Separation of duties for access control enforcement in workflow environments
نویسندگان
چکیده
Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a check. Previous work on separation of duty requirements often explored implementations based on role-based access control (RBAC) principles. These implementations are concerned with constraining the associations between RBAC components, namely users, roles, and permissions. Enforcement of the separation of duty requirements, although an integrity requirement, thus relies on an access control service that is sensitive to the separation of duty requirements. A distinction between separation of duty requirements that can be enforced in administrative environments, namely static separation of duty, and requirements that can only be enforced in a run-time environment, namely dynamic separation of duty, is required. It is argued that RBAC does not support the complex work processes often associated with separation of duty requirements, particularly with dynamic separation of duty. The workflow environment, being primarily concerned with the facilitation of complex work processes, provides a context in which the specification of separation of duty requirements can be studied. This paper presents the “conflicting entities” administration paradigm for the specification of static and dynamic separation of duty requirements in the workflow environment.
منابع مشابه
Enforcing RBAC Policies over Data Stored on Untrusted Server (Extended Version)
One of the security issues in data outsourcing is the enforcement of the data owner’s access control policies. This includes some challenges. The first challenge is preserving confidentiality of data and policies. One of the existing solutions is encrypting data before outsourcing which brings new challenges; namely, the number of keys required to access authorized resources, efficient policy u...
متن کاملA Model for Security in Agent-based Workflows
Introduction Workflow environments have hugely benefited from the technical advancements made available by the Internet over the last years. Many workflow environments today are implemented over public networks such as the Internet. Because workflow environments in most situations represent the “bread-andbutter” of a company, the implementation thereof has raised serious information security pr...
متن کاملUsing Description Logics in Relation Based Access Control
Relation Based Access Control (RelBAC ) is an access control model designed for the new scenarios of access control on Web 2.0. Under this model, we discuss in this paper how to formalize with Description Logics the typical authorization problems of access control together with the enforcement of an important security property: Separation of Duties (SoD) and some high level security policies ab...
متن کاملIdea: Efficient Evaluation of Access Control Constraints
Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i. e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e. g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement....
متن کاملIdea: Efficient Evaluation of Access Control Constraint
Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i. e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e. g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement....
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IBM Systems Journal
دوره 40 شماره
صفحات -
تاریخ انتشار 2001