Effects of access-control policy conflict-resolution methods on policy-authoring usability

Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, M.K. Reiter, Kami Vaniea

Research output: Working paper

Abstract / Description of output

Access-control policies can be stated more succinctly if they support both rules that grant access and rules that deny access, but this introduces the possibility that multiple rules will give conflicting conclusions for an access. In this paper, we compare a new conflict-resolution method, which uses first specificity and then deny precedence, to the conflict resolution method used by Windows NTFS, which sometimes uses deny precedence before specificity. We show that our conflict-resolution method leads to a more usable policy authoring system compared with the Windows method. We implemented both conflict-resolution methods in a simulated Windows NTFS file system and built a state-of-the-art policy authoring interface on top of the simulated file system. We ran a user study to compare policy authors’ performance with each conflict-resolution method on a range of file-permissions policy-authoring tasks. Our results show that the conflict-resolution method has a significant effect on usability, and that, though no conflict-resolution method can be optimal for all tasks, our specificity-based conflict resolution method is generally superior, from a usability perspective, to the Windows deny-based method. Ours is the first user study we are aware of that demonstrates empirically the effect that an access-control semantics can have on usability, independent of the graphical user interface.
Original languageEnglish
Number of pages15
Publication statusPublished - 17 Mar 2009


Dive into the research topics of 'Effects of access-control policy conflict-resolution methods on policy-authoring usability'. Together they form a unique fingerprint.

Cite this