Attribute Based Access Control

Download the Practice Guide

The NCCoE has released the second draft version of NIST Cybersecurity Practice Guide SP 1800-3, Attribute Based Access Control. Use the buttons below to view this publication in its entirety or scroll down for links to a specific section.

Download PDF »Open Web Version »

Current Status

The NCCoE recently released a second draft of the NIST Cybersecurity Practice Guide, Attritbute Based Access Control, SP 1800-3.  Public comments on the draft will be accepted through October 20, 2017. Submit your comments.

For ease of use, the draft guide is available to download or read in volumes:

  • SP 1800-3a: Executive Summary (PDF) (web page)
  • SP 1800-3b: Approach, Architecture, and Security Characteristics (PDF) (web page)
  • SP 1800-3c: How-To Guides (PDF) (web page)

Or you can download the complete guide (PDF). A zip folder of supplemental files is also availble for implementing Volume C. 

If you have questions on our ABAC projects, please email us at abac-nccoe@nist.gov.

To get the latest information on our work in identity management, sign up for our email updates.

Summary

Most businesses today use Role-Based Access Control (RBAC) to assign access to the network and systems based on job title or defined role. But if an employee changes roles or leaves the company, an administrator must manually change access rights accordingly—perhaps within several systems. As organizations expand and contract, partner with external entities, and modernize systems, this method of managing user access becomes increasingly difficult and inefficient.

To help address this growing cybersecurity challenge and support the next generation of identity management, security engineers at the National Cybersecurity Center of Excellence developed a reference design for an Attribute-Based Access Control (ABAC) system. ABAC is an advanced method for managing access rights for people and systems connecting to networks and assets, offering greater efficiency, flexibility, scalability and security.”

The example solution uses commercially available technologies to demonstrate a standards-based ABAC platform in which access rights to an organization’s network or assets are granted based on a user’s attributes, such as certifications, originating IP address, group, department, or employee status. Decisions on access are then made based on information that is available to systems across an organization, or among organizations, about a person, the action she wants to execute, and the resource she wants to access. ABAC enables the appropriate permissions and limitations for each user’s access request based on individual attributes and allows for the management of those permissions by multiple systems from a single platform, reducing administrative burden.

Enterprises can use some or all of the guide to implement an ABAC system using standards and industry best practices. Commercial, standards-based products, like the ones we used, are easily available and interoperable with commonly used information technology infrastructure and investments.

Read our two-page fact sheet for a brief overview. For archival purposes, the original draft of SP 1800-3 is available for download (PDF).

Video: Value of Attribute-Based Access Control

Video: Value of Attribute-Based Access Control

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

cisco logo
Microsoft logo
NextLabs logo
Ping Identity logo
RSA logo
Symantec logo