History-based Constraints for Dynamic Separation-of-Duty Policies in Usage Control
Separation of Duty (SoD) is a widely used security principle to help prevent frauds in a business process. Recently presented usage control (UCON) has been considered as the next generation access control model. However, as a related and fundamental problem, the research of SoD policy in UCON has not been explored. In this paper, we give a formal definition of dynamic SoD (DSoD) policies, and show that checking whether a UCONA state satisfies a given DSoD policy is a coNP-complete problem, only two special cases can be checked in polynomial time. We propose the history-based constraints for enforcing DSoD policies in usage control. The key idea is to record each permission access request, and use these histories to make the decision when a new permission request is generated. This approach poses and answers fundamental questions related to enable the use of constraints to support SoD policies in UCON.
usage control histroy-based contraint dynamic separation of duty
Jianfeng Lu Dewu Xu
School of Mathematics-Physical & Information Engineering Zhejiang Normal University Jinhua, Zhejiang 321004, China
国际会议
哈尔滨
英文
2438-2442
2011-12-24(万方平台首次上网日期,不代表论文的发表时间)