# NIST NGAC Presentation
- Joshua Roberts
- David Ferraiolo
Link to slides: https://docs.google.com/presentation/d/1r33OGqIb7s7icacdjNq9kajiaDBW3EEPJfHz25PqVxc/edit?usp=sharing
# Notes
- *Basic elements*: users, processes, objects, operations, and access rights
- *Containers*: user attributes, object attributes, and policy classes
- *Relations*: assignments, associations, prohibitions, obligations
## Example Graph

## Sample Policies
- DAC
- RBAC
- Communities of Interest
- SoD
- ...
## PEP-PDP Aspect

- Note the decoupling between PEP and RAP
- The PDP tells the PEP where to find the resource
- This implies the policy/graph contains metadata about the resource's location
- Configuration can grant access (privileges) or deny it (prohibitions). The overall access decision is computed from the graph
## EPP
- The EPP allows introducing contextual data such as time or dynamic parameters
- EPP lets you do things like "if a user has read X, then prevent them from reading Y"
- Does it tie into CAEP or Shared Signals?

## Policy Review
- What are the objects a user has access to?
- Which users can access an object?
- What are the minimum attributes necessary?
- Why can't a user access an object?
- Before-the-fact audit
This corresponds to the "Search" feature of the AuthZEN API Design. See https://hackmd.io/@oidf-wg-authzen/BydEeGJqT
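
The grant/deny computation and the policy review questions noted above, as an added example (not from the presentation or from any NGAC reference implementation). All node names are constructed, and prohibitions are modelled in a simplified form: a user or user attribute is denied rights on one object attribute.

```python
# Added example: minimal NGAC-style graph. All node names are constructed.
from collections import defaultdict

ASSIGN = defaultdict(set)  # assignments: node -> containers it is assigned to
for child, parent in [
    ("alice", "Doctors"), ("bob", "Nurses"),
    ("Doctors", "Staff"), ("Nurses", "Staff"), ("Staff", "PC_RBAC"),
    ("rec1", "MedRecords"), ("rec2", "MedRecords"), ("rec2", "Sealed"),
    ("MedRecords", "PC_RBAC"), ("Sealed", "PC_RBAC"),
]:
    ASSIGN[child].add(parent)

USERS, OBJECTS = ["alice", "bob"], ["rec1", "rec2"]
POLICY_CLASSES = {"PC_RBAC"}
# Associations: (user attribute, access rights, object attribute)
ASSOCIATIONS = [("Doctors", {"read", "write"}, "MedRecords"),
                ("Nurses", {"read"}, "MedRecords")]
# Prohibitions (simplified assumption): (user or user attribute, denied rights, object attribute)
PROHIBITIONS = [("Nurses", {"read"}, "Sealed")]

def containers(node):
    """The node plus every container reachable through assignments."""
    seen, stack = {node}, [node]
    while stack:
        for parent in ASSIGN[stack.pop()] - seen:
            seen.add(parent)
            stack.append(parent)
    return seen

def explain(user, op, obj):
    """Return (allowed, reason); the reason answers 'why can't a user access an object?'."""
    u_in, o_in = containers(user), containers(obj)
    for subj, ops, oa in PROHIBITIONS:  # a matching prohibition overrides any grant
        if subj in u_in and op in ops and oa in o_in:
            return False, f"prohibition: {subj} denied {op} on {oa}"
    pcs = POLICY_CLASSES & o_in
    if not pcs:  # fail closed: an object outside every policy class is not accessible
        return False, "object is in no policy class"
    for pc in sorted(pcs):  # every policy class containing the object must grant op
        if not any(ua in u_in and op in ops and oa in o_in and pc in containers(oa)
                   for ua, ops, oa in ASSOCIATIONS):
            return False, f"no association grants {op} under {pc}"
    return True, "granted"

def objects_for(user, op):  # "What are the objects a user has access to?"
    return [o for o in OBJECTS if explain(user, op, o)[0]]

def users_for(obj, op):  # "Which users can access an object?"
    return [u for u in USERS if explain(u, op, obj)[0]]
```

Because `objects_for` and `users_for` only read the graph, they can be run before any request is made, which is what makes the before-the-fact audit possible.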