Overview
This technology analyzes separation of duty in role assignments, authorization policies, and log files. Static separation-of-duty constraints can be specified and evaluated for Tivoli® Access Manager for E-Business 6.0, Tivoli Identity Manager 5.0, and HTTP servers (log analysis only). Entitlement and accessor reports provide further insight into resource access. Log file analysis evaluates separation-of-duty constraints on Tivoli Access Manager native audit logs and standard HTTP logs. Separation of Duties and Entitlement Analyzer was developed by IBM research teams in Tokyo and Zurich.
The analyzer is implemented in Java™ and packaged as a Java Enterprise Edition (JEE) Web application containing the analysis functions, reports, and a Web-based console, which provides an editor for creating basic separation-of-duty constraints. The analyzer can be deployed into any JEE 1.4 container. After deployment, target systems are configured in the console. Note that the analyzer and the target systems can reside on different computers.
The separation-of-duty and entitlement policy analysis operates internally on XACML, the OASIS standard for authorization policy. When an analysis function is performed, policy information is first extracted from Tivoli Access Manager and then translated into XACML. The analysis functions are then performed on the XACML policy.
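The two kinds of check described above, a static constraint on role assignments and a log-based constraint on HTTP access, as an added illustration that is not the analyzer's own code; the role names, resource paths and log lines are constructed sample data, and the log format assumed is the Common Log Format that standard HTTP servers write:

```python
import re
from collections import defaultdict

# Constructed sample data (hypothetical users, roles and resources).
# Static SoD constraint: no single user may hold both roles of a pair.
CONFLICTING_ROLES = [("invoice-approver", "payment-releaser")]
ROLE_ASSIGNMENTS = {
    "alice": {"invoice-approver"},
    "bob": {"payment-releaser", "auditor"},
    "carol": {"invoice-approver", "payment-releaser"},
}
# Log-level constraint: the same user must not exercise both resources of a pair.
CONFLICTING_RESOURCES = [("/finance/approve", "/finance/release")]
HTTP_LOG = """\
10.0.0.5 - alice [10/Oct/2008:13:55:36 +0000] "POST /finance/approve HTTP/1.1" 200 512
10.0.0.6 - bob [10/Oct/2008:13:57:01 +0000] "POST /finance/release HTTP/1.1" 200 412
10.0.0.7 - dave [10/Oct/2008:14:02:10 +0000] "POST /finance/approve HTTP/1.1" 200 512
10.0.0.7 - dave [10/Oct/2008:14:03:44 +0000] "POST /finance/release HTTP/1.1" 200 412
10.0.0.8 - erin [10/Oct/2008:14:05:00 +0000] "POST /finance/release HTTP/1.1" 403 0
"""
# Common Log Format: host ident authuser [date] "method path proto" status bytes
CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

def static_violations(assignments, conflicts):
    """Users who hold both roles of a mutually exclusive pair."""
    return sorted((u, a, b) for u, roles in assignments.items()
                  for a, b in conflicts if a in roles and b in roles)

def log_violations(log_text, conflicts):
    """Users whose granted requests touched both resources of a pair."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than mis-attribute them
        user, path, status = m.group(3), m.group(6), int(m.group(7))
        if user != "-" and 200 <= status < 300:  # only count granted accesses
            touched[user].add(path)
    return sorted((u, a, b) for u, paths in touched.items()
                  for a, b in conflicts if a in paths and b in paths)

if __name__ == "__main__":
    print(static_violations(ROLE_ASSIGNMENTS, CONFLICTING_ROLES))
    print(log_violations(HTTP_LOG, CONFLICTING_RESOURCES))
```

Note that erin's denied (403) request to the release resource does not count as an access, so only dave, who was granted both conflicting resources, is reported from the log.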
Related publications
- G. Karjoth, A. Schade and E. Van Herreweghen. Implementing ACL-based Policies in XACML. 24th Annual Computer Security Applications Conference, pages 183-192. IEEE Computer Society, 2008.
- C. Giblin and S. Hada. Towards Separation of Duties for Services. 6th Int. Workshop on SOA & Web Services Best Practices Committee, OOPSLA, Nashville, October 19, 2008.