UBC Theses and Dissertations
Intentional access management: making access control usable for end-users

Cao, Xiang
In today's network-connected, highly dynamic and distributed computing environments, end-users are motivated to share information and collaborate. It is often the responsibility of end-users, however, to control access to their information. The usability of access control mechanisms in modern distributed systems has been widely criticized but little studied. In this thesis, I carefully examine one widely deployed access control mechanism embedded in the WebDAV (Web-based Distributed Authoring and Versioning) standard, from the point of view of an end-user trying to decide how to grant or deny access to some resource to a third party. My analysis points to problems with the conceptual usability of the system. Significant effort is required on the part of the user to determine how to implement the desired access rules. The user, however, has low expertise and interest in this task, given that such access management actions are almost always secondary to the collaborative task at hand. This gap between interest and complexity does, however, indicate a possible solution to this problem: to recast the access control puzzle as a decision-support problem in which user intentions (i.e., the descriptions of desired system outputs) are interpreted by an access mediator that either automatically or semi-automatically decides how to achieve the designated goals. I call such systems intentional access management (IAM) systems, and describe them in both general and specific terms. I then propose a set of design principles, as well as three levels of IAM model (wizard, full, and multi-backend). With IAM systems, end-users interact with the access control system in a natural and consistent way (e.g., by simply specifying their intentions and getting feedback in terms of system effects) without needing to know the internal security mechanism used. Such simplification makes access control more usable.
To demonstrate the feasibility and usability of the proposed IAM models, I develop an intentional access management system for WebDAV. End-users can manage access to their WebDAV resources by specifying intentions to this system. The results of a user study conducted on the system show its superior usability compared to traditional access management tools like the access control list editor.