We use the language of propositional logic to represent RBAC optimisation instances. The question we ask is not simply about the satisfiability of a logic statement by some propositional model (SAT), because we need to also express preferences between conflicting objectives (similarity and simplicity of the output RBAC state). It turns out a slightly different, “optimising” framework perfectly suited to our needs is Max-SAT, which considers all possible truth assignments to the input formula and picks the best one according to a fitness metric defined in the Max-SAT language itself (“SAT and Max-SAT”, “Hard constraints”, “Soft constraints” and “RBAC optimisation” sections).
As far as the plan synthesis problem is concerned, we use the language of domain-dependent automated planning by (Ghallab et al. 2004). This framework supports the definition of optimisation problems which consist in finding the course of RBAC actions to transform the input into the target RBAC state while minimising the number of required actions as fitness metric (“Plan synthesis” section). By solving such a planning problem, one finds the best (shortest) sequence of actions to reach the desired RBAC state.
SAT and Max-SAT
A SAT problem (Cook 1971) is solved by assigning a truth value in {True, False} to each Boolean variable that appears in the input propositional formula in such a way that the formula as a whole evaluates to True. If at least one such assignment exists, the formula is satisfiable and the satisfying assignment is called a model; otherwise, the formula is unsatisfiable (inconsistent) and it has no model. This problem is intractable (NP-complete) in general, yet several highly efficient solvers exist that in practice solve real-world problems with millions of variables in reasonable time.
Given any UPA matrix, its factorisation into UA⊗PA=UPA for some number of roles k can be directly expressed in SAT as:
$$ \bigwedge_{ij} \left[{UPA}_{ij} \leftrightarrow \vee_{l=1}^{k} ({UA}_{il} \wedge {PA}_{lj})\right] $$
(1)
Equation (1) is a SAT instance with k(m+n) variables. Without loss of generality, most SAT solvers require input formulas in Conjunctive Normal Form (CNF), i.e., a conjunction of clauses, each clause being a disjunction of literals. By either reworking the formula (possibly enlarging its size) or adding auxiliary variables, it is possible to rewrite any non-CNF problem like (1) in CNF.
In SAT, all clauses have to be satisfied for the formula to be declared satisfiable. The Maximum Satisfiability problem (Max-SAT) is a variant of SAT that relaxes this premise. The goal of Max-SAT is to find an assignment that makes true the largest possible subset of clauses: some may remain unsatisfied. Partial Max-SAT is another variant in which some clauses are declared hard and must be satisfied no matter what, as in SAT, while others are declared soft: As many of them as possible must be satisfied, à la Max-SAT. Yet another variant is Weighted Max-SAT, that generalises Max-SAT by associating a positive real or integer weight to each input clause: An assignment that maximizes the sum of the weights of satisfied clauses, rather than just their number, is sought (clauses left unsatisfied contribute nothing to the sum).
Finally, the Weighted Partial Max-SAT (WPMS) language combines both features: It finds an assignment that satisfies all hard clauses while maximizing the cumulative weight of satisfied soft clauses. We employ WPMS here (and call it simply Max-SAT).
Hard constraints
Hard clauses are well suited to represent invariants that must hold on any RBAC state we may possibly output, and in particular to capture condition (a) from “Maintenance of an RBAC state” section.
The input RBAC state is represented by two boolean matrices UA0 and PA0 such that UA0⊗PA0=UPA0. UA0 and PA0 are respectively a m×k0 and a k0×n boolean matrices having non-empty roles, i.e.,
$${}\forall_{t=1,..,k^{0}} \left(\bigvee_{i=1,..,m} UA^{0}_{i,t} = True\right) \wedge \left(\bigvee_{j=1,..,n} PA^{0}_{t,j} = True\right) $$
We consider exceptions \(e \in \mathbb {E}\) and violations \(v \in \mathbb {V}\). An exception e:p→u is meant to grant permission p to user u, assuming it was \(UPA^{0}_{u,p} = False\). A violation v:p→u is meant to revoke permission p from user u, assuming it was \(UPA^{0}_{u,p} = True\).
We define \(EXC(\mathbb {E})\) as the m×n boolean matrix that is True at position (u,p) if \(e:p \rightarrow u \in \mathbb {E}\) and False otherwise, and \(VIOL(\mathbb {V})\) as the m×n boolean matrix that is True at position (u,p) if \(v:p \rightarrow u \in \mathbb {V}\) and False otherwise.
