1、American National StandardDeveloped byfor Information Technology Next Generation Access Control Generic Operations andData Structures(NGAC-GOADS)INCITS 526-2016INCITS 526-2016INCITS 526-2016American National Standardfor Information Technology Next Generation Access Control Generic Operations andData
2、 Structures (NGAC-GOADS)SecretariatInformation Technology Industry CouncilApproved February 17, 2016American National Standards Institute, Inc.AbstractNext Generation Access Control (NGAC) is a fundamental reworking of traditional access control to meetthe needs of the modern, distributed, interconn
3、ected enterprise. NGAC policy follows an attribute-basedconstruction in which authorization to resources is defined in terms of attributes associated with users, ap-plications, resources, and other system entities. This standard, NGAC-GOADS contains a detailed math-ematical description of the defini
4、tions and abstractions defined in the NGAC-FA standard, INCITS 499-2013. It details a fixed set of configurable data relations and a fixed set of functions that are capable ofexpressing and specifying a wide range of different types of access control policies of a wide range of com-plexities. Approv
5、al of an American National Standard requires review by ANSI that therequirements for due process, consensus, and other criteria for approval havebeen met by the standards developer.Consensus is established when, in the judgement of the ANSI Board ofStandards Review, substantial agreement has been re
6、ached by directly andmaterially affected interests. Substantial agreement means much more thana simple majority, but not necessarily unanimity. Consensus requires that allviews and objections be considered, and that a concerted effort be madetowards their resolution.The use of American National Stan
7、dards is completely voluntary; theirexistence does not in any respect preclude anyone, whether he has approvedthe standards or not, from manufacturing, marketing, purchasing, or usingproducts, processes, or procedures not conforming to the standards.The American National Standards Institute does not
8、 develop standards andwill in no circumstances give an interpretation of any American NationalStandard. Moreover, no person shall have the right or authority to issue aninterpretation of an American National Standard in the name of the AmericanNational Standards Institute. Requests for interpretatio
9、ns should beaddressed to the secretariat or sponsor whose name appears on the titlepage of this standard.CAUTION NOTICE: This American National Standard may be revised orwithdrawn at any time. The procedures of the American National StandardsInstitute require that action be taken periodically to rea
10、ffirm, revise, orwithdraw this standard. Purchasers of American National Standards mayreceive current information on all standards by calling or writing the AmericanNational Standards Institute.American National StandardPublished byAmerican National Standards Institute, Inc.25 West 43rd Street, New
11、York, NY 10036Copyright 2016 by Information Technology Industry Council (ITI)All rights reserved.No part of this publication may be reproduced in anyform, in an electronic retrieval system or otherwise,without prior written permission of ITI, 1101 K Street NW, Suite 610, Washington, DC 20005. Printe
12、d in the United States of AmericaCAUTION: The developers of this standard have requested that holders of patents that may berequired for the implementation of the standard disclose such patents to the publisher. However,neither the developers nor the publisher have undertaken a patent search in orde
13、r to identifywhich, if any, patents may apply to this standard. As of the date of publication of this standardand following calls for the identification of patents that may be required for the implementation ofthe standard, no such claims have been made. No further patent search is conducted by the
14、de-veloper or publisher in respect to any standard it processes. No representation is made or impliedthat licenses are not required to avoid infringement in the use of this standard.i Table of Contents Page Foreword . iv Introduction . x 1 Scope . 1 2 Normative References . 2 3 Definitions, Symbols,
15、 Abbreviations, and Conventions 3 3.1 Definitions . 3 3.2 Symbols and abbreviations 3 3.3 Keywords 4 3.4 Conventions . 4 4 Abstract Data Structures . 5 4.1 Overview 5 4.2 Basic elements . 5 4.2.1 Background 5 4.2.2 Users 5 4.2.3 Processes . 5 4.2.4 Objects . 5 4.2.5 Operations 6 4.2.6 Access rights
