DOI: 10.1145/1180405.1180449
Article

Beyond separation of duty: an algebra for specifying high-level security policies

Published: 30 October 2006

Abstract

A high-level security policy states an overall requirement for a sensitive task. One example of a high-level security policy is a separation of duty policy, which requires a sensitive task to be performed by a team of at least k users. It states a high-level requirement about the task without the need to refer to individual steps in the task. While extremely important and widely used, separation of duty policies state only quantity requirements and do not capture qualification requirements on users involved in the task. In this paper, we introduce a novel algebra that enables the specification of high-level policies that combine qualification requirements with quantity requirements motivated by separation of duty considerations. A high-level policy associates a task with a term in the algebra and requires that all sets of users that perform the task satisfy the term. We give the syntax and semantics of the algebra and study algebraic properties of its operators. We also study several computational problems related to the algebra.


Published In

CCS '06: Proceedings of the 13th ACM conference on Computer and communications security
October 2006
434 pages
ISBN: 1595935185
DOI: 10.1145/1180405

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control
  2. category
  3. policy design
  4. separation of duty

Qualifiers

  • Article

Conference

CCS06
CCS06: 13th ACM Conference on Computer and Communications Security 2006
October 30 - November 3, 2006
Virginia, Alexandria, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
