{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T02:34:10Z","timestamp":1782873250605,"version":"3.54.5"},"reference-count":112,"publisher":"Association for Computing Machinery (ACM)","issue":"7","license":[{"start":{"date-parts":[[2025,2,20]],"date-time":"2025-02-20T00:00:00Z","timestamp":1740009600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2025,7,31]]},"abstract":"<jats:p>Separation of Duty (SoD) is a fundamental security principle that ensures critical tasks or functions are divided among multiple users to prevent fraud. The topic of SoD spans over many different areas, such as Identity and Access Management, Workflows, Petri nets, or high-level enterprise management. In this survey article, we conduct a systematic and stand-alone literature review on SoD. We develop a multi-level classification scheme and analyze the state-of-the-art and current trends in SoD research as well as the current challenges and potential research gaps. To the best of our knowledge, this is the first effort to comprehensively survey and structure SoD literature.<\/jats:p>","DOI":"10.1145\/3715959","type":"journal-article","created":{"date-parts":[[2025,1,30]],"date-time":"2025-01-30T11:04:52Z","timestamp":1738235092000},"page":"1-35","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Separation of Duty in Information Security"],"prefix":"10.1145","volume":"57","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-1097-4967","authenticated-orcid":false,"given":"Sebastian","family":"Groll","sequence":"first","affiliation":[{"name":"Nexis GmbH, Regensburg, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-8432-6755","authenticated-orcid":false,"given":"Ludwig","family":"Fuchs","sequence":"additional","affiliation":[{"name":"Nexis GmbH, Regensburg, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1338-9003","authenticated-orcid":false,"given":"G\u00fcnther","family":"Pernul","sequence":"additional","affiliation":[{"name":"Informatik, Universit\u00e4t Regensburg, Regensburg, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,2,20]]},"reference":[{"key":"e_1_3_2_2_2","first-page":"43","volume-title":"4th ACM Workshop on Role-based Access Control (RBAC\u201999)","author":"Ahn Gail-Joon","year":"1999","unstructured":"Gail-Joon Ahn and Ravi Sandhu. 1999. The RSL99 language for role-based separation of duty constraints. In 4th ACM Workshop on Role-based Access Control (RBAC\u201999). Association for Computing Machinery, New York, NY, USA, 43\u201354."},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","unstructured":"Gail-Joon Ahn and Ravi Sandhu. 2000. Role-based authorization constraints specification. ACM Transactions on Information and System Security (TISSEC) 3 4 (Nov.2000) 207\u2013226. DOI:10.1145\/382912.382913","DOI":"10.1145\/382912.382913"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2006.03.009"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/SERVICES.2010.62"},{"key":"e_1_3_2_6_2","first-page":"138","volume-title":"Trust, Privacy and Security in Digital Business","author":"Alm Christopher","year":"2009","unstructured":"Christopher Alm, Ruben Wolf, and Joachim Posegga. 2009. The OPL access control policy language. In Trust, Privacy and Security in Digital Business, Simone Fischer-H\u00fcbner, Costas Lambrinoudakis, and G\u00fcnther Pernul (Eds.). Springer Berlin, 138\u2013148."},{"key":"e_1_3_2_7_2","unstructured":"American National Standards Institute. 2004. Role Based Access Control. ANSI\/INCITS 359-2004. https:\/\/csrc.nist.gov\/projects\/role-based-access-control last accessed February 6 2025."},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.1992.228226"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/FiCloud.2015.43"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101802"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","unstructured":"David Basin Samuel J. Burri and G\u00fcnter Karjoth. 