Beyond Separation of Duty: An Algebra for Specifying High-level Security Policies
Author
Ninghui Li, Qihua Wang, Mahesh Tripunitara
Tech report number
CERIAS TR 2005-75
Entry type
article
Abstract
A separation of duty policy requires a sensitive task to be performed by a team of at least k users.
It states a high-level requirement about the task without the need to refer to individual steps in the task.
While extremely important and widely used, separation of duty policies cannot capture qualification
requirements on users involved in the task. In this paper, we introduce a novel algebra that enables the
specification of high-level policies that combine user qualification requirements with separation of duty
considerations. A high-level policy associates a task with a term in the algebra and requires that all
sets of users that perform the task satisfy the term. Our algebra has four operators. We give the syntax
and semantics of the algebra and study algebraic properties of these operators. We also study several
computational problems related to the algebra. As our algebra is about the general concept of sets of
sets, we conjecture that it will prove to be useful in other contexts as well.
Date
2006-01-31
Key alpha
access control
School
Purdue University
Affiliation
Department of Computer Science and CERIAS
Publication Date
2006-01-31

