CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
Purdue University - Discovery Park
Center for Education and Research in Information Assurance and Security

The Policy Machine: Towards Universal Attribute-based Access Control Policy Specification and Enforcement

David F. Ferraiolo - National Institute of Standards and Technology

Sep 17, 2003


Through the administration of sets of configurable relations, RBAC models have been able to go beyond the simple table lookup models of the access control matrix to support a wider range of access control policies. Existing role-based models have been shown to be natural in their support of subject-based policies such as least privilege, and a variety of static and dynamic separation of duty policies. More recently RBAC models have been extended in their support of workflow policies, but have proven clumsy in support of other policies, such as one-directional information flow, discretionary access and Chinese wall policies. In this paper we present a Policy Machine (PM) that is more complete than RBAC or any other model in its natural embodiment and enforcement of access control policies. However, the PM is not another extension or variation on the RBAC theme

About the Speaker

David F. Ferraiolo is the supervisor of the Emerging Technologies Research group of the Computer Security Division at the National Institute of Standards and Technology (NIST). He has over 19 years of experience in computer and communications security, serving both the government and private industry. During his last 10 years of employment at NIST, he has conducted extensive research in various areas of access control, including formal model development, reference and prototype implementation, product demonstration development and evaluation, and is given credited as the originator of numerous commercially available security mechanisms. He is a coauthor of a recent book on RBAC, is the author or coauthor of more than 20 papers in the area of access control, and the principle inventor on two U.S. patents. He received a U.S. Department of Commerce gold medal in 2002 and a 1998 Excellence in Technology Transfer award from the Federal Laboratory Consortium for research in RBAC,
and has served on the editorial boards of the U.S Federal Criteria and the international Common Criteria (ISO 15408). His talks have included Key Note speeches at technical conferences, and lectures at Universities and corporations. His publications are widely referenced from sources within the U.S., Canada, Europe, Asia, and Africa and have impacted research and standardization efforts around the world. He received a combined B.S. in computer science and mathematics from the State University of New York at Albany in 1982.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M. STEW G52 (Suite 050B), West Lafayette Campus. More information...


The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.