Visualising Access Control Policies

Dates: December 2016 – January 2017

Lead researchers: Dr Charles Morrisett, David Sanchez, Newcastle University

Overview

Security practitioners have to maintain access control policies, sometimes with hundreds of rules, which may be misconfigured or have to be periodically updated. They are difficult to read, even to the technically trained eye. This work investigated how to make such complex policies easier to understand at a glance.

The researchers developed a tool called ‘VisABAC’ for the visualisation of attribute-based access control policies, and a test for visitors to take to help assess the effectiveness of these design changes. VisABAC presents a way to visually overview an access control policy, by disclosing details on demand and exploring policies graphically.

Users who tested the tool largely found it intuitive and easy to use, although they remarked that some training could have improved their response time. This experiment also showed that such a tool could be used to pass on the ability to understand access control policies to non-technical people.

The level of contribution VisABAC could provide to access control experts was not clear from this small study alone, but the work was intended to pave the way towards a larger scale experiment. It could result in fewer errors that leave networks vulnerable and is promising for authoring and editing access control policies.

Methods

Prototype design and surveys.

Funders: NCSC

Find out more: https://gitlab.com/morisset/visabac

Skills

Posted on

December 9, 2021