We then need k(m+n) variables to represent the unknown elements of the updated Role-to-User (UA) and Permissions-to-Role (PA) matrices, where m, k, and n are the number of users, roles, and permissions.
We have to find two boolean matrices UA and PA such that:
$$ UA \otimes PA = UPA^{0} \oplus (EXC(\mathbb{E}) + VIOL(\mathbb{V})) = UPA $$
(2)
where ⊕ is the element-by-element exclusive-or operator, while + is the element-by-element or operator. In terms of the variables defining UA and PA, for each user i=1,..,m and for each permission j=1,...,n, this can be written as:
$$ {\begin{aligned} \bigwedge_{i,j} F_{i,j}\text{, where } F_{i,j} & {:=} \left(\vee_{t \in [1,k]} {UA}_{i,t} \wedge {PA}_{t,j} \right)\\ &= UPA^{0}_{i,j} \oplus ({EXC}_{i,j}(\mathbb{E}) + {VIOL}_{i,j}(\mathbb{V})) \end{aligned}} $$
The formulas Fi,j are not in CNF, thus we convert them into CNF. Two different cases have to be taken into account:
$$\begin{aligned} \left(\begin{array}{ccc} \ldots & \ldots & \ldots \\ {UA}_{i_{0},1} & \ldots & {UA}_{i_{0},k} \\ \vdots & \vdots & \vdots \\ {UA}_{i_{1},1} & \ldots & {UA}_{i_{1},k} \\ \ldots & \ldots & \ldots \\ \end{array}\right)\left(\begin{array}{ccccc} \ldots & {PA}_{1,j_{0}} & \ldots & {PA}_{1,j_{1}} & \ldots \\ \vdots & \vdots & \vdots & \vdots & \vdots \\ \ldots & {PA}_{k,j_{0}} & \ldots & {PA}_{k,j_{1}} & \ldots \\ \end{array}\right) =\\ & \qquad\quad \ \ j_{0} \qquad\quad \ j_{1} \\ \begin{array}{c} i_{0} \\ i_{1}\end{array} & \left(\begin{array}{ccccc} \ldots & \ldots & \ldots & \ldots & \ldots \\ \ldots & False & \ldots & \ldots & \ldots \\ \vdots & \vdots & \vdots & \vdots & \vdots \\ \ldots & \ldots & \ldots & True & \ldots \\ \ldots & \ldots & \ldots & \ldots & \ldots \end{array}\right) \end{aligned} $$
If UPAi,j is False, such as at index (i0,j0) above, we have:
$$\left[\bigvee_{t \in [1,k]} ({UA}_{i,t} \wedge {PA}_{t,j})\right] = False $$
which can be rewritten as a set of clauses by negating both sides:
$$ {hasnt}_{i,j}(UA,PA) \colon = \bigwedge_{t \in [1,k]} (\neg {UA}_{i,t} \vee \neg {PA}_{t,j}) $$
(3)
If UPAi,j is True, such as at index (i1,j1), we have:
$$\left[\bigvee_{t \in [1,k]} ({UA}_{i,t} \wedge {PA}_{t,j})\right] = True $$
Here we apply the Tseytin transformation (Tseitin 1983) by inserting k auxiliary variables {aux1,…,auxk}, one for each disjunct:
$$\left\{ \begin{array}{ll} \bigvee_{t \in [1,k]} {aux}_{t}\\ \bigwedge_{t \in [1,k]} {aux}_{t} \leftrightarrow ({UA}_{i,t} \wedge {PA}_{t,j}) \end{array} \right. $$
which is equivalent to the CNF form:
$$ {}{has}_{i,j}(UA,PA) \colon = \left\{ \begin{array}{ll} \bigvee_{t \in [1,k]} {aux}_{t}\\ \bigwedge_{t \in [1,k]} (\neg {aux}_{t} \vee {UA}_{i,t}) \wedge (\neg {aux}_{t} \vee {PA}_{t,j})\\ \bigwedge_{t \in [1,k]} ({aux}_{t} \vee \neg {UA}_{i,t} \vee \neg {PA}_{t,j}) \end{array} \right. $$
(4)
Overall, the hard clauses that guarantee we are both incorporating the exceptions in \(\mathbb {E}\) and removing the violations in \(\mathbb {V}\) are:
$$\begin{array}{*{20}l} {}exc\_viol(UA,PA) \colon &= \bigwedge_{i,j | {UPA}_{i,j}} {has}_{i,j}(UA,PA)\\ &\wedge \bigwedge_{i,j | \neg {UPA}_{i,j}} {hasnt}_{i,j}(UA,PA) \end{array} $$
(5)
Soft constraints
We use soft clauses to express constraints that we know are in trade-off and cannot always be satisfied simultaneously. In particular, we want to capture the conditions (i) and (ii) at point (b) in “Maintenance of an RBAC state” section.
