Separation of Duty in Role-based Environments
نویسندگان
چکیده
Separation of Duty is a principle that has a long history in computer security research. Many computing systems provide rudimentary support for this principle, but often the support is inconsistent with the way the principle is applied in non-computing environments. Furthermore, there appears to be no single accepted meaning of the term. We examine the ways in which Separation of Duty has been used, adding the notion of History-based Separation of Duty. We assess ways in which computing systems may support Separation of Duty. We discuss the mechanisms we are implementing to support Separation of Duty and roles in Adage, a general-purpose authorization language and toolkit.
منابع مشابه
Separation of duties for access control enforcement in workflow environments
Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a check. Previous work on s...
متن کاملConflict analysis as a means of enforcing static separation of duty requirements in workflow environments
The increasing reliance on information technology to support business processes has emphasised the need for information security mechanisms. This, however, has resulted in an ever-increasing workload in terms of security administration. Policy-based approaches have been proposed, promising to lighten the workload of security administrators. Separation of duty is one of the principles cited as a...
متن کاملAccess control and separation of duty in agent-based workflow environments
Agent Technology provides a new methodology in implementing workflow environments. This paper is concerned with how this shift in paradigm affects traditional security concepts like access control and separation of duty principles. The discussion focuses on the implementation of task allocation in an agent-based workflow environment (AWE) that is currently being developed. Task allocation is fu...
متن کاملAn XML based approach to enforcing history-based separation of duty policies in heterogeneous workflow environments
In the computing world a new technology occasionally comes along, promising to make dramatic changes to the way computing tasks are performed. The Extensible Markup Language (XML) has been heralded as one such technology. XML promises to provide a universal metadata mechanism for defining, understanding and interchanging information between possibly heterogeneous systems. This paper exploits th...
متن کاملConflict checking of separation of duty constraints in RBAC - implementation experiences
Separation of duty constraints define mutual exclusion relations between two entities (e.g. two permissions). Thus, a software component that supports the definition of separation of duty constraints implicitly requires a means to control their definition and to ensure the consistency of the resulting runtime structures. In this paper, we present our experiences with the implementation of confl...
متن کامل