Intentional access management: making access control usable for end-users
Source: SOUPS; Vol. 149
Proceedings of the second symposium on Usable privacy and security
Pittsburgh, Pennsylvania
SESSION: Intelligible access control
Pages: 20-31
Year of Publication: 2006
ISBN:1-59593-448-0
Authors
Xiang Cao  University of British Columbia, Vancouver BC, Canada
Lee Iverson  University of British Columbia, Vancouver BC, Canada
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1143120.1143124

ABSTRACT

The usability of access control mechanisms in modern distributed systems has been widely criticized but little studied. In this paper, we carefully examine one such widely deployed access control mechanism, the one embedded in the WebDAV standard, from the point of view of an end-user trying to decide how to grant or deny a third party access to some resource. This analysis points to problems with the conceptual usability of the system. Significant effort is required on the part of the user to determine how to implement the desired access rules; the user, however, has low interest and expertise in this task, given that such access management actions are almost always secondary to the collaborative task at hand. The analysis does, however, indicate a possible solution: to recast the access control puzzle as a decision support problem in which user intentions (i.e., descriptions of the desired system outputs) are interpreted by an access mediator that either automatically or semi-automatically decides how to achieve the designated goals and provides enough feedback to the user. We call such systems intentional access management (IAM) systems and describe them in both specific and general terms. To demonstrate the feasibility and usability of the proposed IAM models, we develop an intentional access management prototype for WebDAV. The results of a user study conducted on the system show its superior usability compared to traditional access management tools such as the access control list (ACL) editor.
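The abstract describes the core idea of IAM: the user states an outcome ("Bob must not be able to read this"), and a mediator works out which ACL edit achieves it and reports what else that edit changes. The following is an added example, not the paper's prototype or any code from the authors. It models WebDAV ACL evaluation with a simplification (ordered first-match over ACEs, a subset of the RFC 3744 privilege tree); the users alice, bob and carol, the group staff, and the sample ACL are constructed for the example. The mediator generates two candidate plans per goal (insert an explicit per-user ACE, or remove the ACE currently deciding the outcome), scores each by the number of effective-permission changes the user did not ask for, applies the better one, and re-verifies every goal at the end.

```python
"""Toy model of WebDAV ACL evaluation (RFC 3744) plus an 'intentional' access
mediator that turns stated outcomes into ACL edits and reports side effects.

Added example, not the paper's prototype. Assumptions (constructed here):
evaluation is simplified to ordered first-match; the privilege tree is a
subset of RFC 3744 section 3; users alice/bob/carol and group 'staff' are
invented sample data.
"""
from dataclasses import dataclass

# Subset of the RFC 3744 aggregate privileges (assumption: no server extensions).
PRIVILEGE_TREE = {
    "DAV:all": {"DAV:read", "DAV:write", "DAV:read-acl", "DAV:write-acl"},
    "DAV:write": {"DAV:write-content", "DAV:write-properties", "DAV:bind", "DAV:unbind"},
}

def expand(privs):
    """privs plus every privilege they aggregate, transitively."""
    out, stack = set(), list(privs)
    while stack:
        p = stack.pop()
        if p not in out:
            out.add(p)
            stack.extend(PRIVILEGE_TREE.get(p, ()))
    return out

LEAF_PRIVILEGES = expand({"DAV:all"}) - set(PRIVILEGE_TREE)
GROUPS = {"staff": {"alice", "carol"}}  # constructed DAV:group-member-set data

@dataclass(frozen=True)
class ACE:
    principal: str         # user name, group name or "DAV:all"
    privileges: frozenset  # privileges named in the ACE (aggregates allowed)
    grant: bool            # True = DAV:grant, False = DAV:deny

def principal_matches(ace_principal, user):
    if ace_principal == "DAV:all":
        return True
    return user in GROUPS.get(ace_principal, {ace_principal})

def deciding_ace(acl, user, privilege):
    """First ACE whose principal matches and whose privileges cover `privilege`
    (simplified RFC 3744 ordering); None means no ACE applies."""
    for ace in acl:
        if principal_matches(ace.principal, user) and privilege in expand(ace.privileges):
            return ace
    return None

def effective(acl, user, privilege):
    ace = deciding_ace(acl, user, privilege)
    return ace.grant if ace is not None else False

def access_matrix(acl, users):
    """Effective leaf permissions per user: the Lampson-style access matrix."""
    return {(u, p): effective(acl, u, p) for u in users for p in LEAF_PRIVILEGES}

def candidate_plans(acl, user, priv, want):
    """Two ways to realise one goal: 'explicit' inserts a per-user ACE at the
    front; 'remove' deletes the ACE that currently decides the outcome, which
    may also change other principals' access."""
    plans = {"explicit": [ACE(user, frozenset({priv}), want)] + list(acl)}
    ace = deciding_ace(acl, user, priv)
    if ace is not None:
        plans["remove"] = [a for a in acl if a is not ace]
    return plans

def unintended_changes(old, new, users, goal):
    """Effective-permission changes not implied by the goal itself."""
    user, priv, _ = goal
    intended = {(user, leaf) for leaf in expand({priv}) & LEAF_PRIVILEGES}
    before, after = access_matrix(old, users), access_matrix(new, users)
    return sorted(k for k in before if before[k] != after[k] and k not in intended)

def mediate(acl, goals, users):
    """Decision support: for each goal (user, privilege, want_allowed) pick the
    plan that meets it with the fewest side effects (then the shortest ACL),
    apply it, explain the choice, and re-verify every goal at the end."""
    acl, report = list(acl), []
    for goal in goals:
        user, priv, want = goal
        if effective(acl, user, priv) == want:
            report.append(f"{user} {priv}: already {'allowed' if want else 'denied'}")
            continue
        plans = candidate_plans(acl, user, priv, want)
        viable = {n: unintended_changes(acl, p, users, goal)
                  for n, p in plans.items() if effective(p, user, priv) == want}
        best = min(viable, key=lambda n: (len(viable[n]), len(plans[n])))
        acl = plans[best]
        report.append(f"{user} {priv}: plan '{best}' applied; side effects per plan: "
                      + ", ".join(f"{n}={len(s)}" for n, s in sorted(viable.items())))
    unmet = [g for g in goals if effective(acl, g[0], g[1]) != g[2]]
    return acl, report, unmet

if __name__ == "__main__":
    acl = [ACE("DAV:all", frozenset({"DAV:read"}), True),
           ACE("staff", frozenset({"DAV:write"}), True)]
    goals = [("bob", "DAV:read", False), ("carol", "DAV:write", False)]
    acl, report, unmet = mediate(acl, goals, ["alice", "bob", "carol"])
    print("\n".join(report), "\nunmet:", unmet)
```

The side-effect count is the feedback the abstract calls for: removing the DAV:all read grant would indeed stop bob reading, but the mediator can show that it also strips alice and carol, so it prefers the explicit deny. When a stale per-user grant is the only thing deciding the outcome, the tie-break on ACL length makes it delete that ACE rather than stack a deny on top, and a pair of contradictory goals surfaces in the final `unmet` list rather than silently winning by order.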