Identity. To express the condition that the output RBAC state (UA,PA) must be identical to the input state (UA0,PA0) we write:
$$\left\{ \begin{array}{ll} \bigwedge_{i\in[1,m],j\in[1,k]} {UA}_{i,j} \leftrightarrow UA^{0}_{i,j} \\ \bigwedge_{i\in[1,k],j\in[1,n]} {PA}_{i,j} \leftrightarrow PA^{0}_{i,j} \\ \end{array} \right. $$
which in CNF is:
$$ {}eq(UA,PA) \colon\! \,=\, \left\{\!\! \begin{array}{ll} \bigwedge_{i,j} \left({UA}_{i,j} \vee \neg UA^{0}_{i,j}\right) \wedge \left(\neg {UA}_{i,j} \vee UA^{0}_{i,j}\right) \\ \bigwedge_{i,j} \left({PA}_{i,j} \vee \neg PA^{0}_{i,j}\right) \wedge \left(\neg {PA}_{i,j} \vee PA^{0}_{i,j}\right) \\ \end{array} \right. $$
(6)
Note that exc_viol(UA,PA)∧eq(UA,PA) is unsatisfiable by construction in the traditional SAT sense.
Sparsification. To express the condition that the output RBAC state (UA,PA) must be as “simple” as possible we need to adopt some notion of simplicity. The two simplifying conditions we consider are: (i) a reduction in the number of Roles-to-User and/or Permission-to-Role assignments (“sparsification”), and (ii) a reduction in the number of roles (see next section, “Contraction”).
According to (i), the sparsest possible RBAC state would be:
$$ {}sparse(UA,PA) \colon = \left\{ \begin{array}{ll} \bigwedge_{i\in [1,m],j\in[1,k], UA^{0}_{i,j}=1} \neg {UA}_{i,j}\\ \bigwedge_{i\in [1,k],j\in[1,n], PA^{0}_{i,j}=1} \neg {PA}_{i,j}\\ \end{array} \right. $$
(7)
Contraction. Sometimes, incorporating an exception or removing a violation makes it possible to satisfy Eq. 2 with one less role than those present in (UA0,PA0). The soft constraint sparse(UA,PA) is not sufficient to prefer a reduction in the number of roles over similarly-sized but sparse unassignments from UA. The fact that role j is no longer in use in the target RBAC state is represented by a column of 0’s in the Role-to-User assignment matrix (UA); so the condition is:
$$ contr(UA) \colon = \bigwedge_{j\in[1,k]} {unused}_{j}(UA) $$
(8)
where {unusedj} are auxiliary variables telling whether role j is assigned to someone (unusedj=False) or not (unusedj=True):
$$ {unused}_{contr}(UA) \colon\! \,=\, \bigwedge_{j\in[1,k]}\! \left[{unused}_{j}(UA) \!\leftrightarrow \!\wedge_{t\in[1,m]} \neg {UA}_{t,j} \right] $$
(9)
Expansion. Dually, it is possible that the only way to incorporate an exception or removing a violation is by adding one role to the state, i.e., one column to UA and one row to PA. In a propositional encoding, the only way to accommodate for a possible expansion of the matrices we handle is to “reserve space” in advance for the additional row and column. This means we actually work with an RBAC state made by a matrix UA+ with \(k+|\mathbb {E}|+|\mathbb {V}|\) columns and a matrix PA+ with \(k+|\mathbb {E}|+|\mathbb {V}|\) rows. The condition that these additional roles stay unused is:
$$ {noexp(UA) \colon = \bigwedge_{j\in[k+1,k+|\mathbb{E}|+|\mathbb{V}|]} {unused}_{j}} $$
(10)
where unusedj is an auxiliary variable telling whether the corresponding additional role remains unused:
$$ {} \begin{aligned} {unused}_{exp}&(UA) \colon\\ &= \bigwedge_{j\in[k+1,k+|\mathbb{E}|+|\mathbb{V}|]} \left[{unused}_{j} \leftrightarrow \wedge_{i\in[1,m]} \neg UA^{+}_{i,j}\right] \end{aligned} $$
(11)
$$ {}unused(UA) \colon = {unused}_{contr}(UA) \wedge {unused}_{exp}(UA) $$
(12)
