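@inproceedings{basin.ea:dynamic:2009,
  author        = {Basin, David and Burri, Samuel and Karjoth, Guenter},
  title         = {Dynamic Enforcement of Abstract Separation of Duty Constraints},
  booktitle     = {14th European Symposium on Research in Computer Security ({ESORICS}), Saint Malo, France},
  editor        = {Backes, Michael and Ning, Peng},
  series        = {Lecture Notes in Computer Science},
  volume        = 5789,
  pages         = {250--267},
  publisher     = {Springer-Verlag},
  year          = 2009,
  month         = sep,
  isbn          = {978-3-642-04443-4},
  url           = {http://www.springer.com/computer/security+and+cryptology/book/978-3-642-04443-4},
  copyrighturl  = {http://www.springer-sbm.de/index.php?L=1},
  pdf           = {papers/2009/esorics09.pdf},
  language      = {USenglish},
  internal-note = {Names normalised to "Last, First"; "(Eds.)" dropped from editor and month given as the sep macro so the style supplies both. The original had series = 5789 duplicating volume; series name recovered from the LNCS volume number -- verify against the Springer page in url. Conference location moved from address into booktitle since address denotes the publisher's city.},
  abstract      = {Separation of Duties (SoD) aims to prevent fraud and errors by distributing tasks and associated privileges among multiple users. Li and Wang proposed an algebra (SoDA) for specifying SoD requirements, which is both expressive in the requirements it formalizes and abstract in that it is not bound to any specific workflow model. In this paper, we both generalize SoDA and map it to enforcement mechanisms. First, we increase SoDA's expressiveness by extending its semantics to multisets. This better suits policy enforcement over workflows, where users may execute multiple tasks. Second, we further generalize SoDA to allow for changing role assignments. This lifts the strong restriction that authorizations do not change during workflow execution. Finally, we map SoDA terms to CSP processes, taking advantage of CSP's operational semantics to provide the critical link between abstract specifications of SoD requirements by SoDA terms and runtime-enforcement mechanisms.},
}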