Static Separation of Duty (SSoD) differs from Dynamic Separation of Duty (DSoD) based on the when the enforcement of the Separation of Duty constraint is performed.

Static Separation of Duty is typically determined when the roles are assigned to the users. Dynamic Separation of Duty is dynamically evaluated within the active session.

(SSoD) relations #

  • prevents conflict of interests that arise when a user gains permissions associated with conflicting roles
  • (SSoD) relations are specified for any pair of roles that conflict.

The Dynamic Separation of Duty concept becomes especially important when utilizing RBAC Hierarchical where a senior role may contain conflicting Separation of Duty constraints.

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-3) was last changed on 19-Nov-2009 09:03 by jim