Simplify Access Control Models

Name Simplify Access Control Models
Sources (Smetters and Good, 2009)
Synonyms None
Context Design of data access control systems and the interfaces used to manage them
Item 1 Only allow positive grants of access
“Adding explicit access denial takes a system where the impact of an access rule can be considered in isolation to one where access depends on the combination of rules in effect and the order in which they are applied (Microsoft, 2005; Reeder et al., 2008). This adds tremendous complexity, significantly limits the effectiveness of clever user interface techniques to simplify access management (Rode et al., 2006; Lieberman and Miller, 2007), and offers no significant functionality that cannot be otherwise achieved, say via more complex group definitions. Many systems get along fine without access denial (e.g., DocuShare, email, Unix permissions), and those systems that do include them discourage their use (Microsoft, 2005).”
[Security Principle] “Fail-safe defaults: Base access decisions on permission rather than exclusion.” (Saltzer and Schroeder, 1975)
Item 2 Simplify the inheritance model for access control changes
“When a user changes access rights on a folder, they are typically confronted with a choice of how those changes should propagate to the folder’s children. That model of access inheritance directly mirrors the implementation choices faced by developers, but does not mirror users’ mental models of how inheritance should work. Users seem to treat the hierarchy of content covered by a folder’s access settings as a common protection domain, operating together until overridden by any explicitly-set ACLs [access control lists] present below. A simple default inheritance scheme might apply ACL changes to all content in the current protection domain, supplemented by visualizations to help users explore the extent of their changes.”
[Principle] Appropriate Boundaries
[Principle] Provide Standardized Security Policies
[Principle] Visibility
Item 3 Limit the types of permissions that can be granted
“There seems an ever-constant expansion of the types of access rights that can be managed. While separation of read, write and perhaps execute permissions is clearly valuable to users, it is not clear that others (e.g., separate control of access settings themselves, deletion, or other options) are.”
Item 4 Group Definitions
“The one facet of access control management users seem relatively comfortable with is the creation and management of groups, and in fact creation of appropriate group structures can emulate many other, more complicated means of achieving an effective access control policy. Allowing users to flexibly create groups to meet their needs seems the simplest route to providing needed flexibility, rather than attempting to specify a small number of predefined groups and allowing other, more complex access specifications.”
Examples None
Related Guidelines None
Tags access control models
Log history [01/23/2019]: Added to repository
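As an added illustration of Items 1, 2 and 4 (example code written for this entry, not code from Smetters and Good or from the repository), the following Python model assumes a constructed folder tree, grant-only ACLs and one user-defined group. Permissions are the union of positive grants, a folder inherits the ACL of the nearest ancestor that carries an explicit ACL (its protection domain), so a grant on a folder reaches its whole domain without touching sub-folders that set their own ACL; `order_dependent` shows that a first-match evaluator becomes sensitive to rule order only once a deny rule is present.

```python
from itertools import permutations

# Constructed example data: child -> parent (None marks the root).
TREE = {
    "/": None, "/proj": "/", "/proj/design": "/proj",
    "/proj/design/v2": "/proj/design", "/proj/finance": "/proj",
}
# Explicit ACLs: principal -> set of positive permissions. No deny entries (Item 1).
ACLS = {
    "/": {"alice": {"read", "write"}},
    "/proj": {"alice": {"read", "write"}, "team": {"read"}},
    "/proj/finance": {"alice": {"read"}, "cfo": {"read", "write"}},
}
# User-defined group (Item 4): membership is the only indirection needed.
GROUPS = {"team": {"bob", "carol"}}

def protection_domain_root(path):
    """Nearest folder at or above `path` carrying an explicit ACL (Item 2)."""
    while path not in ACLS:
        path = TREE[path]
    return path

def permissions(user, path):
    """Effective rights: union of the user's own grants and those of any group
    the user belongs to, taken from the protection domain's ACL."""
    acl = ACLS[protection_domain_root(path)]
    perms = set(acl.get(user, set()))
    for group, members in GROUPS.items():
        if user in members:
            perms |= acl.get(group, set())
    return perms

def grant(path, principal, perm):
    """Grant-only change: affects every folder in `path`'s protection domain,
    but not sub-folders that have an explicit ACL of their own."""
    ACLS.setdefault(path, {}).setdefault(principal, set()).add(perm)

def order_dependent(rules, user, perm):
    """True if first-match evaluation of `rules` (effect, principal, perm)
    yields different decisions for different rule orders. With positive
    grants only this is never the case; one deny entry is enough to make it so."""
    outcomes = set()
    for order in permutations(rules):
        decision = False  # default: no grant matched -> no access
        for effect, principal, p in order:
            if p == perm and (principal == user or user in GROUPS.get(principal, ())):
                decision = (effect == "allow")
                break
        outcomes.add(decision)
    return len(outcomes) > 1
```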

References

Lieberman, E., Miller, R.C., 2007. Facemail: Showing faces of recipients to prevent misdirected email, in: Proceedings of the 3rd Symposium on Usable Privacy and Security, SOUPS ’07. ACM, New York, NY, USA, pp. 122–131. doi:10.1145/1280680.1280696

Microsoft, 2005. Best practices for permissions and user rights [WWW Document]. URL http://technet.microsoft.com/en-us/library/cc779601.aspx (accessed 1.23.19).

Reeder, R.W., Bauer, L., Cranor, L.F., Reiter, M.K., Bacon, K., How, K., Strong, H., 2008. Expandable grids for visualizing and authoring computer security policies, in: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’08. ACM, New York, NY, USA, pp. 1473–1482. doi:10.1145/1357054.1357285

Rode, J., Johansson, C., DiGioia, P., Filho, R.S., Nies, K., Nguyen, D.H., Ren, J., Dourish, P., Redmiles, D., 2006. Seeing further: Extending visualization as a basis for usable security, in: Proceedings of the Second Symposium on Usable Privacy and Security, SOUPS ’06. ACM, New York, NY, USA, pp. 145–155. doi:10.1145/1143120.1143138

Saltzer, J.H., Schroeder, M.D., 1975. The protection of information in computer systems. Proceedings of the IEEE 63, 1278–1308. doi:10.1109/PROC.1975.9939

Smetters, D.K., Good, N., 2009. How users use access control, in: Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS ’09. ACM, New York, NY, USA, pp. 15:1–15:12. doi:10.1145/1572532.1572552