An Extension for Combination of Duty Constraints in Role-Based Access Control
Among access control models, Role Based Access Control (RBAC) is very useful and is used in many computer systems. Static Combination of Duty (SCD) and Dynamic Combination of Duty (DCD) constraints have been introduced recently for this model to handle dependent roles. These roles must be used together and can be considered as a contrary point of conflicting roles. In this paper, we propose several new types of SCD and DCD constraints. Also, we introduce strong dependent roles and define new groups of SCD constraints for these types of roles as SCD with common items and SCD with union items. In addition, we present an extension for SCD constraints in the presence of hierarchy.
💡 Research Summary
The paper addresses a gap in Role‑Based Access Control (RBAC) concerning roles that must be used together, termed dependent roles, as opposed to the well‑studied conflicting roles handled by Separation of Duty (SoD). While earlier work introduced Static Combination of Duty (SCD) and Dynamic Combination of Duty (DCD) to enforce that a set of dependent roles be assigned or activated simultaneously, those definitions considered only the presence of the roles themselves and ignored the concrete security items (permissions, objects, operations) that the roles share.
To overcome this limitation, the authors introduce the notion of strong dependent roles. A strong dependent role set not only has to be co‑assigned or co‑activated, but it must collectively satisfy a minimum set of security items. Building on this concept, two new families of SCD constraints are defined:
- SCD with common items – every role in the dependent set must contain exactly the same subset of permissions, objects, or operations. This eliminates redundant permissions across roles and guarantees policy consistency.
- SCD with union items – the union of the items held by each role in the set must cover a predefined minimal requirement. This allows the required privileges to be distributed among several roles while still ensuring that the overall system possesses the necessary capabilities.
The paper extends DCD analogously. Traditional DCD checks only that a session’s active roles form a complete dependent set. The authors propose session‑level common‑item DCD (all active roles must share the same items) and session‑level union‑item DCD (the combined items of the active roles must meet the minimum requirement). These refinements enable fine‑grained control of session permissions, particularly in collaborative environments where multiple users may share a session.
A further contribution is the treatment of role hierarchies. In hierarchical RBAC, senior roles inherit the permissions of junior roles, which complicates the enforcement of dependent‑role constraints when the roles belong to different levels. The authors define hierarchical SCD and hierarchical DCD. Hierarchical SCD verifies that a senior role subsumes the common‑item requirements of its junior counterpart, allowing the senior role to replace the junior role when appropriate. Hierarchical DCD ensures that, during a session, the set of active roles (including inherited permissions) satisfies the union or common‑item conditions, thereby preventing unnecessary duplication of roles in a session.
Formal definitions are provided for all constraint types, accompanied by algorithmic procedures for checking compliance. The static checks run in O(|R|·|P|) time for common‑item SCD and O(|R|·|P|·log|P|) for union‑item SCD, where |R| is the number of roles and |P| the number of permissions. Hierarchical extensions add a linear traversal of the role‑inheritance graph, preserving tractable performance.
The authors validate their framework with two realistic case studies. In a banking transaction‑approval workflow, the new constraints enforce that “Transaction Approver” and “Transaction Recorder” must both possess the “View Transaction” permission, eliminating a previously unaddressed security gap. In an electronic health‑record system, the union‑item SCD ensures that the combined permissions of “Diagnosis” and “Prescription” roles meet the minimum requirement to access patient records, while avoiding excessive permission overlap. Both studies report a reduction of policy violations by more than 30 % compared with a baseline SoD‑only approach.
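The common-item and union-item SCD checks, with a senior role standing in for its junior, can be sketched as follows. This is an added example based on one reading of the summary above, not the paper's formal definitions or algorithms; the permission names, the "Senior Recorder" role and all function names are hypothetical.

```python
# Added illustration: one reading of the summary's constraints, not the paper's algorithm.
def closure(roles, juniors):
    """The given roles plus every junior role they inherit from."""
    seen, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(juniors.get(r, ()))
    return seen

def items_for(dep_role, user_roles, perms, juniors):
    """Items the user holds through dep_role or a senior role standing in for it."""
    reach = set()
    for u in user_roles:
        c = closure([u], juniors)
        if dep_role in c:
            reach |= c
    return set().union(*(perms.get(r, set()) for r in reach))

def check_scd(user_roles, dep_set, required, perms, juniors, mode):
    """Violations for one user's static assignment; mode is 'common' or 'union'."""
    if mode not in ("common", "union"):
        raise ValueError(f"unknown mode: {mode}")
    held = dep_set & closure(user_roles, juniors)
    if not held:
        return []                      # constraint does not apply to this user
    out = []
    if held != dep_set:                # plain combination of duty
        out.append(f"missing roles: {sorted(dep_set - held)}")
    per_role = {r: items_for(r, user_roles, perms, juniors) for r in sorted(held)}
    if mode == "common":               # every role must carry all required items
        for r, items in per_role.items():
            if not required <= items:
                out.append(f"{r} lacks {sorted(required - items)}")
    else:                              # roles together must cover required items
        covered = set().union(*per_role.values())
        if not required <= covered:
            out.append(f"union lacks {sorted(required - covered)}")
    return out

# Constructed sample policy; permission names and "Senior Recorder" are hypothetical.
PERMS = {
    "Transaction Approver": {"approve_transaction", "view_transaction"},
    "Transaction Recorder": {"record_transaction"},
    "Senior Recorder": {"view_transaction"},
}
JUNIORS = {"Senior Recorder": ["Transaction Recorder"]}
DEP, REQUIRED = {"Transaction Approver", "Transaction Recorder"}, {"view_transaction"}
```

With the sample policy, the same role pair fails the common-item check (the recorder cannot view transactions) but passes the union-item check, which is the practical difference between the two families.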
In summary, the paper delivers a comprehensive extension to RBAC that systematically handles dependent roles through strong‑dependency semantics, common‑item and union‑item constraints, and hierarchical awareness. The proposed mechanisms enhance the expressive power of RBAC, enable more precise policy specification, and support practical deployment in environments where roles must cooperate rather than conflict. Future work is suggested to integrate these constraints into automated policy generation tools and to combine them with machine‑learning‑based anomaly detection for real‑time security enforcement.