Authorization constraint enforcement for information system security

Rattikorn Hewett, Phongphun Kijsanayothin

Research output: Contribution to journalConference articlepeer-review


Managing access authorities is critical to the security of information systems. To prevent fraud or abuse due to conflict of interests, a well-known authorization constraint called Separation of Duty (SoD) is commonly applied. SoD ensures that no single user receives too many authorities. Enforcement of authorization constraints such as SoD in large organizations can be difficult due to the large number of information system users, the variety of assets involved, and tasks that require roles that may be shared or delegated at multiple levels. Most existing work in this area focuses on specifications of SoD constraints and assumes that constraints can be enforced by logical inference mechanisms at run-time. A drawback of this approach is that when violations occur, finding alternative role activations at run-time may not be feasible. This can result in delays or even failure for critical service transactions. Moreover, logic-based systems are difficult to understand and do not scale easily. This paper presents an algorithmic set-based approach that automatically checks for SoD compliance prior to run-time by searching for a set of valid role activations. The paper discusses details of this approach and illustrates its use in managing access authorizations in a health insurance claim processing system

Original languageEnglish
Article number4811840
Pages (from-to)3502-3507
Number of pages6
JournalConference Proceedings - IEEE International Conference on Systems, Man and Cybernetics
StatePublished - 2008
Event2008 IEEE International Conference on Systems, Man and Cybernetics, SMC 2008 - Singapore, Singapore
Duration: Oct 12 2008Oct 15 2008


  • Conflict of interest
  • Information security
  • Policy compliance
  • Role-based access control
  • Separation of duty


Dive into the research topics of 'Authorization constraint enforcement for information system security'. Together they form a unique fingerprint.

Cite this