ANSI INCITS 499-2018 Information Technology - Next Generation Access Control - Functional Architecture (NGAC-FA) (PDF)

Uploaded by: 吴艺期 | Document ID: 435811 | Uploaded: 2018-11-14 | Format: PDF | Pages: 57 | Size: 989.23KB
American National Standard for Information Technology - Next Generation Access Control - Functional Architecture (NGAC-FA)

INCITS 499-2018
Revision of INCITS 499-2013

Developed by
Secretariat: Information Technology Industry Council

Approved January 3, 2018
American National Standards Institute, Inc.

Abstract

Next Generation Access Control (NGAC) is a fundamental reworking of traditional access control to meet the needs of the modern, distributed, interconnected enterprise. NGAC is based on a flexible infrastructure that can provide access control services for a number of different types of resources, accessed by a number of different types of applications and users. The infrastructure is scalable, able to support policies of different types simultaneously, and remain manageable in the face of changing technology, organizational restructuring, and increasing data volumes. This standard defines the functional architecture that is the basis for all other NGAC standards.

Approval of an American National Standard requires review by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer.

Consensus is established when, in the judgement of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made towards their resolution.

The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards.

The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard.

CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken periodically to reaffirm, revise, or withdraw this standard. Purchasers of American National Standards may receive current information on all standards by calling or writing the American National Standards Institute.

Published by
American National Standards Institute, Inc.
25 West 43rd Street, New York, NY 10036

Copyright 2018 by Information Technology Industry Council (ITI)
All rights reserved.

No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of ITI, 1101 K Street NW, Suite 610, Washington, DC 20005.

Printed in the United States of America

CAUTION: The developers of this standard have requested that holders of patents that may be required for the implementation of the standard disclose such patents to the publisher. However, neither the developers nor the publisher have undertaken a patent search in order to identify which, if any, patents may apply to this standard. As of the date of publication of this standard and following calls for the identification of patents that may be required for the implementation of the standard, no such claims have been made. No further patent search is conducted by the developer or publisher in respect to any standard it processes. No representation is made or implied that licenses are not required to avoid infringement in the use of this standard.

Table of Contents

Topic - Page
Introduction - ix
1 Scope - 1
2 Normative References - 2
3 Definitions, Symbols, Abbreviations, and Conventions - 3
3.1 Definitions - 3
3.2 Symbols and acronyms - 5
3.3 Keywords - 5
3.4 Conventions - 6
4 Architecture - 7
4.1 Functional architecture - 7
4.2 Operational overview - 7
4.3 Information flows - 9
4.4 Interfaces - 13
5 Functional Entities - 14
5.1 Overview - 14
5.2 Policy Enforcement Point (PEP) - 14
5.3 Policy Decision Point (PDP) - 14
5.4 Event Processing Point (EPP) - 15
5.5 Policy Administration Point (PAP) - 15
5.6 Policy Information Point (PIP) - 15
5.7 Resource Access Point (RAP) - 15
6 NGAC Standards Family - 16
6.1 Introduction - 16
6.2 NGAC Generic Operations and Data Structures (GOADS) - 16
6.3 NGAC Implementation Requirements, Protocols and API Definitions (IRPAD) - 24
Annex A (Informative) Bibliography - 26
Annex B (Informative) Background to Access Control - 27
Annex C (Informative) Example NGAC Policy Configuration - 29
C.1 Introduction - 29
C.2 RBAC - 31
C.3 MLS - 37

List of Figures

Figure - Page
Figure 1: NGAC Functional Architecture - 7
Figure 2: NGAC Resource Access Information Flow - 10
Figure 3: NGAC Administration Access Information Flow - 11
Figure 4: NGAC Event Context Information Flow - 12
Figure C.1: Example diagram areas - 29
Figure C.2: Example diagram conventions - 30
Figure C.3: Step 1 - 31
Figure C.4: Step 2 - 32
Figure C.5: Step 3 - 33
Figure C.6: Step 4 - 34
Figure C.7: Step 5 - 35
Figure C.8: Step 6 - 37
Figure C.9: Step 7 - 38
Figure C.10: Step 8 - 39
Figure C.11: Step 9 - 41

Foreword

(This foreword is not part of American National Standard INCITS 499-2018.)

Technical Committee CS1 of Accredited Standards Committee INCITS developed the NGAC Functional Architecture standard during 2011-2012. The standards approval process started in 2012 and completed in 2013. This revision to the 2013 NGAC Functional Architecture standard was developed during 2015-2016. The approval process started in 2016.

Next Generation Access Control (NGAC) is a fundamental reworking of traditional access control into a form suited to the needs of the modern, distributed, interconnected enterprise. NGAC is based on a flexible infrastructure that can provide access control services for a number of different types of resources, accessed by a number of different types of applications and users. The NGAC infrastructure is scalable and able to support policies of different types simultaneously, while remaining manageable in the face of changing technology, organizational restructuring, and increasing data volumes.

Access control is both an administrative and an automated process of defining and restricting which users and their processes can perform which operations on which system resources. The information that provides the basis by which access requests are granted or denied is known as a security policy. A security model is a formal representation of a security policy and its working. A wide variety of policy types and supporting security models have been created to address different situations. Examples of well-known policies are Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role Based Access Control (RBAC), and Chinese Wall.

NGAC diverges from traditional approaches to access control in defining a generic architecture that is separate from any particular policy or type of policy. NGAC is not an extension of, or adaption of, any existing access control model, but instead is a redefinition of access control in terms of a fundamental and reusable set of data abstractions and functions. NGAC provides a unifying framework capable without extension of supporting not only current access control approaches, but also novel types of policy that have been conceived but never implemented due to the lack of a suitable means of expression and enforcement.

NGAC follows an attribute-based construction in which characteristics or properties are used to control access to resources and to describe and manage policy. NGAC accommodates combinations of different policies merely by changes to its control information, and thus it is possible to have several types of policies supported concurrently in a manner that is both deterministic and manageable. NGAC is also suitable for applications in which some information is stored locally and some is stored in a grid or cloud, since different policies can be asserted in each context. Even more generally, NGAC supports a situation where policy determined by a central organization is able to operate concurrently with a local, specific and more ad-hoc policy.

Through its support of access control policies, NGAC is also able to protect data services, such as e-mail, workflow, and records management. Support for data services is effected through the use of NGAC access control information to mediate data service operations.

The family of NGAC standards specifies the architecture, functions, operations, and interfaces at a level of detail necessary to ensure their realization in different types of implementation environments at a range of scalability levels. This standard specifies the functional architecture upon which the family of NGAC standards is based.

This standard contains the following items:
a) illustrations of the functional architecture and the entities that it comprises;
b) descriptions of each entity of the functional architecture;
c) descriptions of the interfaces between entities;
d) definitions of the information flows between entities; and
e) overviews of the other standards in the NGAC standards family.

This standard contains three informative annexes, which are not considered part of this standard.

Requests for interpretation, suggestions for improvement and addenda, or defect reports are welcome. They should be sent to the INCITS Secretariat, InterNational Committee for Information Technology Standards, Information Technology Institute, 1101 K Street, NW, Suite 610, Washington, DC 20005.

Users of this standard are encouraged to determine if there are standards in development or new versions of this standard that may extend or clarify technical information contained in this standard.

This standard was processed and approved for submittal to ANSI by the InterNational Committee for Information Technology Standards (INCITS). Committee approval of the standard does not necessarily imply that all committee members voted for its approval. At the time it approved this standard, INCITS had the following members:

Philip Wennblom, Chair
Don Deutsch, Vice-Chair
Jennifer Garner, Secretary

Organization Represented - Name of Representative
Adobe Systems, Inc - Scott Foshee
AIM Global, Inc. - Steve Halliday; Mary Lou Bosco (Alt.); Chuck Evanhoe (Alt.); Dan Kimball (Alt.)
Apple - Helene Workman; Marc Braner (Alt.); Virginia Fournier (Alt.); David Singer (Alt.)
Department of Commerce - NIST - Michael Hogan; Wo Chang (Alt.); Sal Francomacaro (Alt.); Elaine Newton (Alt.)
Farance, Inc - Frank Farance; Timothy Schoechle (Alt.)
Futurewei Technologies, Inc. - Yi Zhao; Wilbert Adams (Alt.); Wael Diab (Alt.)
GS1 GO - Charles Biss; Andrew Hearn (Alt.); Edward Merrill (Alt.)
HP, Inc - Karen Higginbottom; Paul Jeran (Alt.)
IBM Corporation - Steve Holbrook; Alexander Tarpinian (Alt.)
IEEE - Jodie Haasz; Victoria Kuperman-Super (Alt.); Don Wright (Alt.)
Intel Corporation - Philip Wennblom; Grace Wei (Alt.)
Microsoft Corporation - Laura Lindsay; John Calhoon (Alt.)
Oracle Corporation - Donald Deutsch; Anish Karmarkar (Alt.); Michael Kavanaugh (Alt.); Peter Lord (Alt.); Jim Melton (Alt.); Jan-Eike Michels (Alt.); Elaine Newton (Alt.); Toshihiro Suzuki (Alt.)
Telecommunications Industry Association (TIA) - Florence Otieno; Stephanie Montgomery (Alt.)
VMware, Inc. - Stephen Diamond; Lawrence Lamers (Alt.)

Technical Committee CS1 on Cyber Security, which reviewed this standard, had the following members:

Dan Benigni, Chair
Sal Francomacaro, Vice-Chair
Eric Hibbard, International Representative

Organization Represented - Name of Representative
Alcatel-Lucent International - Frank Bastry; Rao Vasireddy (Alt.)
Amazon Web Services, Inc. - Beatrice Fullan; Oliver Bell (Alt.)
Atsec Information Security Corporation - Fiona Pattinson; Helmut Kurth (Alt.)
BCG Platinion - Nadya Bartol; Kris Winkler (Alt.)
Booz Allen

... Approved international and regional standards (ISO and IEC); and Approved foreign standards (including JIS and DIN).

For further information, contact the ANSI Customer Service Department: Phone: +1 212-642-4900; Fax: +1 212-302-1286; Web: http://www.ansi.org; E-mail: ansionline@ansi.org; or the InterNational Committee for Information Technology Standards (INCITS): Phone: 202-626-5737; Web: http://www.incits.org; E-mail: incits@itic.org.

The following are approved references that pertain to this standard:
ACF: ISO/IEC 10181-3:1996, Open Systems Interconnection - Security frameworks for open systems: Access control framework
NGAC-GOADS: INCITS 526-2016, Information technology - Next Generation Access Control - Generic Operations And Data Structures (NGAC-GOADS)

The following are references under development:
NGAC-IRPAD: INCITS 525-201x, Information technology - Next Generation Access Control - Implementation Requirements, Protocols and API Definitions (NGAC-IRPAD)

Note that the status of the referenced American National Standards under development may have changed since the time of publication. For information about the current status of a document, or regarding availability, contact the relevant standards body.

3 Definitions, Symbols, Abbreviations, and Conventions

3.1 Definitions

3.1.1 access control: The prevention of unauthorized behavior, including the use of a resource in an unauthorized manner, which is regulated through a defined policy.

3.1.2 access control entry: A type of derived relation that, for a specific policy element, governs which users and which operations those users may exercise on the policy element, in the absence of any relevant restrictions.

3.1.3 access request: Information that a process acting on behalf of a user initiates to accomplish an action affecting either a resource or the basic elements, containers and relations that comprise policy.

3.1.4 access right: A property that enables a user to perform operations either on objects representing resources or on information persisted in the PIP.

3.1.5 access right set: A subset of all access rights, whose members are related for the purposes of access control.

3.1.6 ascendant: A policy element that is contained by another policy element through a chain of assignments originating from the former to the latter.

3.1.7 assignment: A type of configured relation that establishes a correspondence between two policy elements.

3.1.8 association: A type of configured relation that establishes a basis for one or more privileges.

3.1.9 attribute: A type of container that may be either a user attribute or an object attribute.

3.1.10 authorization: The allocation of access rights to users and processes via the association and prohibition relations.

3.1.11 basic elements: A collective term that de
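To make definitions 3.1.6 to 3.1.8 concrete, here is a small constructed policy graph in Python; it is an added example, not text or code from the standard. The users, attributes, objects and associations are invented, and the access decision is deliberately simplified: policy classes and prohibitions are specified in NGAC-GOADS rather than on this page, so they are left out.

```python
"""Constructed NGAC policy graph illustrating definitions 3.1.6 to 3.1.8:
assignments relate policy elements, an ascendant reaches a container through
a chain of assignments, and an association (user attribute, access right set,
object attribute) is the basis for privileges. Policy classes and prohibitions
are specified in NGAC-GOADS, not on this page, so this check omits them."""
from collections import deque

# Constructed sample: each key is assigned to the containers in its set.
ASSIGNMENTS = {
    "alice": {"Doctor"},
    "bob": {"Intern"},
    "Doctor": {"Staff"},
    "Intern": {"Staff"},
    "record1": {"MedicalRecords"},
    "MedicalRecords": {"PatientData"},
}

# Constructed associations: (user attribute, access right set, object attribute).
ASSOCIATIONS = [
    ("Doctor", {"read", "write"}, "MedicalRecords"),
    ("Staff", {"read"}, "PatientData"),
]


def containers_of(element):
    """Every policy element that `element` is an ascendant of: all containers
    reachable through a chain of assignments (breadth-first, cycle-safe)."""
    seen, queue = set(), deque([element])
    while queue:
        for container in ASSIGNMENTS.get(queue.popleft(), ()):
            if container not in seen:
                seen.add(container)
                queue.append(container)
    return seen


def privileges(user):
    """(access right, object attribute) pairs the user holds through the
    associations whose user attribute the user is an ascendant of."""
    uas = containers_of(user)
    return {(ar, oa) for ua, ars, oa in ASSOCIATIONS if ua in uas for ar in ars}


def is_authorized(user, access_right, obj):
    """Simplified decision: the user holds `access_right` on the object itself
    or on one of its containers (no prohibitions, no policy-class conjunction)."""
    targets = containers_of(obj) | {obj}
    return any(ar == access_right and oa in targets for ar, oa in privileges(user))
```

Because an access right set is attached to an attribute rather than to a user, adding a second doctor only needs one new assignment, which is the manageability property the foreword describes.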
