[2/27/24, 11:00 AM EST] CSRC has been experiencing technical issues. If you are unable to access a CSRC page or resource, or get a 503 error, please try reloading the page several times--it may help to wait a few minutes before trying again. We apologize for the inconvenience, and hope to have a solution in place next week.
This ACPT version is a beta release, which includes a concise user manual, examples, and Java code. The user documentation and software will be updated in the future. Please check the web site for update information. To download the latest ACPT version (.zip file, May, 15, 2019), please contact: Vincent Hu firstname.lastname@example.org for the password to unzip the zip file. The source code is also available.
The Access Control Policy Tool (ACPT) was developed by NIST's Computer Security Division in cooperation with North Carolina State University and the University of Arkansas. ACPT is provided free of charge and will remain free in the future as long as NIST/ACPT is mentioned, or the ACPT URL is provided in your product. NIST is not responsible for any damage caused by using ACPT. See NIST's Software Disclaimer.
NIST SBIR awardee InfoBeyond Technology developed the Security Policy Tool (SPT), which incorporates and enhances ACPT functions to provide for policy composition, policy verification, policy analysis, and XACML policy export. SPT has rich policy analysis functions, allowing the policy author to use them to analyze if there are access control leaks, and then fix leaks caused by unintended or faulty security policies. It offers Subject/Resource Privilege Access Preview functions to find unintended accessibility. Preview functions include: (i) which subjects have access to a given resource, and (ii) which resources are accessible to a given subject. These functions help a policy author to identify and correct AC flaws, such as blocked privileges, leaked privileges, unprotected objects, Separation of Duty errors, and others. SPT won the Innovation Security Solution Award at the IEEE Seventh Annual Big Data and SDN/NFV Summit.
NIST SBIR awardee ObjectSecurity developed and markets the policy testing tool OpenPMF Security Policy Auditor (OpenPMF Auditor™), which is based on ACPT and is embedded into the OpenPMF security policy automation platform. OpenPMF Auditor analyzes information about a user’s technical security policies and IT environments. It also imports information about a user’s IT landscape to automatically generate detailed reports and analytics. OpenPMF Auditor enables manageable, easy-to-use, advanced access control policy testing, which detects potential errors, mistakes and vulnerabilities in access control policies by importing, authoring, analyzing, testing and exporting security policy rules.
Users have been very positive, and are applying ACPT to a wide variety of software.