{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T15:23:35Z","timestamp":1778081015105,"version":"3.51.4"},"reference-count":39,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2019,5,15]],"date-time":"2019-05-15T00:00:00Z","timestamp":1557878400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61520106007"],"award-info":[{"award-number":["61520106007"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>A major development in the field of access control is the dominant role-based access control (RBAC) scheme. The fascination of RBAC lies in its enhanced security along with the concept of roles. In addition, attribute-based access control (ABAC) is added to the access control models, which is famous for its dynamic behavior. Separation of duty (SOD) is used for enforcing least privilege concept in RBAC and ABAC. Moreover, SOD is a powerful tool that is used to protect an organization from internal security attacks and threats. Different problems have been found in the implementation of SOD at the role level. This paper discusses that the implementation of SOD on the level of roles is not a good option. Therefore, this paper proposes a hybrid access control model to implement SOD on the basis of permissions. The first part of the proposed model is based on the addition of attributes with dynamic characteristics in the RBAC model, whereas the second part of the model implements the permission-based SOD in dynamic RBAC model. Moreover, in comparison with previous models, performance and feature analysis are performed to show the strength of dynamic RBAC model. This model improves the performance of the RBAC model in terms of time, dynamicity, and automatic permissions and roles assignment. At the same time, this model also reduces the administrator\u2019s load and provides a flexible, dynamic, and secure access control model.<\/jats:p>","DOI":"10.3390\/sym11050669","type":"journal-article","created":{"date-parts":[[2019,5,15]],"date-time":"2019-05-15T11:37:40Z","timestamp":1557920260000},"page":"669","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":26,"title":["Permission-Based Separation of Duty in Dynamic Role-Based Access Control Model"],"prefix":"10.3390","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9649-7757","authenticated-orcid":false,"given":"Muhammad Umar","family":"Aftab","sequence":"first","affiliation":[{"name":"School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Zhiguang","family":"Qin","sequence":"additional","affiliation":[{"name":"School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2294-9279","authenticated-orcid":false,"given":"Negalign Wake","family":"Hundera","sequence":"additional","affiliation":[{"name":"School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Oluwasanmi","family":"Ariyo","sequence":"additional","affiliation":[{"name":"School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"family":"Zakria","sequence":"additional","affiliation":[{"name":"School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4098-3147","authenticated-orcid":false,"given":"Ngo Tung","family":"Son","sequence":"additional","affiliation":[{"name":"Computing Fundamental Department, FPT University, Hanoi 10000, Vietnam"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tran Van","family":"Dinh","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Freiburg, 79098 Freiburg, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2019,5,15]]},"reference":[{"key":"ref_1","unstructured":"Samarati, P., and de Vimercati, S.C. (2000, January 18\u201330). Access control: Policies, models, and mechanisms. Proceedings of the International School on Foundations of Security Analysis and Design, Bertinoro, Italy."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Cheminod, M., Durante, L., Seno, L., Valenza, F., and Valenzano, A. (2018). A comprehensive approach to the automatic refinement and verification of access control policies. Comput. Secur.","DOI":"10.1016\/j.cose.2018.09.013"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1109\/65.993219","article-title":"Simplifying network administration using policy-based management","volume":"16","author":"Verma","year":"2002","journal-title":"IEEE Netw."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Sandhu, R., and Munawer, Q. (1998, January 22\u201323). How to do discretionary access control using roles. Proceedings of the Third ACM Workshop on Role-Based Access Control, Fairfax, VA, USA.","DOI":"10.1145\/286884.286893"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Li, N. (2011). Discretionary access control. Encyclopedia of Cryptography and Security, Springer.","DOI":"10.1007\/978-1-4419-5906-5_798"},{"key":"ref_6","unstructured":"Jueneman, R.R. (1988, January 12\u201316). Integrity controls for military and commercial applications. Proceedings of the Fourth Aerospace Computer Security Applications, Orlando, FL, USA."