Separation of duties for access control enforcement in workflow environments

Authors:
Reinhardt A. Botha;Jan H. P. Eloff
Affiliations:
Faculty of Computer Studies, Port Elizabeth Technikon, University Way, Port Elizabeth 6000, South Africa;Department of Computer Science, Rand Afrikaans University, P.O. Box 524, Auckland Park 2006, South Africa
Venue:
IBM Systems Journal - End-to-end security
Year:
2001

Citing 16
Cited 26

Role-Based Access Control Models

Computer
Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems

RBAC '97 Proceedings of the second ACM workshop on Role-based access control
Towards a task-based paradigm for flexible and adaptable access control in distributed applications

NSPW '92-93 Proceedings on the 1992-1993 workshop on New security paradigms
The role graph model and conflict of interest

ACM Transactions on Information and System Security (TISSEC) - Special issue on role-based access control
The specification and enforcement of authorization constraints in workflow management systems

ACM Transactions on Information and System Security (TISSEC) - Special issue on role-based access control
Active database systems

ACM Computing Surveys (CSUR)
Turning points in interaction with computers

IBM Systems Journal
Production workflow: concepts and techniques

Production workflow: concepts and techniques
The RSL99 language for role-based separation of duty constraints

RBAC '99 Proceedings of the fourth ACM workshop on Role-based access control
Injecting RBAC to secure a Web-based workflow system

RBAC '00 Proceedings of the fifth ACM workshop on Role-based access control
Access control mechanisms for inter-organizational workflow

SACMAT '01 Proceedings of the sixth ACM symposium on Access control models and technologies
Beyond Documents: Sharing Work

IEEE Internet Computing
Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management

Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI: Status and Prospects
An Authorization Model for Workflows

ESORICS '96 Proceedings of the 4th European Symposium on Research in Computer Security: Computer Security
A Context-Sensitive Access Control Model and Prototype Implementation

Proceedings of the IFIP TC11 Fifteenth Annual Working Conference on Information Security for Global Information Infrastructures
Separation of Duty in Role-based Environments

CSFW '97 Proceedings of the 10th IEEE workshop on Computer Security Foundations

Specification and querying of security constraints in the EFSOC framework

Proceedings of the 2nd international conference on Service oriented computing
A reference monitor for workflow systems with constrained task execution

Proceedings of the tenth ACM symposium on Access control models and technologies
EFSOC: A Layered Framework for Developing Secure Interactions between Web-Services

Distributed and Parallel Databases
A model-checking approach to analysing organisational controls in a loan origination process

Proceedings of the eleventh ACM symposium on Access control models and technologies
Inter-instance authorization constraints for secure workflow management

Proceedings of the eleventh ACM symposium on Access control models and technologies
On mutually exclusive roles and separation-of-duty

ACM Transactions on Information and System Security (TISSEC)
Task-based entailment constraints for basic workflow patterns

Proceedings of the 13th ACM symposium on Access control models and technologies
A Rule-Based Framework Using Role Patterns for Business Process Compliance

RuleML '08 Proceedings of the International Symposium on Rule Representation, Interchange and Reasoning on the Web
A policy-based authorization model for workflow-enabled dynamic process management

Journal of Network and Computer Applications
Verification of Business Process Entailment Constraints Using SPIN

ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
RBAC for Organisation and Security in an Agent Coordination Infrastructure

Electronic Notes in Theoretical Computer Science (ENTCS)
A formal framework for adaptive access control models

Journal on data semantics IX
Conceptual model for online auditing

Decision Support Systems
Generic algorithms for consistency checking of mutual-exclusion and binding constraints in a business process context

OTM'10 Proceedings of the 2010 international conference on On the move to meaningful internet systems - Volume Part I
Modeling process-related RBAC models with extended UML activity models

Information and Software Technology
Don't reveal my intension: protecting user privacy using declarative preferences during distributed query processing

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Detecting and resolving conflicts of mutual-exclusion and binding constraints in a business process context

OTM'11 Proceedings of the 2011th Confederated international conference on On the move to meaningful internet systems - Volume Part I
User-managed access control for health care systems

SDM'05 Proceedings of the Second VDLB international conference on Secure Data Management
Role activation management in role based access control

ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
Enforcing access control in workflow systems with a task engineering approach

International Journal of Internet Technology and Secured Transactions
On the exploitation of process mining for security audits: the conformance checking case

Proceedings of the 27th Annual ACM Symposium on Applied Computing
Performance analysis for workflow management systems under role-based authorization control

GPC'12 Proceedings of the 7th international conference on Advances in Grid and Pervasive Computing
On the Prevention of Fraud and Privacy Exposure in Process Information Flow

INFORMS Journal on Computing
Enforcement of entailment constraints in distributed service-based business processes

Information and Software Technology
A privacy-aware access control model for distributed network monitoring

Computers and Electrical Engineering
A systematic review on security in Process-Aware Information Systems - Constitution, challenges, and future directions

Information and Software Technology

Quantified Score

Hi-index	0.00

Visualization

Abstract

Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a check. Previous work on separation of duty requirements often explored implementations based on role-based access control (RBAC) principles. These implementations are concerned with constraining the associations between RBAC components, namely users, roles, and permissions. Enforcement of the separation of duty requirements, although an integrity requirement, thus relies on an access control service that is sensitive to the separation of duty requirements. A distinction between separation of duty requirements that can be enforced in administrative environments, namely static separation of duty, and requirements that can only be enforced in a run-time environment, namely dynamic separation of duty, is required. It is argued that RBAC does not support the complex work processes often associated with separation of duty requirements, particularly with dynamic separation of duty. The workflow environment, being primarily concerned with the facilitation of complex work processes, provides a context in which the specification of separation of duty requirements can be studied. This paper presents the "conflicting entities" administration paradigm for the specification of static and dynamic separation of duty requirements in the workflow environment.