jspωiki
Static Separation of Duty

Static Separation of Duty (SSoD) differs from Dynamic Separation of Duty (DSoD) based on the when the enforcement of the Separation of Duty constraint is performed.

Static Separation of Duty is typically determined when the roles are assigned to the users. Dynamic Separation of Duty is dynamically evaluated within the active session.

(SSoD) relations #

  • prevents conflict of interests that arise when a user gains permissions associated with conflicting roles
  • (SSoD) relations are specified for any pair of roles that conflict.

The Dynamic Separation of Duty concept becomes especially important when utilizing RBAC Hierarchical where a senior role may contain conflicting Separation of Duty constraints.