
Balancing Access and Control: Identity Management with Segregation of Duties | IJCT Volume 13 – Issue 3 | IJCT-V13I3P85

International Journal of Computer Techniques
ISSN 2394-2231
Volume 13, Issue 3 | Published: May – June 2026
Author
SHARAD SHARMA
Abstract
Segregation of Duties (SoD) enforcement is crucial to avoid fraud, mistakes and non-compliance in organizations. However, enforcing SoD correctly is a challenging task in identity management given orphaned accounts, an exploding number of agents and roles, and dynamic access needs in hybrid IT environments. In this paper, we discuss research challenges and solutions to enforce correct SoD in hybrid IT environments using identity governance technologies. We compare static rule-based SoD detection using predefined conflict matrices with Artificial Intelligence (AI)-supported SoD detection methods such as role mining and predictive detection of conflicting roles. Our evaluations show that SoD violations can remain undetected for a long time because of orphaned accounts (accounts that still exist after a user's role change or termination of employment, including accounts that are not linked to or owned by any user). While role mining reveals new insights, it also uncovers hidden conflicts that must be continuously fine-tuned to avoid false positives. While a rule-based system provides easy, audit-ready compliance with the Sarbanes-Oxley Act (SOX) and the General Data Protection Regulation (GDPR), complex SoD scenarios call for adaptive risk monitoring. Regular access recertification, automated provisioning and deprovisioning workflows, and compensating controls where perfect SoD separation is not possible help put these recommendations into practice.
Keywords
Identity Management; Segregation of Duties; Orphaned Accounts; Role Mining; Rule-Based Detection; AI-Driven Detection; Compliance; SOX; GDPR
Conclusion
This paper examines how identity management supports Segregation of Duties. It explains the main concepts, gives examples, points out technical problems, and lists the rules organizations need to follow. The main finding is clear: no single technical fix can handle SoD enforcement alone. Three things are needed for SoD to work well. First, a clear policy: it states which roles may overlap, how much risk is acceptable, and what happens when someone breaks a rule. If the policy is not clear, even the best technology gets ignored. Second, identity governance provides the core tools and systems: trusted sources, lifecycle management of accounts, and a single place to see what happens across different systems. Third, frequent checks keep the SoD controls working as the company changes; the team can find orphaned accounts, see role drift, and spot new conflicts fast. Technical problems such as role explosion, transitive conflicts, service accounts that bypass controls, and the limits of static rules show that one approach does not fit every environment. Companies need to understand the risks, the rules, and the limits in their own setting so that they can pick the best approach, whether paper checklists or predictive AI. Most regulated organizations choose Level 3. Automated checks help spot SoD issues when someone requests access. Level 4 uses AI or machine learning to find issues before they appear. Level 4 is new; only some large companies with good data use it today (Mpamugo and Ansa, 2024; Ghadge, 2024). The paper highlights that identity governance and administration tools can be used to enforce both preventive and detective SoD controls.
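The abstract's static rule-based detection with a predefined conflict matrix, and the conclusion's points about orphaned accounts, transitive conflicts and service accounts that bypass controls, can be shown together in one small check. The following is an added example, not code from the paper; the role names, hierarchy, conflict pairs, accounts and HR roster are all constructed.

```python
# Added example (not from the paper): rule-based SoD detection with a predefined
# conflict matrix, resolved over a role hierarchy, plus orphaned-account detection
# against an HR "trusted source". All names and data below are constructed.
ROLE_HIERARCHY = {  # role -> roles it inherits (constructed)
    "ap_manager": {"vendor_create", "payment_approve"},
    "vendor_create": set(), "payment_approve": set(),
    "payment_release": set(), "gl_post": set(),
}
CONFLICT_MATRIX = {  # unordered pairs of mutually exclusive roles (constructed)
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"payment_approve", "payment_release"}),
}

def effective_roles(assigned, hierarchy=ROLE_HIERARCHY):
    """Transitive closure of the assigned roles over the hierarchy, so a conflict
    hidden behind inheritance (a 'transitive conflict') is still caught."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(hierarchy.get(role, ()))
    return seen

def sod_violations(account_roles, matrix=CONFLICT_MATRIX, hierarchy=ROLE_HIERARCHY):
    """{account: sorted list of conflicting (role, role) pairs} for offending accounts."""
    out = {}
    for acct, roles in account_roles.items():
        eff = effective_roles(roles, hierarchy)
        hits = sorted(tuple(sorted(p)) for p in matrix if p <= eff)
        if hits:
            out[acct] = hits
    return out

def orphaned_accounts(accounts, active_employees):
    """Accounts with no owner, or whose owner is absent from the active HR roster."""
    return sorted(a for a, owner in accounts.items()
                  if owner is None or owner not in active_employees)

def unowned_violations(account_roles, accounts, active_employees):
    """Violations on orphaned accounts: nobody is left to recertify them, so they persist."""
    orphans = set(orphaned_accounts(accounts, active_employees))
    return {a: v for a, v in sod_violations(account_roles).items() if a in orphans}

# Constructed sample data; the HR roster is the trusted source of active employee ids.
ACTIVE_EMPLOYEES = {"E1001", "E1002"}  # E2000 has been terminated
ACCOUNTS = {"jdoe": "E1001", "asmith": "E1002", "svc_batch": None, "bwong": "E2000"}
ACCOUNT_ROLES = {"jdoe": {"ap_manager"},  # conflicts only via inherited roles
                 "asmith": {"payment_approve"}, "bwong": {"gl_post"},
                 "svc_batch": {"payment_approve", "payment_release"}}  # unowned service account
```

Running `sod_violations(ACCOUNT_ROLES)` flags jdoe through inheritance and the unowned svc_batch directly; `unowned_violations` isolates the case the abstract warns about, a conflict on an account no active owner will ever recertify.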
References
1) Mpamugo, E., & Ansa, G. (2024). Enhancing Network Security in Mobile Applications with Role-Based Access Control. Journal of Information Systems and Informatics, 6(3), 1872–1899. https://doi.org/10.51519/journalisi.v6i3.863
2) Ghadge, N. (2024). Enhancing Identity Management: Best Practices for Governance and Administration. 219–228. https://doi.org/10.5121/csit.2024.141119
3) Uddin, M., Islam, S., & Al-Nemrat, A. (2019). A Dynamic Access Control Model Using Authorising Workflow and Task-Role-Based Access Control. IEEE Access, 7, 166676–166689. https://doi.org/10.1109/access.2019.2947377
4) Obuse, E., Ayanbode, N., Cadet, E., Essien, I., & Etim, E. (2025). Privacy-First Security Models for AI-Integrated Identity Governance in Multi-Access Cloud and Edge Environments. Computer Science & IT Research Journal, 6(8), 506–524. https://doi.org/10.51594/csitrj.v6i8.2012
5) Filho, W. L. R. (2025). The Role of AI in Enhancing Identity and Access Management Systems. International Seven Journal of Multidisciplinary, 1(2). https://doi.org/10.56238/isevmjv1n2-011
6) Angela, O., Atoyebi, I., Soyele, A., & Ogunwobi, E. (2024). Enhancing Fraud Detection and Prevention in Fintech: Big Data and Machine Learning Approaches. World Journal of Advanced Research and Reviews, 24(2), 2301–2319. https://doi.org/10.30574/wjarr.2024.24.2.3617
7) Servos, D., & Osborn, S. L. (2015). HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control (pp. 187–204). Springer. https://doi.org/10.1007/978-3-319-17040-4_12
8) Narouei, M., Khanpour, H., Takabi, H., Parde, N., & Nielsen, R. (2017). Towards a Top-down Policy Engineering Framework for Attribute-based Access Control. 103–114. https://doi.org/10.1145/3078861.3078874
9) Abu Jabal, A., Bertino, E., Lobo, J., Law, M., Russo, A., Calo, S., & Verma, D. (2020). Polisma – A Framework for Learning Attribute-Based Access Control Policies (pp. 523–544). Springer. https://doi.org/10.1007/978-3-030-58951-6_26
10) Bhatt, S., Patwa, F., & Sandhu, R. (2017). ABAC with Group Attributes and Attribute Hierarchies Utilizing the Policy Machine. 17–28. https://doi.org/10.1145/3041048.3041053
11) Yutaka, M., Zhang, Y., Sasabe, M., & Kasahara, S. (2019). Using Ethereum Blockchain for Distributed Attribute-Based Access Control in the Internet of Things. 1–6. https://doi.org/10.1109/globecom38437.2019.9014155
12) Wang, L., Wijesekera, D., & Jajodia, S. (2004). A Logic-Based Framework for Attribute-Based Access Control. 45–55. https://doi.org/10.1145/1029133.1029140
13) Zhu, Y., Yu, R., Ma, D., & Cheng-Chung Chu, W. (2019). Cryptographic Attribute-Based Access Control (ABAC) for Secure Decision Making of Dynamic Policy with Multiauthority Attribute Tokens. IEEE Transactions on Reliability, 68(4), 1330–1346. https://doi.org/10.1109/tr.2019.2948713
14) Zhang, Y., Yutaka, M., Sasabe, M., & Kasahara, S. (2020). Attribute-Based Access Control for Smart Cities: A Smart-Contract-Driven Framework. IEEE Internet of Things Journal, 8(8), 6372–6384. https://doi.org/10.1109/jiot.2020.3033434
15) Li, N., Tripunitara, M. V., & Bizri, Z. (2007). On Mutually Exclusive Roles and Separation-of-Duty. ACM Transactions on Information and System Security, 10(2), 5. https://doi.org/10.1145/1237500.1237501
16) Li, N., Bizri, Z., & Tripunitara, M. V. (2004). On Mutually Exclusive Roles and Separation of Duty. 42–51. https://doi.org/10.1145/1030083.10300
17) Joshi, J. B. D., Bertino, E., Latif, U., & Ghafoor, A. (2005). A Generalized Temporal Role-Based Access Control Model. IEEE Transactions on Knowledge and Data Engineering, 17(1), 4–23. https://doi.org/10.1109/tkde.2005.1
18) Thakare, A., Lee, E., Kumar, A., Nikam, V. B., & Kim, Y.-G. (2020). PARBAC: Priority-Attribute-Based RBAC Model for Azure IoT Cloud. IEEE Internet of Things Journal, 7(4), 2890–2900. https://doi.org/10.1109/jiot.2019.2963794
19) Yang, B., & Hu, H. (2024). Resiliency Analysis of Role-Based Access Control via Constraint Enforcement and Mathematical Programming. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 54(7), 4089–4100. https://doi.org/10.1109/tsmc.2024.3373567
20) Gligor, V. D., Gavrila, S. I., & Ferraiolo, D. (1998). On the Formal Definition of Separation-of-Duty Policies and Their Composition. 430, 172–183. https://doi.org/10.1109/secpri.1998.674833
21) Atlam, H. F., & Yang, Y. (2025). Enhancing Healthcare Security: A Unified RBAC and ABAC Risk-Aware Access Control Approach. Future Internet, 17(6), 262. https://doi.org/10.3390/fi17060262
22) Roy, P. P. (2020, February 1). A High-Level Comparison between the NIST Cyber Security Framework and the ISO 27001 Information Security Standard. https://doi.org/10.1109/ncetstea48365.2020.9119914
23) Alrahamneh, S. (2024). Enhancing Internal Audit Quality in Jordanian Insurance Companies: A COSO Framework Perspective. EDPACS, 69(6), 1–27. https://doi.org/10.1080/07366981.2024.2307068
24) Espinosa-Jaramillo, M. T. (2024). Internal Control in Companies from the Perspective of the COSO. Management (Montevideo), 2, 28. https://doi.org/10.62486/agma202428
25) Thabit, T. (2019). Determining the Effectiveness of Internal Controls in Enterprise Risk Management Based on COSO Recommendations. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3401199
26) Moeller, R. R. (2012). Brink’s Modern Internal Auditing. Wiley. https://doi.org/10.1002/9781118371558
27) Faruq, M. O. (2025). A Meta-Analysis of Cybersecurity Framework Integration in GRC Platforms: Evidence from U.S. Enterprise Audits. Journal of Sustainable Development and Policy, 01(01), 224–249. https://doi.org/10.63125/kwhkmb57
28) Wang, W., Sadjadi, S. M., & Rishe, N. (2024). A Survey of Major Cybersecurity Compliance Frameworks. 19, 23–34. https://doi.org/10.1109/bigdatasecurity62737.2024.00013
29) Folorunso, A., Wada, I., Samuel, B., & Mohammed, V. (2024). Security Compliance and Its Implication for Cybersecurity. World Journal of Advanced Research and Reviews, 24(1), 2105–2121. https://doi.org/10.30574/wjarr.2024.24.1.3170
30) Olajide, J., Otokiti, B., Nwani, S., Ogunmokun, A., Adekunle, B., & Fiemotongha, J. (2024). A Regulatory Compliance Model for Financial Reporting Across Global Supply Chain Functions. International Journal of Scientific Research in Science and Technology, 11(4), 619–635. https://doi.org/10.32628/ijsrst241151217
How to Cite This Paper
SHARAD SHARMA (2026). Balancing Access and Control: Identity Management with Segregation of Duties. International Journal of Computer Techniques, 13(3). ISSN: 2394-2231.