16、6 4.3 Containers 6 4.3.1 Background 6 4.3.2 User attributes 6 4.3.3 Object attributes . 6 4.3.4 Policy classes . 6 4.4 Relations 7 4.4.1 Background 7 4.4.2 Assignment . 7 4.4.3 Association . 8 4.4.4 Prohibition 9 4.4.5 Obligation . 13 4.5 Access authorization 13 5 Administrative Commands 16 5.1 Over
17、view 16 5.2 Semantic definitions . 16 5.2.1 Element creation 19 5.2.2 Element deletion . 20 5.2.3 Entity creation . 22 5.2.4 Entity deletion . 24 5.2.5 Relation formation 26 5.2.6 Relation rescindment 28 Annex A (Informative) Pattern and Response Grammars 31 A.1 Overview 31 A.2 Event pattern grammar
18、. 32 A.2.1 Base specification 32 A.2.2 User specification . 32 A.2.3 Policy class specification 32 A.2.4 Operation specification . 33 A.2.5 Policy element specification . 33 ii A.3 Event response grammar . 33 A.3.1 Base Specification 33 A.3.2 Create action specification . 34 A.3.3 Assign action spec
19、ification . 34 A.3.4 Grant action specification . 35 A.3.5 Deny action specification 35 A.3.6 Delete action specification 36 A.4 Grammar considerations 36 Annex B (Informative) Mappings of Existing Access Control Schemes . 38 B.1 Overview 38 B.2 Chinese wall . 38 B.2.1 Background 38 B.2.2 Mapping co
20、nsiderations 39 B.2.3 Example mapping . 40 B.3 Role-based access control . 42 B.3.1 Background 42 B.3.2 Mapping considerations 42 B.3.3 Example mapping . 44 B.4 Bibliography 48 Annex C (Normative) Summary of Notation . 49 iii List of Figures Figure Page Figure 1: NGAC Access Decision Function 15 Fig
21、ure B.1: Example Chinese Wall Policy 40 Figure B.2: RBAC Policy Configuration 44 Figure B.3: Roles and Role Hierarchy Representation 45 Figure B.4: Permission Assignment Representation . 46 Figure B.5: User Assignment Representation . 46 Figure B.6: Complete GOADS Policy Representation . 48 ivForewo
22、rd(This foreword is not part of American National Standard INCITS 526-2016.)Technical Committee CS1 of Accredited Standards Committee INCITS developedthis standard during 2012-2013. The standards approval process started in 2014. Next Generation Access Control (NGAC) is a fundamental reworking of tr
23、aditionalaccess control into a form suited to the needs of the modern, distributed, intercon-nected enterprise. Access control is both an administrative and an automated process of defining andrestricting which users and their processes can perform which operations on whichsystem resources. The info
24、rmation that provides the basis by which access requestsare granted or denied is known as a security policy. A security model is a formal rep-resentation of a security policy and its working. A wide variety of policy types andsupporting security models have been created to address different situatio
25、ns. Exam-ples of well-known policies are Discretionary Access Control (DAC), Mandatory Ac-cess Control (MAC), Role Based Access Control (RBAC) and Chinese Wall.NGAC diverges from traditional approaches to access control in defining a genericarchitecture that is separate from any particular policy or
26、 type of policy. NGAC is notan extension of, or adaption of, any existing access control mechanism, but insteadis a redefinition of access control in terms of a fundamental and reusable set of dataabstractions and functions. NGAC provides a unifying framework capable without ex-tension of supporting
27、 not only current access control approaches, but also noveltypes of policy that have been conceived but never implemented due to the lack of asuitable enforcement mechanism.NGAC accommodates combinations of different policies merely by changes to itscontrol information, and thus it is possible to ha
28、ve several types of policies supportedconcurrently in a manner that is both deterministic and manageable. NGAC is alsosuitable for applications in which some information is stored locally and some isstored in a grid or cloud, since different policies can be asserted in each context.Even more general
29、ly, NGAC supports a situation where policy determined by a cen-tral organization is able to operate concurrently with a local, specific and more ad hocpolicy.Through its support of access control policies, NGAC is also able to protect data ser-vices, such as e-mail, workflow, records management etc.
