Specifying and Enforcing the Principle of Static Separation of Duty in Multi Domain

Abstract

Role-based access control model (RBAC) has broadly applied in different enterprises to provide security protection for enterprise security products. In these systems, the important aspect and principle are some constraints. In this model the most frequently mentioned constraint is separation of duty constraint policy that includs static separation of duty constraint policy and dynamic separation of duty constraint policy respectively. However, little research has been done to specify and enforce the principle of static separation of duty under multi domain. Based on the current research status,on the basis of IRBAC 2000, we first descirbe and study the static separation of duty in two domains. Then give a general definition of global static separation of duty and strict global static separation of duty in order to satisfy the multi domain security requirement and management in real scenario. We also study the computational complexity of global static separation of duty. Furthermore, we put forward a methodto enforce global static separation of duty through global mutually exclusive role constraint in multi domain.