Attribute Considerations for Access Control Systems

Published

Author(s)

Chung Tong Hu, David F. Ferraiolo, David R. Kuhn

Abstract

Attribute-based access control systems rely upon attributes to not only define access control policy rules but also enforce the access control. Attributes need to be established, issued, stored, and managed under an authority. Attributes shared across organizations should provide assurance via location, retrieval, publication, validation, update, modification, security, and revocation capabilities. Consequently, all attributes must be established, defined, and constrained by allowable values required by the appropriate digital policies; successful deployment of the schema for these attributes and allowable attribute values must be completed to help enable subject (e.g., consumers) and object (e.g., protected resource/service) owners with policy and relationship development. Once attributes and their allowable values are established, methods for provisioning attributes and appropriate attribute values to subjects and objects within a framework for storing, retrieving, updating, or revoking attributes must also be established. In addition, interfaces and mechanisms must be developed or adopted to enable sharing of these attributes. Finally, to achieve the assurance of attributes, an Attribute Evaluation Scheme, which brings confidence based on the five principal areas of interest, needs to be established: Preparation, Veracity, Security, Readiness, and Management.
Citation
Special Publication (NIST SP) - 800-205
Report Number
800-205

Keywords

access control, access control mechanism, access control model, access control policy, attribute considerations, attribute, assurance, attribute-based access control (ABAC), authorization, privilege.
Created June 18, 2019