Hal, all--Thanks--that looks like material that might be used.
However, I looked again at the other recent NCCOE paper, the so-called ABAC Building Block. That is referenced in the draft SP 1800-3b ("b" is the "medium-sized" volume of the set that we have been discussing) one time in a footnote, not very prominently, as a "white paper." However, in that ABAC Building Block paper is a pretty good logical diagram, here:
(I could quibble about how a few things are represented, but this looks like a good 80% solution.)
Here's a link to the whole document:
Assuming that it would be easier and more acceptable to NIST to add material from one of their own docs to the draft 1800-3, we might just suggest that they include this diagram as a logical architecture before presenting their physical (product-specific) solution diagram. We might even suggest they highlight the parts of this diagram that the physical solution covers (which is most of it).
Looking past the proposed suggestion to include a logical ABAC architecture diagram, does anyone have other observations on the draft 1800-3?
And do we agree that we can endorse the above diagram as-is, or do people want to ask them to tweak it?
Whatever we do, we need to do it pretty soon:
Public comment period: September 30, 2016 through December 4, 2016
PS-- I also promised last meeting to locate and send around the functional capabilities which the 1800-3 physical implementation sought to demonstrate. Here they are:
The scope of this build is the successful execution of the following capabilities:
- identity and attribute federation between trust partners
- user authentication and creation of an authentication context
- fine-grained access control through a policy enforcement point (PEP) closely coupled with the
- creation of attribute-based policy definitions
- secondary attribute requests
- allowing RP access decisions on external identities without the need for pre-provisioning
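The capability list above maps onto the PEP / PDP / PIP split of a logical ABAC architecture. The following Python sketch is an added example, not part of the original message and not code from SP 1800-3 or the NCCoE build. It shows an RP making a decision on a federated identity it has never provisioned: the assertion from a trust partner carries the authentication context and a couple of attributes, the PDP issues secondary attribute requests to a PIP for anything a policy needs but the assertion did not carry, and the PEP only runs the protected handler on an explicit PERMIT. All issuer URIs, attribute names, policy rules and the PIP contents are constructed assumptions.

```python
"""ABAC logical flow: PEP -> PDP -> PIP with attribute-based policies.
Added illustration only; not code from SP 1800-3 or the NCCoE build.
All names, URIs and attribute values below are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Attrs = Dict[str, object]

# Hypothetical trust configuration held by the relying party (RP).
TRUSTED_IDPS = {"https://idp.partner.example"}
STRONG_AUTHN = {"urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
                "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"}
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Assertion:
    """Federated identity as the RP receives it: who vouches (issuer), who the
    subject is, how they authenticated, and whatever attributes were pushed."""
    issuer: str
    subject: str
    authn_context: str
    attrs: Attrs


@dataclass
class Policy:
    """Attribute-based rule. 'needs' lists the subject attributes the rule
    reads, so the PDP can fetch any the assertion did not carry."""
    name: str
    needs: Tuple[str, ...]
    rule: Callable[[Attrs, Attrs, str], bool]   # (subject, resource, action)


class PIP:
    """Policy Information Point: answers secondary attribute requests from a
    constructed attribute authority keyed by (issuer, subject)."""
    def __init__(self, store: Dict[Tuple[str, str], Attrs]):
        self.store = store
        self.requests = []          # audit trail of secondary requests

    def lookup(self, issuer: str, subject: str, name: str):
        self.requests.append((issuer, subject, name))
        return self.store.get((issuer, subject), {}).get(name)


class PDP:
    """Policy Decision Point: deny-overrides across policies, default deny."""
    def __init__(self, policies, pip: PIP):
        self.policies, self.pip = policies, pip

    def decide(self, a: Assertion, resource: Attrs, action: str) -> str:
        if a.issuer not in TRUSTED_IDPS:        # not a trust partner: stop here,
            return "DENY"                       # pushed attributes are never read
        subject: Attrs = dict(a.attrs, authn_context=a.authn_context)
        for p in self.policies:
            for name in p.needs:                # secondary attribute request
                if name not in subject:
                    val = self.pip.lookup(a.issuer, a.subject, name)
                    if val is None:             # indeterminate -> deny
                        return "DENY"
                    subject[name] = val
            if not p.rule(subject, resource, action):
                return "DENY"
        return "PERMIT"


class PEP:
    """Policy Enforcement Point coupled to the resource: the handler runs only
    on PERMIT. No local account is consulted (no pre-provisioning)."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def access(self, a: Assertion, resource: Attrs, action: str, handler):
        d = self.pdp.decide(a, resource, action)
        return (d, handler(resource, action) if d == "PERMIT" else None)


def build_policies():
    return [
        Policy("clearance-dominates", ("clearance",),
               lambda s, r, _: LEVELS[s["clearance"]] >= LEVELS[r["classification"]]),
        Policy("confidential-needs-strong-authn", (),
               lambda s, r, _: r["classification"] != "confidential"
               or s["authn_context"] in STRONG_AUTHN),
        Policy("write-needs-project-membership", ("projects",),
               lambda s, r, act: act != "write" or r["project"] in s["projects"]),
    ]


def run_scenarios():
    """Exercise the flow on constructed inputs; returns decision per scenario."""
    idp, alice_id = "https://idp.partner.example", "alice@partner.example"
    pip = PIP({(idp, alice_id): {"clearance": "confidential", "projects": ["falcon"]}})
    pep = PEP(PDP(build_policies(), pip))
    doc = {"classification": "confidential", "project": "falcon"}
    handler = lambda r, act: f"{act} ok on {r['project']}"
    strong = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
    weak = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
    # The assertion carries only 'department'; clearance and projects are
    # pulled from the PIP at decision time.
    alice = lambda ctx: Assertion(idp, alice_id, ctx, {"department": "eng"})
    # Same subject name from an unknown issuer, self-asserting the attributes.
    mallory = Assertion("https://idp.unknown.example", alice_id, strong,
                        {"clearance": "confidential", "projects": ["falcon"]})
    return {
        "federated_read": pep.access(alice(strong), doc, "read", handler)[0],
        "weak_authn_read": pep.access(alice(weak), doc, "read", handler)[0],
        "write_other_project": pep.access(alice(strong), dict(doc, project="osprey"),
                                          "write", handler)[0],
        "untrusted_issuer": pep.access(mallory, doc, "read", handler)[0],
        "secondary_requests": len(pip.requests),
    }
```

Two design points worth carrying into a review of the draft: the issuer check runs before any attribute is read, so attributes pushed by an untrusted party never reach a policy, and a missing attribute that the PIP cannot supply yields DENY rather than an exception or a silent default. The audit trail on the PIP makes the secondary attribute requests visible, which is the behaviour the "secondary attribute requests" capability is meant to demonstrate.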