An Extended Analysis of Delegating Obligations

In [1] we have presented our initial investigations into the delegation of obligations and the concept of review as one kind of organisational principle to control such delegation activities. However, this initial approach was too simplistic and failed to explain how a principal may be related to an obligation; how obligations relate to roles; and how the delegation of specific and general obligations may be controlled through the concepts of review and supervision. As a result, we presented a more detailed and refined analysis of organisational controls in the context of a formal framework [2]. This paper summarises some of our investigations.

[1] Henry Mintzberg et al. The Structuring of Organizations. 1979.

[2] Jonathan D. Moffett et al. Delegation of authority using domain-based access rules. 1990.

[3] Andreas Schaad et al. Delegation of obligations. Proceedings Third International Workshop on Policies for Distributed Systems and Networks, 2002.

[4] A. Hopwood et al. Accounting and human behaviour. 1976.

[5] D. Pugh et al. Organization theory: selected readings. 1971.

[6] Victoria Ungureanu et al. Law-governed interaction: a coordination and control mechanism for heterogeneous distributed systems. TSEM, 2000.

[7] Manu Sridharan et al. A micromodularity mechanism. ESEC/FSE-9, 2001.

[8] Mao Bi et al. Role based Access Control Model. 2003.

[9] Gail-Joon Ahn et al. A rule-based framework for role based delegation. SACMAT '01, 2001.

[10] Ravi S. Sandhu et al. Role-Based Access Control Models. Computer, 1996.

[11] Jeremy L. Jacob et al. The role-based access control system of a European bank: a case study and discussion. SACMAT '01, 2001.

[12] Jean Bacon et al. A model of OASIS role-based access control and its support for active security. TSEC, 2001.

[13] Andreas Schaad et al. Separation, review and supervision controls in the context of a credit application process: a case study of organisational control principles. SAC '04, 2004.

[14] Emil C. Lupu et al. The Ponder Policy Specification Language. POLICY, 2001.

[15] Elisa Bertino et al. An Extended Authorization Model for Relational Databases. IEEE Trans. Knowl. Data Eng., 1997.

[16] Andreas Schaad et al. A framework for organisational control principles. 18th Annual Computer Security Applications Conference, 2002. Proceedings, 2002.