2012. Dynamic enforcement of abstract separation of duty constraints. ACM Transactions on Information and System Security (TISSEC) 15 3 Article 13 (Nov.2012) 30 pages. DOI:10.1145\/2382448.2382451","DOI":"10.1145\/2382448.2382451"},{"key":"e_1_3_2_12_2","doi-asserted-by":"crossref","unstructured":"Elisa Bertino Elena Ferrari and Vijay Atluri. 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2 1 (Feb.1999) 65\u2013104.","DOI":"10.1145\/300830.300837"},{"key":"e_1_3_2_13_2","first-page":"131","article-title":"Constraints specification in attribute based access control","volume":"2","author":"Bijon Khalid","year":"2013","unstructured":"Khalid Bijon, R. Krishman, and R. Sandhu. 2013. Constraints specification in attribute based access control. Science 2 (012013), 131\u2013144.","journal-title":"Science"},{"key":"e_1_3_2_14_2","doi-asserted-by":"crossref","first-page":"133","DOI":"10.1007\/978-3-319-60795-5_14","volume-title":"Data Analytics","author":"Bollwein Ferdinand","year":"2017","unstructured":"Ferdinand Bollwein and Lena Wiese. 2017. Closeness constraints for separation of duties in cloud databases as an optimization problem. In Data Analytics, Andrea Cal\u00ec, Peter Wood, Nigel Martin, and Alexandra Poulovassilis (Eds.). Springer International Publishing, Cham, 133\u2013145."},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1147\/sj.403.0666"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30475-3_15"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICDEW.2007.4401062"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","unstructured":"Hong Chen and Ninghui Li. 2006. Constraint generation for separation of duty. InACM Symposium on Access Control Models and Technologies (SACMAT\u201906). Association for Computing Machinery New York NY USA 130\u2013138. DOI:10.1145\/1133058.1133077","DOI":"10.1145\/1133058.1133077"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICYCS.2008.223"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.1987.10001"},{"key":"e_1_3_2_21_2","first-page":"43","volume-title":"8th ACM Symposium on Access Control Models and Technologies (SACMAT\u201903)","author":"Crampton Jason","year":"2003","unstructured":"Jason Crampton. 2003. Specifying and enforcing constraints in role-based access control. In 8th ACM Symposium on Access Control Models and Technologies (SACMAT\u201903). Association for Computing Machinery, New York, NY, USA, 43\u201350."},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","unstructured":"Jason Crampton. 2005. A reference monitor for workflow systems with constrained task execution In ACM Symposium on Access Control Models and Technologies (SACMAT \u201905). Association for Computing Machinery New York NY USA 38\u201347. DOI:10.1145\/1063979.1063986","DOI":"10.1145\/1063979.1063986"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCST.2017.8167833"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICYCS.2008.131"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.accinf.2007.10.005"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1111\/rego.12027"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.scient.2011.08.016"},{"key":"e_1_3_2_28_2","unstructured":"David Ferraiolo and David Kuhn. 1992. Role-based access controls. In 15th National Computer Security Conference."},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSFW.1991.151572"},{"key":"e_1_3_2_30_2","doi-asserted-by":"crossref","first-page":"127","DOI":"10.1007\/11863908_9","volume-title":"Computer Security \u2013 ESORICS 2006","author":"Fong Philip W. L.","year":"2006","unstructured":"Philip W. L. Fong. 2006. Discretionary capability confinement. In Computer Security \u2013 ESORICS 2006, Dieter Gollmann, Jan Meier, and Andrei Sabelfeld (Eds.). Springer Berlin, 127\u2013144."