The main focus of this paper is the usability and manageability of access control policies in an attribute-based access control (ABAC) setting. The authors aim to provide a scientific way of obtaining a usable access control rule set.
If access control rules were clear and simple, enforcing separation of duties would be trivial. However, for ABAC models few theoretical results exist that formally prove a given policy respects such security properties, because of the complexity the attribute/policy pair can reach. The situation is even harder in policy-based access control, where the policy is not a plain set of attributes to be matched; instead, policy evaluation depends on an external context, since a policy may contain conditions written in a policy language such as the eXtensible Access Control Markup Language (XACML), whose outcome depends on request-time environment attributes rather than on the subject's attributes alone.
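To make the point concrete, here is a small added example (written for this review, not code from the paper or its authors) of why context-dependent rules break static separation-of-duties (SoD) analysis. The rule set, subjects and the conflicting permission pair are constructed for illustration. Rules that match only on subject attributes can be checked statically for SoD conflicts; a rule carrying a context predicate (here a hypothetical on-call flag) cannot, and the checker reports it as undecidable instead of silently passing it.

```python
"""Minimal ABAC evaluator with a static separation-of-duties (SoD) check.

Constructed example: the rules, subjects and SoD constraint below are made
up for illustration and are not the paper's rule set or tooling.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Attrs = Dict[str, str]


@dataclass
class Rule:
    """Grant `permission` when every listed attribute has an allowed value.

    `context` is an optional predicate over the request environment (time,
    on-call status, ...). A rule with a context predicate cannot be decided
    from subject attributes alone, which is what makes SoD analysis hard.
    """
    permission: str
    requires: Dict[str, Set[str]]
    context: Optional[Callable[[Attrs], bool]] = None

    def matches(self, subject: Attrs, env: Optional[Attrs] = None) -> bool:
        for attr, allowed in self.requires.items():
            if subject.get(attr) not in allowed:
                return False
        if self.context is not None:
            # Context-dependent part: needs the runtime environment.
            return env is not None and self.context(env)
        return True


def grants(rules: List[Rule], subject: Attrs, env: Optional[Attrs] = None) -> Set[str]:
    """Permissions the rule set grants to `subject` under environment `env`."""
    return {r.permission for r in rules if r.matches(subject, env)}


def sod_violations(rules: List[Rule], subjects: Dict[str, Attrs],
                   conflicts: List[Tuple[str, str]]):
    """Static SoD check over the attribute-only part of the policy.

    Returns (violations, undecidable): `violations` lists subjects that the
    attribute-only rules grant both halves of a conflicting pair;
    `undecidable` lists permissions whose rules depend on request context
    and therefore cannot be settled without enumerating environments.
    """
    undecidable = [r.permission for r in rules if r.context is not None]
    static_rules = [r for r in rules if r.context is None]
    violations = []
    for name, attrs in subjects.items():
        perms = grants(static_rules, attrs)
        for a, b in conflicts:
            if a in perms and b in perms:
                violations.append((name, a, b))
    return violations, undecidable


# Constructed rule set (hypothetical attributes and permissions).
RULES = [
    Rule("submit_invoice", {"department": {"finance"}, "role": {"clerk", "manager"}}),
    Rule("approve_invoice", {"department": {"finance"}, "role": {"manager"}}),
    # Context-dependent exception: a clerk may approve while flagged on-call.
    Rule("approve_invoice", {"role": {"clerk"}},
         context=lambda env: env.get("on_call") == "true"),
]
SUBJECTS = {
    "alice": {"department": "finance", "role": "manager"},
    "bob": {"department": "finance", "role": "clerk"},
    "carol": {"department": "hr", "role": "manager"},
}
CONFLICTS = [("submit_invoice", "approve_invoice")]

if __name__ == "__main__":
    found, unknown = sod_violations(RULES, SUBJECTS, CONFLICTS)
    print("static SoD violations:", found)
    print("context-dependent permissions, not statically decidable:", unknown)
    # At runtime the on-call exception gives bob both halves of the pair,
    # a violation the static check could not see.
    print("bob on call:", grants(RULES, SUBJECTS["bob"], {"on_call": "true"}))
```

The static pass flags alice (manager in finance, granted both permissions by attribute-only rules) and reports `approve_invoice` as undecidable because of the on-call rule. Evaluating bob with an on-call environment shows the runtime grant of both permissions that no purely attribute-based reasoning can rule out, which is the gap the review above describes.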
Thus, a method users can rely on to (in)formally define the relation "policy x is more usable than policy y" is extremely important (and challenging). The authors stress that access control policies are managed by both IT experts and non-experts.
The study is structured as follows. With the help of volunteer IT administrators, the authors ran a pilot to define "six goals for building usable and secure access control rule sets." These goals were formalized and metrics were attached to them. The authors then conducted two chained user studies: the output of the first was used as input to the second, in order to evaluate how much the derived metrics helped users create new rule sets. The approach was validated by testing three hypotheses. Although there are some acknowledged limitations, the results are encouraging.