This work addresses the security decision problem for Next-Generation Access Control (NGAC): given a policy and attribute configuration, determine whether any policy violation exists. Theoretically, we establish, for the first time, that this problem is coNP-complete under mild assumptions—thereby precisely characterizing its computational complexity boundary. Algorithmically, we propose the first decision procedure explicitly optimized for realistic constraints—including bounded attribute cardinality and attribute exclusivity—avoiding brute-force enumeration. Empirical evaluation demonstrates speedups of several orders of magnitude over naive search. Key contributions include: (i) the first formal complexity-theoretic characterization of NGAC security decidability; (ii) a constraint modeling and solving framework that balances formal correctness with practical efficiency; and (iii) the identification that attribute exclusivity critically degrades worst-case performance, along with empirical characterization of real-world attribute patterns that induce near-worst-case behavior.

We study the safety problem for the next-generation access control (NGAC) model. We show that under mild assumptions it is coNP-complete, and under further realistic assumptions we give an algorithm for the safety problem that significantly outperforms naive brute force search. We also show that real-world examples of mutually exclusive attributes lead to nearly worst-case behavior of our algorithm.