A History-based Constraint for Separation-of-Duty Policy in Role Based Access Control Model

Separation-of-duty (SoD) is widely considered to be a fundamental principle in computer security. Role-based access control (RBAC) is today's dominant access control model, and supporting SoD policy is widely regarded as one of RBAC's main strengths. In this paper, we show that checking whether a RBAC state satisfies a given static SoD (SSoD) policy is a coNP-complete problem, and using statically mutually exclusive roles (SHIER) to enforce SSoD is usually computationally expensive, while enforcing SSoD policies by a history-based constraint is practicable. Our approach is focused on high-level SSoD policy, and the key idea is to record each permission access request, this history is maintained and processed by two different mechanisms based on two cases, one case is n=2 or m=n, the other case is 2<n<m, The history-based constraint consists of the two cases addresses the goal of the high-level SSoD policy in RBAC model.