[Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations

Jim Manico jim.manico at owasp.org
Wed Jan 22 00:00:25 UTC 2014


Chris,

Context-Based-Access-Control is already a formal access control methodology
for firewall tech.
http://en.m.wikipedia.org/wiki/Context-based_access_control

Also, NIST's ABAC doc describes something done informally for decades.
Anyone building large multi-tenant systems has already been forced to go
down the ABAC path or similar. What makes me so happy is to see NIST
finally addressing the limitations of RBAC in such a public, formal way to
the point of helping federal agencies make a business case for ABAC.

Do you have anything published on your methodology? I would love to see it.

Cheers Chris,
--
Jim Manico
@Manicode
(808) 652-3805

On Jan 21, 2014, at 1:48 PM, Chris Schmidt <
chris.schmidt at contrastsecurity.com> wrote:

  I’ll have to read up on this and see how it compares to my idea for
Context-Based-Access-Control from a few years ago.



*From:* owasp-leaders-bounces at lists.owasp.org [
mailto:owasp-leaders-bounces at lists.owasp.org]
*On Behalf Of *Jim Manico
*Sent:* Tuesday, January 21, 2014 4:23 PM
*To:* Bev Corwin; owasp-leaders at lists.owasp.org; OWASP IDecosystem List
*Subject:* Re: [Owasp-leaders] NIST Approved: Special Publication (SP)
800-162, Guide to Attribute Based Access Control (ABAC) Definition and
Considerations



Anything that encourages developers to stray away from modern
implementations of Role-Based-Access-Control is fine by me. This is a great
step in the right direction from what I have read so far.



Thanks for passing this along, Bev.



Aloha,

Jim



*From:* owasp-leaders-bounces at lists.owasp.org [mailto:
owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Bev Corwin
*Sent:* Tuesday, January 21, 2014 7:51 AM
*To:* owasp-leaders at lists.owasp.org; OWASP IDecosystem List
*Subject:* [Owasp-leaders] NIST Approved: Special Publication (SP) 800-162,
Guide to Attribute Based Access Control (ABAC) Definition and Considerations



FYI:



"*NIST Special Publication (SP) 800-162, Guide to Attribute Based Access
Control (ABAC) Definition and Considerations* has been approved as final
and is now available on the CSRC / NIST website.

URL to the SP 800-162 document (PDF):
http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

An announcement about this document's release can be found on the CSRC
Announcement page:
http://csrc.nist.gov/news_events/#jan21

The SP 800-162 listing can be found on the NIST CSRC Special Publications
page (for bookmarking purposes):
http://csrc.nist.gov/publications/PubsSPs.html#800-162
  "



Bev