TY - GEN
T1 - Security analysis of Role-Based Separation of Duty with workflows
AU - Hewett, Rattikorn
AU - Kijsanayothin, Phongphun
AU - Thipse, Aashay
PY - 2008
Y1 - 2008
N2 - Role-Based Access Control (RBAC) is the most predominant access control model in today's security management due to its ability to simplify authorization, and flexibility to specify and enforce protection policies. In RBAC, Separation of Duty (SoD) constrains user role authorization to protect sensitive information from frauds due to conflicts of interests. SoD constraints are commonly defined by mutually exclusive roles (MER) (e.g., bank teller and auditor). This paper proposes practical computational techniques for analyzing SoD by integrating workflows of the enterprise processes into the RBAC framework. Specifically, we present 1) an algorithm for generating MER to enforce SoD, and 2) a verification algorithm to check if a given RBAC state (role authorization and user-role assignments) satisfies a given type of SoD constraint or not. The paper discusses the details of the approach and illustrates its use in a loan application domain.
AB - Role-Based Access Control (RBAC) is the most predominant access control model in today's security management due to its ability to simplify authorization, and flexibility to specify and enforce protection policies. In RBAC, Separation of Duty (SoD) constrains user role authorization to protect sensitive information from frauds due to conflicts of interests. SoD constraints are commonly defined by mutually exclusive roles (MER) (e.g., bank teller and auditor). This paper proposes practical computational techniques for analyzing SoD by integrating workflows of the enterprise processes into the RBAC framework. Specifically, we present 1) an algorithm for generating MER to enforce SoD, and 2) a verification algorithm to check if a given RBAC state (role authorization and user-role assignments) satisfies a given type of SoD constraint or not. The paper discusses the details of the approach and illustrates its use in a loan application domain.
UR - http://www.scopus.com/inward/record.url?scp=49049117584&partnerID=8YFLogxK
U2 - 10.1109/ARES.2008.71
DO - 10.1109/ARES.2008.71
M3 - Conference contribution
AN - SCOPUS:49049117584
SN - 0769531024
SN - 9780769531021
T3 - ARES 2008 - 3rd International Conference on Availability, Security, and Reliability, Proceedings
SP - 765
EP - 770
BT - ARES 2008 - 3rd International Conference on Availability, Security, and Reliability, Proceedings
T2 - 3rd International Conference on Availability, Security, and Reliability, ARES 2008
Y2 - 4 March 2008 through 7 March 2008
ER -