshietal.2005; Sandhuetal.1996; SimonandZurko1997]. Cardinality con-
straints can encode a number of useful requirements that cannot be encoded using
the constraints that have been used in prior work on WSP. A second contribution of
this paper is to introduce counting constraints for workflows—a natural extension of
cardinality constraints—and to examine WSP when such constraints form part of a
workflowspecification.
WangandLi[2010] observed that the number of steps in a workflow is likely to be
small relative to the size of the input to the workflow satisfiability problem. This ob-
servation led them to study the problem using tools from parameterized complexity
and to prove that the problem is fixed-parameter tractable for certain classes of con-
straints.TheseresultsdemonstratethatitisfeasibletosolveWSPformanyworkflow
specifications in practice. However, Wang and Li also showed that for many types of
constraintstheproblemisfixed-parameterintractableunlesstheparameterizedcom-
plexity hypotheses FPT = W[1] fails, which is highly unlikely. (We provide a short
6
introductiontoparameterizedcomplexityinSection3.1.)Inthispaper,weextendthe
resultsofWangandLiinseveraldifferentways.
1. First, weintroducethenotionofcountingconstraints,ageneralizationofcardinal-
ityconstraints,andextendtheanalysisof WSP toincludesuchconstraints.
2. Our second contribution is to introduce a new approach to WSP, which
makes use of a powerful, recent result in the area of exponential-time algo-
rithms [Bjo¨rklundetal.2009]. We establish necessary and sufficientconditionson
constraints that will admit the use of our approach. In particular, we show that
counting constraints satisfy these conditions, as do the constraints considered by
Wang and Li. This approach allows us to develop algorithms with a significantly
better worst-case performance than those of Wang and Li. Moreover, we demon-
strate that our result cannotbe significantly improved,provideda well-knownhy-
pothesisaboutthecomplexityofsolving3-SATholds.
3. Our third extension to the work of Wang and Li is to define constraints in terms
of hierarchical organizational structures and to prove, using our new technique,
that WSP remains fixed-parameter tractable in the presence of such hierarchical
structuresandhierarchy-relatedconstraints.
4. Our fourthcontribution is to instigate the systematic study of parameterizedcom-
pression (also known as kernelization) of WSP instances.2 We show that a result
of Fellowsetal.[2011, Theorem 3.3] on a problem equivalent to a special case of
1Inparticular,theGRAPHk-COLORABILITYproblemcanbereducedtoaspecialcaseofWSPinwhichthe
workflowspecificationonlyincludesseparation-of-dutyconstraints[WangandLi2010].
2KernelizationofWSPinstancescanbeextremelyusefulinspeedingupthesolutionofWSP:thecompressed
instance can be solved using any suitable algorithm (such as a SAT solver), not necessarily by an FPT
algorithm.
ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY.
A:4 J.Cramptonetal.
WSP can be slightly extended and significantly improved using graph matchings.
WealsoprovethattwonaturalfurtherextensionsoftheresultofFellowsetal.are
impossiblesubjecttoawidely-acceptedcomplexity-theoreticalhypothesis.
In the next section, we introduce the workflow satisfiability problem. In Section 3,
we providea brief introduction to fixed-parametertractability, prove a general result
characterizing the constraints forwhich WSP is fixed-parametertractable,and apply
thisresulttocountingconstraints.InSection4weextendtheresultsofWangandLi,
by improvingthe complexityofthe algorithmsused to solve WSP and by introducing
constraints based on equivalencerelations. In Section 5, we introduce a modelfor an
organizational hierarchy and a class of constraint relations defined in terms of such
hierarchies. We demonstrate that WSP remains fixed-parameter tractable for work-
flow specifications that include constraints defined over an organizational hierarchy.
