Dynamic Separation of Duty (DSoD) differs from Static Separation of Duty (SSoD) in when the Separation of Duty constraint is enforced.
Static Separation of Duty (SSoD) is typically determined when the roles are assigned to the users. Dynamic Separation of Duty (DSoD) is dynamically evaluated within the active session.
DSoD relations
DSoD relations place constraints on the roles that can be activated in a user’s session. If one role that takes part in a DSoD relation is activated, the user cannot activate the related (conflicting) role in the same session.
The Dynamic Separation of Duty concept becomes especially important when using Hierarchical RBAC, where a senior role may contain conflicting Separation of Duty constraints.
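The activation-time check described above, as an added example that is not part of the original page. The role names, the hierarchy and the helper names are constructed for illustration, and the constraint form (role set, n) goes beyond the pairwise case in the text: n=2 reproduces it.

```python
class DSoDViolation(Exception):
    """Raised when an activation would break a DSoD constraint."""

# Senior role -> the junior roles it inherits (constructed sample hierarchy).
JUNIORS = {
    "branch_manager": {"payment_initiator", "payment_approver"},
    "payment_initiator": {"employee"},
    "payment_approver": {"employee"},
}

# Each constraint: (conflicting role set, n). A session may never hold
# n or more roles from the set at once; n=2 is the pairwise case in the text.
DSOD = [({"payment_initiator", "payment_approver"}, 2)]

def effective(roles):
    """Return roles plus every junior role reachable through the hierarchy."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(JUNIORS.get(role, ()))
    return seen

class Session:
    def __init__(self, assigned):
        self.assigned = set(assigned)   # assignment itself is not limited by DSoD
        self.active = set()

    def activate(self, role):
        if role not in effective(self.assigned):
            raise PermissionError(f"{role} is not authorized for this user")
        candidate = effective(self.active | {role})
        for role_set, n in DSOD:
            hit = candidate & role_set
            if len(hit) >= n:
                raise DSoDViolation(f"{role} would activate {sorted(hit)} together")
        self.active.add(role)

    def deactivate(self, role):
        self.active.discard(role)

def try_activate(session, role):
    """Return True if activation succeeded, False on a DSoD violation."""
    try:
        session.activate(role)
        return True
    except DSoDViolation:
        return False
```

A user holding only the senior role can still activate one of its junior roles at a time; activating the senior role itself is refused because it would bring both conflicting roles into the session.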