30、 Support for data servicesis effected through the use of NGAC access control information to mediate data ser-vice operations.The family of NGAC standards specifies the architecture, functions, operations, andinterfaces necessary to ensure interoperability between conforming NGAC imple-mentations. Th
31、is standard, NGAC-GOADS, defines in detail the generic operationsand data structures of NGAC, which were previously outlined in the NGAC-FA stan-dard.This standard contains the following items:a) detailed specifications of the abstract data structures needed to support thedefinitions in NGAC-FA;b) a
32、 detailed description of how the abstract structures in (a) above are used torepresent an access control policy and form access decisions;c) detailed descriptions of the generic commands needed to support the admin-istration access information flows in NGAC-FA, in terms of the descriptionsin (b) abo
33、ve;vd) an informative annex containing an example of using formal grammars tospecify the pattern and response components of an obligation; e) an informative annex containing examples of representing common accesscontrol methods in terms of (a), (b), (c), and (d) above; andf) a normative annex summar
34、izing the mathematical notation used in this stan-dard.Users of this standard are encouraged to determine if there are standards in develop-ment or new versions of this standard that may extend or clarify technical informationcontained in this standard.This standard contains three annexes. Annexes A
35、 and B are informative and are notconsidered part of this standard. Annex C is normative and is considered part of thisstandard.Requests for interpretation, suggestions for improvement or addenda, or defect re-ports are welcome. They should be sent to InterNational Committee for InformationTechnolog
36、y Standards (INCITS), ITI, 1101 K Street, NW, Suite 610, Washington, DC20005.This standard was processed and approved for submittal to ANSI by INCITS. Com-mittee approval of this standard does not necessarily imply that all committee mem-bers voted for its approval. At the time it approved this stan
37、dard, INCITS had thefollowing members:Philip Wennblom, ChairJennifer Garner, SecretaryOrganization Represented Name of RepresentativeAdobe Systems, Inc. .Scott FosheeSteve Zilles (Alt.)AIM Global, Inc. Steve HallidayMary Lou Bosco (Alt.)Chuck Evanhoe (Alt.)Dan Kimball (Alt.)Apple.Helene WorkmanMarc
38、Braner (Alt.)David Singer (Alt.)Distributed Management Task Force (DMTF) John Crandall Jeff Hilland (Alt.)Lawrence Lamars (Alt.)EMC Corporation .Gary Robinson Stephen Diamond (Alt.)Farance, Inc. .Frank Farance Timothy Schoechle (Alt.)Futurewei Technologies, Inc. Yi ZhaoTimothy Jeffries (Alt.)Wilbert
39、 Adams (Alt.)GS1GO .Frank SharkeyCharles Biss (Alt.)Hewlett-Packard Company Karen Higginbottom Paul Jeran (Alt.)IBM Corporation .Steve HolbrookAlexander Tarpinian (Alt.)IEEEJodie HaaszChristy Bahn (Alt.)Justin Casto (Alt.)Noelle Humenick (Alt.)Don Wright (Alt.)viOrganization Represented Name of Repr
40、esentativeIntel Philip Wennblom Grace Wei (Alt.)Stephen Balogh (Alt.)Microsoft Corporation . Laura Lindsay John Calhoon (Alt.)National Institute of Standards approved international and regional standards (ISO and IEC); and approved foreign standards (including JIS and DIN). For further information,
41、contact the ANSI Customer Service Department: Phone: +1 212-642-4900 Fax: +1 212-302-1286 Web: http:/www.ansi.org E-mail: ansionlineansi.org or the InterNational Committee for Information Technology Standards (INCITS): Phone 202-626-5738 Web: http:/www.incits.org E-mail: incitsitic.org NGAC-FA: INCI
42、TS 499-2013, American National Standard for Information Technology Next Generation Access Control - Functional Architecture (NGAC-FA) ZNOT: ISO/IEC 13568:2002, Information technology Z formal specification notation Syntax, type system and semantics INCITS 526-2016 3 3 Definitions, Symbols, Abbreviat
43、ions, and Conventions 3.1 Definitions For the purposes of this document, the terms and definitions in NGAC-FA apply, as do the following terms and definitions. Access right: A property that needs to be held by a user to perform operations on information persisted in the PIP and on object resources.
44、Access decision: The result of evaluating an access request with respect to authorizations defined with a configured NGAC policy. Access right set: A subset of all access rights, whose members are related for the purposes of access control. Authorization state: The basic elements and containers, tog
45、ether with the relations that define the prevailing access rights between these entities. Policy elements: The users, user attributes, object attributes and policy classes associated with a particular access control policy. Policy element diagram: The directed graph representing all policy elements
46、and the assignment relation over them. Referent: A policy element used in NGAC relations as a designator for not only itself, but also for the section of the policy element diagram whose members are contained by the policy element. 3.2 Symbols and abbreviations Symbol /Abbreviation Meaning (see NGAC
47、-FA forfurtherinformation) ACE Access Control Entry API Application Programming Interface BNF Backus-Naur Form DAC Discretionary Access Control DSD Dynamic Separation of Duty EPP Event Processing Point MAC Mandatory Access Control NGAC Next Generation Access Control PAP Policy Administration Point P
48、DP Policy Decision Point PEP Policy Enforcement Point PIP Policy Information Point RBAC Role-Based Access Control SOD Separation of Duty SSD Static Separation of Duty INCITS 526-2016 4 3.3 Keywords Invalid: A keyword used to describe an illegal or unsupported bit, byte, word, field or code value. Re
49、ceipt of an invalid bit, byte, word, field or code value shall be reported as an error. Mandatory: A keyword indicating an item that is required to be implemented as defined in this standard to claim compliance with this standard. May: A keyword that indicates flexibility of choice with no implied preference. Optional: A keyword that describes features that are not required to be implemented by this standard. However, if any optional feature defined by this standard is implemented, it shall be implemented as defined in this standard. Reserved: A keyword referring to bits,
