Run-time enforcement model for Dynamic Separation of Duty

Janpitak, Nanta and Sathitwiriyawong, Chanboon (2010) Run-time enforcement model for Dynamic Separation of Duty. In: 2010 10th International Symposium on Communications and Information Technologies (ISCIT), 2010-10-26, Tokyo, Japan.

Abstract

Separation of duty (SoD) is a primary internal control in many businesses, including information systems, intended to prevent fraud and errors arising from conflicts of interest. To enforce separation of duty in information systems, Role-Based Access Control (RBAC) has been proposed and has been the most popular access control model in today's security management. This paper focuses on Dynamic Separation of Duty (DSD), which is one of the four components of the ANSI RBAC standard. To maximize the utilization of human resources, one user is allowed to have multiple mutually exclusive roles but can activate only one role at a time. DSD not only provides more flexibility for business systems but also creates more vulnerability in separation of duty compliance because of the complexity of checking for conflicts of interest. This paper proposes a very simple but effective model to solve the problem of DSD by integrating the workflow sequence into the concept of the mutually exclusive roles (MER) constraint. With the proposed model, conflicts of interest can be verified at run time. The system will not allow any process to continue if the activation of conflicting users has been found.

Item Type:

Conference or Workshop Item (Paper)

Deposited by:

Automated system

Date Deposited:

2021-09-09 23:53:46

Last Modified:

2021-09-20 10:17:33
