Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Attribute Considerations for Access Control Systems



Chung Tong Hu, David F. Ferraiolo, David Kuhn


Attribute-based access control systems rely upon attributes to not only define access control policy rules but also enforce the access control. Attributes need to be established, issued, stored, and managed under an authority. Attributes shared across organizations should provide assurance via location, retrieval, publication, validation, update, modification, security, and revocation capabilities. Consequently, all attributes must be established, defined, and constrained by allowable values required by the appropriate digital policies; successful deployment of the schema for these attributes and allowable attribute values must be completed to help enable subject (e.g., consumers) and object (e.g., protected resource/service) owners with policy and relationship development. Once attributes and their allowable values are established, methods for provisioning attributes and appropriate attribute values to subjects and objects within a framework for storing, retrieving, updating, or revoking attributes must also be established. In addition, interfaces and mechanisms must be developed or adopted to enable sharing of these attributes. Finally, to achieve the assurance of attributes, an Attribute Evaluation Scheme, which brings confidence based on the five principal areas of interest, needs to be established:Preparation,Veracity,Security,Readiness, and Management.
Special Publication (NIST SP) - 800-205
Report Number


access control, access control mechanism, access control model, access control policy, attribute considerations, attribute, assurance, attribute-based access control (ABAC), authorization, privilege.


, C. , Ferraiolo, D. and Kuhn, D. (2019), Attribute Considerations for Access Control Systems, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed June 13, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created June 17, 2019, Updated March 1, 2021