Expandable grids for visualizing and authoring computer security policies

Abstract: We introduce the Expandable Grid, a novel interaction technique for creating, editing, and viewing many types of security policies. Security policies, such as file permissions policies, have traditionally been displayed and edited in user interfaces based on a list of rules, each of which can only be viewed or edited in isolation. These list-of-rules interfaces cause problems for users when multiple rules interact, because the interfaces have no means of conveying the interactions amongst rules to users. Inste… Show more

“…We found no significant difference between conditions when working with different album states. All participants did significantly worse when working with changed albums (8, 13 and 17) than existing (8,11, and 14) (p<0.0002) or new (7, 10, and 16) (p<0.003) albums.…”

“…The grid design is based on work by Reeder et al, who successfully used a combination of grids and effective permissions (discussed below) to make it easier for users to manage file permission settings [8], [9]. Participants were able to use the grid to get a quick sense of permissions settings and focus on important components easily.…”

“…Similarly, Gallery has a built-in group "Everybody," which includes users from all other groups, making possible policy conflicts between Everybody and other groups. Prior work shows that end users find it much easier to understand access-control policy when they are shown effective permissions (the result of evaluating all relevant policy rules) rather than the sets of policy rules that induce them [8]. Accordingly, we designed our proximity interfaces to show effective permissions.…”

“…As this makes understanding the overall policy unreasonably difficult, we implemented a grid-style policy interface that allowed viewing and editing of all permissions on one screen. This interface was heavily inspired by recent work on Expandable Grids [8], [9], and was available to users in all our conditions. An example of this interface is shown in Figure 2.…”

Out of sight, out of mind: Effects of displaying access-control information near the item it controls

“…We found no significant difference between conditions when working with different album states. All participants did significantly worse when working with changed albums (8, 13 and 17) than existing (8,11, and 14) (p<0.0002) or new (7, 10, and 16) (p<0.003) albums.…”

“…The grid design is based on work by Reeder et al, who successfully used a combination of grids and effective permissions (discussed below) to make it easier for users to manage file permission settings [8], [9]. Participants were able to use the grid to get a quick sense of permissions settings and focus on important components easily.…”

“…Similarly, Gallery has a built-in group "Everybody," which includes users from all other groups, making possible policy conflicts between Everybody and other groups. Prior work shows that end users find it much easier to understand access-control policy when they are shown effective permissions (the result of evaluating all relevant policy rules) rather than the sets of policy rules that induce them [8]. Accordingly, we designed our proximity interfaces to show effective permissions.…”

“…As this makes understanding the overall policy unreasonably difficult, we implemented a grid-style policy interface that allowed viewing and editing of all permissions on one screen. This interface was heavily inspired by recent work on Expandable Grids [8], [9], and was available to users in all our conditions. An example of this interface is shown in Figure 2.…”

Out of sight, out of mind: Effects of displaying access-control information near the item it controls

“…The browser shows details about a resource, delegatee, and delegation in the bottom part of the window. Resources as well as delegatees can be grouped enabling a more coarse grained view similar to the Expandable Grids by Reeder et al (2008).…”

Delegation of access rights in multi-domain service compositions

Cyber Security Technology Usability and Management