InSection6,wediscuss kernelizationof WSP and provethatin animportantspecial
case, in polynomial time, we can transform the given input into an equivalent one,
wherethenumberofusersisatmostthenumberofsteps.Wealsoshowthatnopoly-
nomialtransformationexistsfortwonaturalextensionsofthiscase,whichboundsthe
numberof usersby a polynomialin the numberof steps, unlessa certain complexity-
theoreticalassumptionfails.Thepaperconcludeswithasummaryofourcontributions
anddiscussionsofrelatedandfuturework.
2. THEWORKFLOWSATISFIABILITYPROBLEM
In this section, we introduce our notation and definitions, derived from earlier work
byCrampton[2005]andWangandLi[2010],andthendefinetheworkflowsatisfiabil-
ityproblem.
A partially ordered set (or poset) is a pair (X,6), where 6 is a reflexive, anti-
symmetric and transitive binary relation defined over X. If (X,6) is a poset, then
we write x y if x and y are incomparable; that is, x 6 y and y 6 x. We may write
x>y whenekvery 6x.Wemayalsowritex<y whenev6erx6y an6dx=y.Finally,we
6
willwrite[n]todenote 1,...,n .
{ }
Definition 2.1. Aworkflowspecificationisapartiallyorderedsetofsteps(S,6).An
authorization policy for a workflow specification is a relation A S U. A workflow
⊆ ×
authorization schema is a tuple (S,U,6,A), where (S,6) is a workflow specification
andAisanauthorizationpolicy.
Ifs <s′ thensmustbeperformedbefores′ inanyinstanceoftheworkflow;ifs s′
thensands′maybeperformedineitherorder.Ourdefinitionofworkflowspecificatkion
doesnotpermitrepetitionoftasks(loops)orrepetitionofsub-workflows(cycles).User
uisauthorizedtoperformstepsonlyif(s,u) A.3Weassumethatforeverysteps S
∈ ∈
thereexistssomeuseru U suchthat(s,u) A.
∈ ∈
Definition 2.2. Let(S,U,6,A)beaworkflowauthorizationschema.Aplanisafunc-
tionπ :S U.Aplanπ isauthorizedfor(S,U,6,A)if(s,π(s)) Aforalls S.
→ ∈ ∈
The access control policy embodied in the authorization relation A imposes restric-
tions on the users that can perform specific steps in the workflow.A workflow autho-
rizationconstraintimposesrestrictionsontheexecutionofsetsofstepsinaworkflow.
3Inpractice,thesetofauthorizedstep-userpairs,A,willnotbedefinedexplicitly.Instead,Awillbeinferred
fromotheraccesscontroldatastructures.Inparticular,R2BAC–therole-and-relation-basedaccesscontrol
modelofWangandLi[2010]–introducesasetofrolesR,auser-rolerelationUR⊆U×Randarole-step
relationSA ⊆ R×S fromwhichitispossibletoderivethestepsforwhichusersareauthorized.Forall
commonaccesscontrolpolicies(includingR2BAC),itisstraightforwardtoderiveA.WeprefertouseAin
ordertosimplifytheexposition.
ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY.
OntheParameterizedComplexityandKernelizationoftheWorkflowSatisfiabilityProblem A:5
A constraint is defined by some suitable syntax and its meaning is provided by the
restrictionsthe constraintimposeson the usersthat executethe sets of stepsdefined
in the constraint. In other words, constraint satisfaction is defined with reference to
a plan; a valid plan is one that is authorized and allocates users in such a way that
theconstraintissatisfied.Averysimpleexampleofaconstraintisonerequiringthat
stepssands′ areexecutedbydifferentusers.Thenavalidplanπ(withrespecttothis
constraint) has the property that π(s) = π(s′). A constrained workflow authorization
6
schema is a tuple (S,U,6,A,C), where C is a set of workflow constraints.4 A plan is
validforanauthorizationschemaifitisauthorizedandsatisfiesallconstraintsinC.
WedefineparticulartypesofconstraintsinSection2.2and2.3.
We may now define the workflow satisfiability problem, as defined
byWangandLi[2010].
