Dynamic Enforcement of Abstract Separation of Duty Constraints

Separation of Duties (SoD) is a well-established security principle that aims to prevent fraud and errors by distributing tasks and associated privileges for business processes among multiple users. Li and Wang recently proposed an algebra (SoDA) for specifying SoD requirements, which is both expressive in the requirements it formalizes and abstract in that it is not bound to any specific workflow model. In this paper, we both generalize SoDA and map it to enforcement mechanisms. First, we increase SoDA’s expressiveness by extending its semantics to multisets. This better suits policy enforcement over workflows, where users may execute multiple tasks. Second, we further generalize SoDA to allow for changing role assignments. This lifts the strong restriction that authorizations do not change during workflow execution. Finally, we map SoDA terms to CSP processes. Since CSP has an operational semantics, this mapping provides the critical link between abstract specifications of SoD requirements by SoDA terms and runtime-enforcement mechanisms.
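To make the multiset point concrete, here is a small evaluator for SoDA-style terms over multisets of users. It is an added illustration, not code from the report or from Li and Wang: the term syntax and the operators (atomic user and role terms, All, the unary `+`, and the binary ⊔, ⊓, ⊗, ⊙) follow SoDA as recalled here, and the multiset reading (⊗ requires the two parts to share no user, ⊙ is plain multiset sum, `+` is a sum of one or more parts) is this example's own simplified reading of the abstract rather than the report's definitions. The users, roles and the payment workflow are constructed sample data.

```python
from collections import Counter
from itertools import product

# Assumed term syntax (SoDA as recalled for this example; not the report's own):
#   ('user', u)       satisfied only by the one-element multiset [u]
#   ('role', r)       satisfied by [u] where u currently holds role r
#   ('all',)          satisfied by any one-element multiset
#   ('plus', t)       t+ : a sum of one or more parts, each satisfying t
#   ('or', t1, t2)    t1 ⊔ t2
#   ('and', t1, t2)   t1 ⊓ t2
#   ('sod', t1, t2)   t1 ⊗ t2 : split into two parts with no user in common
#   ('join', t1, t2)  t1 ⊙ t2 : split into two parts, a user may appear in both

# Constructed role assignment (user -> roles). Because it is a parameter of
# satisfies(), the same execution history can be re-checked after a change.
ROLES = {
    "alice": {"clerk"},
    "bob": {"manager"},
    "carol": {"clerk", "manager"},
}


def sub_multisets(X):
    """Yield every sub-multiset of Counter X, from empty up to X itself."""
    items = sorted(X.items())
    for counts in product(*[range(n + 1) for _, n in items]):
        yield Counter({u: c for (u, _), c in zip(items, counts) if c})


def satisfies(term, executions, roles):
    """True iff the multiset of task executions (one user name per executed
    task) satisfies `term` under the role assignment `roles`."""
    X = +Counter(executions)          # drop zero counts; accept lists or Counters
    size = sum(X.values())
    kind = term[0]
    if kind == "user":
        return size == 1 and X[term[1]] == 1
    if kind == "role":
        return size == 1 and term[1] in roles.get(next(iter(X)), set())
    if kind == "all":
        return size == 1
    if kind == "or":
        return satisfies(term[1], X, roles) or satisfies(term[2], X, roles)
    if kind == "and":
        return satisfies(term[1], X, roles) and satisfies(term[2], X, roles)
    if kind == "plus":
        if size == 0:
            return False
        for X1 in sub_multisets(X):
            if not X1:
                continue
            rest = X - X1
            if satisfies(term[1], X1, roles) and (not rest or satisfies(term, rest, roles)):
                return True
        return False
    if kind in ("sod", "join"):
        for X1 in sub_multisets(X):
            X2 = X - X1
            if kind == "sod" and set(X1) & set(X2):
                continue                # ⊗: the two parts must not share a user
            if satisfies(term[1], X1, roles) and satisfies(term[2], X2, roles):
                return True
        return False
    raise ValueError(f"unknown term {term!r}")


# Constructed payment workflow: one clerk prepares, managers approve one or
# more times, and the clerk must not be among the approvers.
PAYMENT = ("sod", ("role", "clerk"), ("plus", ("role", "manager")))
# Two approval tasks, both to be done by a manager (the same one is allowed).
DOUBLE_APPROVAL = ("join", ("role", "manager"), ("role", "manager"))

if __name__ == "__main__":
    print(satisfies(PAYMENT, ["alice", "bob", "bob"], ROLES))      # True
    print(satisfies(PAYMENT, ["carol", "carol"], ROLES))           # False: carol did both
    # Multisets record how many tasks a user executed: [bob] alone is not two approvals.
    print(satisfies(DOUBLE_APPROVAL, ["bob"], ROLES))              # False
    print(satisfies(DOUBLE_APPROVAL, ["bob", "bob"], ROLES))       # True
    # Re-evaluating after carol loses "manager" changes the verdict.
    revoked = {u: r - {"manager"} if u == "carol" else r for u, r in ROLES.items()}
    print(satisfies(("sod", ("role", "clerk"), ("role", "manager")), ["alice", "carol"], revoked))  # False
```

The evaluator enumerates every split of the multiset, which is exponential in the number of executions; that is fine for illustrating the semantics on a handful of tasks but is not the runtime enforcement mechanism the abstract refers to, which the report obtains by mapping terms to CSP processes.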

A condensed version of this report appears in: "Computer Security - ESORICS 2009," Lecture Notes in Computer Science, vol. 5789, (Springer Berlin / Heidelberg, September 2009), pp. 250-267

By: D. Basin, S.J. Burri and G. Karjoth

Published as: IBM Research Report RZ3726, 2009

LIMITED DISTRIBUTION NOTICE:

This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).