
EDITOR JEFFREY VOAS National Institute of Standards and Technology, [email protected]

Attribute-Based

Vincent C. Hu, D. Richard Kuhn, and David F. Ferraiolo, National Institute of Standards and Technology

Attribute-based access control (ABAC) is a flexible approach that can implement AC policies limited only by the computational language and the richness of the available attributes, making it ideal for many distributed or rapidly changing environments.

Traditionally, access control (AC) has been based on the identity of a user requesting execution of a capability to perform an operation (for example, read) on an object (for example, a file), either directly or through predefined attribute types such as roles or groups assigned to that user. Practitioners have noted that this AC approach is often cumbersome to manage given the need to associate capabilities directly to users or their roles or groups. In addition, the requester qualifiers of identity, groups, and roles are often insufficient in expressing real-world AC policies. An alternative is to grant or deny user requests based on arbitrary attributes of the user and selected attributes of the object, and environment conditions that could be globally recognized and more relevant to the policies at hand. This approach is often referred to as attribute-based access control (ABAC).

ABAC: A FLEXIBLE ACCESS CONTROL MODEL

ABAC is a logical AC model that controls access to objects by evaluating rules against the attributes of entities (subject and object), operations, and the environment relevant to a request. ABAC enables precise AC by allowing for a higher number of discrete inputs into an AC decision and thereby providing a larger set of possible combinations of those variables to reflect a larger and more definitive set of possible rules to express policies, which are limited only by the computational language and the richness of the available attributes. This flexibility enables creation of access rules without specifying individual relationships between each subject and each object. For example, a subject is assigned a set of subject attributes upon employment, such as Nancy Smith is a Nurse Practitioner in the Cardiology Department. An object is assigned its object attributes upon creation, such as a folder with Medical Records of Heart Patients. Objects may receive their attributes either directly from the creator or as a result of automated scanning tools. The administrator or owner of an object creates an AC rule using attributes of subjects and objects to govern the set of allowable capabilities—for example,

COMPUTER 0018-9162/15/$31.00 © 2015 IEEE PUBLISHED BY THE IEEE COMPUTER SOCIETY FEBRUARY 2015 85


[Figure 1 diagram. Components shown: enterprise access control policy administration point; enterprise policy manager, with hierarchical policy pushed to subordinate organizations; local access control policy repository and administration point; optional enterprise policy decision service; enterprise identity/credential manager (credential issuance); ABAC access control mechanism (rules, decision, enforce) applied to subject, object, and environmental conditions; enterprise subject attribute manager and administration point (affiliation, name, clearance, etc.); enterprise object attribute manager (owner, type, classification, etc.); local subject and object attribute repositories and administration points; optional enterprise object attribute binding and validation service.]

Figure 1. Attribute-based access control (ABAC) example. Adapted from V.C. Hu et al., Guide to Attribute Based Access Control (ABAC) Definition and Considerations, NIST Special Publication 800-162, Nat’l Institute of Standards and Technology, Jan. 2014.

all Nurse Practitioners in the Cardiology Department can View the Medical Records of Heart Patients.

Under ABAC, access decisions can change between requests simply by altering attribute values, without requiring changes to the subject/object relationships defining the underlying rule sets. This provides a more dynamic AC management capability and limits long-term maintenance requirements of object protections.

Further, ABAC enables object owners or administrators to apply AC policy without prior knowledge of the specific subject and for an unlimited number of subjects that might require access. As new subjects join the organization, rules and objects need not be modified, and as long as the subject is assigned the attributes necessary for access to the required objects—for example, all Nurse Practitioners in the Cardiology Department are assigned those attributes—no modifications to existing rules or object attributes are required. This accommodation of the external (unanticipated) user is one of the primary benefits of employing ABAC.1,2

As a result of this flexibility, ABAC has attracted interest across industry and government, and is the fastest-growing AC model today.3 It has been integrated with other approaches, such as the International Committee for Information Technology Standards (INCITS) standard for role-based access control,4 and has become the basis for an increasing range of products. But beyond the basic scheme of associating attributes with subjects, objects, and environments, there has been little consistency among ABAC implementations.

IMPLEMENTING ABAC IN THE ENTERPRISE ENVIRONMENT

Due to a lack of consensus on ABAC features, users can’t accurately assess the benefits and challenges associated with the model. To address this problem, the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations.1 This document serves a twofold purpose. First, it provides federal agencies with a definition of ABAC and a description of its functional components. Second, it describes planning, design, implementation, and operational considerations for employing ABAC within an enterprise to improve information sharing while maintaining control of that information. The guide focuses on the


TABLE 1. Level of attribute assurance (LOAA) mappings example.

LOAA 1
  Accuracy: Attributes are properly verified for veracity through provision and management.
  Integrity: Secure attribute repository. Secure communication between attribute providers (APs) and relying parties (RPs).
  Availability: Attribute refresh frequency meets the system performance requirement.

LOAA 2
  Accuracy: Includes level 1. Documented rule or standards for attribute value assignment and definition (syntax and semantic rule).
  Integrity: Includes level 1. Dedicated attribute repositories.
  Availability: Includes level 1. Attribute caching during runtime meets the system performance requirement.

LOAA 3
  Accuracy: Includes level 2. Attributes cover all of the organization’s protection policy requirements (semantically complete).
  Integrity: Includes level 2. Encrypted attribute values and communications between APs and RPs.
  Availability: Includes level 2. Failover or backup attributes support.

LOAA 4
  Accuracy: Includes level 3. Attributes under federated or unified governance.
  Integrity: Includes level 3. Formal rules or policy (or standards) for create, update, modify, and delete attributes.
  Availability: Includes level 3. Log for attribute changes and access.
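As an added example that is not code from the article or from NIST, the following shows how a relying party might apply Table 1 in practice: each attribute assertion from an attribute provider carries LOAA metadata, and the RP refuses to use any value that is bound to the wrong subject, comes from an unknown AP, falls below the level its policy requires, or has gone stale. The attribute names, the required levels, the 24-hour freshness window, and the AP name are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Assertion:
    """Attribute assertion from an attribute provider (AP), with the metadata an RP needs."""
    subject: str      # subject the AP says the attribute belongs to
    name: str
    value: str
    provider: str     # which AP issued it
    loaa: dict        # {"accuracy": n, "integrity": n, "availability": n}
    issued_at: datetime

# Constructed policy (assumption, not from the article): minimum LOAA per
# attribute, a freshness window, and the APs this RP is willing to trust.
REQUIRED_LOAA = {
    "role":       {"accuracy": 2, "integrity": 2, "availability": 1},
    "department": {"accuracy": 1, "integrity": 2, "availability": 1},
}
MAX_AGE = timedelta(hours=24)
TRUSTED_APS = {"hr-directory"}

def accept(a, subject, now, required=REQUIRED_LOAA):
    """Decide whether one assertion may feed an AC decision for `subject`; returns (ok, reason)."""
    if a.subject != subject:
        return False, "bound to a different subject"    # value not associated with this subject
    if a.provider not in TRUSTED_APS:
        return False, "untrusted attribute provider"
    need = required.get(a.name)
    if need is None:
        return False, "attribute not covered by policy"
    for prop, level in need.items():                    # accuracy, integrity, availability
        have = a.loaa.get(prop, 0)
        if have < level:
            return False, f"{prop} LOAA {have} below required {level}"
    if now - a.issued_at > MAX_AGE:                     # availability: value was not refreshed
        return False, "stale attribute value"
    return True, "ok"

def trusted_attributes(assertions, subject, now):
    """Keep only the attribute values the RP may use; rejected assertions are dropped."""
    return {a.name: a.value for a in assertions if accept(a, subject, now)[0]}

# Constructed sample assertions about the article's Nancy Smith subject.
NOW = datetime(2015, 2, 1, 12, 0, tzinfo=timezone.utc)
GOOD = Assertion("nsmith", "role", "Nurse Practitioner", "hr-directory",
                 {"accuracy": 3, "integrity": 3, "availability": 2}, NOW - timedelta(hours=1))
STALE = Assertion("nsmith", "department", "Cardiology", "hr-directory",
                  {"accuracy": 3, "integrity": 3, "availability": 2}, NOW - timedelta(days=2))
LOW = Assertion("nsmith", "role", "Nurse Practitioner", "hr-directory",
                {"accuracy": 1, "integrity": 3, "availability": 2}, NOW)
```

The reason string returned on rejection is what an RP should log, since a run of rejections from one AP is the earliest sign that its attribute quality has degraded.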

challenges of implementing ABAC rather than on balancing the cost and effectiveness of other capabilities versus ABAC.

When deployed across an enterprise to increase information sharing among diverse organizations, ABAC implementations can become complex, requiring an attribute management infrastructure, machine-enforceable policies, and an array of functions that support access decisions and policy enforcement. As Figure 1 shows, in addition to the basic policy, attribute, and AC mechanism requirements, the enterprise must support management functions for enterprise policy development and distribution, enterprise identity and subject attributes, subject attribute sharing, enterprise object attributes, , and AC mechanism deployment and distribution.

Enabling these capabilities requires careful consideration of numerous factors that will influence the design, security, and interoperability of an enterprise ABAC solution. These factors can be summarized around a set of activities:

››establish the business case for ABAC implementation;
››understand the operational requirements and overall ABAC enterprise architecture;
››establish or refine business processes to support ABAC;
››develop and acquire an interoperable set of ABAC capabilities; and
››operate with efficient ABAC processing.

NIST SP 800-162 helps ABAC system planners, architects, managers, and implementers carry out these activities in four phases. The initiation phase includes building the business case for deploying ABAC capabilities; scalability, feasibility, and performance requirements; and developing operational requirements and architecture. The acquisition/development phase includes business process generation and deployment preparation, system development and solution acquisition considerations, and other enterprise ABAC capabilities. The implementation/assessment phase includes attribute caching, attribute source minimization, and ABAC interface specifications. Finally, the operations/maintenance phase includes availability of quality ABAC data.

ATTRIBUTE ASSURANCE

The metadata of ABAC attributes communicate aspects that are important for attribute standardization. By coupling a common set of mandatory and optional metadata with attribute assertions, ABAC systems can query attribute information to make their own risk-based decisions, especially when delivered via a broker connected to many systems. In general, attribute metadata fall into three categories:

››Accuracy establishes the policy and technical underpinnings for semantically and syntactically correct use of these attributes


and environmental conditions, and ensures that the reported attributes are trustworthy, based on the trust established in the measurement and reporting processes.
››Integrity considers different standards and protocols used for secure sharing of attributes between systems in order to avoid compromising the integrity and confidentiality of the attributes or exposing vulnerabilities in attribute provider (AP) or relying party (RP) systems or entities.
››Availability ensures that the update and retrieval of attributes support the RP. In addition, attribute repositories’ failover and backup capability must be considered. Note that some attributes might change regularly or over time.

An AP is any person or system that provides subject, object (or resource), or environmental condition attributes regardless of transmission method. The AP could be the original authoritative source or receiving information from an authoritative source for repacking and storing-and-forwarding to the ABAC system. Attribute values can be human generated (for example, an employee database) or derived from formulas (for example, a credit score). Regardless of the attribute source, the system should ensure that the attribute value received from an AP is accurately associated with the subject, object, or environmental condition to which it applies.2 Table 1 illustrates example levels of attribute assurance (LOAA) based on the accuracy, integrity, and availability properties.

Attribute-based access control is a flexible approach that can implement AC policies limited only by the computational language and the richness of the available attributes. This flexibility enables the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object, making ABAC ideal for many distributed or rapidly changing environments.

ABAC has the potential to dramatically improve AC in modern applications such as e-commerce and the Internet of Things. In the meantime, a consensus definition of ABAC is needed, and work remains to be done in assuring attribute accuracy and reliability. For more information on ongoing efforts, see http://csrc.nist.gov/projects/abac/index.html.

REFERENCES

1. V.C. Hu et al., Guide to Attribute Based Access Control (ABAC) Definition and Considerations, NIST Special Publication 800-162, Nat’l Institute of Standards and Technology, Jan. 2014; http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf.
2. V.C. Hu, D.F. Ferraiolo, and D.R. Kuhn, Assessment of Access Control Systems, NIST Interagency Report 7316, Nat’l Institute of Standards and Technology, Mar. 2006; http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf.
3. Avatier Corp., “Leveraging Today’s Megatrends to Drive the Future of ,” video presentation, Gartner Identity and Access Management (IAM) Summit, 2012; www.avatier.com/products/identity-management/resources/gartner-iam-2020-predictions.
4. D.R. Kuhn, E.J. Coyne, and T.R. Weil, “Adding Attributes to Role Based Access Control,” Computer, vol. 43, no. 6, 2010, pp. 79–81.

VINCENT C. HU is a computer scientist in the Division at the National Institute of Standards and Technology. Contact him at [email protected].

D. RICHARD KUHN is a project leader and computer scientist in the Computer Security Division at the National Institute of Standards and Technology. Contact him at [email protected].

DAVID F. FERRAIOLO is a computer scientist and manages the Secure Systems and Applications Group in the Computer Security Division at the National Institute of Standards and Technology. Contact him at [email protected].
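The sidebar's rule (all Nurse Practitioners in the Cardiology Department can View the Medical Records of Heart Patients) and the conclusion's claim that no per-subject relationships are needed, as an added example that is not code from the article or from NIST: the rule names attributes only, so onboarding a new subject or changing an attribute value alters decisions without editing RULES or OBJECTS. The attribute keys, the Oncology and Ana Lee subjects, and the on_shift environment condition are constructed assumptions.

```python
# Constructed sample data (not from the article), in the style of the
# Nancy Smith example: attributes are assigned to subjects and objects,
# and the rule names only attributes, never an individual user or file.
SUBJECTS = {
    "nsmith": {"name": "Nancy Smith", "role": "Nurse Practitioner", "department": "Cardiology"},
    "jdoe":   {"name": "John Doe", "role": "Nurse Practitioner", "department": "Oncology"},
}
OBJECTS = {
    "heart-records": {"type": "Medical Records", "patient_group": "Heart Patients"},
}
# "on_shift" is an assumed environment condition, the third input to a decision.
RULES = [
    {
        "operation": "View",
        "subject": {"role": "Nurse Practitioner", "department": "Cardiology"},
        "object": {"type": "Medical Records", "patient_group": "Heart Patients"},
        "environment": {"on_shift": True},
    },
]

def matches(required, actual):
    """Every attribute the rule names must be present with exactly that value."""
    return all(actual.get(k) == v for k, v in required.items())

def decide(subject, obj, operation, environment, rules=RULES):
    """Permit if any rule's operation, subject, object and environment conditions all hold;
    otherwise Deny, so a request that no rule covers is never silently allowed."""
    for rule in rules:
        if (rule["operation"] == operation
                and matches(rule["subject"], subject)
                and matches(rule["object"], obj)
                and matches(rule["environment"], environment)):
            return "Permit"
    return "Deny"

def onboard(subject_id, attributes, subjects=SUBJECTS):
    """Add a new subject by assigning attributes only; RULES and OBJECTS are untouched."""
    subjects[subject_id] = dict(attributes)
    return subjects[subject_id]

def reassign(subject, **changes):
    """Return the subject with changed attribute values; the next decision changes, no rule is edited."""
    return {**subject, **changes}

if __name__ == "__main__":
    env = {"on_shift": True}
    for sid in SUBJECTS:
        print(sid, decide(SUBJECTS[sid], OBJECTS["heart-records"], "View", env))
```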
