Computing Reviews

Attribute-based access control
Hu V., Ferraiolo D., Chandramouli R., Kuhn D., Artech House, Inc., Norwood, MA, 2017. 280 pp. Type: Book
Date Reviewed: 09/05/18

In many applications, it becomes a necessity to define who (which user) is allowed to access what (which resource). This is achieved via access control. Several models for access control exist. Attribute-based access control (ABAC) is one of them, and forms the focus of this book, published as part of a National Institute of Standards and Technology (NIST) project [1]. NIST has produced other publications on ABAC, including proceedings of workshops, conferences, and reports [2]. ABAC is an alternative to role-based access control (RBAC), in which permissions are bundled into roles and a user gains access only through the roles assigned to them. ABAC instead evaluates policy rules against attributes of the subject, the object, the requested operation, and the environment (for example, a user's clearance, a record's sensitivity, or the time of day), so it can express conditions that RBAC can only approximate by creating ever more roles; this is the main advantage ABAC has over RBAC. This is the first book devoted exclusively to ABAC. Its audience includes academics, computer science (CS) and information technology (IT) students, industry and government employees, military personnel, and security professionals, among others.
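As an added illustration (not code from the reviewed book or from NIST), the Python sketch below contrasts the two models: a minimal ABAC policy decision point that evaluates rules over subject, object, action and environment attributes, with deny-overrides combining and deny by default, next to an RBAC check that can only consult a role table. The attribute names, the rules, and the sample users, records and hours are constructed for the example.

```python
"""Minimal ABAC policy decision point contrasted with an RBAC check.

Added example; the rules, attribute names and sample data below are
constructed for illustration and are not taken from the book or NIST.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]
# A condition sees (subject, object, action, environment) and says whether
# the rule applies to this request.
Condition = Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str          # "permit" or "deny"
    condition: Condition


class Policy:
    """Deny-overrides combining: any applicable deny rule wins, otherwise
    permit if at least one permit rule applies, otherwise deny (default)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, subject: Attrs, obj: Attrs, action: str, env: Attrs) -> str:
        permitted = False
        for rule in self.rules:
            try:
                applicable = rule.condition(subject, obj, action, env)
            except KeyError:
                # A rule that references an attribute the request does not
                # carry is "not applicable"; a missing attribute must never
                # be read as a match, so it can never produce a permit.
                applicable = False
            if applicable and rule.effect == "deny":
                return "deny"
            permitted = permitted or applicable
        return "permit" if permitted else "deny"


# Constructed policy: four rules over subject/object/action/environment.
POLICY = Policy([
    Rule("suspended-subjects", "deny",
         lambda s, o, a, e: s["status"] != "active"),
    Rule("after-hours-sensitive", "deny",
         lambda s, o, a, e: o["sensitivity"] >= 3 and not (8 <= e["hour"] < 18)),
    Rule("read-own-department", "permit",
         lambda s, o, a, e: a == "read"
         and s["department"] == o["department"]
         and s["clearance"] >= o["sensitivity"]),
    Rule("write-if-owner", "permit",
         lambda s, o, a, e: a == "write" and s["id"] == o["owner"]),
])


def abac(subject: Attrs, obj: Attrs, action: str, env: Attrs) -> str:
    return POLICY.decide(subject, obj, action, env)


# RBAC for contrast: a role is a fixed bundle of (action, department)
# permissions. Nothing here can see an object's sensitivity, a subject's
# clearance or the time of day; each such distinction needs another role.
ROLE_PERMISSIONS = {
    "finance-reader": {("read", "finance")},
    "hr-reader": {("read", "hr")},
}


def rbac_decide(roles: List[str], obj: Attrs, action: str) -> str:
    for role in roles:
        if (action, obj["department"]) in ROLE_PERMISSIONS.get(role, set()):
            return "permit"
    return "deny"


# Constructed sample subjects, objects and environments.
ALICE = {"id": "alice", "department": "finance", "clearance": 3, "status": "active"}
BOB = {"id": "bob", "department": "finance", "clearance": 1, "status": "active"}
CAROL = {"id": "carol", "department": "finance", "clearance": 3, "status": "suspended"}
EVE = {"id": "eve", "department": "finance", "status": "active"}   # no clearance attribute
LEDGER = {"id": "ledger", "department": "finance", "sensitivity": 2, "owner": "alice"}
PAYROLL = {"id": "payroll", "department": "finance", "sensitivity": 3, "owner": "bob"}
HR_FILE = {"id": "hr-1", "department": "hr", "sensitivity": 1, "owner": "dana"}
OFFICE_HOURS = {"hour": 10}
NIGHT = {"hour": 22}

if __name__ == "__main__":
    for who, what, act, when in [(ALICE, LEDGER, "read", OFFICE_HOURS),
                                 (BOB, PAYROLL, "read", OFFICE_HOURS),
                                 (ALICE, PAYROLL, "read", NIGHT),
                                 (CAROL, LEDGER, "read", OFFICE_HOURS)]:
        print(f"ABAC {who['id']} {act} {what['id']} at {when['hour']}h: "
              f"{abac(who, what, act, when)}")
    print("RBAC finance-reader read payroll:",
          rbac_decide(["finance-reader"], PAYROLL, "read"))
```

The RBAC line at the end is the point of the contrast: a "finance-reader" role permits Bob to read the payroll record even though his clearance is below its sensitivity, because the role table has no place for that attribute; the ABAC policy denies the same request without needing a new role.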

The book consists of 11 chapters. The introductory chapter provides a brief history of access control and ushers in ABAC. The subsequent chapters discuss access control models, the ABAC model and how it compares with RBAC, the practical deployment of ABAC using the Extensible Access Control Markup Language (XACML) standard, the Next Generation Access Control (NGAC) standard, approaches for verifying ABAC policies, concepts related to attributes, the challenges faced during the deployment of ABAC in various application architectures (including web service environments), life cycle considerations, the use of ABAC in commercially available products, and open-source implementations.

The book focuses on practical aspects rather than theory. The attention devoted to deployment, products, testing, standards, and the life cycle makes it useful for implementers. Many books employ the Unified Modeling Language (UML), especially its class diagrams and sequence diagrams, for ease of understanding and implementation; regrettably, this book uses block diagrams instead. The book does not make use of security patterns to depict models. Such patterns would have been very helpful for novices in the field. There is no concluding chapter; the authors could have discussed the future prospects of ABAC at least briefly. NIST researchers produced the book, so the references are mostly to NIST works, and other important research is missing. For example, the Third ACM Workshop on Attribute-Based Access Control [3] could have been cited; in fact, David Ferraiolo, one of the authors of this book, chaired one of the sessions of that workshop and also contributed a research paper on ABAC to it. Nevertheless, despite these minor shortcomings, this first book on ABAC will be very useful for its intended audience.


1) Attribute based access control. NIST, Gaithersburg, MD, https://csrc.nist.gov/projects/attribute-based-access-control (accessed 08/06/2018).

2) Hu, V. C.; Ferraiolo, D.; Kuhn, R.; Schnitzer, A.; Sandlin, K.; Miller, R.; Scarfone, K. Guide to attribute based access control (ABAC) definition and considerations. NIST Special Publication 800-162. NIST, Gaithersburg, MD, 2014, http://dx.doi.org/10.6028/NIST.SP.800-162.

3) Proceedings of the Third ACM Workshop on Attribute-Based Access Control (ABAC 2018). ACM, Tempe, AZ, 2018.

Reviewer:  S. V. Nagaraj Review #: CR146232 (1812-0616)
