skip to main content
10.1145/1133058.1133077acmconferencesArticle/Chapter ViewAbstractPublication PagessacmatConference Proceedingsconference-collections
Article

Constraint generation for separation of duty

Published: 07 June 2006 Publication History

Abstract

Separation of Duty (SoD) is widely recognized to be a fundamental principle in computer security. A Static SoD (SSoD) policy states that in order to have all permissions necessary to complete a sensitive task, the cooperation of at least a certain number of users is required. In Role-Based Access Control (RBAC), Statically Mutually Exclusive Role (SMER) constraints are used to enforce SSoD policies. This paper studies the problem of generating sets of constraints that (a) enforce a set of SSoD policies, (b) are compatible with the existing role hierarchy, and (c) are minimal in the sense that there is no other constraint set that is less restrictive and satisfies (a) and (b).

References

[1]
G.-J. Ahn and R. S. Sandhu. The RSL99 language for role-based separation of duty constraints. In Proceedings of the 4th Workshop on Role-Based Access Control, pages 43--54, 1999.
[2]
G.-J. Ahn and R. S. Sandhu. Role-based authorization constraints specification. ACM Transactions on Information and System Security, 3(4):207--226, Nov. 2000.
[3]
ANSI. American national standard for information technology -- role based access control. ANSI INCITS 359-2004, Feb. 2004.
[4]
D. D. Clark and D. R. Wilson. A comparision of commercial and military computer security policies. In Proceedings of the 1987 IEEE Symposium on Security and Privacy, pages 184--194. IEEE Computer Society Press, May 1987.
[5]
J. Crampton. Authorizations and Antichains. PhD thesis, Birbeck College, University of London, UK, 2002.
[6]
J. Crampton. Specifying and enforcing constraints in role-based access control. In Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies (SACMAT 2003), pages 43--50, Como, Italy, June 2003.
[7]
N. Een and N. Sorensson. The minisat page. http://www.cs.chalmers.se/Cs/Research/FormalMethods/MiniSat/.
[8]
D. F. Ferraiolo, J. A. Cuigini, and D. R. Kuhn. Role-based access control (RBAC): Features and motivations. In Proceedings of the 11th Annual Computer Security Applications Conference (ACSAC'95), Dec. 1995.
[9]
D. F. Ferraiolo and D. R. Kuhn. Role-based access control. In Proceedings of the 15th National Information Systems Security Conference, 1992.
[10]
D. F. Ferraiolo, D. R. Kuhn, and R. Chandramouli. Role-Based Access Control. Artech House, Apr. 2003.
[11]
D. F. Ferraiolo, R. S. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Transactions on Information and Systems Security, 4(3):224--274, Aug. 2001.
[12]
M. R. Garey and D. J. Johnson. Computers And Intractability: A Guide to the Theory of NP-Completeness. W.H. Freeman and Company, 1979.
[13]
V. D. Gligor, S. I. Gavrila, and D. F. Ferraiolo. On the formal definition of separation-of-duty policies and their composition. In Proceedings of IEEE Symposium on Research in Security and Privacy, pages 172--183, May 1998.
[14]
T. Jaeger. On the increasing importance of constraints. In Proceedings of ACM Workshop on Role-Based Access Control, pages 33--42, 1999.
[15]
T. Jaeger and J. E. Tidswell. Practical safety in flexible access control models. ACM Transactions on Information and System Security, 4(2):158--190, May 2001.
[16]
D. R. Kuhn. Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems. In Proceedings of the Second ACM Workshop on Role-Based Access Control (RBAC'97), pages 23--30, Nov. 1997.
[17]
N. Li, Z. Bizri, and M. V. Tripunitara. On mutually-exclusive roles and separation of duty. In Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS-11), pages 42--51. ACM Press, Oct. 2004.
[18]
N. Li, Z. Bizri, and M. V. Tripunitara. On mutually-exclusive roles and separation of duty. Technical Report CERIAS-TR-2004-21, Center for Education and Research in Information Assurance and Security, Purdue University, June 2004.
[19]
M. J. Nash and K. R. Poland. Some conundrums concerning separation of duty. In Proceedings of IEEE Symposium on Research in Security and Privacy, pages 201--209, May 1990.
[20]
C. H. Papadimitriou. Computational Complexity. Addison Wesley Longman, 1994.
[21]
J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278--1308, September 1975.
[22]
R. Sandhu. Separation of duties in computerized information systems. In Proceedings of the IFIP WG11.3 Workshop on Database Security, Sept. 1990.
[23]
R. S. Sandhu. Transaction control expressions for separation of duties. In Proceedings of the Fourth Annual Computer Security Applications Conference (ACSAC'88), Dec. 1988.
[24]
R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. IEEE Computer, 29(2):38--47, February 1996.
[25]
T. T. Simon and M. E. Zurko. Separation of duty in role-based environments. In Proceedings of The 10th Computer Security Foundations Workshop, pages 183--194. IEEE Computer Society Press, June 1997.
[26]
J. Tidswell and T. Jaeger. An access control model for simplifying constraint expression. In Proceedings of ACM Conference on Computer and Communications Security, pages 154--163, 2000.

