
Method and System for Providing Attribute Domain Based Rules for Administering Separation of Duties

IP.com Disclosure Number: IPCOM000196796D
Publication Date: 2010-Jun-16
Document File: 3 page(s) / 34K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method and system for providing attribute domain based rules for administering separation of duties is disclosed. Attribute specific rules are defined, along with a methodology for applying these rules to a given incident. This allows an employee to perform more activities within a flexible framework based on the proposed methods for defining an incident.

This is the abbreviated version, containing approximately 51% of the total text.


Method and System for Providing Attribute Domain Based Rules for Administering Separation of Duties

Disclosed is a method and system for providing attribute domain based rules for administering separation of duties. Attribute data is maintained in the authority itself, and the system has the ability to reference the attribute data linked to the authority. In addition, a Separation of Duties (SoD) matrix indicates whether the attribute data can be considered for a given incident. Moreover, attribute specific rules are defined along with the methodology for applying those rules to a given incident. Thereafter, SoD authority attribute data and logic are provided to end applications as a service, for use at the time an authority is referenced at a control point in the application. The routines that reference an authority against the SoD matrix may additionally consider attribute data before deciding whether to allow or disallow an activity. Subsequently, domains are defined for an authority that may conflict with another authority or "authority + domain" combination.

In one instance, an algorithm for providing attribute domain based rules for administering separation of duties is described in two parts. The first part of the algorithm describes an attribute authority based incident definition.

In present SoD systems, authorizations are either conflicting or non-conflicting. However, in many cases an incident only exists at the intersection of two or more authorizations: each authorization entitles a user to act upon a set of attribute values, and the incident is reflected at the intersection of those sets. Therefore, the method and system disclosed herein allow a domain to be set for an authority that may conflict with another authority or "authority + domain" combination. In addition, set theory notation is used to define incidents in terms of activities or duties and domains. A domain is the set of attribute values associated with the authorization. Setting the domain to "Universal" means that the domain covers everything; hence two conflicting authorizations with domains set to "Universal" behave similarly to incidents defined in present SoD systems. Domains are defined by one or more pairs of attribute and attribute values. This set of values may be realized as a static or dynamic list; for dynamic sets, a Structured Query Language (SQL) statement, an Extensible Markup Language (XML) document, a service, a flat file, or another external source may define the domain.
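As an added illustration (not code from the disclosure), the following Python models authorities with attribute domains, a small SoD matrix of conflicting authorities, and the check that reports an incident only where the domains of two conflicting authorizations intersect; the authority names, attribute names and SoD matrix entries are constructed sample values.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# A domain maps an attribute to the set of values the authority covers.
# An attribute missing from the domain, or mapped to None, is "Universal"
# for that attribute; the empty dict is therefore the Universal domain.
Domain = Dict[str, Optional[FrozenSet[str]]]
UNIVERSAL: Domain = {}

# SoD matrix as unordered pairs of conflicting authorities (constructed sample).
SOD_MATRIX = {
    frozenset({"Administer Contracts", "Approve Payments"}),
}


def domains_intersect(d1: Domain, d2: Domain) -> bool:
    """True if at least one attribute-value combination lies in both domains."""
    for attr in d1.keys() & d2.keys():
        v1, v2 = d1[attr], d2[attr]
        if v1 is None or v2 is None:
            continue        # Universal on this attribute: no restriction
        if not (v1 & v2):
            return False    # restricted on both sides with no common value
    return True             # attributes restricted on one side only do not block


def find_incidents(assignments: List[Tuple[str, Domain]]) -> List[Tuple[str, str]]:
    """Incidents for one user: conflicting authority pairs whose domains overlap."""
    incidents = []
    for i, (a1, d1) in enumerate(assignments):
        for a2, d2 in assignments[i + 1:]:
            if frozenset({a1, a2}) in SOD_MATRIX and domains_intersect(d1, d2):
                incidents.append((a1, a2))
    return incidents


if __name__ == "__main__":
    held = [
        ("Administer Contracts", {"contract": frozenset({"C-100", "C-200"})}),
        ("Approve Payments", {"contract": frozenset({"C-300"})}),
    ]
    print(find_incidents(held))   # [] : disjoint contract sets, no incident
    held[1] = ("Approve Payments", UNIVERSAL)
    print(find_incidents(held))   # [('Administer Contracts', 'Approve Payments')]
```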

While identifying incidents, the solution additionally allows the user to define one or more attributes, their value domains, and a rule. For example, the domain for the authorization "Administer Contracts" is the set of work items (the attribute) belonging to the contracts that the user administers (the attribute's domain). This may be represented in multiple formats; for example, the representation in SQL format is as follows:

A:

SELECT WORK_ITEM
FROM...