Attribute-based access control systems rely upon enterprise-specific attributes to both define access control policy rules and enforce the access control. Confidence in access control decisions is dependent on the accuracy, integrity, and timely availability of attributes. Attributes must therefore be established, defined, and constrained by allowable values required by the relevant digital policies, and those shared across organizations should provide assurance.
NIST has published Special Publication (SP) 800-205, Attribute Considerations for Access Control Systems, which describes the attribute-influencing factors that an access control system must address when engineering and evaluating attributes. The document proposes some notional implementation suggestions for consideration from the perspectives of fundamental security properties: preparation, veracity, security, readiness, and management applied to access control systems. A general attribute framework with examples is demonstrated to show the importance and efficiency of the semantic and syntactic accuracies of attributes in federated access control environments, especially when natural language policies (NLP) are the initial policies. The discussed considerations are summarized to illustrate Attribute Evaluation Scheme examples, which are applied to different access control system requirements.
Security and Privacy: access control