Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Access Control Policy Testing ACPT

Beta Release Of Access Control Policy Tool

This ACPT version is a beta release, which includes a concise user manual, examples, and Java code. The user documentation and software will be updated in the future. Please check the web site for update information. To download the latest ACPT version (.zip file, May, 15, 2019), please contact: Vincent Hu vhu@nist.gov for the password to unzip the zip file.   The source code is also available.

The Access Control Policy Tool (ACPT) was developed by NIST's Computer Security Division in cooperation with North Carolina State University and the University of Arkansas. ACPT is provided free of charge and will remain free in the future as long as NIST/ACPT is mentioned, or the ACPT URL is provided in your product. NIST is not responsible for any damage caused by using ACPT. See NIST's Software Disclaimer.

NIST SBIR awardee InfoBeyond Technology developed the Security Policy Tool (SPT), which incorporates and enhances ACPT functions to provide for policy composition, policy verification, policy analysis, and XACML policy export. SPT has rich policy analysis functions, allowing the policy author to use them to analyze if there are access control leaks, and then fix leaks caused by unintended or faulty security policies. It offers Subject/Resource Privilege Access Preview functions to find unintended accessibility. Preview functions include: (i) which subjects have access to a given resource, and (ii) which resources are accessible to a given subject. These functions help a policy author to identify and correct AC flaws, such as blocked privileges, leaked privileges, unprotected objects, Separation of Duty errors, and others. SPT won the Innovation Security Solution Award at the IEEE Seventh Annual Big Data and SDN/NFV Summit.

NIST SBIR awardee ObjectSecurity developed and markets the policy testing tool OpenPMF Security Policy Auditor (OpenPMF Auditor™), which is based on ACPT and is embedded into the OpenPMF security policy automation platform. OpenPMF Auditor analyzes information about a user’s technical security policies and IT environments.  It also imports information about a user’s IT landscape to automatically generate detailed reports and analytics. OpenPMF Auditor enables manageable, easy-to-use, advanced access control policy testing, which detects potential errors, mistakes and vulnerabilities in access control policies by importing, authoring, analyzing, testing and exporting security policy rules. 

User Feedback:

Users have been very positive, and are applying ACPT to a wide variety of software.

  • "I did a related to verification of AC models and policies research, and I have concluded that yours is one of the most promising approaches."
  • "ACPT provides all the adequate functionality for the verification of access control policies against static constraints."
  • "We definitely see the potential in the ACPT tool."
  • “I was impressed by your work."
  • "Very impressive tool."
  • "A great tool from NIST's web site."
  • “There are many valuable features in the NIST ACPT and we hope to recommend it to our vendors to verify and validate the policies they author.”
  • "The ACPT approach is an important component of any robust security policy implementation."
  • “I was deeply impressed by such an amazing tool, not only due to its friendly interface, but also powerful functionalities. It is very useful for my work, and saves me a lot of time for checking the correctness of access control policies. With the detailed manual, it is quite easy to start, and works perfectly. It is well maintained and kept up to date.“
  • "NIST's Access Control Policy Tool (ACPT) provides the appropriate tool-chain to formally verify the correctness of specifications in various access control policies with the support of a state-of-the-art symbolic model checker. It includes — but not limited to — functional editors for the definition of policies and specification of properties; supports various strategies for the combination of policies, and exports policies in XACML format. The interface is intuitive and drives you through the whole process, thus rendering verification an easy task for different group of users including system administrators, researchers, etc. Having used ACPT and its underlying concepts in my research on access control, I would highly recommend trying and exploring the potentials of this great tool."
  • "It not only saves time and cost for access control policy development, but also is a unique and great tool for policy verification such that access control flaws can be identified and corrected to enhance the access control cybersecurity."

NC State DISA Fermilab U of Macedonia University of Arkansas Illinois InfoBeyond Object Security Lancaster Universtity

Created May 24, 2016, Updated May 08, 2024