3

I'm reading an article about Role-based Access Control, and in section 6 (Separation of Duties) I didn't understand this part:

Separation of duty can be either static or dynamic. Compliance with static separation requirements can be determined simply by the assignment of individuals to roles and allocation of transactions to roles. The more difficult case is dynamic separation of duty where compliance with requirements can only be determined during system operation.

Can someone clarify it?

Bilal

2 Answers

3

Quoting this SANS article:

Static Separation of Duties defines role memberships that are mutually exclusive. For example, RBAC can ensure that users cannot be members of both the purchasing role and the approving role. That is how SSD ensures that the same person cannot purchase and approve the purchase.

Dynamic Separation of Duties allows the same person to be in the purchasing role and the approving role, but they would be prohibited from approving their own purchase. They would only be able to approve the purchases of others.

Another example would be restricting the person who made firewall configuration changes from auditing and approving those same changes. In the SSD model, a user may not be a member of both roles. In the DSD model, a user could be a member of both roles, but could not function in both capacities for the same linked transactions.

A. Darwin
2

What they are referring to is a rule-set that is either extremely rigid, in the case of static, or a little more malleable, as is the case with dynamic.

I will use the article's example to explain a little bit further:

A static policy could require that no individual who can serve as payment initiator could also serve as payment authorizer. This could be implemented by ensuring that no one who can perform the initiator role could also perform the authorizer role.

So in this case, the static policy concerning separation of duty would not allow one person to assume the role of payment initiator AND payment authorizer, even at different times. They could either initiate payments, or authorize them. This rule is rigid, meaning that they couldn't assume one role or the other; they are ONLY an authorizer or ONLY an initiator.

Example: Bob is the initiator, and Becky is the authorizer. If Becky doesn't show up to work, Bob cannot assume the role of Becky, the authorizer.

Now a dynamic policy:

More flexibility could be allowed by a dynamic policy that allows the same individual to take on both initiator and authorizer roles, with the exception that no one could authorize payments that he or she had initiated.

So in this case, the dynamic policy concerning separation of duty would not allow one person to initiate payments AND authorize them. They could either initiate payments, or authorize them. Since this is a dynamic policy, they could assume either role as necessary, but they could not assume both roles simultaneously.

Example: Bob is the initiator, Becky is the authorizer. Bob doesn't show up to work. Becky can step in for Bob to initiate, but CANNOT authorize the same payment. Someone else would have to authorize the payment, a third party, Bill. (Or wait until Bob comes back)

The long and short of it is: Static policies separating duties are rigid, your role is your role and you cannot "wear someone else's hat" in order to complete a task. Dynamic policies separating duties are less rigid, and allow for flexibility, but would never give complete control of a process to one individual.

INV3NT3D
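Both answers above make the same distinction: static SoD is decided from role membership at assignment time, dynamic SoD can only be decided at run time from what has already happened to a particular transaction. The following is an added example (not code from the question, either answer, or the articles they quote) showing where each check lives in a minimal RBAC engine. The role names "initiator"/"authorizer", the users Bob, Becky and Bill, and the permission strings are taken from or modelled on the answers' illustration; the transaction ids and the `RBAC` class itself are constructed for this example.

```python
"""Minimal RBAC engine with static (SSD) and dynamic (DSD) separation of duty.

Added example, not code from the thread or the quoted articles. Role, user,
permission and transaction names are illustrative/constructed.
"""
from dataclasses import dataclass, field


class SoDViolation(Exception):
    """An assignment or action would breach a separation-of-duty rule."""


@dataclass
class RBAC:
    roles: dict[str, set[str]] = field(default_factory=dict)         # role -> permissions
    assignments: dict[str, set[str]] = field(default_factory=dict)   # user -> roles held
    ssd_pairs: set[frozenset[str]] = field(default_factory=set)      # roles nobody may hold together
    dsd_pairs: set[frozenset[str]] = field(default_factory=set)      # roles nobody may use on one transaction
    history: dict[str, list[tuple[str, str]]] = field(default_factory=dict)  # txn -> [(role, user)]

    def add_role(self, role: str, permissions: set[str]) -> None:
        self.roles[role] = set(permissions)

    def add_ssd(self, role_a: str, role_b: str) -> None:
        """Static SoD: membership of the two roles is mutually exclusive."""
        self.ssd_pairs.add(frozenset({role_a, role_b}))

    def add_dsd(self, role_a: str, role_b: str) -> None:
        """Dynamic SoD: both roles may be held, but not exercised on the same transaction."""
        self.dsd_pairs.add(frozenset({role_a, role_b}))

    def assign(self, user: str, role: str) -> None:
        """SSD is enforced here, purely from the user's current role memberships."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset({role, other}) in self.ssd_pairs:
                raise SoDViolation(f"{user} holds {other!r}; {role!r} is statically exclusive with it")
        held.add(role)

    def act(self, user: str, role: str, permission: str, txn: str) -> None:
        """DSD is enforced here, from the recorded history of this one transaction."""
        if role not in self.assignments.get(user, set()):
            raise PermissionError(f"{user} does not hold role {role!r}")
        if permission not in self.roles[role]:
            raise PermissionError(f"role {role!r} does not grant {permission!r}")
        acted = self.history.setdefault(txn, [])
        for prior_role, prior_user in acted:
            if prior_user == user and frozenset({prior_role, role}) in self.dsd_pairs:
                raise SoDViolation(f"{user} already acted on {txn} as {prior_role!r}; cannot act as {role!r}")
        acted.append((role, user))


def demo() -> dict[str, bool]:
    """Replay the answers' Bob/Becky/Bill scenario; returns which steps were allowed."""
    allowed: dict[str, bool] = {}

    def attempt(name, fn):
        try:
            fn()
            allowed[name] = True
        except SoDViolation:
            allowed[name] = False

    # Static model: the conflict is settled when roles are handed out.
    static = RBAC()
    static.add_role("initiator", {"payment:initiate"})
    static.add_role("authorizer", {"payment:authorize"})
    static.add_ssd("initiator", "authorizer")
    static.assign("bob", "initiator")
    static.assign("becky", "authorizer")
    # Becky is out; Bob asks for her hat and is refused, no transaction needed to decide.
    attempt("static_bob_becomes_authorizer", lambda: static.assign("bob", "authorizer"))

    # Dynamic model: everyone may hold both roles; the check happens per transaction.
    dynamic = RBAC()
    dynamic.add_role("initiator", {"payment:initiate"})
    dynamic.add_role("authorizer", {"payment:authorize"})
    dynamic.add_dsd("initiator", "authorizer")
    for user in ("bob", "becky", "bill"):
        dynamic.assign(user, "initiator")
        dynamic.assign(user, "authorizer")
    # Bob is out; Becky initiates payment PAY-001 (constructed id) in his place ...
    attempt("dynamic_becky_initiates", lambda: dynamic.act("becky", "initiator", "payment:initiate", "PAY-001"))
    # ... but may not authorize the payment she herself initiated ...
    attempt("dynamic_becky_authorizes_own", lambda: dynamic.act("becky", "authorizer", "payment:authorize", "PAY-001"))
    # ... while Bill, a third party, may.
    attempt("dynamic_bill_authorizes", lambda: dynamic.act("bill", "authorizer", "payment:authorize", "PAY-001"))
    # Becky can still authorize a payment somebody else initiated.
    attempt("dynamic_bob_initiates_other", lambda: dynamic.act("bob", "initiator", "payment:initiate", "PAY-002"))
    attempt("dynamic_becky_authorizes_other", lambda: dynamic.act("becky", "authorizer", "payment:authorize", "PAY-002"))
    return allowed


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:32s} {'allowed' if ok else 'refused'}")
```

The practical point the two checks illustrate: an SSD rule can be audited offline by reading the user-to-role table, whereas a DSD rule needs the system to keep per-transaction history (who acted in which role) and consult it on every action, so its correctness also depends on that history being complete and tamper-resistant.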