Top

Published in:

2019 | OriginalPaper | Chapter

On Building a Visualisation Tool for Access Control Policies

Authors : Charles Morisset, David Sanchez

Published in: Information Systems Security and Privacy

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

An access control policy usually consists of a structured set of rules describing when an access to a resource should be permitted or denied, based on the attributes of the different entities involved in the access request. A policy containing a large number of rules and attributes can be hard to navigate, making policy editing and fixing a complex task. In some contexts, visualisation techniques are known to be helpful when dealing with similar amounts of complexity; however, finding a useful visual representation is a long process that requires observation, supposition, testing and refinement. In this paper, we report on the design process for a visualisation tool for access control policies, which led to the tool VisABAC. We first present a comprehensive survey of the existing literature, followed by the description of the participatory design for VisABAC. We then describe VisABAC itself, a tool that implements Logic Circle Packing to pursue the reduction of cognitive load on Access Control Policies. VisABAC is a web-page component, developed in Javascript using the D3.js library, and easily usable without any particular setup. Finally, we present a testing methodology that we developed to prove usability by conducting a controlled experiment with 32 volunteers; we asked them to change some attribute values in order to obtain a given decision for a policy and measured the time taken by participant to conduct these tasks (the faster, the better). We obtained a small to medium effect size (\(d=0.44\)) that indicates that VisABAC is a promising tool for authoring and editing access control policies.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Managing Cybersecurity Break-ins Using Bluetooth Low Energy Devices to Verify Attackers: A Practical Study

next chapter Survey and Guidelines for the Design and Deployment of a Cyber Security Label for SMEs

See for instance [3] for an account on the variety of access control models introduced over the past decades.

https://www.axiomatics.com/pure-xacml.html.

VisABAC is open-source and available at https://gitlab.com/morisset/visabac.

For the sake of compactness, we abbreviate the XACML Indeterminate extended decisions to Indet.

Also available with VisABAC documentation: http://homepages.cs.ncl.ac.uk/charles.morisset/visabac/visualiser/resources/pages/help.html.

As a side note, the abstractions and simplifications commonly used in visual techniques designed for humans, can also be useful to computers, presenting even formal proof of the correctness and normalisation of policies. For example, in [35] Graph theory is used to validate policies and in [30] decision diagrams are used to accelerate XACML speed evaluation; none of them show any visuals to users.

[28] indicates that future works is necessary in order to make PRISM a general purpose access control administration tool capable to support alternatives representations such as XACML.

VisABAC is available for demonstration at http://homepages.cs.ncl.ac.uk/charles.morisset/visabac.

A prototype version of VisABAC with collapsible trees is available alongside the main tool, illustrating the poor screen utilisation.

https://d3js.org.

The full test with both interfaces is available from the front page of the tool.

Cohen’s effect is computed as \((m_t - m_g)\) divided by \(\sqrt{(\sigma _t^2 + \sigma _g^2)/2}\).

Alavi, R., Islam, S., Mouratidis, H.: A conceptual framework to analyze human factors of Information Security Management System (ISMS) in organizations. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 297–305. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07620-1_26CrossRef

Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (EPAL). IBM Research (2003)

Barker, S.: The next 700 access control models or a unifying meta-model? In: SACMAT, pp. 187–196. ACM (2009)

Barrett, R., Kandogan, E., Maglio, P.P., Haber, E.M., Takayama, L.A., Prabaker, M.: Field studies of computer system administrators: analysis of system management tools and practices. In: Proceedings of the 2004 ACM Conference on Computer Supported Cooperative Work, CSCW 2004, pp. 388–395 (2004). https://doi.org/10.1145/1031607.1031672

Bastian, M., Heymann, S., Jacomy, M.: Gephi: an open source software for exploring and manipulating networks. In: Third International AAAI Conference on Weblogs and Social Media (2009)

Bauer, L., Garriss, S., Reiter, M.K.: Detecting and resolving policy misconfigurations in access-control systems. In: SACMAT, pp. 185–194. ACM (2008)

Becker, J., Heddier, M., Öksüz, A., Knackstedt, R.: The effect of providing visualizations in privacy policies on trust in data privacy and security. In: 2014 47th Hawaii International Conference on System Sciences, pp. 3224–3233 (2014). https://doi.org/10.1109/HICSS.2014.399

Benantar, M.: Access Control Systems: Security, Identity Management and Trust Models. Springer, Boston (2005). https://doi.org/10.1007/0-387-27716-1CrossRefMATH

Card, S.K., Mackinlay, J.D., Shneiderman, B. (eds.): Readings in Information Visualization: Using Vision to Think. Morgan Kaufmann Publishers Inc., San Francisco (1999)

10.

