Access control usually means that a user is granted permission to perform a specific operation on an object in a specified way (e.g., a user editing a Word document). Their ability to access the file results from permissions granted to them through their assignment to a particular group or role.
IT professionals and users alike have dealt with this often frustrating form of access control for many years. In IT, assigning specific capabilities or roles to individual users or groups is not always easy, so access control can be difficult to manage.
Attribute based access control (ABAC) offers a different way to manage such access: a user's request for access is granted or denied based on various attributes of the file or object, together with other conditions that are relevant to the current policies.
In 2009, the Federal CIO Council published the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Plan v1.0 to provide guidance to federal organizations that were reconfiguring their logical access control architectures to include the evaluation of attributes, so that access could be granted across organizations within the Federal enterprise. Three years later, the FICAM Roadmap and Implementation Plan v2.0 identified ABAC as the recommended access control model for sharing information among diverse organizations.
In our IT Downloads, the Guide to Attribute Based Access Control (ABAC) Definition and Considerations gives Federal agencies and other enterprise organizations an opportunity to learn more about ABAC and its functionality. The document was created by the National Institute of Standards and Technology (NIST), and it also provides details on how to plan for, design, implement, and put into operation the components of ABAC within the enterprise.
According to the document:
When deployed across an enterprise for the purposes of increasing information sharing among diverse organizations, ABAC implementations can become complex—supported by the existence of an attribute management infrastructure, machine-enforceable policies, and an array of functions that support access decisions and policy enforcement.
In addition to the basic policy, attribute, and access control mechanism requirements, the enterprise must support management functions for enterprise policy development and distribution, enterprise identity and subject attributes, subject attribute sharing, enterprise object attributes, authentication, and access control mechanism deployment and distribution. The development and deployment of these capabilities requires the careful consideration of a number of factors that will influence the design, security, and interoperability of an enterprise ABAC solution.
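To make the idea of attribute-driven, machine-enforceable policy concrete, here is a small policy decision point as an added example (it is not code from the NIST guide or from this article). The attribute names, the three rules and the sample user and file are all constructed for the illustration; the point is that the decision depends on subject, object and environment attributes rather than on a role alone, and that the evaluator fails closed when no rule applies.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Attribute bags for the subject (user), the object (file) and the environment
# (e.g. time of day); every attribute name below is constructed for this example.
Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs, Attrs, str], bool]

@dataclass
class Rule:
    name: str
    effect: str          # "permit" or "deny"
    applies: Condition   # True when the rule applies to the request

CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2}

def edit_own_department(subject: Attrs, obj: Attrs, env: Attrs, action: str) -> bool:
    # Read/edit only within the subject's own department, and only when the
    # subject's clearance is at least the object's sensitivity (strict defaults).
    return (action in ("read", "edit")
            and subject.get("department") == obj.get("department")
            and CLEARANCE_RANK.get(subject.get("clearance", "public"), 0)
            >= CLEARANCE_RANK.get(obj.get("sensitivity", "confidential"), 2))

def read_public(subject: Attrs, obj: Attrs, env: Attrs, action: str) -> bool:
    return action == "read" and obj.get("sensitivity") == "public"

def outside_business_hours(subject: Attrs, obj: Attrs, env: Attrs, action: str) -> bool:
    return not (9 <= env.get("hour", 0) < 17)

POLICY: List[Rule] = [
    Rule("block-after-hours", "deny", outside_business_hours),
    Rule("department-editor", "permit", edit_own_department),
    Rule("public-read", "permit", read_public),
]

def decide(policy: List[Rule], subject: Attrs, obj: Attrs, env: Attrs, action: str) -> str:
    """Policy decision point: deny-overrides combining, default deny."""
    matched = [r for r in policy if r.applies(subject, obj, env, action)]
    if any(r.effect == "deny" for r in matched):
        return "deny"
    if any(r.effect == "permit" for r in matched):
        return "permit"
    return "deny"  # no applicable rule: fail closed

if __name__ == "__main__":
    alice = {"id": "alice", "department": "finance", "clearance": "confidential"}
    budget = {"id": "budget.xlsx", "department": "finance", "sensitivity": "confidential"}
    print(decide(POLICY, alice, budget, {"hour": 10}, "edit"))  # permit
    print(decide(POLICY, alice, budget, {"hour": 22}, "edit"))  # deny (after hours)
```

The same user gets different answers for the same file depending on the environment attribute, which is exactly what a role assignment on its own cannot express.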
High-level IT security professionals will benefit from this informative document. It can assist enterprises (both Federal and non-governmental) to maintain control of data while they improve file sharing capabilities among users and between organizations.