
Policy Machine PM

Library / References

Primary Policy Machine References/Background:

This paper gives a good overview of the Policy Machine's ability to express and enforce policies and policy combinations. Note, however, that unlike the most recent Policy Machine specification, it activates attributes before mediating an access request and does not recognize obligations or prohibitions.

  • D. Ferraiolo, S. Gavrila, V. Hu, R. Kuhn, “Composing and Combining Policies under the Policy Machine,” in: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), 2005, pp. 11–20.

These papers describe the benefits and the approach of the Policy Machine's integration of access control with data services.

  • Pre-print: David Ferraiolo, Serban Gavrila, Wayne Jansen, “On the Unification of Access Control and Data Services,” in: Proceedings of the IEEE 15th International Conference on Information Reuse and Integration, 2014, pp. 450–457.
  • David Ferraiolo, Serban Gavrila (NIST), and Wayne Jansen (Booz Allen Hamilton), “Enabling an Enterprise-Wide, Data-Centric Operating Environment,” IEEE Computer, Security Column, Vol. 46, No. 5, April 2013.

A good description of the Policy Machine's ability to support different types of policies without the need to activate attributes:

  • D. Ferraiolo, V. Atluri, and S. Gavrila, “The Policy Machine: A Novel Architecture and Framework for Access Control Policy Specification and Enforcement,” Journal of Systems Architecture, vol. 57, no. 4, 2011, pp. 412–424.

This white paper describes a method that leverages the ANSI/INCITS Next Generation Access Control (NGAC) standard to impose fine-grained access control over database queries, independent of the application issuing them.

This NIST IR is the most detailed Policy Machine specification:

High level slide briefing:

Related Articles:

  • David Ferraiolo and Vijay Atluri, “A Meta Model for Access Control: Why Is It Needed and Is It Even Possible to Achieve?,” in: Proceedings of SACMAT '08, the 13th ACM Symposium on Access Control Models and Technologies, pp. 153–154.
  • D. Ferraiolo, J. Voas, and G. Hurlburt, “A Matter of Policy,” IT Professional, March/April 2012, pp. 4–7.

Certain software products are identified in this document. Such identification does not imply recommendation by NIST, nor does it imply that the products identified are necessarily the best available for the purpose.





Mr. David Ferraiolo - NIST/ITL/CSD

Mr. Serban Gavrila - NIST/CSD


Security and Privacy: access control

Technologies: cloud & virtualization

Created June 06, 2016, Updated June 22, 2020