Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems

@inproceedings{Kuhn1997MutualEO,
  title={Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems},
  author={D. Richard Kuhn},
  booktitle={RBAC '97},
  year={1997}
}
  • D. R. Kuhn
  • Published in RBAC '97 6 November 1997
  • Computer Science
Role based access control (RBAC) is attracting increasing attention as a security mechanism for both commercial and many military systems. Much of RBAC is fundamentally different from multi-level security (MLS) systems, and the properties of RBAC systems have not been explored formally to the extent that MLS system properties have. This paper explores some aspects of mutual exclusion of roles as a means of implementing separation of duty policies, including a safety property for separation of… 

Mutual exclusion and role inheritance affecting least privilege in RBAC

  • Muhammad Asif Habib
  • Computer Science
    2010 International Conference for Internet Technology and Secured Transactions
  • 2010
This paper describes the complexities and complications that can arise after implementing separation of duty in terms of mutually exclusive roles (MER), and proposes solutions to these problems together with a model that addresses all the problems discussed.

Mutually exclusive permissions in RBAC

The complexities and complications which can be faced after implementing separation of duty in terms of mutually exclusive roles (MER) are described and a model to counter the problems is proposed.

Separation of Duty in Role-Based Access Control Model through Fuzzy Relations

This paper proposes a model to express the separation of duty policies in RBAC using the fuzzy set theory, and the concept of trustworthiness, which is fuzzy in nature, is used to express this model.

Separation of duties for access control enforcement in workflow environments

This paper presents the "conflicting entities" administration paradigm for the specification of static and dynamic separation of duty requirements in the workflow environment, and argues that RBAC does not support the complex work processes often associated with separation of duty requirements, particularly with dynamic separation of duty.

Role Based Access Control

Role languages are needed that can simply modify constraints associated with roles thereby permitting dynamic response to enterprise policy changes in a transparent fashion to applications and thus becomes a process with high trust requirements.

Multi-session Separation of Duties (MSoD) for RBAC

This paper proposes multi-session SoD policies for business processes which include multiple tasks enacted by multiple users over many user access control sessions, and explores the means to define MSoD policies in RBAC via multi-session mutually exclusive roles (MMER) and multi-session mutually exclusive privileges (MMEP).

On mutually-exclusive roles and separation of duty

It is shown that directly enforcing SSoD policies is intractable (coNP-complete), while checking whether an RBAC state satisfies a set of SMER constraints is efficient, and why this intractability result should not lead us to conclude that SMER constraints are not an appropriate mechanism for enforcing SSoD policies.

A model of OASIS role-based access control and its support for active security

The overall architecture of OASIS is presented through a basic model, followed by an extended model that includes parametrization, which aims to allow autonomous management domains to specify their own access control policies and to interoperate subject to service level agreements.

A model of OASIS role-based access control and its support for active security

A basic model is presented followed by an extended model which includes parameterisation, which is motivated by the approach and formalise OASIS.
...

References

Transaction control expressions for separation of duties

  • R. Sandhu
  • Computer Science
    [Proceedings 1988] Fourth Aerospace Computer Security Applications
  • 1988
The author describes a model and notation for specifying and enforcing aspects of integrity policies, particularly separation of duties. The key idea is to associate a transaction control expression

Some conundrums concerning separation of duty

  • Michael J. Nash, K. Poland
  • Computer Science
    Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy
  • 1990
An examination is made of questions concerning commercial computer security integrity policies and it is shown that it implements a well-defined and sensible integrity policy that includes separation of duty, yet fails to meet either the TCSEC or the D.D.R. Wilson (1987) rules.

Role-Based Access Control Models

Why RBAC is receiving renewed attention as a method of security administration and review is explained, a framework of four reference models developed to better understand RBAC is described, and the use of RBAC to manage itself is discussed.

Naming and grouping privileges to simplify security management in large databases

  • R. Baldwin
  • Computer Science
    Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy
  • 1990
The main conclusion is that the naming and abstraction mechanism provided by NPDs can simplify security management in much the same way that procedures can simplify programming.

Role based access control: Features and motivations

  • Annual Computer Security Applications Conference
  • 1995

Role-Based Application Design and Enforcement

Extending Access Control with Duties - Realized by Active Mechanisms