On mutually-exclusive roles and separation of duty

Separation of Duty (SoD) is widely considered to be a fundamental principle in computer security. A Static SoD (SSoD) policy states that in order to have all permissions necessary to complete a sensitive task, the cooperation of at least a certain number of users is required. In Role-Based Access Control (RBAC), Statically Mutually Exclusive Role (SMER) constraints are used to enforce SSoD policies. In this paper, we pose and answer fundamental questions related to the use of SMER constraints to enforce SSoD policies. We show that directly enforcing SSoD policies is intractable (coNP-complete), while checking whether an RBAC state satisfies a set of SMER constraints is efficient. We also show that verifying whether a given set of SMER constraints enforces an SSoD policy is intractable (coNP-complete), and we discuss why this intractability result should not lead us to conclude that SMER constraints are an inappropriate mechanism for enforcing SSoD policies. Finally, we show how to generate SMER constraints that are as accurate as possible for enforcing a given SSoD policy.
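To make the contrast in the abstract concrete, the following is an added example in Python (not code from the paper): it encodes a constructed RBAC state, checks an SSoD policy by enumerating user subsets, and checks a SMER constraint with a single pass over users. The policy and constraint forms are assumed to be the usual k-out-of-n ones: an SSoD policy <P, k> says that no set of fewer than k users may jointly hold all permissions in P, and a SMER constraint <R, t> says that no user may be a member of t or more roles in R.

```python
from itertools import combinations

# Constructed RBAC state (illustrative, not from the paper):
# user-to-role assignment (UA) and role-to-permission assignment (PA).
# No role hierarchy is modelled; a user's permissions come only from UA and PA.
UA = {
    "alice": {"clerk", "auditor"},
    "bob": {"clerk"},
    "carol": {"manager"},
    "dave": {"auditor", "manager"},
}
PA = {
    "clerk": {"prepare"},
    "manager": {"approve"},
    "auditor": {"audit"},
}


def user_perms(user):
    """Permissions a user holds through all of their roles."""
    return set().union(*(PA[r] for r in UA[user]))


def satisfies_ssod(perms, k):
    """SSoD policy <perms, k>: no set of fewer than k users jointly holds all of perms.

    Coverage is monotone, so it suffices to test every (k-1)-subset of users
    (or all users, if there are fewer than k). This enumeration is exactly the
    combinatorial blow-up behind the paper's coNP-completeness result for
    checking SSoD directly.
    """
    users = list(UA)
    size = min(k - 1, len(users))
    for group in combinations(users, size):
        covered = set().union(*(user_perms(u) for u in group))
        if perms <= covered:
            return False  # this group of < k users can complete the task alone
    return True


def satisfies_smer(roles, t):
    """SMER constraint <roles, t>: no user is a member of t or more of `roles`.

    One pass over users with a set intersection per user: checking a state
    against SMER constraints is efficient, in contrast to satisfies_ssod.
    """
    return all(len(UA[u] & roles) < t for u in UA)


if __name__ == "__main__":
    print("SSoD <{prepare,approve},2>:", satisfies_ssod({"prepare", "approve"}, 2))
    print("SSoD <{prepare,approve,audit},3>:", satisfies_ssod({"prepare", "approve", "audit"}, 3))
    print("SMER <{clerk,manager},2>:", satisfies_smer({"clerk", "manager"}, 2))
    print("SMER <{clerk,manager,auditor},2>:", satisfies_smer({"clerk", "manager", "auditor"}, 2))
```

In this state the 2-2 SMER constraint on {clerk, manager} holds and the 2-2 SSoD policy on {prepare, approve} is satisfied, whereas the 3-3 policy on all three permissions is violated by alice and carol together.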
