Enforcement of separation of duty constraints in attribute-based access control

Abstract

While the verification of separation of duty (SoD) constraints on attribute based access control (ABAC) systems has been defined and examined in existing works, it still remains an open problem since the existing approaches are either inefficient or inadequate to check all SoD constraints; furthermore, the problem of solving SoD violations has not yet been addressed in the literature. In this paper, we present an integer linear programming (ILP) based approach to check the satisfiability of all SoD constraints. It can be applied to different SoDs. Hence, it is feasible in real-world scenarios. Moreover, we present an ILP based violation solution that can correct all SoD violations with a minimum number of restrictions regarding users’ normal operations on target objects. All SoD violations can be solved in a once-and-done way while simultaneously guaranteeing the satisfaction of all SoD constraints.