},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1998.674833"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1007\/s00453-015-9986-9"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSPCS.2014.7021054"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSMC.2008.4811840"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.5555\/3921"},{"key":"e_1_3_2_36_2","first-page":"162","article-title":"Guide to attribute based access control (ABAC) definition and considerations","author":"Hu Vincent","year":"2014","unstructured":"Vincent Hu, David Ferraiolo, D. Kuhn, A. Schnitzer, Knox Sandlin, R. Miller, and Karen Scarfone. 2014. Guide to attribute based access control (ABAC) definition and considerations. Nat\u2019l Instit. Stand. Technol. Spec. Pub. (012014), 162\u2013800.","journal-title":"Nat\u2019l Instit. Stand. Technol. Spec. Pub."},{"key":"e_1_3_2_37_2","doi-asserted-by":"crossref","first-page":"533","DOI":"10.1007\/11816157_66","volume-title":"Intelligent Computing","author":"Jeon Jun-Cheol","year":"2006","unstructured":"Jun-Cheol Jeon and Kee-Young Yoo. 2006. Conflict detection in role-based access control using multiple-attractor cellular automata. In Intelligent Computing, De-Shuang Huang, Kang Li, and George William Irwin (Eds.). Springer Berlin, 533\u2013541."},{"key":"e_1_3_2_38_2","first-page":"61","volume-title":"Information Systems Security","author":"Jha Sadhana","year":"2015","unstructured":"Sadhana Jha, Shamik Sural, Vijayalakshmi Atluri, and Jaideep Vaidya. 2015. Enforcing separation of duty in attribute based access control systems. In Information Systems Security, Sushil Jajoda and Chandan Mazumdar (Eds.). Springer International Publishing, 61\u201378."},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2017.2771492"},{"key":"e_1_3_2_40_2","unstructured":"James Joshi Elisa Bertino U. Latif and A. Ghafoor. 2001. Generalized temporal role based access control model (GTRBAC) (Part I) specification and modeling. Submitted to IEEE Transaction on Knowledge and Data Engineering. Available as CERIAS Technical Report 47 (2001)."},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","unstructured":"James B. D. Joshi Basit Shafiq Arif Ghafoor and Elisa Bertino. 2003. Dependencies and separation of duty constraints in GTRBAC. In ACM Symposium on Access Control Models and Technologies (SACMAT\u201903). Association for Computing Machinery New York NY USA 51\u201364. DOI:10.1145\/775412.775420","DOI":"10.1145\/775412.775420"},{"key":"e_1_3_2_42_2","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1007\/978-3-642-00199-4_2","volume-title":"Engineering Secure Software and Systems","author":"Kallel Slim","year":"2009","unstructured":"Slim Kallel, Anis Charfi, Mira Mezini, Mohamed Jmaiel, and Karl Klose. 2009. From formal access control policies to runtime enforcement aspects. In Engineering Secure Software and Systems, Fabio Massacci, Samuel T. Redwine, and Nicola Zannone (Eds.). Springer Berlin, 16\u201331."},{"key":"e_1_3_2_43_2","first-page":"765","volume-title":"3rd International Conference on Availability, Reliability and Security (ARES\u201908)","author":"Kijsanayothin P.","year":"2008","unstructured":"P. Kijsanayothin, R. Hewett, and A. Thipse. 2008. Security analysis of role-based separation of duty with workflows. In 3rd International Conference on Availability, Reliability and Security (ARES\u201908). IEEE Computer Society, Los Alamitos, CA, USA, 765\u2013770."},{"key":"e_1_3_2_44_2","doi-asserted-by":"crossref","first-page":"199","DOI":"10.1007\/0-306-46998-7_14","volume-title":"Trusted Information","author":"Knorr Konstantin","year":"2001","unstructured":"Konstantin Knorr and Henrik Stormer. 2001. Modeling and analyzing separation of duties in workflow environments. In Trusted Information, Michel Dupuy and Pierre Paradinas (Eds.). Springer US, Boston, MA, 199\u2013212."},{"key":"e_1_3_2_45_2","doi-asserted-by":"crossref","first-page":"102","DOI":"10.1007\/3-540-45116-1_13","volume-title":"Information Assurance in Computer Networks","author":"Knorr Konstantin","year":"2001","unstructured":"Konstantin Knorr and Harald Weidner. 2001. Analyzing separation of duties in Petri net workflows. In Information Assurance in Computer Networks, Vladimir I. Gorodetski, Victor A. Skormin, and Leonard J. Popyack (Eds.). Springer Berlin, 102\u2013114."},{"key":"e_1_3_2_46_2","doi-asserted-by":"crossref","first-page":"278","DOI":"10.1007\/3-540-36578-8_20","volume-title":"Fundamental Approaches to Software Engineering","author":"Koch Manuel","year":"2003","unstructured":"Manuel Koch and Francesco Parisi-Presicce. 2003. Visual specifications of policies and their verification. In Fundamental Approaches to Software Engineering, Mauro Pezz\u00e8 (Ed.). Springer Berlin, 278\u2013293."},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/266741.266749"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2018.11.004"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2006.08.002"},{"key":"e_1_3_2_50_2","article-title":"A systems approach to conduct an effective literature review in support of information systems research.","volume":"9","author":"Levy Yair","year":"2006","unstructured":"Yair Levy and Timothy J. Ellis. 2006. A systems approach to conduct an effective literature review in support of information systems research. Informing Sci. 9 (2006), 181\u2013212.","journal-title":"Informing Sci."},{"key":"e_1_3_2_51_2","doi-asserted-by":"crossref","unstructured":"Ninghui Li Mahesh V. Tripunitara and Ziad Bizri. 2007. On mutually exclusive roles and separation-of-duty. ACM Transactions on Information and System Security (TISSEC) 10 2 (May2007) 5\u2013es.","DOI":"10.1145\/1237500.1237501"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/1379759.1379760"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1016\/S0164-1212(03)00175-4"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2018.10.017"},{"key":"e_1_3_2_55_2","first-page":"502","volume-title":"IEEE Trustcom\/BigDataSE\/ICESS Conference","author":"Liu Meng","year":"2017","unstructured":"Meng Liu, Xuyun Zhang, Chi Yang, Shaoning Pang, Deepak Puthal, and Kaijun Ren. 2017. Privacy-preserving detection of statically mutually exclusive roles constraints violation in interoperable role-based access control. In IEEE Trustcom\/BigDataSE\/ICESS Conference. 502\u2013509."},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2012.21"},{"key":"e_1_3_2_57_2","first-page":"403","volume-title":"Information Security","author":"Lu Jianfeng","year":"2009","unstructured":"Jianfeng Lu, Ruixuan Li, Zhengding Lu, Jinwei Hu, and Xiaopu Ma. 2009. Specification and enforcement of static separation-of-duty policies in usage control. In Information Security, Pierangela Samarati, Moti Yung, Fabio Martinelli, and Claudio A. Ardagna (Eds.). Springer Berlin, 403\u2013410."},{"key":"e_1_3_2_58_2","first-page":"358","volume-title":"Information Security and Privacy","author":"Lui Richard W. C.","year":"2005","unstructured":"Richard W. C. Lui, Sherman S. M. Chow, Lucas C. K. Hui, and S. M. Yiu. 2005. Role activation management in role based access control. In Information Security and Privacy, Colin Boyd and Juan Manuel Gonz\u00e1lez Nieto (Eds.). Springer Berlin, 358\u2013369."},{"key":"e_1_3_2_59_2","doi-asserted-by":"crossref","first-page":"273","DOI":"10.1007\/978-3-540-79396-0_24","volume-title":"Business Information Systems","author":"Mendling Jan","year":"2008","unstructured":"Jan Mendling, Karsten Ploesser, and Mark Strembeck. 