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Barkley, J. (1997, January 6\u20137). Comparing simple role based access control models and access control lists. Proceedings of the second ACM workshop on Role-Based Access Control, Fairfax, VA, USA.","DOI":"10.1145\/266741.266769"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1109\/2.485845","article-title":"Role-based access control models","volume":"29","author":"Sandhu","year":"1996","journal-title":"Computer"},{"key":"ref_9","first-page":"2","article-title":"Incits 359-2004. role-based access control","volume":"359","author":"Incits","year":"2004","journal-title":"Am. Natl. Stand. Inf. Technol"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"601","DOI":"10.1109\/TSC.2014.2363474","article-title":"From RBAC to ABAC: Constructing flexible data access control for cloud storage services","volume":"8","author":"Zhu","year":"2015","journal-title":"IEEE Trans. Serv. Comput."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Batra, G., Atluri, V., Vaidya, J., and Sural, S. (2018, January 16\u201318). Enabling the Deployment of ABAC Policies in RBAC Systems. Proceedings of the 32nd IFIP Annual Conference on Data and Applications Security and Privacy, Bergamo, Italy.","DOI":"10.1007\/978-3-319-95729-6_4"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"1153","DOI":"10.1007\/s12652-017-0573-6","article-title":"Garbled role-based access control in the cloud","volume":"9","author":"Alam","year":"2018","journal-title":"J. Ambient Intell. Humaniz. Comput."},{"key":"ref_13","first-page":"131","article-title":"Emergency role-based access control (E-RBAC) and analysis of model specifications with alloy","volume":"45","author":"Nazerian","year":"2019","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"12240","DOI":"10.1109\/ACCESS.2018.2812844","article-title":"RBAC-SC: Role-Based Access Control Using Smart Contract","volume":"6","author":"Cruz","year":"2018","journal-title":"IEEE Access"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"897","DOI":"10.1109\/TIFS.2017.2771492","article-title":"Specification and Verification of Separation of Duty Constraints in Attribute-Based Access Control","volume":"13","author":"Jha","year":"2018","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1109\/MC.2010.155","article-title":"Adding attributes to role-based access control","volume":"43","author":"Kuhn","year":"2010","journal-title":"Computer"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Zheng, R., Jiang, J., Hao, X., Ren, W., Xiong, F., and Zhu, T. (2019). CaACBIM: A Context-aware Access Control Model for BIM. Information, 10.","DOI":"10.3390\/info10020047"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Jin, X., Krishnan, R., and Sandhu, R. (2012, January 11\u201313). A unified attribute-based access control model covering DAC, MAC and RBAC. Proceedings of the 26th IFIP Annual Conference on Data and Applications Security and Privacy, Paris, France.","DOI":"10.1007\/978-3-642-31540-4_4"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Hu, V.C., Ferraiolo, D., Kuhn, R., Friedman, A.R., Lang, A.J., Cogdell, M.M., Schnitzer, A., Sandlin, K., Miller, R., and Scarfone, K. (2013). Guide to attribute based access control (ABAC) definition and considerations (draft). NIST Spec. Publ., 800.","DOI":"10.6028\/NIST.SP.800-162"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Xu, R., Chen, Y., Blasch, E., and Chen, G. (2018). Blendcac: A smart contract enabled decentralized capability-based access control mechanism for the IOT. Computers, 7.","DOI":"10.20944\/preprints201805.0079.v1"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"185","DOI":"10.1007\/BF02831728","article-title":"Least privileges and role\u2019s inheritance of RBAC","volume":"11","author":"Fan","year":"2006","journal-title":"Wuhan Univ. J. Nat. Sci."},{"key":"ref_22","unstructured":"Sandhu, R.S. (1990, January 18\u201321). Separation of Duties in Computerized Information Systems. Proceedings of the IFIP WG11.3 Workshop on Database Security, Halifax, UK."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Habib, M.A., Mahmood, N., Shahid, M., Aftab, M.U., Ahmad, U., and Faisal, C.M.N. (2014, January 15\u201317). Permission Based Implementation of Dynamic Separation of Duty (DSD) in Role Based Access Control (RBAC). Proceedings of the 8th International Conference on Signal Processing and Communication Systems, Gold Coast, Australia.","DOI":"10.1109\/ICSPCS.2014.7021054"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Aftab, M.U., Habib, M.A., Mehmood, N., Aslam, M., and Irfan, M. (2015, January 18). Attributed role based access control model. Proceedings of the Conference on Information Assurance and Cyber Security, Rawalpindi, Pakistan.","DOI":"10.1109\/CIACS.2015.7395571"},{"key":"ref_25","unstructured":"Al-Kahtani, M.A., and Sandhu, R. (2002, January 9\u201313). A model for attribute-based user-role assignment. Proceedings of the the 18th Annual Computer Security Applications Conference, Las Vegas, NV, USA."