DOI: 10.1145/2875491.2875496
Research article

Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)

Published: 11 March 2016

Abstract

Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are very different attribute-based access control standards with similar goals and objectives. An objective of both is to provide a standardized way of expressing and enforcing vastly diverse access control policies in support of various types of data services. The two standards differ in the manner in which access control policies and attributes are specified and managed, and in how decisions are computed and enforced. This paper is presented as a consolidation and refinement of public draft NIST SP 800-178 [21], describing and comparing these two standards.

References

[1] Information technology -- Role-Based Access Control (RBAC), INCITS 359-2004, American National Standard for Information Technology, American National Standards Institute, 2004.
[2] Information technology -- Next Generation Access Control -- Functional Architecture (NGAC-FA), INCITS 499-2013, American National Standard for Information Technology, American National Standards Institute, March 2013.
[3] D. Bell and L. La Padula, "Secure Computer Systems: Unified Exposition and MULTICS," Report ESD-TR-75-306, The MITRE Corporation, Bedford, Massachusetts, March 1976.
[4] D.F.C. Brewer and M.J. Nash, "The Chinese Wall Security Policy," 1989 IEEE Symposium on Security and Privacy, Oakland, California, USA, May 1--3, 1989, pp. 206--214. http://dx.doi.org/10.1109/SECPRI.1989.36295 (accessed 11/15/15)
[5] DoD Computer Security Center, Trusted Computer System Evaluation Criteria, December 1985.
[6] D.F. Ferraiolo, S.I. Gavrila, V.C. Hu, and D.R. Kuhn, "Composing and Combining Policies Under the Policy Machine," Tenth ACM Symposium on Access Control Models and Technologies (SACMAT '05), Stockholm, Sweden, 2005, pp. 11--20.
[7] D.F. Ferraiolo, V. Atluri, and S.I. Gavrila, "The Policy Machine: A Novel Architecture and Framework for Access Control Policy Specification and Enforcement," Journal of Systems Architecture, vol. 57, no. 4, pp. 412--424, April 2011. http://dx.doi.org/10.1016/j.sysarc.2010.04.005 (accessed 11/15/15)
[8] D. Ferraiolo, S. Gavrila, and W. Jansen, "Policy Machine: Features, Architecture, and Specification," National Institute of Standards and Technology (NIST) IR 7987 Revision 1, October 2015. http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.7987r1.pdf
[9] D. Ferraiolo, S. Gavrila, and W. Jansen, "On the Unification of Access Control and Data Services," in Proc. IEEE 15th International Conference on Information Reuse and Integration, 2014, pp. 450--457. http://csrc.nist.gov/pm/documents/ir2014_ferraiolo_final.pdf
[10] R. Graubart, "On the Need for a Third Form of Access Control," in Proc. National Computer Security Conference, 1989, pp. 296--304.
[11] V.C. Hu, D.F. Ferraiolo, and D.R. Kuhn, "Assessment of Access Control Systems," National Institute of Standards and Technology (NIST) Interagency Report (IR) 7316, September 2006. http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf
[12] V.C. Hu, D.F. Ferraiolo, and K. Scarfone, "Access Control Policy Combinations for the Grid Using the Policy Machine," Cluster Computing and the Grid, 2007, pp. 225--232.
[13] V.C. Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, K. Sandlin, R. Miller, and K. Scarfone, "Guide to Attribute Based Access Control (ABAC) Definition and Considerations," National Institute of Standards and Technology (NIST) SP 800-162, January 2014. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-162.pdf
[14] M. Lorch et al., "First Experience Using XACML for Access Control in Distributed Systems," ACM Workshop on XML Security, Fairfax, Virginia, 2003.
[15] Guide to Understanding Discretionary Access Control in Trusted Systems, NCSC-TG-003, Version 1, National Computer Security Center, Fort George G. Meade, USA, September 30, 1987, 29 pp. http://csrc.nist.gov/publications/secpubs/rainbow/tg003.txt
[16] XACML Profile for Role Based Access Control (RBAC), Committee Draft 01, February 2004.
[17] The eXtensible Access Control Markup Language (XACML), Version 3.0, OASIS Standard, January 22, 2013. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
[18] 2010 Economic Analysis of Role-Based Access Control, RTI Number 0211876, Research Triangle Institute, December 2010.
[19] R. Simon and M. Zurko, "Separation of Duty in Role Based Access Control Environments," Proc. New Security Paradigms Workshop, 1997.
[20] Information technology -- Next Generation Access Control -- Generic Operations and Data Structures, INCITS 526, American National Standard for Information Technology, American National Standards Institute, to be published.
[21] D.F. Ferraiolo, R. Chandramouli, V. Hu, and R. Kuhn, "A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services," National Institute of Standards and Technology (NIST) Draft SP 800-178, December 2015. http://csrc.nist.gov/publications/drafts/800178/sp800_178_draft.pdf

Published In

ABAC '16: Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control, March 2016, 82 pages. ISBN: 9781450340793. DOI: 10.1145/2875491.

This paper is authored by an employee(s) of the United States Government and is in the public domain. Non-exclusive copying or redistribution is allowed, provided that the article citation is given and the authors and agency are clearly identified as its source.

Publisher: Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. abac
      2. access control
      3. ngac
      4. policy machine
      5. xacml


Conference: CODASPY'16