2008. Specifying separation of duty constraints in BPEL4People processes. In Business Information Systems, Witold Abramowicz and Dieter Fensel (Eds.). Springer Berlin, 273\u2013284."},{"key":"e_1_3_2_60_2","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1007\/978-3-642-25370-6_3","volume-title":"Business Information Systems Workshops","author":"Mendt Tamara","year":"2011","unstructured":"Tamara Mendt, Carsten Sinz, and Olga Tveretina. 2011. Analyzing separation of duties constraints with a probabilistic model checker. In Business Information Systems Workshops, Witold Abramowicz, Leszek Maciaszek, and Krzysztof W\u0119cel (Eds.). Springer Berlin, 18\u201329."},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","unstructured":"Ian Molloy Hong Chen Tiancheng Li Qihua Wang Ninghui Li Elisa Bertino Seraphin Calo and Jorge Lobo. 2010. Mining roles with multiple objectives. ACM Transactions on Information and System Security (TISSEC) 13 4 (Dec.2010) Article 36 35 pages. DOI:10.1145\/1880022.1880030","DOI":"10.1145\/1880022.1880030"},{"key":"e_1_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIME.2003.1214883"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/RISP.1990.63851"},{"key":"e_1_3_2_64_2","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2013.6596060"},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1145\/166635.166652"},{"key":"e_1_3_2_66_2","unstructured":"One Hundred Seventh Congress of the United States of America. 2002. Sarbanes-Oxley Act of 2002. Pub. L. No. 107-204 116 Stat. 745. https:\/\/www.govinfo.gov\/content\/pkg\/COMPS-1883\/pdf\/COMPS-1883.pdf last accessed February 6 2025."},{"key":"e_1_3_2_67_2","unstructured":"Federal office for information security (BSI). 1994. IT-Grundschutz. https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/IT-Grundschutz\/it-grundschutz_node"},{"key":"e_1_3_2_68_2","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.1954824"},{"key":"e_1_3_2_69_2","doi-asserted-by":"crossref","first-page":"288","DOI":"10.1007\/978-3-642-24148-2_20","volume-title":"Governance and Sustainability in Information Systems. Managing the Transfer and Diffusion of IT","author":"Omland Jan","year":"2011","unstructured":"Jan Omland, Nick Gehrke, and Niels M\u00fcller-Wickop. 2011. A maturity model for segregation of duties in standard business software. In Governance and Sustainability in Information Systems. Managing the Transfer and Diffusion of IT, Markus N\u00fcttgens, Andreas Gadatsch, Karlheinz Kautz, Ingrid Schirmer, and Nadine Blinn (Eds.). Springer Berlin, 288\u2013294."},{"key":"e_1_3_2_70_2","doi-asserted-by":"crossref","first-page":"214","DOI":"10.1007\/11531142_10","volume-title":"ECOOP 2005 - Object-Oriented Programming","author":"Ostermann Klaus","year":"2005","unstructured":"Klaus Ostermann, Mira Mezini, and Christoph Bockisch. 2005. Expressive pointcuts for increased modularity. In ECOOP 2005 - Object-Oriented Programming, Andrew P. Black (Ed.). Springer Berlin, 214\u2013240."},{"key":"e_1_3_2_71_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICWS.2006.21"},{"key":"e_1_3_2_72_2","doi-asserted-by":"crossref","first-page":"35","DOI":"10.1007\/978-3-031-04238-6_4","volume-title":"Electronic Governance and Open Society: Challenges in Eurasia","author":"Pa\u0144kowska Ma\u0142gorzata","year":"2022","unstructured":"Ma\u0142gorzata Pa\u0144kowska. 2022. Segregation of duties in business architecture models. In Electronic Governance and Open Society: Challenges in Eurasia, Andrei V. Chugunov, Marijn Janssen, Igor Khodachek, Yuri Misnikov, and Dmitrii Trutnev (Eds.). Springer International Publishing, 35\u201349."