Compatibility between SSOD Policy and Privilege Deduction
Static separation of duty (SSOD) is an important approach to enforce separation of duty (SOD) which is widely considered to be a fundamental principle in computer security. SSOD requires that the privileges are separately assigned to different users to complete a sensitive task. On the other hand, deduction relation which exists between privileges tend to undermine the isolated state of privileges. Therefore, deduction relations between privileges may be inconsistent with SSOD policy. However, few researches on this problem are found at present. In this paper, based on the privilege assignment state in RBAC, the definition of compatibility between SSOD policy and privilege deduction relations is given. Furthermore, through a novel concept of minimum deduction cover of a privilege set, the compatibility decision theorem is presented, and an efficient compatibility decision algorithm is designed accordingly. The application example shows that the work of this paper is useful to eliminate the conflicts between SSOD policy and the implicit authorization caused by privilege deduction.
separation of duty previlige deduction resource hierarchy RBAC
Ting Wang Xingyuan Chen Bin Zhang Siyuan Xin
Zhengzhou Information Science and Technology Institute; Henan Key Laboratory of Information Security Zhenzhou, China
国际会议
成都
英文
932-935
2010-12-17(万方平台首次上网日期,不代表论文的发表时间)