Computer Security Resource Center
NIST Researchers Publish Book on Attribute-Based Access Control
March 14, 2018

Attribute-Based Access Control, by V. Hu, D. Ferraiolo, R. Chandramouli, and D. Kuhn, was published in late 2017. See more information about the book and about NIST's Attribute Based Access Control project.


Access control is the process of defining and limiting which users are allowed access to which resources. Every organization typically has access control policies to protect files and directories; regulate access to tables, records, and fields; and protect information managed by applications such as time and attendance, payroll processing, and health benefits management.

Attribute-based access control (ABAC) is the latest development in a series of access control models going back more than 40 years. Early computing systems used simple access control lists (ACLs): lists of user IDs attached to each resource. As the number of resources and users multiplied into the tens or hundreds of thousands, setting up and managing ACLs became cumbersome and time-consuming. Role-based access control (RBAC) solved many of these problems by collecting permissions into roles that usually corresponded to user positions in an organization and permitting access only through roles. But RBAC's ease of ongoing management comes at the cost of initial setup, which many organizations found challenging and time-consuming.

ABAC, an alternative to RBAC, simplifies access management and reduces costs by granting or denying each request based on attributes of the user (subject), attributes of the object, and environment conditions. For example, building access may be granted only if the subject holds a company badge and the current time falls within working hours.
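To make the three models concrete, here is a small added example (not code from the book or from NIST's ABAC project) that evaluates the same kind of request under an ACL, under RBAC, and under ABAC. The ABAC part encodes the badge-plus-working-hours rule from the paragraph above; all user names, resource names, the 09:00 to 17:00 Monday to Friday definition of "working hours", the deny-overrides combining behaviour and the extra "revoked badge" deny rule are assumptions made for the illustration.

```python
"""Toy evaluators for ACL, RBAC and ABAC decisions (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Any, Callable, Mapping

# --- 1. ACL: each resource carries its own list of (user ID -> actions) ----
# Constructed sample data; real systems would hold one such list per object.
ACL = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "timesheets": {"alice": {"read"}, "carol": {"read", "write"}},
}


def acl_allows(user_id: str, resource: str, action: str) -> bool:
    """Grant only if the user's ID appears on the resource's list with that action."""
    return action in ACL.get(resource, {}).get(user_id, set())


# --- 2. RBAC: users are assigned roles; roles collect permissions ----------
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payroll.db", "read"), ("payroll.db", "write"),
                      ("timesheets", "read")},
    "employee": {("timesheets", "read")},
}
USER_ROLES = {"alice": {"payroll_clerk"}, "bob": {"employee"}}


def rbac_allows(user_id: str, resource: str, action: str) -> bool:
    """Grant only through a role: no direct user-to-permission path exists."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user_id, set()))


# --- 3. ABAC: rules over subject, object and environment attributes --------
@dataclass(frozen=True)
class Request:
    subject: Mapping[str, Any]      # e.g. {"badge": "company"}
    action: str                     # e.g. "enter"
    resource: Mapping[str, Any]     # e.g. {"type": "building"}
    environment: Mapping[str, Any]  # e.g. {"time": datetime(...)}


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[Request], bool]
    effect: str = "permit"          # "permit" or "deny"


def during_working_hours(env: Mapping[str, Any]) -> bool:
    """Assumed definition: Monday-Friday, 09:00 <= time < 17:00."""
    now: datetime = env["time"]
    return now.weekday() < 5 and time(9, 0) <= now.time() < time(17, 0)


RULES = [
    # The rule from the text: company badge AND working hours -> permit entry.
    Rule("building-entry",
         lambda r: r.action == "enter"
         and r.resource.get("type") == "building"
         and r.subject.get("badge") == "company"
         and during_working_hours(r.environment)),
    # Assumed extra rule: a revoked badge is denied regardless of other rules.
    Rule("revoked-badge",
         lambda r: r.subject.get("badge_status") == "revoked",
         effect="deny"),
]


def abac_decide(request: Request, rules=RULES) -> str:
    """Deny-overrides combining: any matching deny wins; no match -> deny."""
    decision = "deny"
    for rule in rules:
        if rule.applies(request):
            if rule.effect == "deny":
                return "deny"
            decision = "permit"
    return decision


if __name__ == "__main__":
    weekday_morning = {"time": datetime(2018, 3, 13, 10, 30)}  # a Tuesday
    req = Request({"badge": "company"}, "enter", {"type": "building"},
                  weekday_morning)
    print("ACL :", acl_allows("alice", "payroll.db", "write"))
    print("RBAC:", rbac_allows("alice", "payroll.db", "write"))
    print("ABAC:", abac_decide(req))
```

Note the difference in what each evaluator consults: the ACL check needs the user's ID on every object, the RBAC check needs only a role assignment, and the ABAC check needs no per-user data at all, only attributes presented at request time, which is why a single rule can cover every badge holder and every door. The default-deny and deny-overrides behaviour is the choice a cautious policy engine makes so that an unmatched or ambiguous request never falls open.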

Until now, ABAC research has been documented in hundreds of research papers but not consolidated in book form. This book explains ABAC's history and model, related standards, verification and assurance, applications, and deployment challenges. It is intended for three groups of readers: security professionals, technology managers, and users in industry, government, and military organizations; software developers of database systems, enterprise management, security, and cryptographic products; and computer science and IT students and instructors.

