Attribute Based Access Control

Download the Practice Guide

The NCCoE has released the draft version of NIST Cybersecurity Practice Guide SP 1800-3, Attribute Based Access Control. Use the buttons below to view this publication in its entirety or scroll down for links to a specific section.

Download PDF »Open Web Version »


Most businesses today use Role-Based Access Control (RBAC) to assign access to the network and systems based on job title or defined role. But if an employee changes roles or leaves the company, an administrator must manually change access rights accordingly—perhaps within several systems. As organizations expand and contract, partner with external vendors or systems, and modernize systems, this method of managing user access becomes increasingly difficult and inefficient.

To help address this growing cybersecurity challenge and support the next generation of identity management, security engineers at the National Cybersecurity Center of Excellence developed a reference design for an Attribute-Based Access Control (ABAC) system. ABAC is an advanced method for managing access rights for people and systems connecting to networks and assets, offering greater efficiency, flexibility, scalability and security. In fact, Gartner recently predicted that “by 2020, 70% of enterprises will use attribute-based access control…as the dominant mechanism to protect critical assets, up from less than 5% today.”

The example solution uses commercially available technologies to demonstrate a standards-based ABAC platform in which access rights to an organization’s network or assets are granted based on a user’s attributes, such as certifications, IP address, group, department, or employee status. Decisions on access are then made based on information that is available to systems across an organization, or among organizations, about a person, the action she wants to execute, and the resource she wants to access. ABAC enables the appropriate permissions and limitations for the same information system for each user based on individual attributes and allows for the management of those permissions to multiple systems from a single platform, reducing administrative burden.

Enterprises can use some or all of the guide to implement an ABAC system using standards and industry best practices. Commercial, standards-based products, like the ones we used, are easily available and interoperable with commonly used information technology infrastructure and investments.

Read our two-page fact sheet, or the press release from NIST on the practice guide. For archival purposes, you may download the revised and original project descriptions.

Video: Value of Attribute-Based Access Control

Video: Value of Attribute-Based Access Control

Collaborating Vendors

Microsoft logo
NextLabs logo
Ping Identity logo
RSA logo
Symantec logo

The NCCoE implemented this project with technology vendor collaborators and/or its National Cybersecurity Excellence Partnership (NCEP) partners. They contributed hardware, software, and expertise on this project.


Disclaimer: Certain commercial entities, equipment, products, or materials may be identified in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.