In an encoding where both contraction and expansion constraints are added, we enforce a coherent interplay between the two opposite effects by saying they must not happen simultaneously:
$$ mutex(UA) \colon = noexp(UA) \vee \neg leastcontr(UA) $$
(13)
where leastcontr tells weather at least a role is no longer in use:
$$leastcontr(UA) \colon = \bigvee_{j\in[1,k]} {unused}_{j}(UA) $$
RBAC optimisation
We have all the pieces to present the complete encoding of the RBAC optmisation problem as a Weighted Partial Max-SAT instance. First, let us list the hard constraints (HC) that any feasible solution must comply with. In addition to those from “Hard constraints” section, all the auxiliary contraints from “Soft constraints” section are hard, because auxiliary propositional variables cannot cause inconsistencies on their own, yet they must always be assigned a consistent value:
$$ \begin{aligned} {}HC&(UA,PA) \colon\\ &= exc\_viol\left(UA^{+},PA^{+}\right) \wedge unused(UA) \wedge mutex(UA) \end{aligned} $$
(14)
Soft constraints (SC) are used to express and balance two potentially conflicting objectives of the RBAC maintenance procedure:
-
1.
maximizing the similarity between the target and the origin RBAC state; in this sense, the higher the weight we assign to clauses in (6), the better;
-
2.
maximizing the simplicity of the target RBAC state (independently of the origin RBAC state); in this sense, the higher the weight we assign to clauses in (7), (8), and (10), the better.
Let us assume the weight of a given clause C is a real valueFootnote 1 w∈[0,1], noted w:C. The notation w:(C1∧…∧Cn) is a shorthand for w/n:C1∧…∧w/n:Cn, while w1:(w2:C) is interpreted as (w1·w2):C. The three components (7), (8), and (10) of the “simplicity” objective are merged into one weighted set of clauses, noted \(\phantom {\dot {i}\!}{SIMP}_{k^{+},k^{-}}(UP,PA)\) and defined as:
$$ {}\nu\!:\!\left[k^{-}:contr(\!UA,PA\!) \wedge sparse(\!UA,PA\!) \wedge k^{+}:noexp(\!UA,PA\!)\!\right] $$
(15)
Here, k−≥0 is a parameter meant to quantify how much we reward the elimination of a role versus to the sparsification of the matrix; k+≥0 measures our adversion to introduce a new role if not strictly necessary. ν:=(1+k−+k+)−1 is a normalization factor meant to ensure the weights of the three components sum up to 1. We assume k−>k+>1, i.e., we value the possibility to expunge a role more than the removal of an equivalent number of assignments; adding roles is a last resort.
Finally, let β∈[0,1] be a balancing parameter that measures the extent to which the RBAC administrator is interested in a simplified (β closer to 1) VS a stable (β closer to 0) RBAC state; we pose:
$$\begin{array}{*{20}l} {}{SC}_{\beta,k^{-},k^{+}}&(UA,PA)\colon\\ &=\! (1-\beta)\! :\! eq(UA,PA) \wedge \beta:{SIMP}_{k^{+},k^{-}}(UA,PA) \end{array} $$
(16)
Given (i) the input RBAC state (UA0,PA0), (ii) the exceptions list \(\mathbb {E}\) to incorporate and the violations to remove in \(\mathbb {V}\), and (iii) some specific values for the parameters β,k+, and k−, we submit to a Max-SAT solver the hard clauses (14) plus the soft clauses (16). The Max-SAT solver returns a fixed RBAC state (UA+,PA+), i.e., a truth assignment to all the \((k+|\mathbb {E}| \cdot |\mathbb {V}|) \cdot (m+n)\) variables that define UA+ and PA+. Note that the encoding is satisfiable by construction, so we always obtain a fixed state.
