Expressions of Expertness: The Virtuous Circle of Natural Language for Access Control Policy Specification
July 25, 2008 by Richard Conlan
http://cups.cs.cmu.edu/soups/2008/proceedings/p77Inglesant.pdf
SOUPS 2008 Best Paper Award
In this paper the researchers explored how to enable non-security specialists to express access control rules in formal policy terms. This matters because people often know what rules they want but do not know how to express them.
Access control is the ability to permit or deny the use of a particular resource by a particular entity.
The research was conducted using PERMIS, which makes role-based access control decisions as defined by policies expressed in XML. The XML is editable using the PERMIS Editor GUI. Permissions not explicitly granted are implicitly denied, so all policy statements are positive grants.
The approach used in this study was to provide a controlled natural language. In the first phase, the researchers conducted interviews and focus groups with over 45 resource owners, asking how they think about authorization requirements and how they express them. In the second phase they designed an ontology and a controlled language driven by this data.
The interface displays example policies on the right side, with an open text box on the left. When users are happy with their policy they click Convert and can scan the Log panel, which runs along the bottom of the interface, for errors. The researchers tested this interface with 17 target users carrying out a series of scenarios, analysing time to complete tasks, whether users understood the building blocks, and whether they were able to construct workable policies.
They found that users were not daunted by the controlled natural language, though the time taken and the number of attempts per task were higher than they would have liked; they believe users would improve with practice. They also found that the concern about users trying to write negative ("deny-based") rules was largely overcome.
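To make the Convert-and-Log workflow concrete, here is an added example (not code from the paper or from PERMIS) of a tiny converter for a hypothetical controlled natural language of the form "Role may action, action and action on Resource." It builds a positive-grant policy with default deny, so a request with no matching grant is refused, and it logs two kinds of problem a resource owner would see in the Log panel: a sentence the grammar does not recognise, and a negative ("may not") rule, which is rejected because anything not granted is already denied. The grammar, the XML element names, and the sample policy text are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Hypothetical controlled natural language (an assumption for this example, not the
# paper's or PERMIS's grammar). Each sentence is a positive grant of the form:
#   "<Role> may <action>[, <action>]* [and <action>] on <Resource>."
RULE_RE = re.compile(
    r"^(?P<role>[A-Za-z]+) may (?P<actions>[a-z]+(?:(?:, | and )[a-z]+)*) "
    r"on (?P<resource>[A-Za-z]+)\.$"
)
# Phrasings that express a negative rule; they are reported rather than silently dropped.
NEGATIVE_RE = re.compile(r"\b(may not|cannot|must not|deny)\b", re.IGNORECASE)


@dataclass
class Policy:
    # role -> resource -> set of permitted actions. Anything absent is implicitly denied.
    grants: dict = field(default_factory=dict)
    # Messages the interface's Log panel would show after Convert.
    log: list = field(default_factory=list)

    def grant(self, role, resource, action):
        self.grants.setdefault(role, {}).setdefault(resource, set()).add(action)

    def is_permitted(self, role, action, resource):
        # Default deny: only an explicit grant yields a permit decision.
        return action in self.grants.get(role, {}).get(resource, set())


def convert(text):
    """Translate controlled-natural-language sentences into a Policy, logging every
    line that is either negative or outside the grammar."""
    policy = Policy()
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        sentence = raw.strip()
        if not sentence:
            continue
        if NEGATIVE_RE.search(sentence):
            policy.log.append(
                f"line {lineno}: negative rules are not allowed; anything not granted "
                f"is already denied: {sentence!r}"
            )
            continue
        m = RULE_RE.match(sentence)
        if m is None:
            policy.log.append(f"line {lineno}: not a recognised rule: {sentence!r}")
            continue
        for action in re.split(r", | and ", m["actions"]):
            policy.grant(m["role"], m["resource"], action)
    return policy


def to_xml(policy):
    """Serialise the grants as XML. The element names are constructed for this
    example and are not PERMIS's schema."""
    root = ET.Element("Policy")
    for role, resources in sorted(policy.grants.items()):
        role_el = ET.SubElement(root, "Role", name=role)
        for resource, actions in sorted(resources.items()):
            target = ET.SubElement(role_el, "Target", resource=resource)
            for action in sorted(actions):
                ET.SubElement(target, "Action", name=action)
    return ET.tostring(root, encoding="unicode")


# Constructed sample input, as a resource owner might type it into the text box.
SAMPLE_POLICY = """
Lecturer may read, write and delete on Gradebook.
Student may read on Gradebook.
Student may not write on Gradebook.
Students can see grades.
Everyone may read on Timetable.
"""


def demo():
    """Convert the sample and evaluate a few requests, including one from a role the
    policy never mentions (denied by default)."""
    policy = convert(SAMPLE_POLICY)
    requests = [
        ("Lecturer", "write", "Gradebook"),
        ("Student", "read", "Gradebook"),
        ("Student", "write", "Gradebook"),
        ("Visitor", "read", "Gradebook"),
    ]
    decisions = {r: policy.is_permitted(*r) for r in requests}
    return policy, decisions


if __name__ == "__main__":
    policy, decisions = demo()
    for entry in policy.log:
        print("LOG:", entry)
    for (role, action, resource), permitted in decisions.items():
        print(f"{role} {action} {resource}: {'permit' if permitted else 'deny'}")
    print(to_xml(policy))
```

Running the block prints two log entries (the "may not" sentence on line 3 and the unparseable sentence on line 4), permits the Lecturer write and Student read, denies the Student write and the Visitor read, and then prints the XML rendering of the grants. The point of rejecting the negative rule in the log rather than compiling it is the same one the paper makes about PERMIS: in a default-deny model a deny statement adds nothing, and surfacing that in the Log panel steers the user back to positive grants.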