On the Parameterized Complexity and Kernelization of the Workflow Satisfiability Problem

JASON CRAMPTON, Royal Holloway, University of London
GREGORY GUTIN, Royal Holloway, University of London
ANDERS YEO, University of Johannesburg

arXiv:1205.0852v3 [cs.CR] 9 Jan 2013

A workflow specification defines a set of steps and the order in which those steps must be executed. Security requirements may impose constraints on which groups of users are permitted to perform subsets of those steps. A workflow specification is said to be satisfiable if there exists an assignment of users to workflow steps that satisfies all the constraints. An algorithm for determining whether such an assignment exists is important, both as a static analysis tool for workflow specifications, and for the construction of run-time reference monitors for workflow management systems. Finding such an assignment is a hard problem in general, but work by Wang and Li in 2010 using the theory of parameterized complexity suggests that efficient algorithms exist under reasonable assumptions about workflow specifications. In this paper, we improve the complexity bounds for the workflow satisfiability problem. We also generalize and extend the types of constraints that may be defined in a workflow specification and prove that the satisfiability problem remains fixed-parameter tractable for such constraints. Finally, we consider preprocessing for the problem and prove that in an important special case, in polynomial time, we can reduce the given input into an equivalent one, where the number of users is at most the number of steps. We also show that no such reduction exists for two natural extensions of this case, which bounds the number of users by a polynomial in the number of steps, provided a widely-accepted complexity-theoretical assumption holds.

Categories and Subject Descriptors: D4.6 [Operating Systems]: Security and Protection—Access controls; F2.2 [Analysis of Algorithms and Problem Complexity]: Nonnumerical Algorithms and Problems; H2.0 [Database Management]: General—Security, integrity and protection

General Terms: Algorithms, Security, Theory

Additional Key Words and Phrases: authorization constraints, workflow satisfiability, parameterized complexity

ACM Reference Format:
Crampton, J., Gutin, G., Yeo, A. 2013. On the Parameterized Complexity of the Workflow Satisfiability Problem. ACM V, N, Article A (January YYYY), 31 pages.
DOI = 10.1145/0000000.0000000 http://doi.acm.org/10.1145/0000000.0000000

A preliminary version of this paper appeared in the Proceedings of CCS 2012.

Author's addresses: J. Crampton, Department of Mathematics, Royal Holloway, University of London; G. Gutin, Department of Computer Science, Royal Holloway, University of London; A. Yeo, Department of Mathematics, University of Johannesburg.

1. INTRODUCTION

It is increasingly common for organizations to computerize their business and management processes. The co-ordination of the tasks or steps that comprise a computerized business process is managed by a workflow management system (or business process management system). Typically, the execution of these steps will be triggered by a
human user, or a software agent acting under the control of a human user, and the execution of each step will be restricted to some set of authorized users.

A workflow typically specifies the steps that comprise a business process and the order in which those steps should be performed. Moreover, it is often the case that some form of access control, often role-based, should be applied to limit the execution of steps to authorized users. In addition, many workflows require controls on the users that perform groups of steps. The concept of a Chinese wall, for example, limits the set of steps that any one user can perform [Brewer and Nash 1989], as does separation-of-duty, which is a central part of the role-based access control model [American National Standards Institute 2004]. Hence, it is important that workflow management systems implement security controls that enforce authorization rules and business rules, in order to comply with statutory requirements or best practice [Basin et al. 2011]. It is these “security-aware” workflows that will be the focus of the remainder of this paper.

A simple, illustrative example for purchase order processing [Crampton 2005] is shown in Figure 1. In the first step of the workflow, the purchase order is created and approved (and then dispatched to the supplier). The supplier will submit an invoice for the goods ordered, which is processed by the create payment step. When the supplier delivers the goods, a goods received note (GRN) must be signed and countersigned. Only then may the payment be approved and sent to the supplier. Note that a workflow specification need not be linear: the processing of the GRN and of the invoice can occur in parallel, for example.

In addition to defining the order in which steps must be performed, the workflow specification includes rules to prevent fraudulent use of the purchase order processing system.
In our example, these rules take the form of constraints on users that can perform pairs of steps in the workflow: the same user may not sign and countersign the GRN, for example. (We introduce more complex rules in Sections 2 and 5.)

[Figure 1 panels: (a) Ordering on steps; (b) Constraints; (c) Legend. Legend entries: s1 create purchase order; s2 approve purchase order; s3 sign GRN; s4 create payment; s5 countersign GRN; s6 approve payment; $\neq$ different users must perform steps; $=$ same user must perform steps.]

Fig. 1. A simple constrained workflow for purchase order processing

It is apparent that it may be impossible to find an assignment of authorized users to workflow steps such that all constraints are satisfied. In this case, we say that the workflow specification is unsatisfiable. The WORKFLOW SATISFIABILITY PROBLEM (WSP) is known to be NP-hard, even when the set of constraints only includes constraints that have a relatively simple structure (and that would arise regularly in practice).¹

It has been argued that it would be of practical value to be able to define constraints in terms of organizational structures, rather than just the identity of particular users [Wang and Li 2010]. One of the contributions of this paper is to introduce a model for hierarchical organizations based on the notion of equivalence classes and partition refinements. We demonstrate how to construct an instance of our model from a management structure and illustrate why constraints defined over such models are of practical value. The use of cardinality constraints in access control policies has also attracted considerable interest in the academic community [Joshi et al. 2005; Sandhu et al. 1996; Simon and Zurko 1997].
Cardinality constraints can encode a number of useful requirements that cannot be encoded using the constraints that have been used in prior work on WSP. A second contribution of this paper is to introduce counting constraints for workflows—a natural extension of cardinality constraints—and to examine WSP when such constraints form part of a workflow specification.

Wang and Li [2010] observed that the number of steps in a workflow is likely to be small relative to the size of the input to the workflow satisfiability problem. This observation led them to study the problem using tools from parameterized complexity and to prove that the problem is fixed-parameter tractable for certain classes of constraints. These results demonstrate that it is feasible to solve WSP for many workflow specifications in practice. However, Wang and Li also showed that for many types of constraints the problem is fixed-parameter intractable unless the parameterized complexity hypothesis $\mathrm{FPT} \neq \mathrm{W}[1]$ fails, which is highly unlikely. (We provide a short introduction to parameterized complexity in Section 3.1.) In this paper, we extend the results of Wang and Li in several different ways.

1. First, we introduce the notion of counting constraints, a generalization of cardinality constraints, and extend the analysis of WSP to include such constraints.

2. Our second contribution is to introduce a new approach to WSP, which makes use of a powerful, recent result in the area of exponential-time algorithms [Björklund et al. 2009]. We establish necessary and sufficient conditions on constraints that will admit the use of our approach. In particular, we show that counting constraints satisfy these conditions, as do the constraints considered by Wang and Li. This approach allows us to develop algorithms with a significantly better worst-case performance than those of Wang and Li. Moreover, we demonstrate that our result cannot be significantly improved, provided a well-known hypothesis about the complexity of solving 3-SAT holds.

3. Our third extension to the work of Wang and Li is to define constraints in terms of hierarchical organizational structures and to prove, using our new technique, that WSP remains fixed-parameter tractable in the presence of such hierarchical structures and hierarchy-related constraints.

4. Our fourth contribution is to instigate the systematic study of parameterized compression (also known as kernelization) of WSP instances.² We show that a result of Fellows et al. [2011, Theorem 3.3] on a problem equivalent to a special case of WSP can be slightly extended and significantly improved using graph matchings. We also prove that two natural further extensions of the result of Fellows et al. are impossible subject to a widely-accepted complexity-theoretical hypothesis.

¹ In particular, the GRAPH k-COLORABILITY problem can be reduced to a special case of WSP in which the workflow specification only includes separation-of-duty constraints [Wang and Li 2010].

² Kernelization of WSP instances can be extremely useful in speeding up the solution of WSP: the compressed instance can be solved using any suitable algorithm (such as a SAT solver), not necessarily by an FPT algorithm.

In the next section, we introduce the workflow satisfiability problem. In Section 3, we provide a brief introduction to fixed-parameter tractability, prove a general result characterizing the constraints for which WSP is fixed-parameter tractable, and apply this result to counting constraints. In Section 4 we extend the results of Wang and Li, by improving the complexity of the algorithms used to solve WSP and by introducing constraints based on equivalence relations. In Section 5, we introduce a model for an organizational hierarchy and a class of constraint relations defined in terms of such hierarchies. We demonstrate that WSP remains fixed-parameter tractable for workflow specifications that include constraints defined over an organizational hierarchy.
In Section 6, we discuss kernelization of WSP and prove that in an important special case, in polynomial time, we can transform the given input into an equivalent one, where the number of users is at most the number of steps. We also show that no polynomial transformation exists for two natural extensions of this case, which bounds the number of users by a polynomial in the number of steps, unless a certain complexity-theoretical assumption fails. The paper concludes with a summary of our contributions and discussions of related and future work.

2. THE WORKFLOW SATISFIABILITY PROBLEM

In this section, we introduce our notation and definitions, derived from earlier work by Crampton [2005] and Wang and Li [2010], and then define the workflow satisfiability problem.

A partially ordered set (or poset) is a pair $(X, \leq)$, where $\leq$ is a reflexive, anti-symmetric and transitive binary relation defined over $X$. If $(X, \leq)$ is a poset, then we write $x \parallel y$ if $x$ and $y$ are incomparable; that is, $x \not\leq y$ and $y \not\leq x$. We may write $x \geq y$ whenever $y \leq x$. We may also write $x < y$ whenever $x \leq y$ and $x \neq y$. Finally, we will write $[n]$ to denote $\{1, \dots, n\}$.

Definition 2.1. A workflow specification is a partially ordered set of steps $(S, \leq)$. An authorization policy for a workflow specification is a relation $A \subseteq S \times U$. A workflow authorization schema is a tuple $(S, U, \leq, A)$, where $(S, \leq)$ is a workflow specification and $A$ is an authorization policy.

If $s < s'$ then $s$ must be performed before $s'$ in any instance of the workflow; if $s \parallel s'$ then $s$ and $s'$ may be performed in either order. Our definition of workflow specification does not permit repetition of tasks (loops) or repetition of sub-workflows (cycles). User $u$ is authorized to perform step $s$ only if $(s, u) \in A$.³ We assume that for every step $s \in S$ there exists some user $u \in U$ such that $(s, u) \in A$.

Definition 2.2. Let $(S, U, \leq, A)$ be a workflow authorization schema. A plan is a function $\pi : S \to U$. A plan $\pi$ is authorized for $(S, U, \leq, A)$ if $(s, \pi(s)) \in A$ for all $s \in S$.

The access control policy embodied in the authorization relation $A$ imposes restrictions on the users that can perform specific steps in the workflow. A workflow authorization constraint imposes restrictions on the execution of sets of steps in a workflow. A constraint is defined by some suitable syntax and its meaning is provided by the restrictions the constraint imposes on the users that execute the sets of steps defined in the constraint. In other words, constraint satisfaction is defined with reference to a plan; a valid plan is one that is authorized and allocates users in such a way that the constraint is satisfied. A very simple example of a constraint is one requiring that steps $s$ and $s'$ are executed by different users. Then a valid plan $\pi$ (with respect to this constraint) has the property that $\pi(s) \neq \pi(s')$. A constrained workflow authorization schema is a tuple $(S, U, \leq, A, C)$, where $C$ is a set of workflow constraints.⁴ A plan is valid for an authorization schema if it is authorized and satisfies all constraints in $C$. We define particular types of constraints in Section 2.2 and 2.3.

³ In practice, the set of authorized step-user pairs, $A$, will not be defined explicitly. Instead, $A$ will be inferred from other access control data structures. In particular, R2BAC – the role-and-relation-based access control model of Wang and Li [2010] – introduces a set of roles $R$, a user-role relation $UR \subseteq U \times R$ and a role-step relation $SA \subseteq R \times S$ from which it is possible to derive the steps for which users are authorized. For all common access control policies (including R2BAC), it is straightforward to derive $A$. We prefer to use $A$ in order to simplify the exposition.

We may now define the workflow satisfiability problem, as defined by Wang and Li [2010].
WORKFLOW SATISFIABILITY PROBLEM (WSP)
Input: A constrained workflow authorization schema $(S, U, \leq, A, C)$
Output: A valid plan $\pi : S \to U$ or an answer that there exists no valid plan

We will write $c$, $n$ and $k$ to denote the number of constraints, users and steps, respectively, in an instance of WSP. We will analyze the complexity of the workflow satisfiability problem in terms of these parameters.

2.1. Applications of WSP

An algorithm that solves WSP can be used by a workflow management system in one of three ways, depending on how users are allocated to steps in an instance of the workflow. Some systems allocate an authorized user to each step when a workflow instance is generated. Other systems allocate users to only those steps that are ready to be performed in an instance of the workflow. (A step is ready only if all its immediate predecessor steps have been completed.) The third possibility is to allow users to select a step to execute from a pool of ready steps maintained by the workflow management system.

For the first type of system, it is important to know that a workflow is satisfiable and an algorithm that solves WSP can simply be used as a static analysis tool. The NP-hardness of the problem suggests that the worst-case run-time of such an algorithm will be exponential in the size of the input. Hence, it is important to find an algorithm that is as efficient as possible.

For the second and third cases, the system must guarantee that the choice of user to execute a step (whether it is allocated by the system or selected by the user) does not prevent the workflow instance from completing. This analysis needs to be performed each time a user is allocated to, or selects, a step in a workflow instance. The question can be resolved by solving a new instance of WSP, in which those steps to which users have been allocated are assumed to have a single authorized user (namely, the user that has been allocated to the task) [Crampton 2005, §3.2]. Assuming that these checks should incur as little delay as possible, particularly in the case when users select steps in real time [Kohler and Schaad 2008], it becomes even more important to find an algorithm that can decide WSP as efficiently as possible.

The definition of workflow satisfiability given above assumes that the set of users and the authorization relation are given. This notion of satisfiability is appropriate when the workflow schema is designed “in-house”. A number of large information technology companies develop business process systems which are then configured by the end users of those systems. Part of that configuration includes the assignment of users to steps in workflow schemas. The developer of such a schema may wish to be assured that the schema is satisfiable for some set of users and some authorization relation, since the schema is of no practical use if no such user set and authorization relation exist. The desired assurance can be provided by solving an instance of WSP in which there are $k$ users, each of which is authorized for all steps. The developer may also determine the minimum number of users required for a workflow schema to be satisfiable. The minimum number must be between 1 and $k$ and, using a binary search, can be determined by examining $\lceil \log_2 k \rceil$ instances of WSP.

⁴ The set of constraints defines what has been called a history-dependent authorization policy [Basin et al. 2012]; the relation $A$ defines a history-independent policy.

2.2. Constraint Types

In this paper, we consider two forms of constraint: counting constraints and entailment constraints. A counting constraint has the form $(t_\ell, t_r, S')$, where $1 \leq t_\ell \leq t_r \leq k$ and $S' \subseteq S$. A counting constraint is a generalization of the cardinality constraints introduced in the RBAC96 model [Sandhu et al. 1996] and widely adopted by subsequent access control models [American National Standards Institute 2004; Bertino et al. 2001; Joshi et al. 2005].
A plan $\pi : S \to U$ satisfies counting constraint $(t_\ell, t_r, S')$ if a user performs either no steps in $S'$ or between $t_\ell$ and $t_r$ steps. In other words, no user is assigned to more than $t_r$ steps in $S'$ and each user (if involved in the execution of steps in $S'$) must perform at least $t_\ell$ steps. Many requirements give rise to counting constraints of the form $(t, t, S')$, which we will abbreviate to $(t, S')$. A number of requirements that arise in the literature and in practice can be represented by counting constraints.

Separation of duty. The constraint $(1, \{s', s''\})$ requires that no user executes both $s'$ and $s''$. More generally, the constraint $(1, |S'| - 1, S')$ requires that no user executes all the steps in $S'$.

Binding of duty. The constraint $(2, \{s', s''\})$ requires that the same user executes both $s'$ and $s''$. More generally, the constraint $(|S'|, S')$ requires that all steps in $S'$ are executed by the same user.

Division of duty. The constraint $(\lfloor |S'|/v \rfloor, \lceil |S'|/v \rceil, S')$ requires that the steps in $S'$ are split as equally as possible between $v$ different users. The special case $(1, S')$ requires that a different user performs each step in $S'$.

Threshold constraints. The constraint $(1, t, S')$ requires that no user executes more than $t$ steps in $S'$.⁵

Generalized threshold constraints. The constraint $(t_\ell, t_r, S')$ requires that each user (involved in the execution of steps in $S'$) performs between $t_\ell$ and $t_r$ of those steps.

Counting constraints are not able to encode certain types of requirements. For this reason, we also consider entailment constraints, which have the form $(\rho, S', S'')$, where $\rho \subseteq U \times U$ and $S', S'' \subseteq S$. A plan $\pi$ satisfies entailment constraint $(\rho, S', S'')$ if and only if there exists $s' \in S'$ and $s'' \in S''$ such that $(\pi(s'), \pi(s'')) \in \rho$. A plan $\pi$ satisfies a set of constraints $C$ (which may be a mixture of counting and entailment constraints) if $\pi$ satisfies each constraint in $C$.

Counting constraints represent “universal” restrictions on the execution of steps (in the sense that every user in a plan must satisfy the requirement stipulated). In contrast, entailment constraints are “existential” in nature: they require the existence of a pair of steps for which a condition on the two users who execute those steps (defined by the binary relation $\rho$) is satisfied.

⁵ These constraints are similar in structure and analogous in meaning to SMER (statically, mutually-exclusive, role) constraints [Li et al. 2007]; the SMER constraint $(t, S')$ requires that no user is authorized for $t$ or more roles in the set of roles $S'$. These constraints are also similar to the cardinality constraints defined in RBAC96 [Sandhu et al. 1996].

We could write $\delta$ to denote the diagonal relation $\{(u, u) : u \in U\}$ and $\overline{\delta}$ to denote $(U \times U) \setminus \delta$. However, we will prefer to use the less formal, but more intuitive, notation $(=, S', S'')$ and $(\neq, S', S'')$ to denote the constraints $(\delta, S', S'')$ and $(\overline{\delta}, S', S'')$, respectively.

There are some requirements that can be represented by a counting constraint or an entailment constraint. The counting constraint $(1, \{s_1, s_2\})$, for example, is satisfied by plan $\pi$ if and only if the entailment constraint $(\neq, \{s_1\}, \{s_2\})$ is satisfied. We say that two constraints $\gamma$ and $\gamma'$ are equivalent if a plan $\pi$ satisfies $\gamma$ if and only if it satisfies $\gamma'$. Thus $(1, \{s_1, s_2\})$ is equivalent to $(\neq, \{s_1\}, \{s_2\})$. Similarly, $(2, \{s_1, s_2\})$ is equivalent to $(=, \{s_1\}, \{s_2\})$. Nevertheless, there is no counting constraint (or set of such constraints) that is equivalent to $(=, S_1, S_2)$. Equally, there is no entailment constraint (or set of such constraints) that is equivalent to $(t, S')$.

2.3. Entailment Constraint Subtypes

Previous work on workflow satisfiability has not considered counting constraints. Moreover, our definition of entailment constraint is more general than prior definitions. Thus, we study more general constraints for WSP than have been investigated before.
Crampton [2005] defined entailment constraints in which $S_1$ and $S_2$ are singleton sets: we will refer to constraints of this form as Type 1 constraints; for brevity we will write $(\rho, s_1, s_2)$ for the Type 1 constraint $(\rho, \{s_1\}, \{s_2\})$. Wang and Li [2010] defined constraints in which at least one of $S_1$ and $S_2$ is a singleton set: we will refer to constraints of this form as Type 2 constraints and we will write $(\rho, s_1, S_2)$ in preference to $(\rho, \{s_1\}, S_2)$. The Type 2 constraint $(\rho, s_1, S_2)$ is equivalent to $(\rho, S_2, s_1)$ if $\rho$ is symmetric, in which case we will write $(\rho, s_1, S_2)$ in preference to $(\rho, S_2, s_1)$. Note that both $\delta$ and $\overline{\delta}$ are symmetric binary relations. Constraints in which $S_1$ and $S_2$ are arbitrary sets will be called Type 3 constraints.

We note that Type 1 constraints can express requirements of the form described in Section 1, where we wish to restrict the combinations of users that perform pairs of steps. The plan $\pi$ satisfies constraint $(=, s, s')$, for example, if the same user is assigned to both steps by $\pi$, and satisfies constraint $(\neq, s, s')$ if different users are assigned to $s$ and $s'$.

Type 2 constraints provide greater flexibility, although Wang and Li, who introduced these constraints, do not provide a use case for which such a constraint would be needed. However, there are forms of separation-of-duty requirements that are most naturally encoded using Type 3 constraints. Consider, for example, the requirement that a set of steps $S' \subseteq S$ must not all be performed by the same user [Armando et al. 2009]. We may encode this as the constraint $(\neq, S', S')$, which is satisfied by a plan $\pi$ only if there exist two steps in $S'$ that are allocated to different users by $\pi$.⁶ The binding-of-duty constraint $(=, S', S'')$ cannot be directly encoded using Type 2 constraints or counting constraints.

Now consider a business rule of the form “two steps must be performed by members of the same organizational unit”. The constraint relations $=$ and $\neq$ do not allow us to define such constraints. In Section 4, we model constraints of this form using
In Section 4, we model constraints of this form using 6ItisinterestingtonotethataType3constraint(6=,S′,S′′)canbeencodedasaType2constraint,thereby providingretrospectivemotivationfortheintroductionofType2constraintsbyWangandLi.Inparticular, we may encode (6=,S′,S′′) as (6=,s,S′ ∪S′′ \{s}) for some s ∈ S′ ∪S′′. The equivalence of these two constraintsisleftasanexercisefortheinterestedreader.(Notethatwemayalsoencodethisrequirement asthecountingconstraint(1,|S′|−1,S′).) ACMJournalName,Vol.V,No.N,ArticleA,Publicationdate:JanuaryYYYY. A:8 J.Cramptonetal. equivalence relations defined on the set of users. In Section 5, we introduce a model for hierarchical organizational structures, represented in terms of multiple, related equivalencerelationsdefinedonthesetofusers.Wethenconsiderconstraintsderived from such equivalence relations and the complexity of WSP in the presence of such constraints. Henceforth,wewillwrite WSP(ρ ,...,ρ )to denoteaspecialcase of WSP in which 1 t all constraints have the form (ρ ,S′,S′′) for some ρ ρ ,...,ρ and for some i i 1 t S′,S′′ S. We will write WSP (ρ ,...,ρ ) to denote a spe∈cia{l case of W} SP(ρ ,...,ρ ), i 1 t 1 t ⊆ in which there are no constraints of Type j for j > i. So WSP (=,=), for example, 1 6 indicatesaninstanceof WSP inwhichallconstraintsareofType1andonlyincludes constraints of the form (=,s ,s ) or (=,s ,s ) for some s ,s S. For ease of exposi- 1 2 1 2 1 2 6 ∈ tion,wewillconsidercountingconstraintsandentailmentconstraintsseparately.Our results,however,holdwhenaworkflowspecificationincludesbothtypesofconstraints. 3. WSP ANDFIXED-PARAMETERTRACTABILITY Inordertomakethepaperself-contained,wefirstprovideashortoverviewofparam- eterizedcomplexity,whatitmeansforaproblemtobe fixed-parametertractable,and summarizetheresultsobtainedbyWangandLiforWSP.Wethenintroducethenotion ofaneligiblesetofsteps.Theidentificationofeligiblesetsiscentraltoourmethodfor solving WSP. 
In the final part of this section, we state and prove a “master” theorem from which a number of useful results follow as corollaries. The master theorem also provides useful insights into the structure of constraints that will result in instances of WSP that are fixed-parameter tractable.

3.1. Parameterized Complexity

A naïve approach to solving WSP would consider every possible assignment of users to steps in the workflow. There are $n^k$ such assignments if there are $n$ users and $k$ steps, so an algorithm of this form would have (worst-case) complexity $O(cn^k)$, where $c$ is the number of constraints. Moreover, Wang and Li showed that WSP is NP-hard, by reducing GRAPH k-COLORABILITY to $\mathrm{WSP}(\neq)$ [Wang and Li 2010, Lemma 3]. In short, WSP is hard to solve in general. The importance of finding an efficient algorithm for solving WSP led Wang and Li to look at the problem from the perspective of parameterized complexity [Wang and Li 2010, §4].

Suppose we have an algorithm that solves an NP-hard problem in time $O(f(k)n^d)$, where $n$ denotes the size of the input to the problem, $k$ is some (small) parameter of the problem, $f$ is some function in $k$ only, and $d$ is some constant (independent of $k$ and $n$). Then we say the algorithm is a fixed-parameter tractable (FPT) algorithm. If a problem can be solved using an FPT algorithm then we say that it is an FPT problem and that it belongs to the class FPT.

Wang and Li showed, using an elementary argument, that $\mathrm{WSP}_2(\neq)$ is FPT and can be solved in time $O(k^{k+1}N)$, where $N$ is the size of the entire input to the problem [Wang and Li 2010, Lemma 8]. They also showed that $\mathrm{WSP}_2(=, \neq)$ is FPT [Wang and Li 2010, Theorem 9], using a rather more complex approach: specifically, they constructed an algorithm that runs in time $O(k^{k+1}(k-1)^{k2^{k-1}}N)$; it follows that $\mathrm{WSP}_2(=, \neq)$ is FPT.

When the runtime $O(f(k)n^d)$ is replaced by the much more powerful $O(n^{f(k)})$, we obtain the class XP, where each problem is polynomial-time solvable for any fixed value of $k$. There is an infinite collection of parameterized complexity classes, $\mathrm{W}[1], \mathrm{W}[2], \dots$, with $\mathrm{FPT} \subseteq \mathrm{W}[1] \subseteq \mathrm{W}[2] \subseteq \cdots \subseteq \mathrm{XP}$. Informally, a parameterized problem belongs to the complexity class $\mathrm{W}[i]$ if there exists an FPT algorithm that transforms every instance of the problem into an instance of WEIGHTED CIRCUIT SATISFIABILITY for a circuit of weft $i$. It can be shown that FPT is the class $\mathrm{W}[0]$. The problems INDEPENDENT SET and DOMINATING SET are in $\mathrm{W}[1]$ and $\mathrm{W}[2]$, respectively. It is widely-believed and often assumed that $\mathrm{FPT} \neq \mathrm{W}[1]$. For a more formal introduction to the W family of complexity classes, see Flum and Grohe [2006].

Wang and Li [2010, Theorem 10] proved that WSP (for arbitrary relations defined on the user set) is $\mathrm{W}[1]$-hard in general, using a reduction from INDEPENDENT SET. By definition, FPT is a subset of $\mathrm{W}[1]$ and a parameterized analog of Cook's Theorem [Downey and Fellows 1999] as well as the Exponential Time Hypothesis [Flum and Grohe 2006; Impagliazzo et al. 2001] strongly support the widely held view that FPT is not equal to $\mathrm{W}[1]$. One of the main contributions of this paper is to extend the set of special cases of WSP that are known to be FPT.

Henceforth, we often write $\widetilde{O}(T)$ instead of $O(T \log^d T)$ for any constant $d$. That is, we use the notation $\widetilde{O}$ to suppress polylogarithmic factors. This notation is often used in the literature on algorithms—see, for example, Björklund et al. [2009] and Kaufman et al. [2004]—to avoid cumbersome runtime bounds.

3.2. Eligible Sets

The basic idea behind our results is to construct a valid plan by partitioning the set of steps $S$ into blocks of steps, each of which is allocated to a single (authorized) user. More formally, let $\pi$ be a valid plan for a workflow $(S, U, \leq, A, C)$ and define an equivalence relation $\sim_\pi$ on $S$, where $s \sim_\pi s'$ if and only if $\pi(s) = \pi(s')$. We denote the set of equivalence classes of $\sim_\pi$ by $S/\pi$ and write $[s]_\pi$ to denote the equivalence class containing $s$.
An equivalence class in $S/\pi$ comprises the set of steps that are assigned to a single user by plan $\pi$. It is easy to see that there are certain “forbidden” subsets $S'$ of $S$ for which there cannot exist a valid plan $\pi$ such that $S' \in S/\pi$. Consider, for example, the constraint $(\neq, s, s')$: then, for any valid plan $\pi$, it must be the case that $[s]_\pi \neq [s']_\pi$; in other words, there does not exist a valid plan $\pi$ such that $\{s, s'\} \in S/\pi$. This motivates the following definition.

Definition 3.1. Given a workflow $(S, U, \leq, A, C)$ and a constraint $\gamma \in C$, a set $F \subseteq S$ is $\gamma$-ineligible if any plan $\pi : S \to U$ such that $F \in S/\pi$ violates $\gamma$. We say $F$ is eligible if and only if it is not ineligible. We say $F \subseteq S$ is $C$-ineligible or simply ineligible if $F$ is $\gamma$-ineligible for some $\gamma \in C$.

A necessary condition for a valid plan is that no equivalence class is an ineligible set; equivalently, every equivalence class in a plan must be an eligible set. For many constraints $\gamma$, we can determine whether $F \subseteq S$ is $\gamma$-ineligible or not in time polynomial in the number of steps. Consider, for example, the requirement that no user executes more than $t$ steps: then $F \subseteq S$ is eligible if and only if $|F| \leq t$. Similarly, we can test for the ineligibility of $F$ with respect to $(\neq, \{s_1, s_2\})$ by determining whether $F \supseteq \{s_1, s_2\}$.

Definition 3.2. We say a constraint $\gamma$ is regular if any plan $\pi$ in which each equivalence class $[s]_\pi$ is an eligible set satisfies $\gamma$.

The regularity of a constraint is a sufficient condition to guarantee that we can construct a valid plan using eligible sets. With one exception, all constraints we consider are regular.

PROPOSITION 3.3. All counting constraints are regular and all entailment constraints of the form $(\neq, S_1, S_2)$ are regular. Entailment constraints of the form $(=, S_1, S_2)$ are regular if at least one of $S_1$ and $S_2$ is a singleton set.

PROOF. The result is trivial for counting constraints.
Given an entailment constraint $(\neq, S_1, S_2)$, a plan $\pi$ in which all equivalence classes are eligible, and $[s]_\pi$ for some $s \in S_1 \cup S_2$, we have that $[s]_\pi \not\supseteq S_1 \cup S_2$ (since, by assumption, $[s]_\pi$ is eligible). Hence, there exists an element $s' \in S_1 \cup S_2$ with $s' \notin [s]_\pi$. Since the equivalence classes in $S/\pi$ form a partition of $S$, there exists an equivalence class $[s']_\pi \neq [s]_\pi$. Hence, the constraint is satisfied (since each equivalence class is assigned to a different user). Thus the constraint is regular.

We demonstrate, by exhibiting a counterexample, that a partition of $S$ into eligible sets does not guarantee the satisfaction of a Type 3 constraint of the form $(=, S_1, S_2)$. Consider, for example, $S = \{s_1, s_2, s_3, s_4\}$ and the constraint $(=, \{s_1, s_2\}, \{s_3, s_4\})$. Then $\{s_1\}, \dots, \{s_4\}$ are eligible sets, but a plan in which $u_i$ is assigned to $s_i$ is not valid.

Finally, consider the Type 2 constraint $(=, s_1, S_2)$. Any eligible set for this constraint that contains $s_1$ must contain an element of $S_2$. Hence a partition of $S$ into eligible sets ensures that the constraint will be satisfied (and hence that the constraint is regular).

3.3. Reducing WSP to MAX WEIGHTED PARTITION

We now state and prove our main result. We believe this result subsumes existing results in the literature on the complexity of WSP. Moreover, the result considerably enhances our understanding of the types of constraints that can be used in a workflow specification if we wish to preserve fixed-parameter tractability of WSP. We explore the consequences and applications of our result in Sections 4 and 5.

THEOREM 3.4. Let $W = (S, U, \leq, A, C)$ be a workflow specification such that (i) each constraint $\gamma$ is regular and (ii) there exists an algorithm that can determine whether $F \subseteq S$ is $\gamma$-eligible in time polynomial in $k$. Then the workflow satisfiability problem for $W$ can be solved in time $\widetilde{O}(2^k(c + n^2))$.

The proof of this result reduces an instance of WSP to an instance of the MAX WEIGHTED PARTITION problem, which, by a result of Björklund et al. [2009], is FPT.
We state the problem and the relevant result, before proving Theorem 3.4.

MAX WEIGHTED PARTITION
Input: A set $S$ of $k$ elements and $n$ functions $\phi_i$, $i \in [n]$, from $2^S$ to integers from the range $[-M, M]$ ($M \geq 1$).
Output: An $n$-partition $(F_1, \dots, F_n)$ of $S$ that maximizes $\sum_{i=1}^{n} \phi_i(F_i)$.

THEOREM 3.5 (BJÖRKLUND ET AL. [2009]). MAX WEIGHTED PARTITION can be solved in time $\widetilde{O}(2^k n^2 M)$.

PROOF OF THEOREM 3.4. We construct a binary matrix with $n$ rows (indexed by elements of $U$) and $2^k$ columns (indexed by elements of $2^S$): every entry in the column labeled by the empty set is defined to be 1; the entry indexed by $u \in U$ and $F \subseteq S$ is defined to be 0 if and only if $F \neq \emptyset$ is $C$-ineligible or there exists $s \in F$ such that $(s, u) \notin A$. In other words, the non-zero matrix entry indexed by $u$ and $F$ defines a $C$-eligible set and $u$ is authorized for all steps in $F$, and thus represents a set of steps that could be assigned to a single user in a valid plan.

The matrix defined above encodes a family of functions $\{\phi_u\}_{u \in U}$, $\phi_u : 2^S \to \{0, 1\}$. We now solve MAX WEIGHTED PARTITION on input $S$ and $\{\phi_u\}_{u \in U}$. Given that $\phi_u(F) \leq 1$, $\sum_{u \in U} \phi_u(F_u) \leq n$, with equality if and only if we can partition $S$ into different $C$-eligible blocks and assign them to different users. Since each $\gamma$ is regular, $W$ is satisfiable if and only if MWP returns a partition having weight $n$.
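The construction in the proof of Theorem 3.4 can be run on a small instance. The following Python code is an added example, not code from the paper: it implements the eligibility test of Section 3.2 for counting constraints, $(\neq, S_1, S_2)$ constraints and Type 2 $(=, s_1, S_2)$ constraints, and then looks for a partition of $S$ into eligible, authorized blocks with a plain dynamic program over subsets (about $n \cdot 3^k$ block tests), used here in place of the Björklund et al. algorithm. Assumptions: the users, the authorization relation and every constraint except the sign/countersign separation are constructed for illustration; step names follow the legend of Figure 1.

```python
def eligible(F, constraints):
    """True if block F (one user's complete set of steps) is C-eligible."""
    for c in constraints:
        if c[0] == "count":                 # (t_l, t_r, S')
            _, tl, tr, Sp = c
            m = len(F & Sp)
            if m and not tl <= m <= tr:
                return False
        elif c[0] == "neq":                 # (!=, S1, S2): F must not contain S1 u S2
            _, S1, S2 = c
            if F >= (S1 | S2):
                return False
        else:                               # "eq": Type 2 (=, s1, S2)
            _, s1, S2 = c
            if s1 in F and not (F & S2):
                return False
    return True


def satisfies(plan, auth, constraints):
    """Check a plan directly against Definition 2.2 and Section 2.2."""
    if any(s not in auth[u] for s, u in plan.items()):
        return False
    for c in constraints:
        if c[0] == "count":
            _, tl, tr, Sp = c
            for u in set(plan.values()):
                m = sum(1 for s in Sp if plan[s] == u)
                if m and not tl <= m <= tr:
                    return False
        elif c[0] == "neq":
            _, S1, S2 = c
            if not any(plan[a] != plan[b] for a in S1 for b in S2):
                return False
        else:
            _, s1, S2 = c
            if not any(plan[s1] == plan[b] for b in S2):
                return False
    return True


def solve_wsp(steps, users, auth, constraints):
    """Return a valid plan {step: user}, or None if none exists."""
    k = len(steps)
    idx = {s: i for i, s in enumerate(steps)}
    full = (1 << k) - 1

    def to_set(mask):
        return frozenset(s for s in steps if mask >> idx[s] & 1)

    # Column test of the matrix: the empty set is always allowed.
    ok = [True] + [eligible(to_set(m), constraints) for m in range(1, full + 1)]
    # parent[mask] = (previous mask, user, block) for covered-step sets.
    parent = {0: None}
    for u in users:
        allowed = sum(1 << idx[s] for s in auth[u])
        for prev in list(parent):           # snapshot: one block per user
            free = full & ~prev & allowed
            F = free
            while F:                        # non-empty submasks of free
                if ok[F] and (prev | F) not in parent:
                    parent[prev | F] = (prev, u, F)
                F = (F - 1) & free
    if full not in parent:
        return None
    plan, mask = {}, full
    while parent[mask] is not None:
        prev, u, F = parent[mask]
        for s in to_set(F):
            plan[s] = u
        mask = prev
    return plan


# Constructed sample instance (users and authorizations are hypothetical).
STEPS = ["s1", "s2", "s3", "s4", "s5", "s6"]
AUTH = {"alice": {"s1", "s3", "s4"},
        "bob": {"s2", "s5", "s6"},
        "carol": {"s2", "s3", "s6"}}
CONSTRAINTS = [
    ("neq", frozenset({"s3"}), frozenset({"s5"})),  # sign / countersign GRN
    ("neq", frozenset({"s1"}), frozenset({"s2"})),  # constructed
    ("eq", "s1", frozenset({"s4"})),                # constructed, Type 2
    ("count", 1, 2, frozenset(STEPS)),              # constructed threshold
]

if __name__ == "__main__":
    print(solve_wsp(STEPS, ["alice", "bob", "carol"], AUTH, CONSTRAINTS))
    two = {u: AUTH[u] for u in ("alice", "bob")}
    print(solve_wsp(STEPS, ["alice", "bob"], two, CONSTRAINTS))
```

Because every constraint kind handled here is regular (Proposition 3.3), any plan the search returns also passes the direct check in `satisfies`.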