Separation of duty (SoD) is an important security principle used for prevention of fraud and errors. It is used to enforce conflict of interest policies, requiring that two or more different users be responsible for the completion of a task or set of related tasks.

Why it is Needed#

The purpose of Separation of Duty in RBAC is "to ensure that failures of omission or commission within an organization are caused only as a result of collusion among individuals. To minimize the likelihood of collusion, individuals of different skills or divergent interests are assigned to separate tasks required in the performance of a business function. The motivation is to ensure that fraud and major errors cannot occur without deliberate collusion of multiple users" [1].

The simplest form of the SoD principle states that if a sensitive task consists of two steps, then a different user should perform each step. More generally, when a sensitive task consists of n steps, an SoD policy requires the cooperation of at least k (for some k ≤ n) different users to complete it.


Consider the following example of purchasing and paying for goods. The steps to perform such a task are:
  • (1) ordering the goods and recording the details of the order;
  • (2) recording the arrival of the invoice and verifying that the details on the invoice match the details of the order;
  • (3) verifying that the goods have been received, and the features of the goods match the details on the invoice;
  • (4) authorizing the payment to the supplier against the invoice [2].
We want to ensure that no payment is released for an order that was never placed, and that the goods received match those in the order and on the invoice. A policy that requires a different user for each step may be too restrictive: it may be permissible, for instance, for the user who places the order to also record the arrival of the invoice.

One may instead require that (a) the cooperation of at least three users is needed to perform all four steps, and (b) two different users perform steps (1) and (4) (i.e., no single user can both order goods and authorize payment for them).
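As an added illustration (not part of the original page or the cited standard), the following Python checks an assignment of users to the four purchasing steps against exactly the two constraints above: at least k = 3 distinct users across all n = 4 steps, and different users for steps (1) and (4). It also shows the run-time form of the check, which refuses an action that would make the policy impossible to satisfy for the remaining steps. The user names are constructed sample data.

```python
# Steps of the purchasing task from the page, numbered 1..4.
STEPS = (1, 2, 3, 4)


def check_sod(assignment, k=3, exclusive_pairs=((1, 4),)):
    """Check a completed assignment {step: user} against the SoD policy:
      (a) at least k distinct users must cooperate to perform all n steps;
      (b) each pair in exclusive_pairs must be performed by different users.
    Returns a list of violation messages; an empty list means the policy holds."""
    violations = []
    missing = [s for s in STEPS if s not in assignment]
    if missing:
        violations.append(f"steps {missing} are unassigned")
    users = {assignment[s] for s in STEPS if s in assignment}
    if len(users) < k:
        violations.append(
            f"only {len(users)} distinct user(s) perform the task; "
            f"policy requires at least {k}")
    for a, b in exclusive_pairs:
        if a in assignment and b in assignment and assignment[a] == assignment[b]:
            violations.append(
                f"user {assignment[a]!r} performs both step {a} and step {b}")
    return violations


def may_perform(history, step, user, k=3, exclusive_pairs=((1, 4),)):
    """Run-time check: may `user` perform `step`, given `history` ({step: user}
    of steps already completed for this order)?  An action is refused if it
    repeats a step, pairs the user with a mutually exclusive step, or leaves
    too few remaining steps to ever reach k distinct users."""
    if step in history:
        return False  # each step is performed once per order
    proposed = dict(history)
    proposed[step] = user
    for a, b in exclusive_pairs:
        if a in proposed and b in proposed and proposed[a] == proposed[b]:
            return False
    distinct = len(set(proposed.values()))
    remaining = len(STEPS) - len(proposed)
    # Even if every remaining step went to a fresh user, could we reach k?
    return distinct + remaining >= k


if __name__ == "__main__":
    # Constructed sample: alice orders and logs the invoice, bob checks
    # the goods, carol authorizes payment -- this satisfies (a) and (b).
    print(check_sod({1: "alice", 2: "alice", 3: "bob", 4: "carol"}))
    # alice ordering and then authorizing payment violates (b).
    print(check_sod({1: "alice", 2: "bob", 3: "carol", 4: "alice"}))
```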

Static Separation of Duty#

Dynamic Separation of Duty#

[#1] ANSI. American National Standard for Information Technology- Role Based Access Control, ANSI INCITS 359-2004, 2004.

[#2] N. Li, Z. Bizri, and M. V. Tripunitara, On mutually exclusive roles and separation of duty, In Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 42-51, Washington DC, USA, 2004.

« This page (revision-11) was last changed on 30-Jan-2015 10:41 by jim