Towards Separation of Duties for Services

Separation of Duties is an essential security control for managing the integrity of information technology systems and human processes. Due in part to recent emphasis on regulatory compliance and corporate governance, Separation of Duties has taken on fresh importance. However, support for specifying and enforcing Separation of Duties constraints remains a missing feature for many of today’s access control systems, sometimes leading implementers to embed such constraints in application logic. We present the Separation of Duties and Entitlements Analyzer, a system for defining Separation of Duties constraints across multiple systems through a simple constraint model and use of standard XACML policies. The ability to define meta-policies across systems in a common language is a viable approach for managing certain integrity concerns in a services environment.

By: Chris Giblin, Satoshi Hada

Published in: RZ3718 in 2008


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).

