Permission based implementation of Dynamic Separation of Duty (DSD) in Role based Access Control (RBAC)

Abstract

Role based Access Control (RBAC) is known as an evolution in the field of access control. The strength of RBAC is considered due to the incorporation of concept of roles. Separation of Duty (SOD) is a constraint that implements least privilege principle in RBAC. Dynamic Separation of Duty (DSD) is a powerful constraint to control internal security threats. Current RBAC standard implements DSD on the level of roles. This creates various problems. In this paper, various problems in case of implementing DSD on the level of roles are identified. We show and prove that RBAC's strength is the incorporation of concept of roles but this is not for better security in terms of authorization. Instead this helps in better administration or usability for users. The RBAC usability can be improved if RBAC administration is being implemented on the basis of roles and access control can be more secure if DSD is being implemented on the basis of conflicting permissions. The concept of normalized roles is also introduced. The proposed model implements access control on the basis of normalized role. DSD is being implemented on the basis of conflicting permissions and non-conflicting permissions are exercised under the umbrella of role. This becomes a hybrid approach for access control. The administrators are given freedom in implementing DSD in various modes according to the organizational requirements from lenient to strict implementation. The proposed model is also formally specified and the benefits as a result of implementing the proposed model are discussed.