Access control policies govern the authorization of an attempted request to access online resources in a software system. The resources in a system vary such as networking devices, infrastructure, data, services, or other security-critical components accessible in a network. Access control has been broadly used for financial, security, privacy, safety, defense, and many other applications to protect the resources from being accessed by unauthorized users.

Access control policies for cybersecurity are enforced by an access control model, such as Attribute-based Access Control (ABAC), Multilevel Security, and Workflows. The legacy DAC (Discretionary Access Control), RBAC( Role-Based Access Control), RBAC (Rule-Based Access Control), OrBAC (Organization-Based Access control), MAC (Mandatory Access Control), IBAC (Identity-Based Access Control), HBAC (History-Based Access Control), RsBAC (Responsibility Based Access control) can be evolved into an ABAC model.

XACML (eXtensible Access Control Makeup Language) 2.0/3.0 defines a framework for access control policy enforcement. The framework includes PEP (Policy Enforcement Point), PDP (Policy Decision Point), PIP (Policy Information Point), PAP (Policy Administration Point), and PRP (Policy Retrieval Point). XACML defines a standard language to describe the access control policies such that they can be deployed in the access control system. A user-end request to access a resource is routed to PEP which transfers the request to a PDP for evaluation and authorization decision. PDP then refers to PIP and PRP for a necessary verification through a PAP.


Mentionable Milestones

  1. August 10, 2007, NSF (National Science Foundation) awarded Prof. Tao Xie at North Carolina State University for the Research of "A New Approach to Testing and Verification of Security Policies".
  2. December 17, 2008 Dr. Vincent Hu, Rick Kuhn and Tao Xie first officially proposed Access Control Policy Tool in the IEEE/IFIP International Symposium on Trust, Security and Privacy for Pervasive Application conference.
  3. March 31, 2010, NIST (National Institute of Standards and Technology) awarded Prof. Tao Xie at North Carolina State University for the research of "Access Control Policy Tool for Privilege Management and Data-Level Access Control Pilot".
  4. NIST released Access Control Policy tool (ACPT) software in 2011 and reported by IEEE news, Industry Cortex, ScienceDaily, Center for Internet Security (CIS), etc. The software has attracted 460 acquisitions from major industrial, academic, and government organizations by May 1, 2017 and this number is continuously increasing.
  5. Since 2016, Professor Qinghua Li's team including Ang Li and Professor Jia Di from University of Arkansas has been working to improve Access Control Policy Tool.
  6. October 1, 2015, NIST awarded InfoBeyond Technology (PI: Dr. Bin Xie) to develop Security Policy Tool as a full deployable ACPT version with advanced functions and July 1, 2017, Security Policy Tool is officially released.
  7. October 14, 2017, InfoBeyond Technology is awarded the Innovative Security Solution Award for their demonstration of Security Policy Tool at the 2017 IEEE Big Data and SDN/NFV Summit


  1. Vincent C. Hu, D. Richard Kuhn, and Tao Xie, "Property Verification for Generic Access Control Models", in Proc., the 2008 IEEE/IFIP International Symposium on Trust, Security and Privacy for Pervasive Applications, Shanghai China December, 2008.
  2. V. C. Hu, E. Martin, J. Hwang, and T. Xie, "Conformance Checking of Access Control Policies Specified in XACML", in Proc. 1st IEEE International Workshop on Security in Software Engineering (IWSSE 2007), Beijing, China, pp. 275–280, July 2007.
  3. Vincent C. Hu, D. Richard Kuhn, Tao Xie, and JeeHyun Hwang, "Model checking for verification of mandatory access control models and properties", International Journal of Software Engineering and Knowledge Engineering (IJSEKE). (under review).
  4. JeeHyun Hwang, Tao Xie, and Vincent C. Hu, "Detection of Multiple-Duty-Related Security Leakage in Access Control Policies", in Proc. The third IEEE international Conference on Secure Software Integration and Reliability Improvement (SSIRI), Shanghai China July 2009.
  5. E. Martin, T. Xie, and V. C. Hu, "Assessing Quality of Policy Properties in Verification of Access Control Policies", North Carolina State University Department of Computer Science Technical report TR-2007-25, September 16, 2007.
  6. Vincent Hu, Rick Kuhn, Tao Xie, JeeHyun Hwang, "Model Checking for Verification of Mandatory Access Control Models and Properties", Int'l Journal of Software Engineering and Knowledge Engineering (IJSEKE) regular issue IJSEKE Vol. 21 No. 1. 2011.