Try the new and let us know what you think!
(Note: Beta site content may not be complete.)

View the beta site
NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage

Access Control Policy and Implementation Guides


Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access (authorization) control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after s successful authentication of the user, but most systems require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the clearance level of the user accessing those documents.

Organizations planning to implement an access control system should consider three abstractions: access control policies, models, and mechanisms. Access control policies are high-level requirements that specify how access is managed and who may access information under what circumstances. For instance, policies may pertain to resource usage within or across organizational units or may be based on need-to-know, competence, authority, obligation, or conflict-of-interest factors. At a high level, access control policies are enforced through a mechanism that translates a user’s access request, often in terms of a structure that a system provides. Access Control List is a familiar example. Access control models bridge the gap in abstraction between policy and mechanism. Rather than attempting to evaluate and analyze access control systems exclusively at the mechanism level, security models are usually written to describe the security properties of an access control system. Security models are formal presentations of the security policy enforced by the system, and are useful for proving theoretical limitations of a system. “NIST IR 7316 -- Assessment of Access Control Systems” explains some of the commonly used access control policies, models and mechanisms available in information technology systems.

As systems grow in size and complexity, access control is a special concern for systems that are distributed across multiple computers. These distributed systems can be a formidable challenge for developers, because they may use a variety of access control mechanisms that must be integrated to support the organization’s policy, for example, Big Data processing systems, which are deployed to manage a large amount of sensitive information and resources organized into a sophisticated Big Data processing cluster. Basically, BD access control requires the collaboration among cooperating processing domains to be protected as computing environments that consist of computing units under distributed access control managements. The paper: “An Access Control Scheme for Big Data Processing” provides a general purpose access control scheme for distributed BD processing clusters.

A state of access control is said to be safe if no permission can be leaked to an unauthorized, or uninvited principal. To assure the safety of an access control system, it is essential to make certain that the access control configuration (e.g., access control model) will not result in the leakage of permissions to an unauthorized principle. Even though the general safety computation is proven undecidable [1], practical mechanisms exist for achieving the safety requirement, such as safety constraints built into the mechanism. Access control systems come with a wide variety of features and administrative capabilities, and the operational impact can be significant. In particular, this impact can pertain to administrative and user productivity, as well as to the organization’s ability to perform its mission. Therefore, it is reasonable to use a quality metric such as listed in “NIST IR 7874-Guidelines for Access Control System Evaluation Metrics” to evaluate the administration, enforcement, performance, and support properties of access control systems.


[1] Harrison M. A., Ruzzo W. L., and Ullman J. D., “Protection in Operating Systems”, Communications of the ACM, Volume 19, 1976.