Specification and Verification of Separation of Duty Constraints in Attribute-Based Access Control

Abstract

Constraints form an important aspect of any access control system and are often regarded as one of the principle motivations behind developing different access control models. The two primary concerns related to a constraint are its specification and enforcement. Among the various types of constraints, enforcement of the Separation of Duty (SoD) constraint is considered to be the most important in commercial applications. In this paper, we introduce the problem of SoD specification, verification, and enforcement in attribute-based access control (ABAC) systems. We then demonstrate the effect of modifications in the different components of ABAC on enforcement. We also analyze the complexity of the enforcement problem and provide a methodology for solving it. Experiments on a wide range of data sets show encouraging results.