Cohen, J.: Statistical Power Analysis for the Behavioral Sciences, pp. 20–26. Lawrence Earlbaum Associates, Hillsdale (1988)MATH

11.

Crampton, J., Morisset, C.: PTaCL: a language for attribute-based access control in open systems. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 390–409. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28641-4_21CrossRef

12.

Crampton, J., Morisset, C., Zannone, N.: On missing attributes in access control: Non-deterministic and probabilistic attribute retrieval. In: SACMAT, pp. 99–109. ACM (2015)

13.

Euler, L.: Lettres a une princesse d’allemagne. Sur divers sujets de physique et de philosophie, vol. 2. Birkhauser, Basel (1761)

14.

Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: Proceedings of the 27th International Conference on Software Engineering, ICSE 2005, pp. 196–205. ACM, New York (2005). https://doi.org/10.1145/1062455.1062502

15.

Heydon, A., Maimone, M.W., Tygar, J.D., Wing, J.M., Zaremski, A.M.: Miro: visual specification of security. IEEE Trans. Softw. Eng. 16(10), 1185–1197 (1990). https://doi.org/10.1109/32.60298CrossRef

16.

Johnson, B., Shneiderman, B.: Tree-maps: a space-filling approach to the visualization of hierarchical information structures. In: Proceedings of the 2nd Conference on Visualization 1991, Los Alamitos, CA, USA, pp. 284–291. IEEE (1991)

17.

Kirlappos, I., Sasse, M.A.: What usable security really means: trusting and engaging users. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 69–78. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07620-1_7CrossRef

18.

Kolovski, V.: Logic-based access control policy specification and management. Technical report, Department of Computer Science, University of Maryland, College Park (2007)

19.

Kordon, F.: An introduction to rapid system prototyping. IEEE Trans. Softw. Eng. 28(9), 817–821 (2002). https://doi.org/10.1109/TSE.2002.1033222CrossRef

20.

Lacey, D.: Managing the Human Factor in Information Security: How to Win over Staff and Influence Business Managers. Wiley, Hoboken (2009)

21.

Lampson, B.W.: Protection. Oper. Syst. Rev. 8(1), 18–24 (1974). https://doi.org/10.1145/775265.775268CrossRef

22.

Licht, D.M., Polzella, D.J., Boff, K.R.: Human factors, ergonomics and human factors engineering: an analysis of definitions. Crew System Ergonomics Information Analysis Center (1989)

23.

MacLean, A., Barnard, P., Wilson, M.: Evaluating the human interface of a data entry system: user choice and performance measures yield different tradeoff functions. People Comput. Des. Interface 5, 45–61 (1985)

24.

Meyer, M.: Information visualization for scientific discovery, April 2011. https://www.youtube.com/watch?v=Sua0xDCf8MA

25.

Montemayor, J., Freeman, A., Gersh, J., Llanso, T., Patrone, D.: Information visualization for rule-based resource access control. In: Proceedings of International Symposium on Usable Privacy and Security (SOUPS), p. 24 (2006)

26.

Morisset, C., Sanchez, D.: VisABAC: a tool for visualising ABAC policies. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, pp. 117–126. INSTICC, SciTePress (2018). https://doi.org/10.5220/0006647401170126

27.

Morisset, C., Zannone, N.: Reduction of access control decisions. In: SACMAT, pp. 53–62. ACM (2014)

28.

Mousas, A.S., Antonakopoulou, A., Gogoulos, F., Lioudakis, G.V., Kaklamani, D.I., Venieris, I.S.: Visualising access control: the prism approach. In: 2010 14th Panhellenic Conference on Informatics (PCI), pp. 107–111, September 2010. https://doi.org/10.1109/PCI.2010.52

29.

Nergaard, H., Ulltveit-Moe, N., Gjøsæter, T.: ViSPE: a graphical policy editor for XACML. In: Camp, O., Weippl, E., Bidan, C., Aïmeur, E. (eds.) ICISSP 2015. CCIS, vol. 576, pp. 107–121. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27668-7_7CrossRef

30.

Ngo, C., Makkes, M.X., Demchenko, Y., de Laat, C.: Multi-data-types interval decision diagrams for XACML evaluation engine. In: 2013 Eleventh Annual International Conference on Privacy, Security and Trust (PST), pp. 257–266, July 2013. https://doi.org/10.1109/PST.2013.6596061

31.

Nielsen, J.: Usability Engineering. Morgan Kaufmann Publishers Inc., San Francisco (1993)CrossRef

32.

