An Efficient Verification Approach to Separation of Duty in Attribute-Based Access Control

IEEE Transactions on Knowledge and Data Engineering (2024)

Abstract
The problem considered in this paper is the verification and enforcement of separation of duty (SoD) constraints in attribute-based access control (ABAC) systems. We propose an efficient algorithm for checking the satisfiability of SoD constraints. It is based on the idea of partitioning all permissions of SoD constraints into two classes so as to compute the minimal number of users needed to accomplish each class of permissions, respectively. As a result, several SoD constraints with a certain class of permissions can be verified in polynomial time. Experimental results show that our method performs well compared with existing ones. When SoD violations occur, a 0-1 integer programming (IP) based enforcement solution is presented such that SoD violations can be resolved once and for all, and it is provably shown that such a solution does not result in the violation of other SoD constraints.
Keywords
Attribute based access control, separation of duty, polynomial-time verification, violation resolving