Skip to content
/ rbac-sod-detection Public

An automated tool for detecting Segregation of Duties (SoD) violations in Role-Based Access Control (RBAC) systems. It analyzes role hierarchies, user-role mappings, and predefined rules to identify unauthorized privilege escalations, ensuring compliance and reducing security risks.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

probablyAdi/rbac-sod-detection

BranchesTags

Repository files navigation

RBAC SoD & UPE Detection System

Overview

This project is designed to automate the detection of Segregation of Duties (SoD) conflicts and Unauthorized Privilege Escalation (UPE) within a Role-Based Access Control (RBAC) system. It efficiently analyzes user-role mappings, role hierarchies, and privilege assignments to detect policy violations, ensuring compliance with security regulations.

Key Features

  • ✔️Dynamic Analysis: The system processes role hierarchies, privilege assignments, and toxic action rules to detect SoD conflicts and privilege escalations.
  • ✔️Automated SoD & UPE Detection: Identifies security risks by analyzing role privileges and user assignments.
  • ✔️Structured Output: Generates a detailed report in analysis_result.csv summarizing violations.
  • ✔️Optimized Performance: Implemented with multi-threading and efficient data structures for fast processing.
  • ✔️Dockerized Deployment: Easily deployable in a containerized environment for scalability.

How It Works

  1. Input Files:

    • roles.csv (To be provided by the user) - Contains user-role mappings.
      • ⚠ Ensure the roles.csv file is added before execution, as it is NOT included in the repository.
    • privileges.csv - Defines which privileges are assigned to each role.
    • role_hierarchy.csv - Specifies role inheritance relationships.
    • sod_rules.csv - Lists toxic combinations of privileges that violate SoD policies.
    • toxic_actions.csv - Defines critical actions that should not be combined under any user.

  2. Processing:

    • The system reads the input files and constructs an RBAC model.
    • It traverses role hierarchies to resolve inherited permissions.
    • It applies SoD rules to detect conflicting privilege assignments.
    • It flags cases of unauthorized privilege escalation (UPE).

  3. Output:

    • The final analysis results, including detected SoD violations and UPE cases, are stored in analysis_result.csv.

Usage Instructions

Running via Docker

  1. Build the Docker Image: 
    docker build -t rbac-sod-detection .
  2. Run the Container: 
    docker run --rm -v "%cd%":/app rbac-sod-detection
    ( For Linux/macOS use $(pwd):/app instead of "%cd%":/app )
    • Ensure that all necessary input files are present in the working directory.
    • The output will be generated in analysis_result.csv.

Why This Matters

Organizations using ERP and role-based systems face challenges in managing user access risks. Manually tracking toxic combinations and escalated privileges is time-consuming and error-prone. This tool automates that process, enhancing security, auditability, and compliance with access control policies.

📌 Notes for Users

  • You must provide your own roles.csv file (or an equivalent Excel file) containing user-role mappings.
  • The system will analyze your provided data and output violations to analysis_result.csv.

This project ensures robust security enforcement in RBAC systems, preventing unauthorized privilege escalations and policy violations. 🚀

About

An automated tool for detecting Segregation of Duties (SoD) violations in Role-Based Access Control (RBAC) systems. It analyzes role hierarchies, user-role mappings, and predefined rules to identify unauthorized privilege escalations, ensuring compliance and reducing security risks.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages