Open AccessProceedings Article10.1145/1572532.1572552

How users use access control

- 15 Jul 2009

- pp 15

TL;DR: This work used automated data mining techniques to examine the real-world use of access control features present in standard document sharing systems in a corporate environment as used over a long (> 10 year) time span, and proposes a set of design guidelines for access control systems themselves and the tools used to manage them.

Abstract: Existing technologies for file sharing differ widely in the granularity of control they give users over who can access their data; achieving finer-grained control generally requires more user effort. We want to understand what level of control users need over their data, by examining what sorts of access policies users actually create in practice.We used automated data mining techniques to examine the real-world use of access control features present in standard document sharing systems in a corporate environment as used over a long (> 10 year) time span. We find that while users rarely need to change access policies, the policies they do express are actually quite complex. We also find that users participate in larger numbers of access control and email sharing groups than measured by self-report in previous studies. We hypothesize that much of this complexity might be reduced by considering these policies as examples of simpler access control patterns. From our analysis of what access control features are used and where errors are made, we propose a set of design guidelines for access control systems themselves and the tools used to manage them, intended to increase usability and decrease error.

AI Agents for this Paper

Find similar papers on Google Scholar, PubMed and Arxiv
Write a critical review of this paper
Analyze citations of this paper to find unaddressed research gaps

Most frequently asked questions

1. What have the authors contributed in "How users use access control" ?

The authors want to understand what level of control users need over their data, by examining what sorts of access policies users actually create in practice.. The authors used automated data mining techniques to examine the realworld use of access control features present in standard document sharing systems in a corporate environment as used over a long ( > 10 year ) time span.. The authors also find that users participate in larger numbers of access control and email sharing groups than measured by self-report in previous studies.. The authors hypothesize that much of this complexity might be reduced by considering these policies as examples of simpler access control patterns.. From their analysis of what access control features are used and where errors are made, the authors propose a set of design guidelines for access control systems themselves and the tools used to manage them, intended to increase usability and decrease error.

2. What are the future works in "How users use access control" ?

In future work the authors hope to extend their analysis to other organizations for comparison.

Table 2: The number of non-empty groups, and average number of group members (users/group) and user memberships (groups/user) for the various sharing systems.

Figure 4: The number of groups owned by individual users.

Figure 5: The distribution of the active lifespan of groups. This is an underestimate; measuring only up to the last modification at the time of data collection.

Table 3: Users made limited use of the ability to define groups in terms of other groups. As we study users’ choices in group definition here, we include all user-defined groups (including empty ones) in our analysis.

Table 6: ACL Complexity. This table shows the number of user (rows) and group (columns) ACL entries in ACL specifications. a) The left table shows the distribution of ACL entry types for objects whose ACLs were explicitly set (out of a total of 2,608, see Section 4.2.2). b) The right table shows the number of objects effected by ACLs of a given complexity – the total count of objects (folders and documents, permissions set or inherited, out of a total of 49,672) with ACLs containing a given number of user or group entries. Default entries for owner and the Content Administrators group are omitted. Note that user counts skip values with no non-zero counts to save space.

Figure 1: The permissions management interface in DocuShare. DocuShare, like most CMSs, can be accessed via a web browser or Windows file interface.

Citations

•Proceedings Article•10.1145/1866307.1866317

A methodology for empirical analysis of permission-based security models and its application to android

David Barrera, +3 more

- 04 Oct 2010

TL;DR: This work presents a methodology for the empirical analysis of permission-based security models which makes novel use of the Self-Organizing Map (SOM) algorithm of Kohonen (2001) and offers some discussion identifying potential points of improvement for the Android permission model.

...read moreread less

557

•Book Chapter•10.1007/978-3-642-34638-5_6

A conundrum of permissions: installing applications on an android smartphone

Patrick Gage Kelley, +5 more

- 02 Mar 2012

TL;DR: It is found that the permissions displays are generally viewed and read, but not understood by Android users, and users are not currently well prepared to make informed privacy and security decisions around installing applications.

