Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)

Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are two very different attribute-based access control standards with similar goals and objectives. An objective of both is to provide a standardized way to express and enforce vastly diverse access control policies in support of various types of data services. The two standards differ in how access control policies and attributes are specified and managed, and in how decisions are computed and enforced. This paper is presented as a consolidation and refinement of public draft NIST SP 800-178 [21], which describes and compares these two standards.

[1] P. S. Tasker et al. Department of Defense Trusted Computer System Evaluation Criteria, 1985.

[2] David F. Ferraiolo et al. Access Control Policy Combinations for the Grid Using the Policy Machine, 2007, Seventh IEEE International Symposium on Cluster Computing and the Grid (CCGrid '07).

[3] Vijayalakshmi Atluri et al. The Policy Machine: A novel architecture and framework for access control policy specification and enforcement, 2011, J. Syst. Archit.

[4] David F. Ferraiolo et al. Policy Machine: Features, Architecture, and Specification, 2014.

[5] D. Elliott Bell et al. Secure Computer System: Unified Exposition and Multics Interpretation, 1976.

[6] Bruno Crispo et al. Performance evaluation of XACML PDP implementations, 2008, SWS '08.

[7] Sylvia L. Osborn et al. HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control, 2014, FPS.

[8] David F. Ferraiolo et al. Guide to Attribute Based Access Control (ABAC) Definition and Considerations, 2014.

[9] Francis M. Kugblenu et al. Separation of Duty in Role Based Access, 2007.

[10] David F. Ferraiolo et al. On the unification of access control and data services, 2014, Proceedings of the 2014 IEEE 15th International Conference on Information Reuse and Integration (IEEE IRI 2014).

[11] 尚弘 島影. Superconductivity research and life at the National Institute of Standards and Technology, 2001.

[12] Ravi S. Sandhu et al. Label-Based Access Control: An ABAC Model with Enumerated Authorization Policy, 2016, ABAC '16.

[13] Axel Küpper et al. A Performance Analysis of the XACML Decision Process and the Impact of Caching, 2015, 2015 11th International Conference on Signal-Image Technology & Internet-Based Systems (SITIS).

[14] Xin Jin et al. A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC, 2012, DBSec.

[15] David F. Ferraiolo et al. Assessment of Access Control Systems, 2006.

[16] D. Richard Kuhn et al. Composing and combining policies under the policy machine, 2005, SACMAT '05.

[17] Dennis G. Kafura et al. First experiences using XACML for access control in distributed systems, 2003, XMLSEC '03.

[18] Carole S. Jordan. A Guide to Understanding Discretionary Access Control in Trusted Systems, 1987.

[19] Michael J. Nash et al. The Chinese Wall security policy, 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[20] Mary Ellen Zurko et al. Separation of duty in role-based environments, 1997, Proceedings 10th Computer Security Foundations Workshop.