WORKFLOW SATISFIABILITY PROBLEM (WSP)
Input:Aconstrainedworkflowauthorizationschema(S,U,6,A,C)
Output:Avalidplanπ :S U orananswerthatthereexistsnovalidplan
→
We will write c, n and k to denote the number of constraints, users and steps, re-
spectively, in an instance of WSP. We will analyze the complexity of the workflow
satisfiabilityproblemintermsoftheseparameters.
2.1. ApplicationsofWSP
Analgorithmthatsolves WSP canbeusedbyaworkflowmanagementsysteminone
of three ways, depending on how users are allocated to steps in an instance of the
workflow. Some systems allocate an authorized user to each step when a workflow
instanceisgenerated.Othersystemsallocateuserstoonlythosestepsthatareready
tobeperformedinaninstanceoftheworkflow.(Astepisreadyonlyifallitsimmediate
predecessorstepshavebeencompleted.)Thethirdpossibilityistoallowuserstoselect
astep toexecutefromapoolofreadystepsmaintainedbytheworkflowmanagement
system.
Forthefirsttypeofsystem,itisimportanttoknowthataworkflowissatisfiableand
an algorithm that solves WSP can simply be used as a static analysis tool. The NP-
hardness of the problem suggests that the worst-case run-time of such an algorithm
willbeexponentialinthesizeoftheinput.Hence,itisimportanttofindanalgorithm
thatisasefficientaspossible.
Forthesecondandthirdcases,thesystemmustguaranteethatthechoiceofuserto
executeastep (whetherit is allocated by the system or selectedby the user)doesnot
prevent the workflow instance from completing. This analysis needs to be performed
each time a user is allocated to, or selects, a step in a workflow instance. The ques-
tioncan be resolvedby solvinga newinstance of WSP, in whichthose steps to which
users have been allocated are assumed to have a single authorized user (namely, the
user that has beenallocated to the task) [Crampton2005, 3.2]. Assuming that these
§
checksshouldincur aslittle delayaspossible,particularly in thecase whenusersse-
lect steps in real time [KohlerandSchaad2008], it becomes even more important to
findanalgorithmthatcandecideWSP asefficientlyaspossible.
The definition of workflow satisfiability given above assumes that the set of users
and the authorization relation are given. This notion of satisfiability is appropriate
whentheworkflowschemaisdesigned“in-house”.Anumberoflargeinformationtech-
nologycompaniesdevelopbusiness processsystems which are then configuredby the
4The set of constraints defines what has been called a history-dependent authorization pol-
icy[Basinetal.2012];therelationAdefinesahistory-independentpolicy.
ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY.
A:6 J.Cramptonetal.
endusersofthosesystems.Partofthatconfigurationincludestheassignmentofusers
tostepsinworkflowschemas.Thedeveloperofsuchaschemamaywishtobeassured
that the schema is satisfiable for some set of users and some authorization relation,
since the schema is of no practical use if no such user set and authorization relation
exist.The desiredassurance can be providedby solvingan instance of WSP in which
there are k users, each of which is authorized for all steps. The developer may also
determinetheminimumnumberofusersrequiredforaworkflowschematobesatisfi-
able.Theminimumnumbermustbebetween1andk and,usingabinarysearch,can
bedeterminedbyexamining log k instancesofWSP.
⌈ 2 ⌉
2.2. ConstraintTypes
In this paper, we consider two forms of constraint: counting constraints and entail-
ment constraints. A counting constraint has the form (t ,t ,S′), where 1 6 t 6
ℓ r ℓ
t 6 k and S′ S. A counting constraint is a generalization of the cardinality con-
r
⊆
straints introduced in the RBAC96 model [Sandhuetal.1996] and widely adopted
by subsequent access control models [AmericanNationalStandardsInstitute2004;
Bertinoetal.2001;Joshietal.2005].
