the cups blog

07-17-09

How Users Use Access Control

What is access control? It's a specification of policy: who can do what to whom?

Systems that use named groups allow for a level of indirection. Users don’t need to know the exact content of a group, just its properties.

Access control is hard to use! People avoid it and try to get around it. XP’s interface is complex. But first we need to understand what controls users really want. Users like to share data using email.

We want to know how much control users actually want to have. We looked at the access control lists for servers that had been run for several years. We wanted to know what sorts of things users were willing to expend effort to set.

We looked at group memberships in two types of systems: an administrator-managed system (Unix, Windows) and a user-managed system (mailing lists). We also looked at access control lists shared on DocuShare. DocuShare is a content management system. It has discretionary access control. All files have an owner.

What access control work do people do?

When users make their own groups there are a lot more groups. Users are also involved in quite a few mailing lists. Only 13.4% of users owned groups. Admin-created groups were clearly organized by intent. User-created groups showed ineffective transition between intent and effect. Many misspellings.

5.2% of objects had their ACL explicitly modified. The remainder were inherited. Users were more likely to change ACLs on folders than files. People more often changed who had access than the type of access that they had. Many of the documents they saw were public. This could be intentional as this is a web interface for sharing.

Users only occasionally set access controls; they primarily relied on inheritance. When they do assign controls, they are surprisingly complex.

Implications include simplifying the access control system. Can we remove the deny? Simplifying the inheritance model for changes. Limit the types of permissions that can be granted. Simple tools could help users a lot.
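
The measurement described above (share of objects with an explicitly set ACL, folders versus files, and how a deny entry interacts with inheritance), as an added example that is not from the talk or from DocuShare. The object tree, the principals, the rule that an explicit ACL replaces the inherited one, and deny-over-allow precedence are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Obj:
    """File or folder. acl is None when the object inherits from its parent."""
    name: str
    is_folder: bool
    parent: "Obj | None" = None
    acl: "list | None" = None  # entries are (effect, principal, permission)

def effective_acl(obj):
    """Assumed model: the nearest explicit ACL up the tree replaces anything above it."""
    while obj.acl is None and obj.parent is not None:
        obj = obj.parent
    return obj.acl or []

def can(obj, principal, permission):
    """Assumed precedence: a matching deny entry overrides any matching allow."""
    effects = {e for e, who, perm in effective_acl(obj)
               if who == principal and perm == permission}
    return "allow" in effects and "deny" not in effects

def audit(objects):
    """Count non-root objects with an explicit ACL, split by kind, and list deny users."""
    children = [o for o in objects if o.parent is not None]
    explicit = [o for o in children if o.acl is not None]
    return {
        "explicit_share": len(explicit) / len(children),
        "explicit_folders": sum(o.is_folder for o in explicit),
        "explicit_files": sum(not o.is_folder for o in explicit),
        "uses_deny": sorted(o.name for o in explicit
                            if any(e[0] == "deny" for e in o.acl)),
    }

# Constructed sample tree (not data from the study).
root = Obj("root", True, acl=[("allow", "staff", "read")])
proj = Obj("proj", True, root, acl=[("allow", "alice", "write"),
                                    ("allow", "bob", "write"),
                                    ("deny", "bob", "write")])
notes = Obj("notes.txt", False, proj)
spec = Obj("spec.doc", False, proj)
public = Obj("public", True, root)
memo = Obj("memo.txt", False, public)
plan = Obj("plan.txt", False, root, acl=[("allow", "alice", "read")])
TREE = [root, proj, notes, spec, public, memo, plan]

if __name__ == "__main__":
    print(audit(TREE))
    print(can(notes, "bob", "write"), can(memo, "staff", "read"))
```

In the sample, the one folder ACL with a deny entry silently governs two files beneath it, which is the kind of effect an audit of explicit entries alone would miss.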

Audience Questions

  • Since sharing through email is so common, why not let users share through email and you do the complexities for them? You could do that.
  • The striking logical difference between email and centralized file is transitivity and centralized vs. decentralized policy. Which is more error prone? Error prone is not because it is centralized or decentralized. Email is a gifting model.
  • How much might the problem be not that the users don’t understand the access-control model but that the developers don’t understand their own model? The developers aren’t doing the stupid things, it's the users. The developers of this system do understand it. Users just throw more permissions at the problem till the person gets access.