Computer Security Resource Center

This is an archive
(replace .gov by .rip)

Access Control Policy Testing

Beta Release Of Access Control Policy Tool

This ACPT version is a beta release, which includes a concise user manual, examples, and Java code. Further modifications to the user documentation and software are expected. Please check the web site for update information. The latest ACPT version is available for download (.zip file, September 20, 2018), and the source code is also available. Please contact Vincent Hu (vhu@nist.gov) for the password to unzip the zip file.

The Access Control Policy Tool (ACPT) is developed by the NIST Computer Security Division in cooperation with North Carolina State University and the University of Arkansas. The ACPT is provided free of charge and will remain free in the future as long as NIST/ACPT is mentioned, or the ACPT URL is provided, in your product. NIST is not responsible for any damage caused by using ACPT.

The Security Policy Tool (SPT), developed by NIST SBIR awardee InfoBeyond Technology, incorporates and enhances the ACPT functions in an access control policy software tool for policy composition, policy verification, policy analysis, and XACML policy export. SPT has rich policy analysis functions that let the policy author check, in a user-friendly way, whether there are access control leaks and then fix the leaks caused by unintended or faulty security policies. It offers Subject/Resource Privilege Access Preview functions to find unintended accessibility, such as: (i) who has access to a given resource, and (ii) what resources a given subject can access. All these functions help a policy author to identify and correct AC flaws, such as block privilege, leak privilege, unprotected objects, Separation of Duty errors, etc. SPT won the Innovation Security Solution Award at the seventh annual IEEE Big Data and SDN/NFV Summit.

NIST SBIR awardee ObjectSecurity developed and markets the policy testing tool OpenPMF Security Policy Auditor (OpenPMF Auditor™), which is based on ACPT and is embedded into the OpenPMF security policy automation platform. OpenPMF Auditor analyzes information about users' technical security policies and IT environments; it imports information about a user's IT landscape to automatically generate detailed reports and analytics. OpenPMF Auditor enables manageable, easy-to-use, advanced access control policy testing, which detects potential errors, mistakes and vulnerabilities in access control policies by importing, authoring, analyzing, testing and exporting security policy rules.

User Feedback:

Users have been very positive, and are applying ACPT to a wide variety of software.

  • "I did research related to verification of AC models and policies, and I have concluded that yours is one of the most promising approaches."
  • "ACPT provides all the adequate functionality for the verification of access control policies against static constraints."
  • "We definitely see the potential in the ACPT tool."
  • "I was impressed by your work."
  • "Very impressive tool."
  • "A great tool from NIST's web site."
  • "There are many valuable features in the NIST ACPT and we hope to recommend it to our vendors to verify and validate the policies they author."
  • "The ACPT approach is an important component of any robust security policy implementation."
  • "I was deeply impressed by such an amazing tool, not only due to its friendly interface, but also powerful functionalities. It is very useful for my work, and saves me a lot of time for checking the correctness of access control policies. With the detailed manual, it is quite easy to start, and works perfectly. It is well maintained and kept up to date."
  • "NIST's Access Control Policy Tool (ACPT) provides the appropriate tool-chain to formally verify the correctness of specifications in various access control policies with the support of a state-of-the-art symbolic model checker. It includes — but is not limited to — functional editors for the definition of policies and specification of properties; supports various strategies for the combination of policies, and exports policies in XACML format. The interface is intuitive and drives you through the whole process, thus rendering verification an easy task for different groups of users including system administrators, researchers, etc. Having used ACPT and its underlying concepts in my research on access control, I would highly recommend trying and exploring the potentials of this great tool."
  • "It not only saves time and cost for access control policy development, but also is a unique and great tool for policy verification such that access control flaws can be identified and corrected to enhance the access control cybersecurity."

NC State, DISA, Fermilab, U of Macedonia, University of Arkansas, Illinois, InfoBeyond, Object Security, Lancaster University

Created May 24, 2016, Updated September 26, 2018