Nielsen, J., Levy, J.: Measuring usability: preference vs. performance. Commun. ACM 37(4), 66–75 (1994). https://doi.org/10.1145/175276.175282CrossRef

33.

Pan, L., Liu, N., Zi, X.: Visualization framework for inter-domain access control policy integration. China Commun. 10(3), 67–75 (2013). https://doi.org/10.1109/CC.2013.6488831CrossRef

34.

Pan, L., Xu, Q.: Visualization analysis of multi-domain access control policy integration based on tree-maps and semantic substrates. Intell. Inf. Manag. 4(5), 188–193 (2012)

35.

Pina Ros, S., Lischka, M., Gómez Mármol, F.: Graph-based XACML evaluation. In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, SACMAT 2012, pp. 83–92. ACM, New York (2012). https://doi.org/10.1145/2295136.2295153

36.

PwC: 2015 information security breaches survey. Technical report, HM Government and PwC Consulting and Infosecurity Europe, April 2015

37.

Rao, P., Ghinita, G., Bertino, E., Lobo, J.: Visualization for access control policy analysis results using multi-level grids. In: IEEE International Symposium on Policies for Distributed Systems and Networks, pp. 25–28 (2009). https://doi.org/10.1109/POLICY.2009.29

38.

Riche, N.H., Dwyer, T.: Untangling Euler diagrams. IEEE Trans. Vis. Comput. Graph. 16(6), 1090–1099 (2010). https://doi.org/10.1109/TVCG.2010.210CrossRef

39.

Rissanen, E., Lockhart, H., Moses, T.: XACML V3.0 administration and delegation profile version 1.0. Committee Draft 1 (2009)

40.

Ritter, F.E., Baxter, G.D., Churchill, E.F.: Foundations for Designing User-Centered Systems. Springer, London (2014). https://doi.org/10.1007/978-1-4471-5134-0CrossRef

41.

Rodgers, P.: A survey of Euler diagrams. J. Vis. Lang. Comput. 25(3), 134–155 (2014). https://doi.org/10.1016/j.jvlc.2013.08.006CrossRef

42.

Rosa, W.D.: Toward visualizing potential policy conflicts in eXtensible Access Control Markup Language (XACML). Theses and dissertations, University of New Orleans, New Orleans, May 2009

43.

Sackmann, S., Kähmer, M.: ExPDT: Ein policy-basierter ansatz zur automatisierung von compliance. Wirtschaftsinformatik 50(5), 366–374 (2008)CrossRef

44.

Sato, Y., Mineshima, K., Takemura, R.: The efficacy of Euler and Venn diagrams in deductive reasoning: empirical findings. In: Goel, A.K., Jamnik, M., Narayanan, N.H. (eds.) Diagrams 2010. LNCS (LNAI), vol. 6170, pp. 6–22. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14600-8_6CrossRef

45.

OASIS Standard: eXtensible Access Control Markup Language (XACML) version 2.0 (2005)

46.

Stapleton, G., Zhang, L., Howse, J., Rodgers, P.: Drawing Euler diagrams with circles. In: Goel, A.K., Jamnik, M., Narayanan, N.H. (eds.) Diagrams 2010. LNCS (LNAI), vol. 6170, pp. 23–38. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14600-8_7CrossRef

47.

Stepien, B., Matwin, S., Felty, A.: Strategies for reducing risks of inconsistencies in access control policies. In: 2010 International Conference on Availability, Reliability and Security, pp. 140-147 (2010)

48.

Trudeau, S., Sinclair, S., Smith, S.W.: The effects of introspection on creating privacy policy. In: WPES 2009: Proceedings of the 8th ACM Workshop on Privacy in the Electronic Society, pp. 1–10. ACM, New York (2009). https://doi.org/10.1145/1655188.1655190

49.

Vaniea, K., Ni, Q., Cranor, L., Bertino, E.: Access control policy analysis and visualization tools for security professionals. In: SOUPS Workshop (USM) (2008)

50.

Wang, W., Wang, H., Dai, G., Wang, H.: Visualization of large hierarchical data by circle packing. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2006, pp. 517–520. ACM, New York (2006). https://doi.org/10.1145/1124772.1124851

51.

Xu, W., Shehab, M., Ahn, G.J.: Visualization based policy analysis: case study in SELinux. In: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, SACMAT 2008, pp. 165–174. ACM, New York (2008). https://doi.org/10.1145/1377836.1377863

Title: On Building a Visualisation Tool for Access Control Policies
Authors: Charles Morisset
David Sanchez
Publisher: Springer International Publishing
Book: Information Systems Security and Privacy
Print ISBN: 978-3-030-25108-6

Electronic ISBN: 978-3-030-25109-3

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-25109-3_12

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner