ABSTRACT
This work addresses the problem of reviewing complex access policies in an organizational context using two studies. In the first study, we explored the access review activity and identified its challenges using semi-structured interviews. The interviews revealed that access review involves challenges such as scale, technical complexity, the frequency of reviews, human errors, and exceptional cases. We also modeled access review in the activity theory framework. The model shows that access review requires an understanding of the activity context, including information about the users, their jobs, their access rights, and the history of each. We then used activity theory guidelines to design a new user interface named AuthzMap. We conducted a user study with 340 participants to compare the use of AuthzMap with two of the existing commercial systems for access review. The results show that AuthzMap improved the efficiency of access review in 5 of the 7 tested scenarios compared to the existing systems.
Supplemental Material
Zip file containing a PDF of the Accompanying Poster
Helping users review and make sense of access policies in organizations