First, we present three status functions among users, authorization rules, and access tuples of the SOD constraint, defined as follows.

To demonstrate whether the SOD constraints can be satisfied, the different status functions in Definition 6 are used in the following example.

According to

sod_{1} and

Table 13, at least two users are required to collaborate and together have

t_{1},

t_{2}, and

t_{3}, and all these access tuples can be done using either the rules

ar_{1},

ar_{3,} and

ar_{7} or the rules

ar_{2},

ar_{3,} and

ar_{7}. In other words, no user can own these three rules at the same time.

Table 8 shows that

sod_{1} can be satisfied under

γ. Similarly, according to

sod_{2} and

Table 14, any two users cannot own rules

ar_{1},

ar_{3}, and

ar_{5} at the same time.

Table 12 demonstrates, however, that users

u_{1} and

u_{2} can access all the tuples of

sod_{2} through these three rules. Hence,

sod_{2} cannot be satisfied under

γ. Therefore, immediately enforcing SOD constraints in ABAC systems appears to be intractable.

Reducing the problem of verifying SOD constraints in an ABAC system into the construction of MEAR constraints includes two phases: (1) Converting k-n SOD constraints into k-n SOAR constraints and (2) constructing t-m MEAR constraints from k-n SOAR constraints.

#### 4.2.1. Construction of k-n SOAR Constraints from k-n SOD Constraints

Given a constructed rule set AR and a specific SOD constraint <{t_{1}, t_{2}, …, t_{n}}, k> under system status γ, we convert the input instance (<{t_{1}, t_{2}, …, t_{n}}, k>, AR) into an intermediate form according to the following steps:

**Step 1.** For each access tuple t_{i} in the constraint, we identify set tuple_rules_{γ}(t_{i}) as a substitute for t_{i};

**Step 2.** Replace rule set AR with a union of different set of rules associated with each tuple in the constraint.

Then, the corresponding intermediate form, which is denoted as CIF, can be represented as CI F =<{S_{1}, S_{2}, …S_{n}}, AR’>, where S_{i} = tuple_rules_{γ}(t_{i}), and $A{R}^{\prime}={\displaystyle \underset{i=1}{\overset{n}{\cup}}{S}_{i}}\subseteq AR$.

According to the conversion, two conclusions can be made:

- (1)
The process of the conversion does not take value k of the constraint into consideration because, for each k’-n SOAR constraint constructed, k’ takes the value of k in the following process of constructions.

- (2)
AR’ in CIF does not contain the rules in (AR\AR’) because the rules not in AR’ are not relevant to the construction of the SOAR constraints.

A SAT solver takes the formula in CNF as the input parameter for solving the problem, which can identify the total number of different types of such assignments. For the given intermediate form CIF = <{S_{1},S_{2},…S_{n}},AR’>, we next construct a CNF formula F corresponding to CIF through the following steps:

**Step 1.** For each rule ar_{i} in AR’, create the corresponding literal variable $\overline{a{r}_{i}}$;

**Step 2.** For each S_{i} and AR’, create the corresponding clause using the disjunction of different literals, which is formalized as $\overline{a{r}_{1}}\vee \overline{a{r}_{2}}\vee \dots $;

**Step 3.** Construct a CNF formula using the conjunction of different clauses, which is represented as $F=(\underset{i=1}{\overset{n}{\wedge}}{S}_{i}clause)\wedge A{R}^{\prime}clause$.

Thus, a set of several different literals that can satisfy a truth assignment for F forms the SOAR constraint, and all sets of such literals form different types of SOAR constraints, where the value of k remains constant.