Plan synthesis
The Plan synthesis phase is activated after the RBAC optimisation in order to determine the plan of actions a security administrator has to carry out to deploy the target RBAC state. The point here is that the Max-SAT solver reasoned on the initial and target RBAC states independently of the course of actions eventually required to transform the former into the latter. The problem of finding such plan, possibly the “best” or “cheapest” one according to some formal metrics, is not trivial.
We formalise the problem as a Planning problem within the PDDL framework (McDermott et al. 1998), one of the reference languages for the planning community. In PDDL, several concepts have to be formalised to produce workable instances: objects are the entities of interest in the world; predicates are the properties of the objects we are interested in, and are either true or false at a certain point; actions change the state of the world by changing the truth value of predicates; they have preconditions that must be met before considering them for execution; the set of predicates that are true at the beginning is called initial state; the set of predicates we want to be true in the final state is called the goal state.
In our formalisation we consider user, permission, and role object types and two predicates: userRole(u,r) (true iff role r is assigned to user u) and rolePermission(r,p) (true iff the permission p is entailed by role r). These two predicates represent the state of UA and PA. The initial and the goal state are defined as the conjunction of predicates which represent the assignments in the initial and final Permission-to-Role and Role-to-User RBAC states (see Eqs. 17–18 where \(\mathbb {N}\) represents the set of potentially added roles, \(|\mathbb {N}| \leq |\mathbb {E} | + |\mathbb {V}|\)).
$$ {\begin{array}{ll} initial\left(UA^{0},PA^{0}\right) \!\colon \! \,=\, \! \left\{ \begin{array}{llll} \bigwedge_{i\in [1,m],j\in[1,k], UA^{0}_{i,j}=1} userRole(u_{i},r_{j})\\ \bigwedge_{i\in [1,m],j\in[1,k], UA^{0}_{i,j}=0} \neg userRole(u_{i},r_{j})\\ \bigwedge_{i\in [1,k],j\in[1,n], PA^{0}_{i,j}=1} rolePermission(r_{i},p_{j})\\ \bigwedge_{i\in [1,k],j\in[1,n], PA^{0}_{i,j}=0} \neg rolePermission(r_{i},p_{j})\\ \bigwedge_{i\in [1,m],j\in [k+1,k+|\mathbb{N}|]} \neg userRole(u_{i},r_{j})\\ \bigwedge_{i \in [k+1,k+|\mathbb{N}|],j\in[1,n]} \neg rolePermission(r_{i},p_{j})\\ \end{array} \right. \end{array}} $$
(17)
$$ {\begin{array}{ll} goal\!\left(UA^{+}\!,PA^{+}\right)\! \colon\! \,=\,\! \left\{\! \begin{array}{llll} \bigwedge_{i\in [1,m],j\in[1,k+|\mathbb{N}|], UA^{+}_{i,j}=1} userRole(u_{i},r_{j})\\ \bigwedge_{i\in [1,m],j\in[1,k+|\mathbb{N}|], UA^{+}_{i,j}=0} \neg userRole(u_{i},r_{j})\\ \bigwedge_{i\in [1,k+|\mathbb{N}|],j\in[1,n], PA^{+}_{i,j}=1} rolePermission(r_{i},p_{j})\\ \bigwedge_{i\in [1,k+|\mathbb{N}|],j\in[1,n], PA^{+}_{i,j}=0} \neg rolePermission(r_{i},p_{j})\\ \end{array} \right. \end{array}} $$
(18)
Actions, whose formalisation depends on the target RBAC system, are defined in terms of input parameters, preconditions, and effects. The set of action templates the planner is allowed to instantiate have to reflect what the RBAC management system at hand exposes to the administrator. In Listing 1–10 we present a fairly basic formalisation of a few core actions common to most RBAC management systems. Listing 1 defines in PDDL the action meant to assign a role r to a user u. User u and role r are input parameters to the action (they will be instantiated to specific values by the planner); the preconditions states that the predicate userRole(u,r) has to be false for the rule to fire, i.e., that r is not already assigned to the user. The effect section states that the predicate userRole(u,r) becomes true, i.e., that role r is assigned to u as a consequence of the action. Similarly, Listing 2, 3 and 4 show how to remove a role from a user and assign/remove a permission to/from a role. Listing 5 shows how to remove a role r from all users by posing to false userRole(u,r) for each user u for which this predicate holds. Similarly, Listing 6 adjusts the predicates to invalidate all the role assignments for an input user. We also make it possible to adjust the predicates in order to remove a single permission from each role (see Listing 7) and to strip a single role from all its permissions (see Listing 8). Listing 9 erases the entire input RBAC state by posing all predicates userRole(u,r) and rolePermission(r,p) to False. Finally, Listing 10 replaces the assignments of a permission from one role to another by inverting the validity of the corresponding rolePermission predicates.