A plan π : S L satisfies counting constraint (t ,t ,S′) if a user performs either
ℓ r
no steps in S′ or→between t and t steps. In other words, no user is assigned to more
ℓ r
than t steps in S′ and each user (if involved in the execution of steps in S′) must
r
perform at least t steps. Many requirements give rise to counting constraints of the
ℓ
form(t,t,S′),whichwewillabbreviateto (t,S′).Anumberofrequirementsthatarise
intheliteratureandinpracticecanberepresentedbycountingconstraints.
Separationofduty. Theconstraint(1, s′,s′′ )requiresthatnouserexecutesboths′
ands′′.Moregenerally,theconstraint{(1, S′} 1,S′)requiresthatnouserexecutes
allthestepsinS′. | |−
Bindingofduty. The constraint (2, s′,s′′ ) requires that the same user executes
both s′ and s′′. More generally,the c{onstra}int (S′ ,S′) requiresthat all steps in S′
| |
areexecutedbythesameuser.
Divisionofduty. The constraint ( S′ /v , S′ /v ,S′) requiresthat the steps in S′
are split as equally as possible b⌊e|tw|een⌋v⌈|dif|fere⌉nt users. The special case (1,S′)
requiresthatadifferentuserperformseachstepinS′.
Thresholdconstraints. The constraint(1,t,S′)requiresthatnouser executesmore
thantstepsinS′.5
Generalizedthresholdconstraints. Theconstraint(t ,t ,S′)requiresthateachuser
ℓ r
(involvedintheexecutionofstepsinS′)performsbetweent andt ofthosesteps.
ℓ r
Counting constraints are notable to encodecertain types of requirements.For this
reason,wealsoconsiderentailmentconstraints,whichhavetheform(ρ,S′,S′′),where
ρ U U andS′,S′′ S.Aplanπsatisfiesentailmentconstraint(ρ,S′,S′′)ifandonly
if⊆ther×e exists s′ S′⊆and s′′ S′′ such that (π(s′),π(s′′)) ρ. A plan π satisfies a set
∈ ∈ ∈
ofconstraintsC (whichmaybeamixtureofcountingandentailmentconstraints)ifπ
satisfieseachconstraintinC.
Countingconstraintsrepresent“universal”restrictionsontheexecutionofsteps(in
the sense that every user in a plan must satisfy the requirement stipulated). In con-
trast, entailmentconstraintsare “existential” in nature:theyrequirethe existenceof
5These constraints are similar in structure and analogous in meaning to SMER (statically, mutually-
exclusive,role)constraints[Lietal.2007];theSMERconstraint(t,S′)requiresthatnouserisauthorized
fortormore roles inthesetofroles S′.Theseconstraintsarealsosimilartothecardinalityconstraints
definedinRBAC96[Sandhuetal.1996].
ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY.
OntheParameterizedComplexityandKernelizationoftheWorkflowSatisfiabilityProblem A:7
apairofstepsforwhichaconditiononthetwouserswhoexecutethosesteps(defined
bythebinaryrelationρ)issatisfied.
We could write δ to the denote the diagonal relation (u,u):u U and δ to de-
{ ∈ }
note (U U) δ. However, we will prefer to use the less formal, but more intuitive,
× \
notation (=,S′,S′′) and (=,S′,S′′) to denote the constraints (δ,S′,S′′) and (δ,S′,S′′),
6
respectively.
Therearesomerequirementsthatcanberepresentedbyacountingconstraintoran
entailmentconstraint.Thecountingconstraint(1, s ,s ),forexample,issatisfiedby
1 2
{ }
plan π if and only if the entailmentconstraint (=, s , s ) is satisfied. We say that
1 2
twoconstraintsγandγ′areequivalentifaplanπ6 sa{tis}fie{sγ}ifandonlyifitsatisfiesγ′.
