NIEF TPAT | TD: Federated ICAM RP ABAC Reqirements

Federated ICAM RP ABAC Reqirements, v1.0

The requirements for publishing attribute based access control policies based on recommended user attributes.

Assessment Steps (2)

1 Well-Defined ABAC Policy (Well-DefinedABACPolicy) Has the organization defined an ABAC policy for the system, and does the policy use appropriate community endorsed attributes wherever possible? Note that non-endorsed attributes are acceptable, but only in cases where no appropriate community endorsed attribute exists. Artifact Policy ABAC policy that has been reviewed by the assessor and verified to meet the requirements.
2 Published List of Required Attributes (PublishedListofRequiredAttributes) Has the organization published a list of all user attributes required for use of the system? Artifact Attribute List List of user attributes required by the system.

Conformance Criteria (2)

Well-Defined ABAC Policy The operator of the system SHOULD define the system's access control policy in a manner that enables the system to make attribute-based access control (ABAC) policy decisions for users based on attributes about those users received from IDP systems within trusted assertions (e.g., OpenID Connect claims or SAML attributes). The attributes required by the system SHOULD be limited to only those attributes that have been endorsed by NIEF or another appropriate community. Citation NIEF Discussion/Review
Published List of Required Attributes The operator of the system MUST publish the list of user attributes required for use of the system. In addition, the operator of the system SHOULD make the system's full access control policy (including ABAC rules and any other non-ABAC policy rules) available to administrators from information sharing partner agencies to help ensure attribute interoperability between systems within the community. Citation NIEF Discussion/Review

Show Metadata, Sources & Terms

Hide Metadata, Sources & Terms

Metadata

Identifier

https://trustmark.nief.org/tpat/tds/federated-icam-rp-abac/1.0/

Publication Date

2021-06-25

Issuing Organization

NIEF (https://nief.org/) View Contact

NIEF Support

help@nief.org

No telephone

No Mailing Address

Keywords

NIEF, Federated ICAM, Relying Party, RP, Service Provider, SP, Client, Attribute-Based Access Control, ABAC

Issuance Criteria

yes(all)

Legal Notice

This artifact is published by the National Identity Exchange Federation (NIEF). This artifact and the information contained herein is provided on an "AS IS" basis, and NIEF disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, NIEF disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Sources (1)

NIEF	NIEF Technical Guidance

Terms (6)

Term Name	Abbreviations	Definition
Attribute-Based Access Control	ABAC	A mechanism for making authorization decisions about entities (e.g., users) dynamically based on attributes about those entities.
Client		A system or software entity that communicates with with a server. Within OpenID Connect (and the related Oauth 2.0 framework on which OpenID Connect is built), client is an alternate term for a relying party.
Federated Identity, Credential, and Access Management	Federated ICAM	Refers to a comprehensive approach for dealing with digital identities (and associated attributes), credentials, and access control within a federated environment (across jurisdictional boundaries).
National Identity Exchange Federation	NIEF	National law enforcement and public safety information sharing trust framework.
Relying Party	RP	Alternate term for a service provider.
Service Provider	SP	A system that provides a user with some service capability, requently within Federated ICAM implementations. A service provider is the Federated ICAM counterpart to an identity provider.

Also available as XML or JSON