To authorize or not authorize: helping users review access policies in organizations

Pooya Jaferian ; Hootan Rashtian ; Konstantin Beznosov

05 June 2014

Abstract: This work addresses the problem of reviewing complex access policies in an organizational context using two studies. In the first study, we used semi-structured interviews to explore the access review activity and identify its challenges. The interviews revealed that access review involves challenges such as scale, technical complexity, the frequency of reviews, human errors, and exceptional cases. We also modeled access review in the activity theory framework. The model shows that access review requires an understanding of the activity context, including information about the users, their jobs, their access rights, and the history of the access policy. We then used activity theory guidelines to design a new user interface named AuthzMap. We conducted an exploratory user study with 340 participants to compare the use of AuthzMap with two existing commercial systems for access review. The results show that AuthzMap improved the efficiency of access review in 5 of the 7 tested scenarios, compared to the existing systems. AuthzMap also improved the accuracy of actions in one of the 7 tasks, and only negatively affected accuracy in one of the tasks.

Keyword(s): HOTIDM IDM ACCESS MANAGEMENT ; Usable Security

Published in: Pooya Jaferian, Hootan Rashtian, and Konstantin Beznosov. 2014. To authorize or not authorize: helping users review access policies in organizations. SOUPS'14: Symposium On Usable Privacy and Security. Menlo Park, CA.

The record appears in these collections:
Refereed Conference Papers
Usable Security

 Record created 2014-06-05, last modified 2015-12-03