Thus(1, s ,s )isequivalentto(=, s , s ).Similarly,(2, s ,s )isequivalentto
1 2 1 2 1 2
{ } 6 { } { } { }
(=, s , s ).Nevertheless,thereisnocountingconstraint(orsetofsuchconstraints)
1 2
{ } { }
that is equivalent to (=,S ,S ). Equally, there is no entailment constraint (or set of
1 2
suchconstraints)thatisequivalentto(t,S′).
2.3. EntailmentConstraintSubtypes
Previous work on workflow satisfiability has not considered counting constraints.
Moreover, our definition of entailment constraint is more general than prior defini-
tions.Thus, we study more generalconstraints for WSP than have beeninvestigated
before.
Crampton[2005] defined entailment constraints in which S and S are singleton
1 2
sets:wewillreferto constraintsofthisformasType1constraints;forbrevitywewill
write (ρ,s ,s ) for the Type 1 constraint (ρ, s , s ). WangandLi[2010] defined
1 2 1 2
{ } { }
constraints in which at least one of S and S is a singleton set: we will refer to con-
1 2
straints of this form as Type 2 constraints and we will write (ρ,s ,S ) in preference
1 2
to (ρ, s ,S ). The Type 2 constraint (ρ,s ,S ) is equivalent to (ρ,S ,s ) if ρ is sym-
1 2 1 2 2 1
{ }
metric,inwhichcasewewillwrite(ρ,s ,S )inpreferenceto(ρ,S ,s ).Notethatboth
1 2 2 1
δ and δ are symmetric binary relations. Constraints in which S and S are arbitrary
1 2
setswillbecalledType3constraints.
We note that Type 1 constraints can expressrequirementsof the form described in
Section 1, where we wish to restrict the combinations of users that perform pairs of
steps.Theplanπsatisfiesconstraint(=,s,s′),forexample,ifthesameuserisassigned
tobothstepsbyπ,andsatisfies constraint(=,s,s′)if differentusersareassignedtos
ands′. 6
Type 2 constraints provide greater flexibility, although Wang and Li, who intro-
duced these constraints, do not provide a use case for which such a constraint
would be needed. However, there are forms of separation-of-duty requirements that
are most naturally encoded using Type 3 constraints. Consider, for example, the
requirement that a set of steps S′ S must not all be performed by the same
user [Armandoetal.2009]. We may e⊆ncode this as the constraint (=,S′,S′), which
issatisfiedbyaplanπonlyifthereexiststwostepsinS′thatarealloc6atedtodifferent
usersbyπ.6Thebinding-of-dutyconstraint(=,S′,S′′)cannotbedirectlyencodedusing
Type2constraintsorcountingconstraints.
Now consider a business rule of the form “two steps must be performed by mem-
bers of the same organizational unit”. The constraint relations = and = do not allow
6
us to define such constraints. In Section 4, we model constraints of this form using
6ItisinterestingtonotethataType3constraint(6=,S′,S′′)canbeencodedasaType2constraint,thereby
providingretrospectivemotivationfortheintroductionofType2constraintsbyWangandLi.Inparticular,
we may encode (6=,S′,S′′) as (6=,s,S′ ∪S′′ \{s}) for some s ∈ S′ ∪S′′. The equivalence of these two
constraintsisleftasanexercisefortheinterestedreader.(Notethatwemayalsoencodethisrequirement
asthecountingconstraint(1,|S′|−1,S′).)
ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY.
A:8 J.Cramptonetal.
equivalence relations defined on the set of users. In Section 5, we introduce a model
for hierarchical organizational structures, represented in terms of multiple, related
equivalencerelationsdefinedonthesetofusers.Wethenconsiderconstraintsderived
from such equivalence relations and the complexity of WSP in the presence of such
constraints.
