Policy Machine/Next Generation Access Control Implementation


To solve the interoperability and policy enforcement problems of today's access control paradigm, NIST has developed a specification [1] and an open source reference implementation [2] of an access control system referred to as the Policy Machine (PM). The PM is designed in support of, and in alignment with, an emerging ANSI/INCITS standard titled "Next Generation Access Control" (NGAC) [3], [4]. The PM/NGAC is a fundamental reworking of traditional access control into a form suited to the needs of the modern, distributed, interconnected enterprise. It is based on a flexible infrastructure that can provide access control services for many kinds of resources accessed by many kinds of applications and users. The PM/NGAC infrastructure has been shown to scale, and it can enforce policies of various types [5] simultaneously while remaining manageable in the face of changing technology, organizational restructuring, and increasing data volumes.

The PM/NGAC is defined in terms of a standardized set of configurable data relations and a standardized set of functions that are generic to the specification and enforcement of arbitrary combinations of attribute-based access control policies. The PM is not an extension or adaptation of any existing access control model or mechanism; it is an attempt to fundamentally redefine access control in terms of its basic configuration data abstractions and functions. Its objective is to provide a unifying framework that supports not only current OS and application policies but also a host of orphan policies for which no viable enforcement mechanism yet exists. To enforce an arbitrary, organization-specific, attribute-based policy, the PM requires changes only to its data configuration, not to its code.
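The following is an added illustrative example; it is not code from the NIST reference implementation (which is written in Java) and does not reproduce its API. It models the building blocks the paragraph refers to: the NGAC element types (users, user attributes, objects, object attributes, policy classes), the assignment relation that links them into a graph, the association relation that grants operations, and a simplified prohibition relation (the standard's complement and intersection flags are omitted). The hospital roles, wards, users and record names are constructed for the example. The decision function follows the standard's rule that a user holds an operation on an object only if every policy class containing the object grants it through some association and no prohibition removes it; each decision is a few breadth-first walks over the assignment graph, so it runs in time linear in the graph size, and changing the policy changes only the data, never the decision code.

```python
from collections import defaultdict, deque

# NGAC element types: users, user attributes, objects, object attributes, policy classes.
U, UA, O, OA, PC = "U", "UA", "O", "OA", "PC"

# Assignments the standard permits: child type -> allowed container types.
ALLOWED_ASSIGN = {U: {UA}, UA: {UA, PC}, O: {OA}, OA: {OA, PC}, PC: set()}


class PolicyGraph:
    """Minimal NGAC-style policy store: a DAG of assignments plus associations
    and (simplified) prohibitions.  Illustrative model, not the PM's own API."""

    def __init__(self):
        self.kind = {}                        # node name -> element type
        self.containers = defaultdict(set)    # assignment edges: node -> direct containers
        self.associations = []                # (user attribute, frozenset(ops), target attribute)
        self.prohibitions = []                # (user or user attribute, frozenset(ops), object attribute)

    def add_node(self, name, kind):
        if name in self.kind:
            raise ValueError(f"duplicate node {name}")
        self.kind[name] = kind

    def assign(self, child, container):
        if self.kind[container] not in ALLOWED_ASSIGN[self.kind[child]]:
            raise ValueError(f"cannot assign {self.kind[child]} {child} to {self.kind[container]} {container}")
        self.containers[child].add(container)

    def associate(self, ua, ops, target):
        if self.kind[ua] != UA or self.kind[target] not in (UA, OA):
            raise ValueError("association must run from a user attribute to an attribute")
        self.associations.append((ua, frozenset(ops), target))

    def prohibit(self, subject, ops, target):
        if self.kind[subject] not in (U, UA) or self.kind[target] != OA:
            raise ValueError("prohibition must run from a user/user attribute to an object attribute")
        self.prohibitions.append((subject, frozenset(ops), target))

    def reach(self, node):
        """Node plus everything reachable upward through assignments.
        Breadth-first; each assignment edge is visited at most once, O(V + E)."""
        seen, queue = {node}, deque([node])
        while queue:
            for container in self.containers[queue.popleft()]:
                if container not in seen:
                    seen.add(container)
                    queue.append(container)
        return seen

    def privileges(self, user, obj):
        """Access review: the set of operations `user` holds on `obj`.
        An operation is granted only if every policy class containing the
        object supplies it via an association the user is contained in."""
        if self.kind.get(user) != U or self.kind.get(obj) != O:
            raise ValueError("privileges() takes a user and an object")
        user_side = self.reach(user)    # user and the user attributes containing it
        obj_side = self.reach(obj)      # object, its object attributes, their policy classes
        per_pc = {n: set() for n in obj_side if self.kind[n] == PC}
        if not per_pc:
            return set()                # object under no policy class: nothing can grant access
        for ua, ops, target in self.associations:
            if ua in user_side and target in obj_side:
                for pc in self.reach(target):       # the association counts for each PC its target lies in
                    if pc in per_pc:
                        per_pc[pc] |= ops
        granted = set.intersection(*per_pc.values())   # conjunction across policy classes
        for subject, ops, target in self.prohibitions:
            if subject in user_side and target in obj_side:
                granted -= ops                           # deny overrides
        return granted

    def decide(self, user, op, obj):
        return op in self.privileges(user, obj)


def build_hospital_policy():
    """Constructed configuration (not a real deployment): a role policy class
    and a ward policy class enforced together on the same record."""
    g = PolicyGraph()
    for name, kind in [("Roles", PC), ("Wards", PC),
                       ("Doctor", UA), ("WardA-staff", UA), ("WardB-staff", UA),
                       ("MedRecords", OA), ("WardA-records", OA), ("WardB-records", OA),
                       ("alice", U), ("bob", U), ("rec-1", O)]:
        g.add_node(name, kind)
    for child, container in [("Doctor", "Roles"), ("MedRecords", "Roles"),
                             ("WardA-staff", "Wards"), ("WardB-staff", "Wards"),
                             ("WardA-records", "Wards"), ("WardB-records", "Wards"),
                             ("alice", "Doctor"), ("alice", "WardA-staff"),
                             ("bob", "Doctor"), ("bob", "WardB-staff"),
                             ("rec-1", "MedRecords"), ("rec-1", "WardA-records")]:
        g.assign(child, container)
    g.associate("Doctor", {"read", "write"}, "MedRecords")
    g.associate("WardA-staff", {"read", "write"}, "WardA-records")
    g.associate("WardB-staff", {"read", "write"}, "WardB-records")
    return g


if __name__ == "__main__":
    g = build_hospital_policy()
    for user in ("alice", "bob"):
        print(user, "on rec-1:", sorted(g.privileges(user, "rec-1")))
    g.assign("bob", "WardA-staff")          # policy change = data change only
    print("bob after ward reassignment:", sorted(g.privileges("bob", "rec-1")))
```

Both users are doctors, so the Roles policy class grants both of them read and write on rec-1; only alice is also contained in WardA-staff, so the Wards policy class grants the record to her alone and bob ends up with no privilege at all. Moving bob into WardA-staff is a single new assignment, with no change to the decision logic, and a prohibition on WardA-records then removes individual operations without touching the associations that granted them.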

The current open source version is a Java implementation that closely follows the NGAC standard. It includes a policy and attribute store, a Policy Enforcement Point, a centralized Policy Decision Point, and an administrative tool for managing policies and attributes. In addition, the implementation includes in-memory structures, a session manager, several applications, and a system for viewing available resources, among others.

The PM and NGAC compare favorably [6] to XACML [7], the current de facto access control standard, in many respects, including performance, scalability, policy expression and enforcement, policy and attribute administration and visualization, and application adaptation.

Of the two standard attribute-based access control methodologies, XACML is the older, its first version having been published in 2003. Compared to the relatively young NGAC standard (published in 2013), XACML has many more implementations and has achieved much greater adoption. This is most likely because XACML was available first and, up to this point, there has been a lack of compelling evidence to convince the community to use PM/NGAC. Central to the case for deploying PM/NGAC is a demonstration of its scalability. This concern has recently been put to rest by a publication showing linear run-time algorithms for both computing decisions and reviewing policies [8]. These algorithms are now included in the latest version, 1.6, of the open source reference implementation. The next logical step in promoting widespread use of PM/NGAC is the availability of a commercially viable implementation.

In addition to the fundamental features of the open source version of the PM, advanced features are required for enhanced performance and usability. This SBIR subtopic seeks development of additional PM features, which may include:
(1) an easy and general user interface for managing, visualizing and analyzing policies;
(2) extension of the current in-memory structures, developed for a subset of the policy relations, to the entire standard set necessary for computing decisions and reviewing policies;
(3) a more efficient and flexible storage mechanism for importing and exporting policies to and from memory;
(4) enhancement of the existing permission delegation approach through a better API and GUI;
(5) replacement of the existing, Microsoft-dependent window manager with a Java-based implementation for enhanced portability;
(6) review and removal of dormant features for better maintainability and increased performance; and
(7) better user, administrator, and application developer documentation.

Phase I activities and expected results:
Plan, specify and design an enhanced implementation, based on the existing PM open source, for future commercial use. Expected result: a completed development plan, specification and design, including a test plan, for the proposed capabilities.

Phase II activities and expected results:

Code development, documentation and testing of the beta version of a commercially viable PM/NGAC product. Expected result: a robust beta version of the PM/NGAC product that contains the proposed enhanced capabilities, documentation for the code and a user manual, and test results that verify the completeness of the development.


In addition to the PM source code, NIST may be available to provide consultation, input and discussion with the awardee to help evaluate the proposed development.
