Skip to main content
SpringerLink
Log in

Granularity and Usability in Authorization Policies

  • Conference paper
  • First Online:
Emerging Information Security and Applications (EISA 2021)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1403))

  • 457 Accesses

Abstract

Emerging security systems need to carefully reconcile usability considerations in their design. In this context, we address authorization policies, which are used to limit the actions a principal may exercise on a resource. We compare two designs from the standpoint of the ease with which such policies can be devised and expressed. The two designs we consider are read-write-execute policies in UNIX, which was designed many decades ago, and identity-based policies in Amazon Web Services (AWS), which is a modern system. These can be seen, in the evolution of such designs, as two extremes—in the former, only the three actions read, write and execute are allowed in an authorization policy; in the latter, more than a thousand actions are allowed. While a richer set of actions lends to finer-grained authorization policies, the question we pose is: are such policies easier to formulate? Our question is important because a trend in the design of such policy languages in real systems over the years has been to enrich the set of actions. For a meaningful comparison between the two extremes, we design an overlay authorization policy syntax for AWS that allows the three actions read, write and execute only. We then describe our design of an ethics-approved, human participants study to assess whether a richer set of actions indeed results in better usability, and our results from carrying out the study. Using carefully chosen statistical methods that are appropriate for our study, we find that there is indeed evidence that allowing for a richer set of actions lends to better usability. Our work has significant implications to design in emerging security systems that seek to reconcile usability.

Portions of this work were supported via grants from the Natural Sciences and Engineering Research Council of Canada (NSERC) and Mitacs, Canada.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Amazon Web Services (AWS): Serverless shopping cart microservice, January 2021.https://github.com/aws-samples/aws-serverless-shopping-cart

  2. Amazon Web Services (AWS): Actions, resources, and condition keys for amazon elastic transcoder. https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastictranscoder.html. Accessed 31 Jan 2021

  3. Amazon Web Services (AWS): Amazon dynamodb, https://aws.amazon.com/dynamodb/. Accessed 31 Jan 2021

  4. Amazon Web Services (AWS): Amazon elastic transcoder. https://aws.amazon.com/elastictranscoder/. Accessed 31 Jan 2021

  5. Amazon Web Services (AWS): Amazon resource names (ARMS). https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html. Accessed 31 Jan 2021

  6. Amazon Web Services (AWS): Amazon simple queue service. https://aws.amazon.com/sqs/. Accessed 31 Jan 2021

  7. Amazon Web Services (AWS): Amazon web services (AWS) - cloud computing services. https://aws.amazon.com. Accessed 31 Jan 2021

  8. Amazon Web Services (AWS): Aws identity and access management – user guide – access management – policies and permissions in IAM. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html. Accessed 31 Jan 2021

  9. Bauer, L., Cranor, L.F., Reeder, R.W., Reiter, M.K., Vaniea, K.: A user study of policy creation in a flexible access-control system. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2008, pp. 543–552. ACM, New York (2008)

    Google Scholar 

  10. Beznosov, K., Inglesant, P., Lobo, J., Reeder, R., Zurko, M.E.: Usability meets access control: challenges and research opportunities. In: Proceedings of the Symposium on Access Control Models and Technologies, SACMAT 2009, pp. 73–74. ACM, New York (2009)

    Google Scholar 

  11. Bishop, M.: Introduction to Computer Security, 1st edn. Addison-Wesley, Boston (2004)

    Google Scholar 

  12. Both, D.: An introduction to linux’s ext4 filesystem. opensource.com, May 2017. https://opensource.com/article/17/5/introduction-ext4-filesystem

  13. Brostoff, S., Sasse, M.A., Chadwick, D., Cunningham, J., Mbanaso, U., Otenko, S.: ‘R-what?’ development of a role-based access control policy-writing tool for e-scientists. Softw. Pract. Exp. 35(9), 835–856 (2005)

    Google Scholar 

  14. Google Developers: Android API reference – android platform – manifest.permission, https://developer.android.com/reference/android/Manifest.permission. Accessed 31 Jan 2021

  15. Gusmeroli, S., Piccione, S., Rotondi, D.: A capability-based security approach to manage access control in the internet of things. Math. Comput. Model. 58(5), 1189–1205 (2013)

    Article  Google Scholar 

  16. Inglesant, P., Sasse, A.M., Chadwick, D., Shi, L.L.: Expressions of expertness: the virtuous circle of natural language for access control policy specification. In: Proceedings of the Symposium on Usable Privacy and Security, SOUPS 2008, ACM, New York (2008)

