Separation of Duties (SOD) in RBAC

Posted by Edward Killeen on Tue, Jul 17, 2012

You know that guy in accounting you just don't like and wish you didn't have to talk to?  Well, there's a chance that you don't have to!  Separation of Duties (SOD) to the rescue.

separation of duties RBACIt doesn't really work like that but there are some mutually exclusive roles.  One where if you have these sets of permissions, you cannot have another set of permissions.  Some of these are security related (for example, you have permission to create a user, you should not have permission to add them to the financials group, this keeps one person from being able to create a fake user to access critical financial reports).  Some are regulatory (for example, in a bank the analysts should not be able to have access to customer records, the bankers should not have access to analyst reports).

Once you are controlling permissions and access with roles (using Role based access control aka RBAC), it is simple to make roles mutually exclusive.  If you are a member of one role, you cannot be a member of another.  If you are a member of one role, you need CEO approval to be a member of another.  This creates a separation of duties.

I always picture it in action like a Hollywood need two keys to detonate the bomb and there is a tense standoff as the one guy knows they shouldn't do it.  Separation of duties is just like that.  Just. Like. That.

Once you've configured your roles to show what your users can do, you need to take that next deeper dive into what that same user shouldn't be able to do.  A good mapping of roles and SOD rules will make your organization more secure and your auditors much happier. 

If you are one of those "a picture is worth a thousand words" types, give us 15 minutes to show you how SOD works in RBAC by scheduling a demonstration.

Click me

Tags: Role Based Access Control (RBAC)