The concept of Attribute Based Access Control (ABAC) has existed for many years. It represents a point on the spectrum of logical access control from simple access control lists to more capable role-based access, and finally to a highly flexible method for providing access based on the evaluation of attributes.
In November 2009, the Federal Chief Information Officers Council (Federal CIO Council) published the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Plan v1.0, which provided guidance to federal organizations to evolve their logical access control architectures to include the evaluation of attributes as a way to enable access within and between organizations across the Federal enterprise. In December 2011, the FICAM Roadmap and Implementation Plan v2.0 took the next step of calling out ABAC as a recommended access control model for promoting information sharing between diverse and disparate organizations.
ABAC is a logical access control model that is distinguishable because it controls access to objects by evaluating rules against the attributes of the entities (subject and object), the requested actions, and the environment relevant to a request. Attributes may be considered characteristics of anything that may be defined and to which a value may be assigned. In its most basic form, ABAC relies upon the evaluation of attributes of the subject, attributes of the object, environment conditions, and a formal relationship or access control rule defining the allowable operations for subject-object attribute and environment condition combinations. All ABAC solutions contain these basic core capabilities to evaluate attributes and environment conditions, and enforce rules or relationships between those attributes and environment conditions. ABAC systems are capable of enforcing both Discretionary Access Control (DAC) and Mandatory Access Control (MAC) models. Moreover, ABAC systems can enable Risk-Adaptable Access Control (RAdAC) solutions, with risk values expressed as variable attributes.
The rules or policies that can be implemented in an ABAC model are limited only to the degree imposed by the computational language. This flexibility enables the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object. For example, a subject is assigned a set of subject attributes upon employment (e.g., Nancy Smith is a Nurse Practitioner in the Cardiology Department). An object is assigned its object attributes upon creation (e.g., a folder with Medical Records of Heart Patients). Objects may receive their attributes either directly from the creator or as a result of automated scanning tools. The administrator or owner of an object creates an access control rule to govern the set of allowable operations (e.g., all Nurse Practitioners in the Cardiology Department can View the Medical Records of Heart Patients). Adding to the flexibility of the logical access control model, attributes and their values may then be modified throughout the lifecycle of subjects, objects, and attributes without modifying each and every subject/object relationship. This provides a more dynamic access control capability, as access decisions can change between requests when attribute values change.
ABAC describes subjects and objects by their attributes and governs them with an access control rule set that specifies what operations can take place; this capability enables object owners or administrators to apply access control policy without prior knowledge of the specific subject and for an unlimited number of subjects that might require access. As new subjects join the organization, rules and objects do not need to be modified. As long as the subject is assigned the attributes necessary for access to the required objects (e.g., all Nurse Practitioners in the Cardiology Department are assigned those attributes), no modifications to existing rules or object attributes are required. This benefit is often referred to as accommodating the external user and is one of the primary benefits of employing ABAC.
Over the past decade, vendors have begun implementing Attribute Based Access Control (ABAC)-like features in their security management and network operating system products, without general agreement as to what constitutes an appropriate set of ABAC features. Due to a lack of consensus on ABAC features, users cannot accurately assess the benefits and challenges associated with ABAC.
Despite the clear guidance to implement contextual (risk-adaptive), role- or attribute-based access control (ABAC), to date there has not been a comprehensive effort to formally define or guide the implementation of ABAC within the federal government. NIST Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, serves a two-fold purpose. First, it aims to provide Federal agencies with a definition of ABAC and a description of the functional components of ABAC. Second, it provides planning, design, implementation, and operational considerations for employing ABAC within a large enterprise with the goal of improving information sharing while maintaining control of that information.
The Attribute Based Access Control Workshop held on July 17, 2013 was organized by NIST in partnership with NSA and the National Cybersecurity Center of Excellence (NCCoE) based on NIST SP 800-162. About 100 people attended the event from government, industry, and academia. The workshop provided attendees an opportunity to identify, refine, and guide the many interrelated considerations, challenges, and efforts needed to develop ABAC guidance. In the workshop, three topics were presented: 1) “The importance of ABAC”, 2) “NIST SP 800-162: Guide to Attribute Based Access Control Definition and Considerations”, and 3) “Framework of ABAC models”. In the panel section, experts focused on the issues of motivation, applications, and vision of ABAC. In the demonstrations and poster display section, 13 vendors demonstrated ABAC-related products and research. The workshop agenda, minutes, and presentation slides are available separately.