- the safety condition: a condition that must be met to ensure that separation of duty requirements are not violated
- no user should hold all of the privileges that are required for any task requiring separation of duty
- M[i] = set of users authorized for role i
- P[i] = set of privileges authorized for role i
- C[t] = set of privileges required by task t, for each task t requiring separation of duty
- in these terms: for every user u and every such task t, the union of P[i] over the roles i with u in M[i] must not contain C[t]
Degree of privilege sharing by mutually exclusive roles and other roles
- read each pair of letters as: first, whether the two mutually exclusive roles share privileges with each other (D = disjoint, S = shared); second, whether their privileges may also be assigned to roles outside the exclusion relationship
- disjoint/disjoint (D/D) - if two roles are designated as mutually exclusive, then each privilege is assigned to only one of them, and a privilege assigned to either of them is not assigned to any other role; this is complete exclusion
- disjoint/shared (D/S) - the two roles share no privileges with each other, but their privileges may also be assigned to roles outside the exclusion relationship
- shared/disjoint (S/D) - the two roles may share privileges with each other, but none of their privileges is assigned to a role outside the exclusion relationship
- shared/shared (S/S) - privileges may be shared between the mutually exclusive roles, and a privilege assigned to one of them may also be assigned to roles outside the exclusion relationship; each role must still have at least one privilege not available to the other (otherwise one role's privileges would be a subset of the other's and the exclusion would add nothing); this is partial exclusion
Basic properties
- If authorization-time exclusion (static SoD) holds, then run-time exclusion (dynamic SoD) is maintained: a user who can never be authorized for both roles can never activate both.
- If complete exclusion holds, then partial exclusion is maintained.
- Mutually exclusive roles cannot both be brought into the active role set A of a session.
- Two roles i and j can be mutually exclusive only if they are incomparable within the role hierarchy, i.e. neither of them inherits the other directly or indirectly; equivalently, a role cannot inherit another role that has been designated as mutually exclusive with it.
- A role cannot be mutually exclusive with itself.
Constraints introduced by mutual exclusion
- If two roles are mutually exclusive, then they cannot have a common upper bound in the hierarchy: no role may inherit them both, because that role would hold the privileges of both and violate the mutual exclusion.
- The rules therefore also prohibit a "superuser" or "root" role that contains all other roles on the system. (What does this say about the RBAC products that limit the role hierarchy structure to a tree under a single root role?)
- If roles i and j are mutually exclusive with each other, then either P[i] and P[j] are disjoint sets, or else #P[i] >= 2 and #P[j] >= 2 (# denotes set cardinality).
- if complete exclusion is in effect, then they are disjoint
- if partial exclusion is in effect, then they may share privileges but each must have at least one privilege the other does not; a role that shares a privilege and also has one of its own therefore has at least two
Maintenance of safety condition
- If there are no empty privilege sets, then authorization-time (static) complete exclusion is sufficient to ensure the safety condition: no user is authorized for both roles of a pair, and their privileges are assigned to no other role, so no user can accumulate the privileges of both.
- Run-time (dynamic) complete exclusion ensures SoD safety only within a single user session; the same user may still be authorized for both roles and exercise them in separate sessions.
- The safety condition can be met for a subject s only if (at least) partial exclusion is maintained, so partial exclusion is necessary but not sufficient.
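The rules in these notes (the safety condition over M, P and C; static versus run-time exclusion; the D/D to S/S classification; incomparability, the no-common-upper-bound rule and the cardinality rule; the "superuser" consequence), as one added worked example that is not part of these notes or of the paper they summarise. It models M, P and C as Python dictionaries and adds an assumed role hierarchy and an assumed list of mutually exclusive pairs; every role, user, privilege and task name is constructed for illustration.

```python
# Added example (not from the original notes): a small checker for the
# separation-of-duty rules summarised above. Every name below (roles, users,
# privileges, tasks, hierarchy, mutex pairs) is a constructed assumption.

# M[i]: users authorized for role i
M = {
    "clerk":     {"alice", "bob"},
    "approver":  {"carol", "bob"},   # bob holds both roles of a mutex pair
    "auditor":   {"dave"},
    "manager":   {"erin"},
    "reporting": {"frank"},
}
# P[i]: privileges directly assigned to role i
P = {
    "clerk":     {"create_po"},
    "approver":  {"approve_po"},
    "auditor":   {"read_ledger", "sign_audit"},
    "manager":   {"read_ledger", "view_reports"},
    "reporting": {"view_reports"},
}
# C[t]: privileges required by task t, a task that requires separation of duty
C = {"purchase": {"create_po", "approve_po"}}
# Role hierarchy (assumed): a role inherits the privileges of the roles it maps to
INHERITS = {"manager": {"clerk"}}
# Pairs designated mutually exclusive (assumed)
MUTEX = [("clerk", "approver"), ("auditor", "manager")]


def inherited(role, hierarchy=INHERITS):
    """Roles that `role` inherits directly or indirectly (not including itself)."""
    seen, stack = set(), list(hierarchy.get(role, ()))
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, ()))
    return seen


def effective_privileges(role, hierarchy=INHERITS):
    """Directly assigned privileges plus everything inherited through the hierarchy."""
    return set(P[role]).union(*(P[r] for r in inherited(role, hierarchy)))


def user_privileges(user):
    """Union of effective privileges over every role the user is authorized for."""
    return set().union(*(effective_privileges(i) for i in M if user in M[i]))


def safety_violations():
    """(user, task) pairs where the safety condition fails: the user's combined
    privileges cover every privilege in C[t]."""
    users = set().union(*M.values())
    return sorted((u, t) for u in users for t in C if C[t] <= user_privileges(u))


def static_exclusion_violations(mutex=MUTEX):
    """Authorization-time exclusion: no user may be authorized for both roles of a pair."""
    return sorted((u, i, j) for i, j in mutex for u in M[i] & M[j])


def degree(i, j):
    """Classify a mutually exclusive pair as D/D, D/S, S/D or S/S: first letter is
    whether the two roles share privileges with each other, second is whether
    their privileges are also assigned to roles outside the pair."""
    between = "D" if P[i].isdisjoint(P[j]) else "S"
    others = set().union(*(P[r] for r in P if r not in (i, j)))
    outside = "D" if (P[i] | P[j]).isdisjoint(others) else "S"
    return f"{between}/{outside}"


def exclusion_problems(i, j, hierarchy=INHERITS):
    """Reasons why designating roles i and j mutually exclusive would be invalid."""
    if i == j:
        return ["a role cannot be mutually exclusive with itself"]
    problems = []
    if i in inherited(j, hierarchy) or j in inherited(i, hierarchy):
        problems.append("comparable: one role inherits the other")
    upper = sorted(r for r in (set(P) | set(hierarchy)) - {i, j}
                   if {i, j} <= inherited(r, hierarchy))
    if upper:  # a role inheriting both (e.g. a root role) would violate the exclusion
        problems.append("common upper bound: " + ", ".join(upper))
    if not P[i].isdisjoint(P[j]) and not (P[i] - P[j] and P[j] - P[i]):
        problems.append("shared privileges but no privilege unique to each role")
    return problems


def activate(active, role, mutex=MUTEX):
    """Run-time exclusion: add `role` to a session's active set A unless a
    mutually exclusive role is already active in that session."""
    for a in active:
        if (a, role) in mutex or (role, a) in mutex:
            raise PermissionError(f"{role} conflicts with active role {a}")
    return active | {role}


if __name__ == "__main__":
    print("safety violations:", safety_violations())
    print("static exclusion violations:", static_exclusion_violations())
    for i, j in MUTEX:
        print(i, j, degree(i, j), exclusion_problems(i, j) or "ok")
```

With the constructed data, `bob` is authorized for both `clerk` and `approver` and so fails both the static exclusion check and the safety condition for the `purchase` task; `erin` inherits `create_po` through the hierarchy but never gains `approve_po`, so the safety condition holds for her. Passing a hierarchy with a `root` role that inherits every other role makes `exclusion_problems` report a common upper bound for any mutually exclusive pair, which is the "no superuser role" consequence above.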