AC 24 ACCESS CONTROL DECISIONS - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control: [ Selection: Establish procedures; Implement mechanisms ] to ensure [ Assignment: organization-defined access control decisions ] are applied to each access request prior to access enforcement.

Discussion: Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access.

Related Controls: AC-2, AC-3.

Control Enhancements:

• (1) ACCESS CONTROL DECISIONS / TRANSMIT ACCESS AUTHORIZATION INFORMATION
  Transmit [ Assignment: organization-defined access authorization information ] using [ Assignment: organization-defined controls ] to [ Assignment: organization-defined systems ] that enforce access control decisions.

  Discussion: Authorization processes and access control decisions may occur in separate parts of systems or in separate systems. In such instances, authorization information is transmitted securely (e.g., using cryptographic mechanisms) so that timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information supporting security and privacy attributes. This is because in distributed systems, there are various access control decisions that need to be made, and different entities make these decisions in a serial fashion, each requiring those attributes to make the decisions. Protecting access authorization information ensures that such information cannot be altered, spoofed, or compromised during transmission.

  Related Controls: AU-10.

• (2) ACCESS CONTROL DECISIONS / NO USER OR PROCESS IDENTITY
  Enforce access control decisions based on [ Assignment: organization-defined security or privacy attributes ] that do not include the identity of the user or process acting on behalf of the user.

  Discussion: In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions, and especially in the case of distributed systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. MAC, RBAC, ABAC, and label-based control policies, for example, might not include user identity as an attribute.

  Related Controls: None.

References: [SP 800-162], [SP 800-178].