An Activity-Based Model for Separation of Duty
Alessandro Colantonio, Roberto Di Pietro, Alberto Ocello

TL;DR
This paper introduces an activity-based formal framework for separation of duty in RBAC systems, simplifying management and reducing costs by aligning constraints with business activities and data conflicts.
Contribution
The paper presents a novel activity-based model for SoD in RBAC, incorporating object-based conflicts and demonstrating practical benefits in large organizations.
Findings
Reduced administration costs in a large organization
Effective formalization of SoD constraints based on activities
Introduction of object-based SoD using data domain concepts
Abstract
This paper offers several contributions for separation of duty (SoD) administration in role-based access control (RBAC) systems. We first introduce a new formal framework, based on business perspective, where SoD constraints are analyzed introducing the activity concept. This notion helps organizations define SoD constraints in terms of business requirements and reduces management complexity in large-scale RBAC systems. The model enables the definition of a wide taxonomy of conflict types. In particular, object-based SoD is introduced using the SoD domain concept, namely the set of data in which transaction conflicts may occur. Together with the formalization of the above properties, in this paper we also show the effectiveness of our proposal: we have applied the model to a large, existing organization; results highlight the benefits of adopting the proposed model in terms of reduced…
Taxonomy
Topics: Access Control and Trust · Security and Verification in Computing · Cryptography and Data Security
