  • DocumentCode
    3119904
  • Title
    Authorization constraint enforcement for information system security
  • Author
    Hewett, Rattikorn ; Kijsanayothin, Phongphun
  • Author_Institution
    Dept. of Comput. Sci., Texas Tech Univ., Abilene, TX
  • fYear
    2008
  • fDate
    12-15 Oct. 2008
  • Firstpage
    3502
  • Lastpage
    3507
  • Abstract
    Managing access authorities is critical to the security of information systems. To prevent fraud or abuse due to conflict of interests, a well-known authorization constraint called separation of duty (SoD) is commonly applied. SoD ensures that no single user receives too many authorities. Enforcement of authorization constraints such as SoD in large organizations can be difficult due to the large number of information system users, the variety of assets involved, and tasks that require roles that may be shared or delegated at multiple levels. Most existing work in this area focuses on specifications of SoD constraints and assumes that constraints can be enforced by logical inference mechanisms at run-time. A drawback of this approach is that when violations occur, finding alternative role activations at run-time may not be feasible. This can result in delays or even failure for critical service transactions. Moreover, logic-based systems are difficult to understand and do not scale easily. This paper presents an algorithmic set-based approach that automatically checks for SoD compliance prior to run-time by searching for a set of valid role activations. The paper discusses details of this approach and illustrates its use in managing access authorizations in a health insurance claim processing system.
  • Keywords
    authorisation; health care; information systems; insurance data processing; logic programming; access authorizations; authorization constraint enforcement; fraud prevention; health insurance claim processing system; information system security; logic-based systems; separation of duty; Access control; Authorization; Computer security; Delay; Inference mechanisms; Information security; Information systems; Management information systems; Protection; Runtime; conflict of interest; information security; policy compliance; role-based access control; separation of duty;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Systems, Man and Cybernetics, 2008. SMC 2008. IEEE International Conference on
  • Conference_Location
    Singapore
  • ISSN
    1062-922X
  • Print_ISBN
    978-1-4244-2383-5
  • Electronic_ISBN
    1062-922X
  • Type
    conf
  • DOI
    10.1109/ICSMC.2008.4811840
  • Filename
    4811840