A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications

Published: October 03, 2016


David F. Ferraiolo, Ramaswamy Chandramouli, Chung Tong Hu, David R. Kuhn


Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are very different attribute based access control (ABAC) standards with similar goals and objectives. An objective of both is to provide a standardized way for expressing and enforcing vastly diverse access control policies on various types of data services. However, the two standards differ with respect to the manner in which access control policies are specified and implemented. This document describes XACML and NGAC, and then compares them with respect to five criteria. The goal of this publication is to help ABAC users and vendors make informed decisions when addressing future data service policy enforcement requirements.
Citation: Special Publication (NIST SP) - 800-178
Report Number:
Pub Type: NIST Pubs

Download Paper


access control, access control mechanism, access control model, access control policy, attribute based access control (ABAC), authorization, Extensible Access Control Markup Language (XACML), Next Generation Access Control (NGAC), privilege
Created October 03, 2016, Updated February 28, 2017