Henceforth,wewillwrite WSP(ρ ,...,ρ )to denoteaspecialcase of WSP in which
1 t
all constraints have the form (ρ ,S′,S′′) for some ρ ρ ,...,ρ and for some
i i 1 t
S′,S′′ S. We will write WSP (ρ ,...,ρ ) to denote a spe∈cia{l case of W} SP(ρ ,...,ρ ),
i 1 t 1 t
⊆
in which there are no constraints of Type j for j > i. So WSP (=,=), for example,
1
6
indicatesaninstanceof WSP inwhichallconstraintsareofType1andonlyincludes
constraints of the form (=,s ,s ) or (=,s ,s ) for some s ,s S. For ease of exposi-
1 2 1 2 1 2
6 ∈
tion,wewillconsidercountingconstraintsandentailmentconstraintsseparately.Our
results,however,holdwhenaworkflowspecificationincludesbothtypesofconstraints.
3. WSP ANDFIXED-PARAMETERTRACTABILITY
Inordertomakethepaperself-contained,wefirstprovideashortoverviewofparam-
eterizedcomplexity,whatitmeansforaproblemtobe fixed-parametertractable,and
summarizetheresultsobtainedbyWangandLiforWSP.Wethenintroducethenotion
ofaneligiblesetofsteps.Theidentificationofeligiblesetsiscentraltoourmethodfor
solving WSP. In the final part of this section, we state and prove a “master” theorem
from which a number of useful results follow as corollaries.The master theorem also
providesuseful insights into the structure of constraints that will result in instances
ofWSPthatarefixed-parametertractable.
3.1. ParameterizedComplexity
A na¨ıve approach to solving WSP would consider every possible assignment of users
to steps in the workflow. There are nk such assignments if there are n users and k
steps, so an algorithm of this form would have (worst-case) complexityO(cnk), where
c is the numberof constraints.Moreover,Wang and Li showedthat WSP is NP-hard,
by reducing GRAPH k-COLORABILITY to WSP(=) [WangandLi2010, Lemma 3]. In
6
short, WSP is hard to solve in general. The importance of finding an efficient algo-
rithmforsolving WSP ledWangandLitolookattheproblemfromtheperspectiveof
parameterizedcomplexity[WangandLi2010, 4].
Suppose we have an algorithm that solves a§n NP-hard problem in time O(f(k)nd),
where n denotes the size of the input to the problem, k is some (small) parameter of
the problem, f is some function in k only, and d is some constant (independent of k
andn).Thenwesaythealgorithmisafixed-parametertractable(FPT)algorithm.Ifa
problemcanbesolvedusinganFPT algorithmthenwesay thatitis anFPT problem
andthatitbelongstotheclassFPT.
Wang and Li showed, using an elementary argument, that WSP (=) is FPT
2
and can be solved in time O(kk+1N), where N is the size of the entir6e input to
the problem [WangandLi2010, Lemma 8]. They also showed that WSP (=,=) is
2
6
FPT [WangandLi2010, Theorem 9], using a rather more complex approach: specif-
ically,theyconstructedanalgorithmthatrunsintimeO(kk+1(k 1)k2k−1N);itfollows
−
thatWSP (=,=)isFPT.
2
6
WhentheruntimeO(f(k)nd)isreplacedbythemuchmorepowerfulO(nf(k)),weob-
tain theclass XP, whereeach problemis polynomial-timesolvable for any fixedvalue
ofk.Thereisaninfinitecollectionofparameterizedcomplexityclasses,W[1],W[2],...,
with FPT W[1] W[2] XP. Informally, a parameterized problem belongs
⊆ ⊆ ⊆ ··· ⊆
to the complexity class W[i] if there exists an FPT algorithm that transforms every
ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY.
OntheParameterizedComplexityandKernelizationoftheWorkflowSatisfiabilityProblem A:9
instance of the problem into an instance of WEIGHTED CIRCUIT SATISFIABILITY for
a circuit of weft i. It can be shown that FPT is the class W[0]. The problems INDE-
PENDENT SET and DOMINATING SET areinW[1]andW[2],respectively.Itiswidely-
believedandoftenassumedthatFPT=W[1].ForamoreformalintroductiontotheW
6
familyofcomplexityclasses,seeFlumandGrohe[2006].