},{"key":"e_1_3_2_73_2","doi-asserted-by":"publisher","DOI":"10.1057\/s4I303-016-0020-3"},{"key":"e_1_3_2_74_2","doi-asserted-by":"publisher","DOI":"10.1145\/984334.984339"},{"key":"e_1_3_2_75_2","doi-asserted-by":"publisher","unstructured":"Indrakshi Ray Na Li Robert France and Dae-Kyoo Kim. 2004. Using UML to visualize role-based access control constraints. In ACM Symposium on Access Control Models and Technologies (SACMAT\u201904). Association for Computing Machinery New York NY USA 115\u2013124. DOI:10.1145\/990036.990054","DOI":"10.1145\/990036.990054"},{"key":"e_1_3_2_76_2","doi-asserted-by":"crossref","first-page":"153","DOI":"10.1007\/11550648_14","volume-title":"Multiagent System Technologies","author":"Regayeg Amira","year":"2005","unstructured":"Amira Regayeg, Ahmed Hadj Kacem, and Mohamed Jmaiel. 2005. Towards a formal methodology for designing multi-agent applications. In Multiagent System Technologies, Torsten Eymann, Franziska Kl\u00fcgl, Winfried Lamersdorf, Matthias Klusch, and Michael N. Huhns (Eds.). Springer Berlin, 153\u2013164."},{"key":"e_1_3_2_77_2","first-page":"386","volume-title":"12th International Conference on Intelligent Systems Design and Applications (ISDA\u201912)","author":"Roy Arindam","year":"2012","unstructured":"Arindam Roy, Shamik Sural, and Arun Kumar Majumdar. 2012. Minimum user requirement in role based access control with separation of duty constraints. In 12th International Conference on Intelligent Systems Design and Applications (ISDA\u201912). 386\u2013391."},{"key":"e_1_3_2_78_2","doi-asserted-by":"publisher","DOI":"10.1145\/2996470"},{"key":"e_1_3_2_79_2","doi-asserted-by":"publisher","DOI":"10.1109\/TETC.2019.2944787"},{"key":"e_1_3_2_80_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.1988.113349"},{"key":"e_1_3_2_81_2","doi-asserted-by":"publisher","DOI":"10.1109\/2.485845"},{"key":"e_1_3_2_82_2","first-page":"179","volume-title":"Conference on Data and Applications Security and Privacy (DBSec\u201990)","author":"Sandhu Ravi S.","year":"1990","unstructured":"Ravi S. Sandhu. 1990. Separation of duties in computerized information systems. In Conference on Data and Applications Security and Privacy (DBSec\u201990). Citeseer, 179\u2013190."},{"key":"e_1_3_2_83_2","doi-asserted-by":"crossref","first-page":"98","DOI":"10.1007\/978-3-319-26961-0_7","volume-title":"Information Systems Security","author":"Sarana Prasuna","year":"2015","unstructured":"Prasuna Sarana, Arindam Roy, Shamik Sural, Jaideep Vaidya, and Vijayalakshmi Atluri. 2015. Role mining in the presence of separation of duty constraints. In Information Systems Security, Sushil Jajoda and Chandan Mazumdar (Eds.). Springer International Publishing, Cham, 98\u2013117."},{"key":"e_1_3_2_84_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2001.991528"},{"key":"e_1_3_2_85_2","doi-asserted-by":"publisher","DOI":"10.1145\/1133058.1133079"},{"key":"e_1_3_2_86_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2002.1176294"},{"key":"e_1_3_2_87_2","doi-asserted-by":"publisher","unstructured":"Andreas Schaad and Jonathan D. Moffett. 2002. A lightweight approach to specification and analysis of role-based access control extensions. In ACM Symposium on Access Control Models and Technologies (SACMAT\u201902). Association for Computing Machinery New York NY USA 13\u201322. DOI:10.1145\/507711.507714","DOI":"10.1145\/507711.507714"},{"key":"e_1_3_2_88_2","doi-asserted-by":"crossref","first-page":"329","DOI":"10.1007\/978-3-642-25109-2_22","volume-title":"On the Move to Meaningful Internet Systems: OTM 2011","author":"Schefer Sigrid","year":"2011","unstructured":"Sigrid Schefer, Mark Strembeck, Jan Mendling, and Anne Baumgrass. 2011. Detecting and resolving conflicts of mutual-exclusion and binding constraints in a business process context. In On the Move to Meaningful Internet Systems: OTM 2011, Robert Meersman, Tharam Dillon, Pilar Herrero, Akhil Kumar, Manfred Reichert, Li Qing, Beng-Chin Ooi, Ernesto Damiani, Douglas C. Schmidt, Jules White et\u00a0al. (Eds.). Springer Berlin, 329\u2013346."