Cited By

View all
  • (2024)A Framework for Managing Separation of Duty PoliciesProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670912(1-10)Online publication date: 30-Jul-2024
  • (2016)Interoperability of Relationship- and Role-Based Access ControlProceedings of the Sixth ACM Conference on Data and Application Security and Privacy10.1145/2857705.2857706(231-242)Online publication date: 9-Mar-2016
  • (2016)Role mining using answer set programmingFuture Generation Computer Systems10.1016/j.future.2014.10.01855:C(336-343)Online publication date: 1-Feb-2016
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
SACMAT '06: Proceedings of the eleventh ACM symposium on Access control models and technologies
June 2006
256 pages
ISBN:1595933530
DOI:10.1145/1133058
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 June 2006

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. constraints
  2. role based access control
  3. separation of duty

Qualifiers

  • Article

Conference

SACMAT06
Sponsor:

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)2
  • Downloads (Last 6 weeks)0
Reflects downloads up to 17 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2024)A Framework for Managing Separation of Duty PoliciesProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670912(1-10)Online publication date: 30-Jul-2024
  • (2016)Interoperability of Relationship- and Role-Based Access ControlProceedings of the Sixth ACM Conference on Data and Application Security and Privacy10.1145/2857705.2857706(231-242)Online publication date: 9-Mar-2016
  • (2016)Role mining using answer set programmingFuture Generation Computer Systems10.1016/j.future.2014.10.01855:C(336-343)Online publication date: 1-Feb-2016
  • (2014)Access Control Models for Online Social NetworksDigital Arts and Entertainment10.4018/978-1-4666-6114-1.ch021(451-484)Online publication date: 2014
  • (2014)Attribute based access control constraint based on subject similarity2014 IEEE Workshop on Advanced Research and Technology in Industry Applications (WARTIA)10.1109/WARTIA.2014.6976238(226-229)Online publication date: Sep-2014
  • (2013)Access Control Models for Online Social NetworksSocial Network Engineering for Secure Web Data and Services10.4018/978-1-4666-3926-3.ch003(32-65)Online publication date: 2013
  • (2013)On the Complexity of Authorization of Temporal RBAC in Cloud Computing ServiceProceedings of the 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications10.1109/TrustCom.2013.192(1567-1572)Online publication date: 16-Jul-2013
  • (2011)On the Complexity of Authorization in RBAC under Qualification and Security ConstraintsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2010.558:6(883-897)Online publication date: 1-Nov-2011
  • (2011)History-based constraints for dynamic separation-of-duty policies in usage controlProceedings of 2011 International Conference on Computer Science and Network Technology10.1109/ICCSNT.2011.6182463(2438-2442)Online publication date: Dec-2011
  • (2011)Reliability of separation of duty in ANSI standard role-based access controlScientia Iranica10.1016/j.scient.2011.08.01618:6(1416-1424)Online publication date: Dec-2011
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media