WangandLi[2010, Theorem 10] proved that WSP (for arbitrary relations de-
fined on the user set) is W[1]-hard in general, using a reduction from INDEPEN-
DENT SET. By definition, FPT is a subset of W[1] and a parameterized analog of
Cook’sTheorem[DowneyandFellows1999]aswellastheExponentialTime Hypoth-
esis [FlumandGrohe2006; Impagliazzoetal.2001] strongly supportthe widely held
view that FPT is not equal to W[1]. One of the main contributions of this paper is to
extendthesetofspecialcasesofWSPthatareknowntobeFPT.
Henceforth, we often write O(T) instead of O(T logdT) for any constant d. That
e
is, we use the notation O to suppress polylogarithmic factors. This notation is often
used in the literature oen algorithms—see, for example, Bjo¨rklundetal.[2009] and
Kaufmanetal.[2004]—toavoidcumbersomeruntimebounds.
3.2. EligibleSets
The basic idea behind our results is to construct a valid plan by partitioning the set
ofsteps S into blocks of steps, each of which is allocated to a single (authorized)user.
Moreformally,letπ be avalid plan for a workflow(S,U,6,A,C) and definean equiv-
alence relation on S, where s s′ if and only if π(s) = π(s′). We denote the set
π π
∼ ∼
ofequivalenceclasses of byS/π andwrite[s] todenotetheequivalenceclasscon-
π π
∼
taining s. An equivalence class in S/π comprises the set of steps that are assigned to
a single user by plan π. It is easy to see that there are certain “forbidden” subsets
S′ of S for which there cannot exist a valid plan π such that S′ S/π. Consider, for
example, the constraint (=,s,s′): then, for any valid plan π, it m∈ust be the case that
[s] = [s′] ; in otherwords6 ,there doesnot exista valid plan π such that s,s′ S/π.
π π
6 { } ∈
Thismotivatesthefollowingdefinition.
Definition 3.1. Givenaworkflow(S,U,6,A,C)andaconstraintγ C,asetF S
∈ ⊆
isγ-ineligibleifany planπ : S U such that F S/π violatesγ.We say F iseligible
→ ∈
if and only if it is notineligible.We say F S is C-ineligibleor simply ineligibleif F
⊆
isγ-ineligibleforsomeγ C.
∈
A necessary condition for a valid plan is that no equivalence class is an ineligible
set; equivalently, every equivalence class in a plan must be an eligible set. For many
constraintsγ,wecandeterminewhetherF Sisγ-ineligibleornotintimepolynomial
⊆
in the number of steps. Consider,for example,the requirementthat no user executes
morethantsteps:thenF S iseligibleifandonlyif F 6t.Similarly,wecantestfor
⊆ | |
theineligibilityofF withrespectto(=, s ,s )bydeterminingwhetherF s ,s .
1 2 1 2
6 { } ⊇{ }
Definition 3.2. Wesayaconstraintγ isregularifanyplanπ inwhicheachequiva-
lenceclass[s] isaneligiblesetsatisfiesγ.
π
Theregularityofaconstraintisasufficientconditiontoguaranteethatwecancon-
structa valid plan usingeligible sets. With oneexception,allconstraints weconsider
areregular.
PROPOSITION 3.3. All counting constraints are regular and all entailment con-
straintsoftheform(=,S ,S )areregular.Entailmentconstraintsoftheform(=,S ,S )
1 2 1 2
6
areregularifatleastoneofS andS isasingletonset.
1 2
PROOF. Theresultistrivialforcountingconstraints.
ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY.
A:10 J.Cramptonetal.