**Example** **4.** Consider a SOD constraint sod = <{t_{1}, t_{2}, t_{3}, t_{4}}, 2> in the ABAC system status γ. The corresponding rules associated with each tuple are given in Table 15. First, we convert sod into the intermediate form CIF = <{{ar_{4}}, {ar_{2}}, {ar_{1}, ar_{3}}, {ar_{2}, ar_{3}, ar_{4}}}, {ar_{1}, ar_{2}, ar_{3}, ar_{4}}>. Next, we construct the Boolean formula F for CIF as $F=\overline{a{r}_{4}}\wedge \overline{a{r}_{2}}\wedge (\overline{a{r}_{1}}\vee \overline{a{r}_{3}})\wedge (\overline{a{r}_{2}}\vee \overline{a{r}_{3}}\vee \overline{a{r}_{4}})\wedge (\overline{a{r}_{1}}\vee \overline{a{r}_{2}}\vee \overline{a{r}_{3}}\vee \overline{a{r}_{4}})$. It is readily verified that {$\overline{a{r}_{1}}$, $\overline{a{r}_{2}}$, $\overline{a{r}_{4}}$} can satisfy a truth assignment for F, and <{ar_{1}, ar_{2}, ar_{4}}, 2> is regarded as a SOAR constraint. Moreover, {$\overline{a{r}_{2}}$, $\overline{a{r}_{3}}$, $\overline{a{r}_{4}}$}, $\overline{a{r}_{2}}$, , $\overline{a{r}_{3}}$, $\overline{a{r}_{4}}$} can also satisfy such assignments, and <{ar_{2}, ar_{3}, ar_{4}}, 2>, <{ar_{1}, ar_{2}, ar_{3}, ar_{4}}, 2> are the other two SOAR constraints corresponding to sod.

#### 4.2.2. Construction of t-m MEAR Constraints from k-n SOAR Constraints

In this subsection, we determine how to construct MEAR constraints for the given SOAR constraints. Using the notions of the k-n SOAR constraint and the t-m MEAR constraint, as well as the status function user_rules_{γ}(u) in Definition 6, we can define the safety and satisfiability of the system status as the following.

**Definition** **6.** (Safety of the system status, safe_{soar}(γ)) Given an ABAC system status γ and a k-n SOAR constraint soar = <{ar_{1}, ar_{2}, …ar_{n}}, k>, if any set of (k − −1) users cannot have all the n rules under γ, then γ is safe with respect to soar, which is denoted as safe_{soar}(γ) = 1. Otherwise, γ is unsafe with respect to soar, which is denoted as safe_{soar}(γ) = 0. Let the set of different k-n SOAR constraints be ξ = {soar_{1}, soar_{2}, …}; if γ is safe with respect to each soar_{i}, then γ is safe with respect to ξ, which is denoted as safe_{ξ}(γ) = 1. Otherwise, γ is unsafe with respect to ξ, which is denoted as safe_{ξ}(γ) = 0.

The safety of the system status is formally expressed as:

The unsafety of the system status is formally expressed as:

**Definition** **7.** (Satisfiability of the system status, satisfied_{mear}(γ)) Given an ABAC system status γ and a t-m MEAR constraint mear = <{ar_{1}, ar_{2}, … ar_{m}}, t>, if no user is allowed to have t or more of these m rules under γ, then γ is satisfied with respect to mear, which is denoted as satisfied_{mear}(γ) = 1. Otherwise, γ is unsatisfied with respect to mear, which is denoted as satisfied_{mear}(γ) = 0. Let the set of different t-m MEAR constraints be ψ = {mear_{1}, mear_{2}, …}; if γ is satisfied with respect to each mear_{i}, then γ is satisfied with respect to ψ, which is denoted as satisfied_{ψ}(γ) = 1. Otherwise, γ is unsatisfied with respect to ψ, which is denoted as satisfied_{ψ}(γ) = 0.

The satisfiability of the system status is formally expressed as:

The unsatisfiability of the system status is formally expressed as:

**Statement** **1.** Given an ABAC system status γ and a set of SOAR constraints ξ = {soar_{1}, soar_{2}, …}, the process for verifying whether γ is safe with respect to ξ is in P.

**Proof.** We prove this statement through the following three steps: (1) Use status function user_rules_{γ}() and identify user_rules_{γ}(u) for some user u under γ (2). Based on the formal expression in Definition 7, identify the number of the rules in user_rules_{γ}(u) present in any sod, which is represented as s, and (3) compare s with k included in sod. These steps can be readily computed. If |U|,|AR|, and |ξ| are used to represent the total number of users, the number of authorization rules and the number of SOAR constraints under γ, respectively, then the computational complexity for verifying whether safe_{ξ}(γ) is true is O(|U|×|AR|×|ξ|), which is polynomial time. Thus, the verification process for enforcing the SOAR constraints is in P. □

**Statement** **2.** Given an ABAC system status γ and a set ψ of MEAR constraints, the process of verifying whether γ is satisfied with respect to ψ is also in P.