},{"key":"e_1_3_2_89_2","first-page":"157","volume-title":"IEEE 21st International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises","author":"Shin M. E.","year":"2001","unstructured":"M. E. Shin and G. Ahn. 2001. Role-based authorization constraints specification using object constraint language. In IEEE 21st International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises. IEEE Computer Society, Los Alamitos, CA, USA, 157."},{"key":"e_1_3_2_90_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSFW.1997.596811"},{"key":"e_1_3_2_91_2","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1007\/11555827_5","volume-title":"Computer Security \u2013 ESORICS 2005","author":"Sohr Karsten","year":"2005","unstructured":"Karsten Sohr, Gail-Joon Ahn, Martin Gogolla, and Lars Migge. 2005. Specification and validation of authorisation constraints using UML and OCL. In Computer Security \u2013 ESORICS 2005, Sabrina de Capitani di Vimercati, Paul Syverson, and Dieter Gollmann (Eds.). Springer Berlin, 64\u201379."},{"key":"e_1_3_2_92_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2008.35"},{"key":"e_1_3_2_93_2","doi-asserted-by":"crossref","unstructured":"Jon A. Solworth. 2006. Approvability. InACM Asia Conference on Computer and Communications Security (ASIACCS\u201906). Association for Computing Machinery New York NY USA 231\u2013242.","DOI":"10.1145\/1128817.1128852"},{"key":"e_1_3_2_94_2","doi-asserted-by":"crossref","first-page":"100","DOI":"10.1007\/11844662_8","volume-title":"Secure Data Management","author":"Song Yunyu","year":"2006","unstructured":"Yunyu Song and Sylvia L. Osborn. 2006. Conflict of interest in the administrative role graph model. In Secure Data Management, Willem Jonker and Milan Petkovi\u0107 (Eds.). Springer Berlin, 100\u2013114."},{"key":"e_1_3_2_95_2","doi-asserted-by":"crossref","first-page":"204","DOI":"10.1007\/978-3-642-16934-2_16","volume-title":"On the Move to Meaningful Internet Systems: OTM 2010","author":"Strembeck Mark","year":"2010","unstructured":"Mark Strembeck and Jan Mendling. 2010. Generic algorithms for consistency checking of mutual-exclusion and binding constraints in a business process context. In On the Move to Meaningful Internet Systems: OTM 2010, Robert Meersman, Tharam Dillon, and Pilar Herrero (Eds.). Springer Berlin, 204\u2013221."},{"key":"e_1_3_2_96_2","doi-asserted-by":"publisher","DOI":"10.1109\/IAS.2007.68"},{"key":"e_1_3_2_97_2","doi-asserted-by":"publisher","DOI":"10.1109\/TPSD.2008.4562752"},{"key":"e_1_3_2_98_2","doi-asserted-by":"publisher","unstructured":"Jonathon E. Tidswell and Trent Jaeger. 2000. Integrated constraints and inheritance in DTAC. InACM Workshop on Role-Based Access Control (RBAC \u201900). Association for Computing Machinery New York NY USA 93\u2013102. DOI:10.1145\/344287.344307","DOI":"10.1145\/344287.344307"},{"key":"e_1_3_2_99_2","doi-asserted-by":"crossref","first-page":"308","DOI":"10.1007\/BFb0053743","volume-title":"Information Security and Privacy","author":"Tidswell Jonathon E.","year":"1998","unstructured":"Jonathon E. Tidswell and John M. Potter. 1998. A dynamically typed access control model. In Information Security and Privacy, Colin Boyd and Ed Dawson (Eds.). Springer Berlin, 308\u2013319."},{"key":"e_1_3_2_100_2","doi-asserted-by":"publisher","DOI":"10.1111\/1467-8551.00375"},{"key":"e_1_3_2_101_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.03.012"},{"key":"e_1_3_2_102_2","unstructured":"U.S. Department of Health & Human Services. 1996. American Health Insurance Portability and Accountability Act. https:\/\/www.hhs.gov\/hipaa\/for-professionals\/index.html"},{"key":"e_1_3_2_103_2","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1007\/978-3-642-22348-8_8","volume-title":"Data and Applications Security and Privacy XXV","author":"Uzun Emre","year":"2011","unstructured":"Emre Uzun, Vijayalakshmi Atluri, Haibing Lu, and Jaideep Vaidya. 