Separation of Duties (SoD) aims to prevent fraud and errors by distributing tasks and associated privileges among multiple users. Li and Wang proposed an algebra (SoDA) for specifying SoD requirements, which is both expressive in the requirements it formalizes and abstract in that it is not bound to any specific workflow model. In this paper, we both generalize SoDA and map it to enforcement mechanisms. First, we increase SoDA’s expressiveness by extending its semantics to multisets. This better suits policy enforcement over workflows, where users may execute multiple tasks. Second, we further generalize SoDA to allow for changing role assignments. This lifts the strong restriction that authorizations do not change during workflow execution. Finally, we map SoDA terms to CSP processes, taking advantage of CSP’s operational semantics to provide the critical link between abstract specifications of SoD requirements by SoDA terms and runtime-enforcement mechanisms.
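As an added illustration (not code from the paper), a small evaluator for SoDA-style terms under a multiset interpretation, where the multiset records how many tasks each user executed: an atomic term is satisfied by exactly one execution, `odot` splits the multiset arbitrarily, and `otimes` additionally requires the two parts to involve disjoint users, which is what rules out one user doing both sides. The operator set, this reading of multiset satisfaction, and the role assignment are assumptions for the example, not the paper's definitions.

```python
from collections import Counter
from itertools import product

# Constructed role assignment for the example (assumption, not from the paper).
ROLES = {"alice": {"clerk"}, "bob": {"clerk", "manager"}, "carol": {"manager"}}

def splits(ms, disjoint):
    """Enumerate pairs (X1, X2) of multisets with X1 + X2 == ms.
    With disjoint=True every user's executions go entirely to one side,
    so X1 and X2 have disjoint supports (no shared user)."""
    users = list(ms)
    choices = [(0, ms[u]) if disjoint else range(ms[u] + 1) for u in users]
    for counts in product(*choices):
        x1 = Counter({u: c for u, c in zip(users, counts) if c})
        x2 = Counter({u: ms[u] - c for u, c in zip(users, counts) if ms[u] - c})
        yield x1, x2

def sat(ms, term, roles=ROLES):
    """Does the multiset ms (Counter: user -> number of executions) satisfy term?
    Terms: ("user", u), ("role", r), ("or", t1, t2), ("and", t1, t2),
           ("odot", t1, t2), ("otimes", t1, t2)."""
    op = term[0]
    if op == "user":                       # exactly one execution, by that user
        return ms == Counter([term[1]])
    if op == "role":                       # exactly one execution, by a member of the role
        return sum(ms.values()) == 1 and term[1] in roles.get(next(iter(ms)), set())
    if op == "or":
        return sat(ms, term[1], roles) or sat(ms, term[2], roles)
    if op == "and":
        return sat(ms, term[1], roles) and sat(ms, term[2], roles)
    if op in ("otimes", "odot"):           # split the executions between the two subterms
        return any(sat(a, term[1], roles) and sat(b, term[2], roles)
                   for a, b in splits(ms, disjoint=(op == "otimes")))
    raise ValueError(f"unknown operator {op}")

def executed_by(history):
    """Multiset of executing users from a workflow history of (task, user) pairs."""
    return Counter(user for _task, user in history)

def history_satisfies(term, history, roles=ROLES):
    """Check a completed workflow history against an SoD term."""
    return sat(executed_by(history), term, roles)
```

Because the check sees multiplicities, `("odot", clerk, clerk)` accepts two executions by the same clerk while `("otimes", clerk, clerk)` rejects them, a distinction a set-based semantics cannot express.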
The research leading to these results has received funding from the European Community’s Seventh Framework Programme (FP7/2007-2013) under grant agreement N° 216917.
Enron, See you in court. The Economist, November 15 (2001)
Sarbanes-Oxley Act of 2002. Public Law 107-204 (116 Statute 745), United States Senate and House of Representatives in Congress (2002)
Saltzer, J., Schroeder, M.: The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9), 1278–1308 (1975)
Sandhu, R.S.: Transaction Control Expressions for Separation of Duties. In: 4th IEEE Aerospace Computer Security Applications Conference, pp. 282–286 (1988)
Li, N., Wang, Q.: Beyond separation of duty: An algebra for specifying high-level security policies. Journal of the ACM 55(3) (2008)
Ferraiolo, D.F., et al.: Proposed NIST Standard for Role-Based Access Control. ACM Trans. on Information and System Security 4(3), 224–274 (2001)
Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall, Englewood Cliffs (1985)
Roscoe, A.W.: The Theory and Practice of Concurrency. Prentice-Hall, Englewood Cliffs (1997)
Syropoulos, A.: Mathematics of Multisets. In: Multiset Processing, pp. 347–358 (2000)
Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)
Basin, D., Burri, S.J., Karjoth, G.: Dynamic Enforcement of Abstract Separation of Duty Constraints. IBM Research Report RZ3726 (2009), domino.watson.ibm.com/library/cyberdig.nsf/Home
Schneider, F.B.: Enforceable Security Policies. ACM Transactions on Information and System Security 3(1), 30–50 (2000)
Business Process Modeling Notation (BPMN). OMG Standard, v. 1.1 (2008)
Web Services Business Process Execution Language (WS-BPEL). OASIS Standard, v. 2.0 (2007)
Wong, P.Y.H., Gibbons, J.: A Process-Algebraic Approach to Workflow Specification and Refinement. In: Int. Symp. on Software Composition, pp. 51–65 (2007)
Gligor, V.D., Gavrila, S.I., Ferraiolo, D.: On the Formal Definition of Separation-of-Duty Policies and their Composition. In: 19th IEEE Symposium on Security and Privacy, pp. 172–183 (1998)
Simon, R., Zurko, M.E.: Separation of Duty in Role-based Environments. In: 10th IEEE Workshop on Computer Security Foundations, pp. 183–194 (1997)
Bertino, E., Ferrari, E., Atluri, V.: The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Transactions on Information and System Security 2(1), 65–104 (1999)
Knorr, K., Stormer, H.: Modeling and Analyzing Separation of Duties in Workflow Environments. In: 16th Int. Conf. on Information Security, pp. 199–212 (2001)
Schaad, A., Lotz, V., Sohr, K.: A Model-checking Approach to Analysing Organisational Controls in a Loan Origination Process. In: 11th ACM Symposium on Access Control Models and Technologies, pp. 139–149 (2006)
Nash, M.J., Poland, K.R.: Some Conundrums Concerning Separation of Duty. In: IEEE Symposium on Security and Privacy, pp. 201–207 (1990)
© 2009 Springer-Verlag Berlin Heidelberg
Basin, D., Burri, S.J., Karjoth, G. (2009). Dynamic Enforcement of Abstract Separation of Duty Constraints. In: Backes, M., Ning, P. (eds) Computer Security – ESORICS 2009. ESORICS 2009. Lecture Notes in Computer Science, vol 5789. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04444-1_16
Print ISBN: 978-3-642-04443-4
Online ISBN: 978-3-642-04444-1