Separation of Duties as a Service

We introduce the concept of Separation of Duties (SoD) as a Service, a new approach to enforce SoD requirements on workows and thereby prevent fraud and errors. SoD as a Service facilitates a separation of concern between business experts and security professionals. Moreover, it allows enterprises to address the need for internal controls and to quickly adapt to organizational, regulatory, and technological changes, which are common characteristics of today's dynamic business environments. We describe our implementation of SoD as a Service, which extends a widespread, commercial workow system. We validate our approach and implementation with a realistic case study, a drug dispensation workow deployed in a hospital.

A shortened version of this paper has appeared in: Proc. 6th ACM Symp. on Information, Computer and Communications Security "ASIACCS'11," Hong Kong (ACM, March 2011) 423-429.

By: Samuel J. Burri, Günter Karjoth, David Basin

Published in: RZ3784 in 2010


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .