Effects of Access-Control Policy Conflict-Resolution Methods on Policy-Authoring Usability

Access-control policies can be stated more succinctly if they support both rules that grant access and rules that deny access, but this introduces the possibility that multiple rules will give conflicting conclusions for an access. In this paper, we compare a new conflict-resolution method, which uses first specificity and then deny precedence, to the conflictresolution method used by Windows NTFS, which sometimes uses deny precedence before specificity. We show that our conflict-resolution method leads to a more usable policyauthoring system compared with the Windows method. We implemented both conflict-resolution methods in a simulated Windows NTFS file system and built a state-of-the-art policy authoring interface on top of the simulated file system. We ran a user study to compare policy authors’ performance with each conflict-resolution method on a range of file-permissions policy-authoring tasks. Our results show that the conflict-resolution method has a significant effect on usability, and that, though no conflict-resolution method can be optimal for all tasks, our specificity-based conflictresolution method is generally superior, from a usability perspective, to the Windows deny-based method. Ours is the first user study we are aware of that demonstrates empirically the effect that an access-control semantics can have on usability, independent of the graphical user interface.