Givenanentailmentconstraint(=,S ,S ),aplanπ inwhichallequivalenceclasses
1 2
6
are eligible, and [s] for some s S S , we have that [s] S S (since, by
π 1 2 π 1 2
assumption,[s] iseligible).Hence∈,ther∪eexistsan elements′ S6⊇ S∪with s′ [s] .
π 1 2 π
∈ ∪ 6∈
SincetheequivalenceclassesinS/π formapartitionofS,thereexistsanequivalence
class [s′] = [s] . Hence, the constraint is satisfied (since each equivalence class is
π π
6
assignedtoadifferentuser).Thustheconstraintisregular.
We demonstrate,by exhibiting a counterexample,that a partition of S into eligible
sets doesnot guarantee the satisfaction of a Type 3 constraint of the form (=,S ,S ).
1 2
Consider,forexample,S = s ,s ,s ,s andtheconstraint(=, s ,s , s ,s ).Then
1 2 3 4 1 2 3 4
{ } { } { }
s ,..., s areeligiblesets,butaplaninwhichu isassignedtos isnotvalid.
1 4 i i
{ } { }
Finally,considertheType2constraint(=,s ,S ).Anyeligiblesetforthisconstraint
1 2
that contains s must contain an element of S . Hence a partition of S into eligible
1 2
sets ensures that the constraint will be satisfied (and hence that the constraint is
regular).
3.3. ReducingWSPtoMAXWEIGHTEDPARTITION
We now state and prove our main result. We believe this result subsumes existing
results in the literature on the complexity of WSP. Moreover, the result considerably
enhancesourunderstandingofthetypesofconstraintsthatcanbeusedinaworkflow
specification if we wish to preserve fixed-parameter tractability of WSP. We explore
theconsequencesandapplicationsofourresultinSections4and5.
THEOREM 3.4. LetW =(S,U,6,A,C)beaworkflowspecificationsuchthat(i)each
constraint γ is regular and (ii) there exists an algorithm that can determine whether
F S isγ-eligibleintimepolynomialink.Thentheworkflowsatisfiabilityproblemfor
⊆
W canbesolvedintimeO(2k(c+n2)).
e
The proof of this result reduces an instance of WSP to an instance of the MAX
WEIGHTED PARTITION problem,which, by a result of Bjo¨rklundetal.[2009], is FPT.
Westatetheproblemandtherelevantresult,beforeprovingTheorem3.4.
MAX WEIGHTED PARTITION
Input:AsetS ofk elementsandnfunctionsφ ,i [n],from2S tointegersfrom
i
∈
therange[ M,M](M 1).
Output:Ann-partit−ion(F ,...,≥F )ofS thatmaximizes n φ (F ).
1 n Pi=1 i i
THEOREM 3.5 (BJO¨RKLUND ET AL. [2009]). MAX WEIGHTED PARTITION can be
solvedintimeO(2kn2M).
e
PROOF OF THEOREM 3.4. We construct a binary matrix with n rows (indexed by
elementsofU)and2k columns(indexedbyelementsof2S):everyentryinthecolumn
labeled by the empty set is defined to be 1; the entry indexed by u U and F S
∈ ⊆
is defined to be 0 if and only if F = is C-ineligible or there exists s F such that
6 ∅ ∈
(s,u) A. In other words, the non-zero matrix entry indexed by u and F defines a
6∈
C-eligiblesetanduisauthorizedforallstepsinF,andthusrepresentsasetofsteps
thatcouldbeassignedtoasingleuserinavalidplan.
Thematrixdefinedaboveencodesafamilyoffunctions φ ,φ :2S 0,1 .We
{ u}u∈U u →{ }
nowsolveMAX WEIGHTED PARTITIONoninputS and{φu}u∈U.Giventhatφu(F)61,
φ (F ) 6 n, with equality if and only if we can partition S into different C-
Pu∈U u u
eligible blocks and assigned them to different users. Since each γ is regular, W is
satisfiableifandonlyifMWPreturnsapartitionhavingweightn.
ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY.
