Separation of Duties and Entitlement Analyzer

A set of policy and role analysis functions for IBM Tivoli Access Manager and IBM Tivoli Identity Manager that supports "separation of duties" and entitlement reporting.

Date Posted: June 5, 2008

Update: December 11, 2008 Version 2.1.0 adds separation-of-duty log analysis for HTTP logs; performance improvement in log processing; and an optional command line interface for log analysis.

What is Separation of Duties and Entitlement Analyzer?

This technology analyzes separation of duty in role assignments, authorization policies, and log files. Static separation-of-duty constraints can be specified and evaluated for Tivoli® Access Manager for E-Business 6.0, Tivoli Identity Manager 5.0, and HTTP servers (log analysis only). Entitlement and accessor reports provide further insight into resource access. Log file analysis evaluates separation-of-duty constraints on Tivoli Access Manager native audit logs and standard HTTP logs. Separation of Duties and Entitlement Analyzer was developed by IBM research teams in Tokyo and Zurich.

How does it work?

The analyzer is implemented in Java™ and packaged as a Java Enterprise Edition (JEE) Web application containing the analysis functions, reports, and a Web-based console, which provides an editor for creating basic separation-of-duty constraints. The analyzer can be deployed into any JEE 1.4 container. After deployment, target systems are configured in the console. Note that the analyzer and the target systems can reside on different computers.

The separation-of-duty and entitlement policy analysis operates internally on XACML, the OASIS standard for authorization policy. When an analysis function is performed, policy information is first extracted from Tivoli Access Manager and then translated into XACML. The analysis functions are then performed on the XACML policy.
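The log-analysis side of the tool (Version 2.1.0 evaluates separation-of-duty constraints on standard HTTP logs) can be illustrated with a small worked example. This is added example code, not part of the analyzer and not IBM's code; it assumes NCSA common log format input, a constructed log sample, and a simplified Python representation of a static constraint (the product itself expresses policy in XACML), namely a set of operations that no single authenticated user may perform in full.

```python
import re
from collections import defaultdict

# Constructed sample in NCSA common log format: host ident authuser [time] "request" status bytes
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Jun/2008:09:12:01 +0200] "POST /invoice/create HTTP/1.1" 200 512
10.0.0.7 - bob [10/Jun/2008:09:15:42 +0200] "POST /invoice/approve HTTP/1.1" 200 311
10.0.0.5 - alice [10/Jun/2008:09:20:13 +0200] "POST /invoice/approve HTTP/1.1" 200 298
10.0.0.9 - carol [10/Jun/2008:09:25:55 +0200] "GET /invoice/list HTTP/1.1" 200 1024
10.0.0.9 - - [10/Jun/2008:09:26:00 +0200] "GET /public/index.html HTTP/1.1" 200 88
"""

# Hypothetical static SoD constraint: the full set of paths one user must never all exercise.
SOD_CONSTRAINTS = {
    "invoice-create-vs-approve": {"/invoice/create", "/invoice/approve"},
}

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def parse_clf(text):
    """Yield (authuser, method, path, status) for each parseable line.

    Lines without an authenticated user are skipped: an SoD finding must be
    attributable to a principal, so anonymous requests carry no evidence."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip rather than guess
        _host, _ident, user, _ts, method, path, status, _size = m.groups()
        if user == "-":
            continue
        yield user, method, path, int(status)

def find_sod_violations(text, constraints):
    """Return {constraint_name: sorted users who performed every operation in the set}."""
    ops_by_user = defaultdict(set)
    for user, _method, path, status in parse_clf(text):
        if 200 <= status < 300:           # only requests the server actually accepted
            ops_by_user[user].add(path)
    violations = {}
    for name, required in constraints.items():
        offenders = sorted(u for u, ops in ops_by_user.items() if required <= ops)
        if offenders:
            violations[name] = offenders
    return violations

if __name__ == "__main__":
    print(find_sod_violations(SAMPLE_LOG, SOD_CONSTRAINTS))
```

Only alice is reported: bob approved without creating and carol merely listed, so neither completes the mutually exclusive set.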

About the technology author(s)

Christopher Giblin is a software engineer in the Security and Assurance Group at the IBM Zurich Research Laboratory, where he is involved in security and compliance management projects.

Satoshi Hada, Ph.D., is a researcher at the IBM Tokyo Research Laboratory, Japan. At IBM, he has worked on XML security, enterprise privacy, and compliance technologies. He is a contributor to Web Services Security 1.0 and XACML 1.0.

Gunter Karjoth, Ph.D., is a researcher at the IBM Zurich Research Laboratory, Switzerland. At IBM, he has worked on enterprise privacy, middleware and mobile agent security, secure electronic commerce, and RFID security and privacy.

Andreas Schade, Ph.D., is a researcher at the IBM Zurich Research Laboratory, Switzerland, where he currently works in the Security and Assurance Group. At IBM he has worked on pervasive computing and e-business systems, as well as distributed systems and applications and their management.

Yukihiko Sohda, Ph.D., is a software engineer at the Tivoli Development of IBM Yamato Software Development Laboratory in Japan. Previously, he was at the IBM Tokyo Research Laboratory and worked on Web service caching, enterprise privacy, compliance technologies, and the Separation of Duties Analyzer.

Els Van Herreweghen, Ph.D., is a research staff member in the Security and Assurance Group at the IBM Zurich Research Laboratory, where she works on research projects related to security and privacy.
