UNSPECIFIED Multi-session Separation of Duties (MSoD) for RBAC
نویسندگان
چکیده
Separation of duties (SoD) is a key security requirement for many business and information systems. Role Based Access Controls (RBAC) is a relatively new paradigm for protecting information systems. In the ANSI standard RBAC model both static and dynamic SoD are defined. However, static SoD policies assume that the system has full control over the assignment of all roles to users, whilst dynamic SoD policies assume that conflicts of interest can only arise during the simultaneous activation of a users roles. Unfortunately neither of these assumptions hold true in dynamic virtual organisations (VOs), or in business processes that span multiple user sessions, or where users only partially disclose their roles at each session. In this paper we propose multi-session SoD (MSoD) policies for business processes which include multiple tasks enacted by multiple users over many user access control sessions. We explore the means to define MSoD policies in RBAC via multi-session mutually exclusive roles (MMER) and multi-session mutually exclusive privileges (MMEP). We propose an approach to expressing MSoD policies in XML and enforcing MSoD policies in a policy controlled RBAC infrastructure. Finally, we describe how we have implemented MSoD policies in the PERMIS Privilege Management Infrastructure
منابع مشابه
Enforcing RBAC Policies over Data Stored on Untrusted Server (Extended Version)
One of the security issues in data outsourcing is the enforcement of the data owner’s access control policies. This includes some challenges. The first challenge is preserving confidentiality of data and policies. One of the existing solutions is encrypting data before outsourcing which brings new challenges; namely, the number of keys required to access authorized resources, efficient policy u...
متن کاملSeparation of duties for access control enforcement in workflow environments
Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a check. Previous work on s...
متن کاملConsistency Checks for Duties in Extended UML2 Activity Models
Process-aware information systems support the execution of business processes. In this context, organizations require the precise specification of security policies that govern the behavior of subjects in the systems. Obligation policies specify duties to be fulfilled by certain subjects. In organizational contexts, duties are often associated with a certain task in a business process. In this ...
متن کاملA temporal-logic extension of role-based access control covering dynamic separation of duties
Security policies play an important role in today’s computer systems. We show some severe limitations of the widespread standard role-based access control (RBAC) model, namely that object-based dynamic separation of duty as introduced by Nash and Poland cannot be expressed with it. We suggest to overcome these limitations by extending the RBAC model with an execution history. The natural next s...
متن کاملDynamic Role-Based Access Control Model
With the rapid development of network and the coming of information age, access control is particularly important, role-based access control (RBAC) is an access control which is popular. RBAC authorizes and controls the roles corresponding to the users to operate the object. It solves problems of least privilege, separation of duties and so on. However, limited permissions are required to be ex...
متن کامل