Dynamic Enforcement of Abstract Separation of Duty Constraints

Separation of Duties (SoD) aims at preventing fraud and errors by distributing tasks and associated authorizations among multiple users. Li and Wang proposed an algebra (SoDA) for specifying SoD requirements, which is both expressive in the requirements it formalizes and abstract in that it is not bound to a workflow model. In this article, we bridge the gap between the specification of SoD constraints modeled in SoDA and their enforcement in a dynamic, service-oriented enterprise environment. Using the process algebra CSP, we proceed by generalizing SoDA’s semantics to traces, modeling workflow executions that satisfy the respective SoDA terms. We then refine the set of traces induced by a SoDA term to also take a workflow’s control-flow and role-based authorizations into account. Our formalization supports the enforcement of SoD on general workflows and handles changing role-assignments during workflow execution, addressing a well-known source for fraud.
The resulting CSP model serves as blueprint for a distributed and loosely-coupled architecture where SoD enforcement is provisioned as a service. This new concept, which we call SoD as a Service, facilitates a separation of concern between business experts and security professionals. As a result, integration and configuration efforts are minimized and enterprises can quickly adapt to organizational, regulatory, and technological changes. We describe an implementation of SoD as a Service, combining commercial components, such as a workflow engine, and newly developed components, such as an SoD-enforcement monitor.
Starting out with a generalization of SoDA’s semantics and ending up with a prototype implementation, we go the full distance from theory to practice. To evaluate our design decisions and to demonstrate the feasibility of our approach, we present a case study of a drug dispensation workflow deployed in a hospital.

The condensed journal version of this RZ has appeared in ACM Trans. Information and System Security (TISSEC), vol. 15, no. 3, article 13 (November 2012). The RZ contains the full proofs.

By: David Basin, Samuel J. Burri, Guenter Karjoth

Published in: RZ3812 in 2011


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .