AC-24 Access Control Decisions
[ac-24_odp.01] to ensure [ac-24_odp.02] are applied to each access request prior to access enforcement.

| Parameter ID | Definition |
|---|---|
| ac-24_odp.01 | Selection (one-or-more): |
| ac-24_odp.02 | access control decisions |
Baselines
- L
- M
- H
- P
Guidance
Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access.
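The separation the guidance describes is the policy decision point / policy enforcement point split from SP 800-162. Below is an added illustration (not NIST text and not part of any NIST reference implementation) of what "applied to each access request prior to access enforcement" has to mean when the two roles live in different components: the enforcement point asks for a decision on every request, checks that the decision it receives is authentic, bound to that exact request and still fresh, and falls back to deny whenever it cannot get or verify a decision. The attribute rules, the clearance lattice, the shared HMAC key and the sample requests are all constructed for the example.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed clearance/classification lattice for the example.
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class AccessRequest:
    subject: dict
    action: str
    resource: dict
    environment: dict

    def digest(self) -> str:
        # Deterministic encoding so a decision can be bound to exactly this request.
        body = {"subject": self.subject, "action": self.action,
                "resource": self.resource, "environment": self.environment}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()


# Constructed ABAC rules. Each returns "Permit", "Deny" or None (not applicable).
def rule_read_by_clearance(req):
    if req.action == "read" and LEVEL[req.subject["clearance"]] >= LEVEL[req.resource["classification"]]:
        return "Permit"
    return None

def rule_owner_may_write(req):
    if req.action == "write" and req.subject["id"] == req.resource["owner"]:
        return "Permit"
    return None

def rule_no_secret_from_untrusted(req):
    if req.environment["network"] == "untrusted" and req.resource["classification"] == "secret":
        return "Deny"
    return None


def sign(key: bytes, token: dict) -> str:
    # MAC over every field except the MAC itself, in canonical order.
    unsigned = {k: v for k, v in token.items() if k != "mac"}
    msg = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PolicyDecisionPoint:
    """Makes access control decisions. Never touches the protected resource."""
    def __init__(self, rules, key: bytes, ttl_seconds: float = 30.0):
        self.rules, self.key, self.ttl = list(rules), key, ttl_seconds

    def decide(self, req: AccessRequest, now: Optional[float] = None) -> dict:
        results = [rule(req) for rule in self.rules]
        # Deny-overrides combining: any Deny wins; no applicable Permit is also a Deny.
        decision = "Deny" if "Deny" in results or "Permit" not in results else "Permit"
        token = {"decision": decision,
                 "request_digest": req.digest(),  # binds the decision to this request
                 "issued_at": time.time() if now is None else now,
                 "ttl": self.ttl}
        token["mac"] = sign(self.key, token)
        return token


class PolicyEnforcementPoint:
    """Enforces decisions. Obtains a decision for every access and fails closed."""
    def __init__(self, pdp: PolicyDecisionPoint, key: bytes):
        self.pdp, self.key = pdp, key

    def validate(self, token: dict, req: AccessRequest, now: Optional[float] = None) -> bool:
        """True only if the token is authentic, bound to req, and still fresh."""
        if not hmac.compare_digest(sign(self.key, token), token.get("mac", "")):
            return False  # tampered or not issued by the PDP
        if token.get("request_digest") != req.digest():
            return False  # decision was made for a different request (replay/confusion)
        now = time.time() if now is None else now
        return 0 <= now - token["issued_at"] <= token["ttl"]

    def enforce(self, req: AccessRequest, perform, now: Optional[float] = None):
        try:
            token = self.pdp.decide(req, now)
        except Exception as exc:  # PDP unreachable or broken: never fall through to access
            raise PermissionError(f"no access control decision available: {exc}") from exc
        if not self.validate(token, req, now):
            raise PermissionError("access control decision rejected")
        if token["decision"] != "Permit":
            raise PermissionError("access denied by policy")
        return perform()  # enforcement happens only after a verified Permit


KEY = b"constructed-shared-key-for-the-example"
PDP = PolicyDecisionPoint([rule_read_by_clearance, rule_owner_may_write, rule_no_secret_from_untrusted], KEY)
PEP = PolicyEnforcementPoint(PDP, KEY)

def request(subject_id, clearance, action, classification, owner, network) -> AccessRequest:
    return AccessRequest({"id": subject_id, "clearance": clearance}, action,
                         {"classification": classification, "owner": owner}, {"network": network})

def try_access(req: AccessRequest) -> str:
    """Returns 'granted' or 'denied: <reason>' for a constructed sample resource."""
    try:
        return PEP.enforce(req, lambda: "granted")
    except PermissionError as exc:
        return f"denied: {exc}"

if __name__ == "__main__":
    print(try_access(request("alice", "confidential", "read", "confidential", "bob", "corporate")))
    print(try_access(request("alice", "confidential", "read", "secret", "bob", "corporate")))
    print(try_access(request("bob", "secret", "write", "secret", "bob", "untrusted")))
```

Two points matter when the decision and enforcement entities are distinct. The enforcement point must default to deny when the decision point is unavailable or returns something it cannot verify; a PEP that "fails open" on a timeout silently removes the control. And a decision must be bound to the request it answers (here by a digest of subject, action, resource and environment) and carry a bounded lifetime, otherwise a Permit obtained for one request can be replayed against another or used after the underlying attributes have changed. The shared-key HMAC is one way to protect a decision in transit; a signed assertion such as a JWT plays the same role in deployed systems.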
References
- SP 800-162 Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019.
- SP 800-178 Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178.
Control Enhancements
- AC-24(01) Transmit Access Authorization Information L M H P
- AC-24(02) No User or Process Identity L M H P
Related controls
- AC-02 Account Management L M H P
- AC-03 Access Enforcement L M H P