A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)

Date Published: December 2015
Comments Due: January 15, 2016 (public comment period is CLOSED)
Email Questions to: sp800-178@nist.gov

Author(s)

David Ferraiolo (NIST), Ramaswamy Chandramouli (NIST), Vincent Hu (NIST), Richard Kuhn (NIST)

Announcement

NIST requests public comments on Draft NIST Special Publication 800-178, A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services. Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are very different attribute based access control standards with similar goals and objectives. The aim of both is to provide a standardized way for expressing and enforcing vastly diverse access control policies on various types of data services. However, the two standards differ with respect to the manner in which access control policies are specified, managed, and enforced.

This document describes XACML and NGAC, and then compares them with respect to five criteria. The goal of this publication is to help ABAC users and vendors make informed decisions when addressing future data service policy enforcement requirements.

The specific areas where comments are solicited are:

• Accuracy in the description of the XACML and NGAC frameworks; and
• Analysis

*The PDF of the draft was updated on December 15, 2015--see the Note to Reviewers on p. iii for details. (You may need to reload/re-save the PDF to see the changes.)

Control Families

Access Control