Segregation of Duty (SoD) is a security principle that aims to prevent misuse of the system by limiting the privileges of each user. SoD can be enforced by dividing different functions among different roles or individuals, and by defining access authorizations that support the separation. For example, the person who prepares a paycheck should not be the same person who authorizes it. SoD helps to reduce the risk of malicious activity without collusion and to increase accountability and transparency. SoD is recommended by several security standards and frameworks, such as NIST SP 800-53.
SoD is a key principle of RBAC that enhances the security and integrity of business processes. SoD prevents any single person from having complete control over a critical activity, such as creating, approving, and paying an invoice. By dividing these tasks among different roles, SoD reduces the risk of fraud, errors, and conflicts of interest. RBAC enables SoD by assigning access privileges to roles rather than individuals, and enforcing rules that restrict incompatible roles from being assigned to the same person. For example, RBAC can ensure that a person who has the role of accountant cannot also have the role of auditor. Implementing SoD with RBAC requires a clear understanding of the business functions and workflows, as well as the potential threats and vulnerabilities that could compromise them.