Um Modelo Pragmático de Separação de Responsabilidades para o Controle de Acesso Baseado em Papéis

Bruno C. B. Figueiredo; Gustavo H. M. B. Motta

doi:10.5753/sbseg.2007.20927

Bruno C. B. Figueiredo UFPB / Unimed-JP
Gustavo H. M. B. Motta UFPB

DOI: https://doi.org/10.5753/sbseg.2007.20927

Abstract

The separation of duties (SD) is a security principle accepted in the appliance of policies for reduction of conflict of interests. This work proposes a pragmatic model of SD (Pragma SD) for the role based access control model (RBAC), which concerns about actual situations on the regular work of companies. In Pragma SD, the association between roles and users and the role hierarchy are orthogonal to the SD policies. So, the SD doesn't affect the administration of the relations between users, roles and permissions, like is noted in the SD of the RBAC model. By this way, a user can have roles where there are conflicts of interests, just being prohibited to execute the tasks where the conflicts exist.

References

Ahn, G. e Sandhu R., (2000) “Role-Based Authorization Constrains Specification”, ACM Transactions on Information and System Security, vol. 3, n. 4, p. 207-226, November.

ANSI/INCITS 359-2004. (2004) Information Technology: Role Based Access Control. InterNational Committee for Information Technology Standards, 56 p. February.

Brewer, D. F. C. e Nash, M. J. (1989) “The Chinese Wall Security Policy”. In: IEEE Symposium on Security and Policy, Proceedings... p. 206-214.

Clark, D. e Wilson, D. (1987) “A Comparison of Commercial and Military Computer Security Policies”. In: IEEE Symposium on Security and Policy, Proceedings... p. 184-194.

EUA. Public Law 107-204 (2002). Sarbanes-Oxley Act of 2002. Washignton, DC: The Library of Congress. Disponível em: <http://thomas.loc.gov/cgi-bin/bdquery/z?d107:HR03763:>. Acesso em: 23 mar. 2007.

Ferraiolo, D. F., Sandhu, R., Gavrila, S., Kuhn, D. R. e Chandramouli, R. (2001) “Proposed NIST Standard for Role-Based Access Control”, ACM Transactions on Information and System Security, v. 4, n. 3, p. 224-274, August.

Ferraiolo, D. F., Kuhn, D. R. e Chandramouli, R. Role-Based Access Control. Boston: Artech House, 2003.

Giorgini, P., Massacci, F., Mylopoulos, J. e Zannone N. (2006) “Detecting Conflicts of Interest”, In 14th IEEE International Requirements Engineering Conference (RE´06), Proceedings… p. 315 – 318.

Gligor, V. D., Gavrila, S. I. e Ferraiolo, D. (1998) “On the Formal Definition of Separation of Duty Policies and Their Composition”, In IEEE Symposium on Security and Privacy, Proceedings… p. 172 – 183.

IBM Corporation. (2004) Addressing the Key Implications of Sarbanes-Oxley. September. Disponível em: <http://www.bizforum.org/whitepapers/ibm.htm>. Acesso em: 23 mar. 2007.

Kuhn, D. R. (1997) “Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems”, In: Second ACM Workshop on Role-Based Access Control, Proceedings… p. 23-30. .

Moon C., Park D, Park S. e Baik D. (2004) “Symmetric RBAC Model that Takes the Separation of Duty and Role Hierarchies into Consideration”, Computers & Security, v. 23, p. 126-136.

Motta, G. H. M. B. e Furuie, S. S. (2004) “Separação de Responsabilidades Orientada a Aplicação no MACA: um Modelo de Autorização Contextual para o Controle de Acesso Baseado em Papéis”, In: VI Simpósio de Segurança em Informática, Anais... 11 p.

NIST. RBAC and Sarbanes-Oxley Compliance. (2005) Sítio do NIST que disponibiliza informações sobre o padrão RBAC (Role-Based Access Control). Disponível em: <http://csrc.nist.gov/rbac/sarbanes-oxley-compliance.html>. Acesso em: 23 março. 2007.

Oh, S. e Park, S. (2003) “Task-Role-Based Access Control Model”, Information Systems, v. 28, p. 533-562.

Sandhu, R. S., Coyne, E. J., Feinstein, H. L. e Youman, C. E. (1996) “Role-Based Access Control Models”, Computer, p. 38-47, February.

Um Modelo Pragmático de Separação de Responsabilidades para o Controle de Acesso Baseado em Papéis

Abstract

References

Most read articles by the same author(s)