2011. An optimization model for the extended role mining problem. In Data and Applications Security and Privacy XXV, Yingjiu Li (Ed.). Springer Berlin, 76\u201389."},{"key":"e_1_3_2_104_2","doi-asserted-by":"publisher","DOI":"10.1093\/comjnl\/bxv060"},{"key":"e_1_3_2_105_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.accinf.2014.05.003"},{"key":"e_1_3_2_106_2","doi-asserted-by":"crossref","first-page":"687","DOI":"10.1007\/978-3-540-24655-8_75","volume-title":"Advanced Web Technologies and Applications","author":"Wang Hua","year":"2004","unstructured":"Hua Wang, Yanchun Zhang, Jinli Cao, and Jian Yang. 2004. Specifying role-based access constraints with object constraint language. In Advanced Web Technologies and Applications, Jeffrey Xu Yu, Xuemin Lin, Hongjun Lu, and Yanchun Zhang (Eds.). Springer Berlin, 687\u2013696."},{"key":"e_1_3_2_107_2","article-title":"Analyzing the past to prepare for the future: Writing a literature review","volume":"26","author":"Webster Jane","year":"2002","unstructured":"Jane Webster and Richard Watson. 2002. Analyzing the past to prepare for the future: Writing a literature review. MIS Quart. 26 (062002), xiii\u2013xxiii.","journal-title":"MIS Quart."},{"key":"e_1_3_2_108_2","article-title":"Continuous compliance monitoring in ERP systems\u2014A method for identifying segregation of duties conflicts","volume":"39","author":"Wolf Patrick","year":"2009","unstructured":"Patrick Wolf and Nick Gehrke. 2009. Continuous compliance monitoring in ERP systems\u2014A method for identifying segregation of duties conflicts. Wirtschaftsinformatik Proceedings 2009 39 (2009), 347\u2013356.","journal-title":"Wirtschaftsinformatik Proceedings 2009"},{"key":"e_1_3_2_109_2","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1007\/978-3-540-75183-0_5","volume-title":"Business Process Management","author":"Wolter Christian","year":"2007","unstructured":"Christian Wolter and Andreas Schaad. 2007. Modeling of task-based authorization constraints in BPMN. In Business Process Management, Gustavo Alonso, Peter Dadam, and Michael Rosemann (Eds.). Springer Berlin, 64\u201379."},{"key":"e_1_3_2_110_2","doi-asserted-by":"crossref","first-page":"142","DOI":"10.1007\/978-3-540-77010-7_15","volume-title":"Web Information Systems Engineering \u2013 WISE 2007 Workshops","author":"Wolter Christian","year":"2007","unstructured":"Christian Wolter, Andreas Schaad, and Christoph Meinel. 2007. Deriving XACML policies from business process models. In Web Information Systems Engineering \u2013 WISE 2007 Workshops, Mathias Weske, Mohand-Sa\u00efd Hacid, and Claude Godart (Eds.). Springer Berlin, 142\u2013153."},{"key":"e_1_3_2_111_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSMC.2019.2954589"},{"key":"e_1_3_2_112_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.3012729"},{"key":"e_1_3_2_113_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2021.3124271"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3715959","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3715959","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:49Z","timestamp":1750295929000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3715959"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,20]]},"references-count":112,"journal-issue":{"issue":"7","published-print":{"date-parts":[[2025,7,31]]}},"alternative-id":["10.1145\/3715959"],"URL":"https:\/\/doi.org\/10.1145\/3715959","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,20]]},"assertion":[{"value":"2023-07-20","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-01-18","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-02-20","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}