...read moreread less

392

Privacy as Part of the App Decision-Making Process (CMU-CyLab-13-003)

Patrick Gage Kelley, +2 more

- 01 Jan 2013

TL;DR: A short "Privacy Facts' display is designed that could assist users in choosing applications that request fewer permissions by bringing privacy information to the user when they were making the decision and by presenting it in a clearer fashion.

...read moreread less

297

•Proceedings Article•10.1145/2470654.2466466

Privacy as part of the app decision-making process

Patrick Gage Kelley, +2 more

- 27 Apr 2013

TL;DR: Wang et al. as discussed by the authors investigated how permissions and privacy could play a more active role in app-selection decisions and found that by bringing privacy information to the user when they were making the decision and by presenting it in a clearer fashion, they could assist users in choosing applications that request fewer permissions.

...read moreread less

293

Proceedings Article•10.1145/2207676.2207728

Tag, you can see it!: using tags for access control in photo sharing

Peter Klemperer, +8 more

- 05 May 2012

TL;DR: It is found that tags created for organizational purposes can be repurposed to create efficient and reasonably accurate access-control rules and participants can understand and actively engage with the concept of tag-based access control.

...read moreread less

139

...

Expand

References

Journal Article•10.1109/2.485845

Role-based access control models

Ravi Sandhu, +3 more

- 01 Feb 1996

- IEEE Computer

TL;DR: Why RBAC is receiving renewed attention as a method of security administration and review is explained, a framework of four reference models developed to better understandRBAC is described, and the use of RBAC to manage itself is discussed.

...read moreread less

6.1K

HMAC: Keyed-Hashing for Message Authentication

Hugo Krawczyk, +2 more

- 01 Feb 1997

TL;DR: This document describes HMAC, a mechanism for message authentication using cryptographic hash functions that can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key.

...read moreread less

2.6K

•Book

Role-Based Access Controls

David F. Ferraiolo, +1 more

- 13 Oct 1992

TL;DR: RBAC as discussed by the authors uses RBAC to implement Military Policies and Integrates RBAC with Existing Infrastructure, using role hierarchies and role-based role-role hierarchies to implement military policies.

...read moreread less

700

Proceedings Article•10.1145/304851.304859

User-centered security

Mary Ellen Zurko, +1 more

- 17 Sep 1996

TL;DR: In this article, the authors introduce the term user-centered security to refer to security models, mechanisms, systems, and software that have usability as a primary motivation or goal, and discuss the history of usable secure systems, citing both past problems and present studies.

...read moreread less

257

•Proceedings Article

User-Centered Security.

Mary Ellen Zurko

- 01 Jan 1999

TL;DR: This work discusses the work on user-centered authorization, which started with a rules-based authorization engine (MAP) and will continue with Adage, and evaluates the pros and cons of this effort, as a precursor to further work in this area.

...read moreread less

252

...

Expand

How users use access control

Chat with Paper

AI Agents for this Paper

Most frequently asked questions

1. What have the authors contributed in "How users use access control" ?

2. What are the future works in "How users use access control" ?

Figures

Citations

A methodology for empirical analysis of permission-based security models and its application to android

A conundrum of permissions: installing applications on an android smartphone

Privacy as Part of the App Decision-Making Process (CMU-CyLab-13-003)

Privacy as part of the app decision-making process

Tag, you can see it!: using tags for access control in photo sharing

References

Role-based access control models

HMAC: Keyed-Hashing for Message Authentication

Role-Based Access Controls

User-centered security

User-Centered Security.

Related Papers (5)

Improving user-interface dependability through mitigation of human error

Real life challenges in access-control management

Why Johnny can't encrypt: a usability evaluation of PGP 5.0

Exploring reactive access control

Method and apparatus for providing a web-based active virtual file system