The set of admissible actions (Listing 1–10), along with the initial (Eq. 17) and goal (Eq. 18) RBAC state are issued to a state-of-the-art PDDL planner to synthesise the maintenance plan. In our formalisation all actions have cost 1, thus the optimising planner (that seeks the cheapest plan) looks for the shortest plan. Certain trivial plans of actions may be considered as baselines. In particular: A full rewrite plan consists in erasing the input RBAC state (through deleteUAPA action) and then adding the assignments to achieve the target RBAC state (actions in Listing 1 and 3). The cost (length) of such plan can be easily computed as:
$$ {{baseline}_{rewrite} \colon = 1 + \left|UA^{+}\right| + \left|PA^{+}\right|} $$
(19)
A second trivial plan is diff, which consists in adjusting the differences in terms of assignments occurring between the target and input matrices (actions in listings 1–4) whose cost is:
$$ {{baseline}_{diff} \colon = \left|UA^{+} - UA^{0}\right| + \left|PA^{+} - PA^{0}\right|} $$
(20)
We expect the PDDL planner to find a plan with fewer actions than either baseline.
Solutions and their quality
To assess the quality of UA+,PA+ (both per se and w.r.t. UA0,PA0) we need some synthetic indicators for the two dimensions we are after: simplicity, similarity and maintainability.
Similarity is computed according to the metric defined in Vaidya et al. (2008), which is based on the Jaccard coefficient.
Role-to-Role similarity. The similarity between two roles r1 and r2 granting permissions P1 and P2 respectively is defined as:
$${sim}_{1-1}(r_{1},r_{2})\colon =\frac{|P_{1} \cap P_{2}|}{|P_{1} \cup P_{2}|} $$
Role-to-RoleSet similarity. The similarity between a role r and a set of roles R is defined as:
$${sim}_{1-N}(r,R)\colon = {max}_{r_{x} \in R} {sim}_{1-1}(r,r_{x}) $$
RoleSet-to-RoleSet similarity. The similarity between a set of roles R1 and a set of roles R2 is defined as:
$${sim}_{N-N}(R_{1},R_{2}) \colon = {avg}_{r \in R_{1}} {sim}_{1-N}(r,R_{2}) $$
Similarity. Building on the former definition, we pose the similarity of the target RBAC state (with roles R) to the source RBAC state (with roles R0) as:
$$ sim(R_{0},R) \colon = \frac{{sim}_{N-N}(R_{0},R) + {sim}_{N-N}(R,R_{0})}{2} $$
(21)
This similarity function is always between 0 and 1; in particular, the value 1 is obtained iff R≡R0.
Simplicity is defined in different ways in the relevant literature; metrics taken into account to define it include, but are not limited to, the number of roles, assignments, erroneous permission granted, relations among roles, permission assigned directly, and any combination of these metrics. We start from a definition of “absolute complexity” that grows with the number of roles and the number of assignments in UA and PA:
$$ comp(UA,PA) \colon = (|UA|+|PA|)+ k^{-} \cdot |R| $$
(22)
where R is the set of roles, k− is the parameter to reward elimination of a role versus the the sparsification of the matrixes and UA and PA are the assignments of permissions and rolesFootnote 2. A relative complexity is then computed as the ratio between the complexity of the target state and the complexity of the “trivial” admissible state; in such state, each user is assigned one and only one custom role which entails exactly the set of permissions that user has in UPA. In this configuration, the UA matrix becomes the identity matrix, there are as many roles as users, and all the knowledge about permissions is in PA. The absolute complexity of such trivial state is thus (|UPA|+|U|)+k−·|U|.
The (relative) simplicityFootnote 3 of a state is then:
$$ {spt} = 1 - \frac{|UA| + |PA| + k^{-} \cdot |R| }{ |UPA|+|U| + k^{-} \cdot |U|} $$
(23)
