How Users Use Access Control

July 17, 2009 by Richard Conlan

http://cups.cs.cmu.edu/soups/2009/proceedings/a15-smetters.pdf
Diana Smetters and Nathan Good

Access control is a specification of policy indicating who can do what to whom.  Access control is hard to use.  People often get around it by granting overly permissive capabilities.  Looking at Windows XP, there are over a dozen checkboxes that can be flipped for each file!  However, people like access controls: it has been shown that people like feeling they have control over their sharing.

The study examined how users actually make use of access controls.  It focused on group memberships in Administrator-managed systems (Windows domain groups and Unix groups) and User-managed systems (DocuShare and e-mail mailing lists), and on ACLs in DocuShare, at a “medium-sized industrial research lab,” including ~300 users ranging across researchers, administrative staff, and interns.  The systems have been in use for over a decade.  The data was collected through active user accounts (the IRB wouldn’t approve having the Administrator collect it across the entire system) and anonymized prior to analysis.

It was found that when users are able to create and manage their own groups, they belong to a lot more of them.  90% of DocuShare groups and 55% of mailing lists were closed.  Only 13.4% of users owned groups, with group age ranging from four months to eleven years.  User groups were often duplicated and sometimes had completely misleading names.  The Administrator-created groups tended to be more organized, with more intuitive names.  5.2% of DocuShare objects had their ACLs explicitly modified, and permissions were more likely to be explicitly set on folders than on files.  It was more common for updates to change who had access than to change what level of access they had.  Though users created relatively few ACLs, the ones they did create were surprisingly complicated.