**Proof** **.** This verification is similar to that of Theorem 1, so the detailed process is omitted due to limited space. Here, the enforcement of MEAR constraints under γ is also available in polynomial time. □

**Definition** **8.** (Implicit enforcement of SOAR constraints) Given a k-n SOAR constraint soar and a t-m MEAR constraint set ψ = {mear_{1}, mear_{2}, …} in the system status γ, soar can be implicitly enforced by ψ if and only if ∀mear ∊ ψ :satisfied_{mear}(γ) ⇒safe_{soar}(γ).

Then, we present an approach for constructing

t-m MEAR constraints in Algorithm 3, which takes a

k-n SOAR constraint constructed from a

k-n SOD constraint as input and outputs a set of MEAR constraints that can implicitly enforce SOAR.

**Algorithm****3** Construction of t-m MEAR constraints |

**Input:**k-n SOAR constraint soar = <{ar_{1},ar_{2},…ar_{n}},k>, where 2 ≤ k ≤ n
**Output:** set ψ of t-m MEAR constraints 1. Initialize ψ = ø; 2. **if** k == 2 **then** 3. ψ = {<{ar_{1},ar_{2},…ar_{n}},n>}; 4. **else if** k == n **then** 5. ψ = {<{ar_{1},ar_{2},…ar_{n}},2>}; 6. **else** 7. **for** t = 2 to $\lfloor \frac{n-1}{k-1}\rfloor +1$ **do** 8. m = (k-1) × (t-1)+1; 9. **for** any subset {ar_{1},ar_{2},…ar_{m}’} in {ar_{1},ar_{2},…ar_{n}} **do** 10. ψ = ψ∪{<{ar_{1},ar_{2},…ar_{m}’},t>}; 11. **end for** 12. **end for** 13.**end if** |

As observed from Lines 2–5 in Algorithm 3, two lemmas can be determined with the following:

**Lemma** **1.** Given a 2-n SOAR constraint, it can be efficiently enforced by the t-m MEAR constraint if and only if m = n, and t = n.

**Lemma** **2.** Given a n-n SOAR constraint, it can be efficiently enforced by the t-m MEAR constraint if and only if m = n, and t = 2.

**Theorem** **1.** Given a k-n SOAR constraint (k > 2), it can be efficiently enforced by the constructed t-m MEAR constraints through Algorithm 3 if $t\le (\lfloor \frac{n-1}{k-1}\rfloor +1)$

**Proof** **.** According to Definitions 7 and 8, any user is allowed to have (t − 1) rules at most, and any (k − 1) users are allowed to have (k − 1) × (t − 1) rules at most. We use the method of contradiction to prove this theorem. Without a loss of generality, assume that $t=\lfloor \frac{n-1}{k-1}\rfloor +1+1$; the k-n SOAR constraint is still satisfied, i.e., the number of rules associated with (k − 1) users is $(k-1)\times (\lfloor \frac{n-1}{k-1}\rfloor +2-1)\approx n-1+k-1>n$, which breaches the k-n SOAR constraint. Thus, the assumption is false. □

To further demonstrate the effectiveness of Algorithm 3, we next provide an example to show the construction of MEAR constraints from a given SOD constraint.

**Example** **5.** Given a set of authorization rulesAR = {ar_{1}, ar_{2}, ar_{3}, ar_{4}, ar_{5}} and a SOD constraint sod = <{t_{1}, t_{2}, t_{3}, t_{4}, t_{5}}, 3> in the ABAC system status γ, let the sets of tuple_rules_{γ}(t) with respect to sod be {ar_{1}, ar_{2}}, {ar_{3}}, {ar_{2}, ar_{3}}, {ar_{4}}, and {ar_{4}, ar_{5}}, respectively.

Then, for sod, the corresponding soars that can be constructed using the method of SAT-based model counting are as follows:

{<{ar_{2}, ar_{3}, ar_{4}}, 3>, <{ar_{1}, ar_{3}, ar_{4}}, 3>, <{ar_{1}, ar_{2}, ar_{3}, ar_{4}}, 3>, <{ar_{1}, ar_{3}, ar_{4}, ar_{5}}, 3>, <{ar_{2}, ar_{3}, ar_{4}, ar_{5}}, 3>, <{ar_{1}, ar_{2}, ar_{3}, ar_{4}, ar_{5}}, 3>}.

The different sets of

mears constraints corresponding to each

soar according to Algorithm 3 are given in

Table 16.