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Rajpoot, Q.M., Jensen, C.D., and Krishnan, R. (2015, January 13\u201315). Integrating attributes into role-based access control. Proceedings of the 29th IFIP Annual Conference on Data and Applications Security and Privacy, Fairfax, VA, USA.","DOI":"10.1007\/978-3-319-20810-7_17"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Chen, B.-C., Yang, C.-T., Yeh, H.-T., and Lin, C.-C. (2016). Mutual Authentication Protocol for Role-Based Access Control Using Mobile RFID. Appl. Sci., 6.","DOI":"10.3390\/app6080215"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Habib, M.A., and Praher, C. (2009, January 9\u201313). Object based dynamic separation of duty in RBAC. Proceedings of the 4th International Conference for Internet Technology and Secured Transactions, London, UK.","DOI":"10.1109\/ICITST.2009.5402642"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Jha, S., Sural, S., Atluri, V., and Vaidya, J. (2015, January 16\u201320). Enforcing separation of duty in attribute based access control systems. Proceedings of the International Conference on Information Systems Security, Kolkata, India.","DOI":"10.1007\/978-3-319-26961-0_5"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1109\/TKDE.2005.1","article-title":"A generalized temporal role-based access control model","volume":"17","author":"Joshi","year":"2005","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"462","DOI":"10.1093\/comjnl\/bxv060","article-title":"A Novel Permission Hierarchy for RBAC for Dealing with SoD in MAC Models","volume":"59","author":"Veloudis","year":"2016","journal-title":"Comput. J."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Ghosh, S., and Karar, V. (2018). Blowfish Hybridized Weighted Attribute-Based Encryption for Secure and Efficient Data Collaboration in Cloud Computing. Appl. Sci., 8.","DOI":"10.3390\/app8071119"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Yin, H., Xiong, Y., Zhang, J., Ou, L., Liao, S., and Qin, Z. (2019). A Key-Policy Searchable Attribute-Based Encryption Scheme for Efficient Keyword Search and Fine-Grained Access Control over Encrypted Data. Electronics, 8.","DOI":"10.3390\/electronics8030265"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"548","DOI":"10.1016\/j.future.2018.04.043","article-title":"Automatic fine-grained access control in SCADA by machine learning","volume":"93","author":"Zhou","year":"2019","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"47657","DOI":"10.1109\/ACCESS.2018.2856896","article-title":"Privacy-aware efficient fine-grained data access control in Internet of medical things based fog computing","volume":"6","author":"Wang","year":"2018","journal-title":"IEEE Access"},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"3152","DOI":"10.1002\/sec.1520","article-title":"Towards Attribute-Centric Access Control: An ABAC versus RBAC argument","volume":"9","author":"Fatima","year":"2016","journal-title":"Secur. Commun. Netw."},{"key":"ref_37","unstructured":"Zao, J., Wee, H., Chu, J., and Jackson, D. (2003, January 2\u20133). RBAC schema verification using lightweight formal model and constraint analysis. Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (SACMAT), Villa Gallia, Como, Italy."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Schaad, A., and Moffett, J.D. (2002, January 3\u20134). A lightweight approach to specification and analysis of role-based access control extensions. Proceedings of the seventh ACM symposium on Access control models and technologies, Monterey, CA, USA.","DOI":"10.1145\/507711.507714"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Umar Aftab, M., Qin, Z., Ali, S., and Khan, J. (2018, January 14\u201316). The Evaluation and Comparative Analysis of Role Based Access Control and Attribute Based Access Control Model. Proceedings of the 15th International Computer Conference on Wavelet Active Media Technology and Information Processing (ICCWAMTIP), Chengdu, China.","DOI":"10.1109\/ICCWAMTIP.2018.8632578"}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/11\/5\/669\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T12:52:10Z","timestamp":1760187130000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/11\/5\/669"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,5,15]]},"references-count":39,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2019,5]]}},"alternative-id":["sym11050669"],"URL":"https:\/\/doi.org\/10.3390\/sym11050669","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,5,15]]}}}