To Authorize or Not Authorize: Helping Users Review Access Policies in Organizations

Authors: 

Pooya Jaferian, Hootan Rashtian, and Konstantin Beznosov, University of British Columbia

Abstract: 

This work addresses the problem of reviewing complex access policies in an organizational context using two studies. In the first study, we used semi-structured interviews to explore the access review activity and identify its challenges. The interviews revealed that access review involves challenges such as scale, technical complexity, the frequency of reviews, human errors, and exceptional cases. We also modeled access review in the activity theory framework. The model shows that access review requires an understanding of the activity context, including information about the users, their jobs, their access rights, and the history of the access policy. We then used activity theory guidelines to design a new user interface named AuthzMap. In the second study, we conducted an exploratory user study with 340 participants to compare the use of AuthzMap with two existing commercial systems for access review. The results show that AuthzMap improved the efficiency of access review in 5 of the 7 tested scenarios, compared to the existing systems. AuthzMap also improved the accuracy of actions in one of the 7 tasks, and negatively affected accuracy in only one of the tasks.


BibTeX
@inproceedings {185323,
author = {Pooya Jaferian and Hootan Rashtian and Konstantin Beznosov},
title = {To Authorize or Not Authorize: Helping Users Review Access Policies in Organizations},
booktitle = {10th Symposium On Usable Privacy and Security (SOUPS 2014)},
year = {2014},
isbn = {978-1-931971-13-3},
address = {Menlo Park, CA},
pages = {301--320},
url = {https://www.usenix.org/conference/soups2014/proceedings/presentation/jaferian},
publisher = {USENIX Association},
month = jul
}