    Google Scholar 

  17. Krishnan, V., Tripunitara, M.V., Chik, K., Bergstrom, T.: Relating declarative semantics and usability in access control. In: Proceedings of the Eighth Symposium on Usable Privacy and Security. SOUPS 2012, ACM, New York (2012)

    Google Scholar 

  18. Lipford, H.R., Besmer, A., Watson, J.: Understanding privacy settings in facebook with an audience view. In: Proceedings of the 1st Conference on Usability, Psychology, and Security. UPSEC2008, USENIX Association (2008)

    Google Scholar 

  19. Maxion, R.A., Reeder, R.W.: Improving user-interface dependability through mitigation of human error. Int. J. Hum.-Comput. Stud. 63(1), 25–50 (2005)

    Google Scholar 

  20. Mazurek, M.L., et al.: Access control for home data sharing: attitudes, needs and practices. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 645–654. ACM, New York (2010)

    Google Scholar 

  21. McLeod, S.A.: Experimental design. Simply Psychology, January 2017. https://www.simplypsychology.org/experimental-designs.html

  22. Network Encyclopedia: NTFS permissions (windows NT). https://networkencyclopedia.com/ntfs-permissions-windows-nt/. Accessed 31 Jan 2021

  23. Osborne, C.: The top 10 security challenges of serverless architectures. Zero Day, January 2017. https://www.zdnet.com/article/the-top-10-risks-for-apps-on-serverless-architectures/

  24. Paul, T., Puscher, D., Strufe, T.: Improving the usability of privacy settings in Facebook. arXiv e-prints arXiv:1109.6046, September 2011

  25. Pero-Cebollero, M., Guardia-Olmos, J.: The adequacy of different robust statistical tests in comparing two independent groups. Psicologica 34, 407–424 (2013)

    Google Scholar 

  26. Ramesh Johari: MS & E 226: “Small" Data, Lecture 13: The bootstrap (v3). September 2020.http://web.stanford.edu/~rjohari/teaching/notes/226_lecture13_inference.pdf

  27. Reeder, R.W., Maxion, R.A.: User interface dependability through goal-error prevention. In: 2005 International Conference on Dependable Systems and Networks (DSN 2005), pp. 60–69 (2005)

    Google Scholar 

  28. Reeder, R.W., Maxion, R.A.: User interface defect detection by hesitation analysis. In: International Conference on Dependable Systems and Networks (DSN 2006), pp. 61–72 (2006)

    Google Scholar 

  29. Reeder, R.W., Bauer, L., Cranor, L.F., Reiter, M.K., Vaniea, K.: More than skin deep: measuring effects of the underlying model on access-control system usability. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2011, pp. 2065–2074. ACM, New York (2011)

    Google Scholar 

  30. Reeder, R.W., et al.:Expandable grids for visualizing and authoring computer security policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2008, pp. 1473–1482. ACM, New York (2008)

    Google Scholar 

  31. Ritchie, D.M., Thompson, K.: The Unix time sharing system. Commun. ACM 17, 365–375 (1974)

    Article  Google Scholar 

  32. Smith, J., Nguyen Quang Do, L., Murphy-Hill, E.: Why can’t johnny fix vulnerabilities: a usability evaluation of static analysis tools for security. In: Proceedings of the Symposium on Usable Privacy and Security. SOUPS2020, Usenix, Aug 2020

    Google Scholar 

  33. Chen,Y.-C.: STAT/Q SCI 403: introduction to resampling methods, Lecture 5: Bootstrap, April 2017. http://faculty.washington.edu/yenchic/17Sp_403/Lec5-bootstrap.pdf,

Download references

Author information

Authors and Affiliations

  1. University of Waterloo, Waterloo, Canada

    Boyun Zhang, Puneet Gill & Mahesh Tripunitara

  2. Cloud of Clouds Project, San Francisco, USA

    Nelu Mihai

Authors
  1. Boyun Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Puneet Gill
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Nelu Mihai
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mahesh Tripunitara
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mahesh Tripunitara .

Editor information

Editors and Affiliations

  1. Technical University of Denmark, Kongens Lyngby, Denmark

    Weizhi Meng

  2. Norwegian University of Science and Technology, Gjøvik, Norway

    Sokratis K. Katsikas

Rights and permissions

Reprints and permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Zhang, B., Gill, P., Mihai, N., Tripunitara, M. (2022). Granularity and Usability in Authorization Policies. In: Meng, W., Katsikas, S.K. (eds) Emerging Information Security and Applications. EISA 2021. Communications in Computer and Information Science, vol 1403. Springer, Cham. https://doi.org/10.1007/978-3-030-93956-4_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-93956-4_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-93955-7

  • Online ISBN: 978-3-030-93956-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation