Enforcement of Spatial Separation of Duty Constraint

Securing access to data in location-based services and mobile applications pose interesting security requirements against spatially aware access control systems. In particular, the permissions assigned to users depend on their physical positions in a reference space. When a session is established in a spatial regionby users, some spatial constraints related to thissession will be triggered and control the session process during its life automatically. There are often multiple mutually exclusive spatial roles (MESR)constraints that can enforce the same spatial separation of duty policy (SSoD). Although the different MESR constraints can enforce the same effect on the same session, we have found that the different MESR constraints are varying greatly in the enforcement efficiency. The more precise the MESR sets are defined for enforcing an SSoD policy, the less overhead the system is suffered. In this paper, we argue that enforcement of SSoD policies is realized by specifying minimal MESR constraints. By comparing the different MESR constraints which can enforce the same SSoD, we conclude the minimal MESR constraints can avoid redundant restrictiveness effectively and enforce the SSoD policy precisely. We also present an algorithm that generates all minimal MESR constraints that are precise for enforcing oneSSoD policy.