Help me keep data out of the wrong hands
January 17, 2008 4:35 AM
What are some good resources for designing an access control and permissions system?
It has fallen to me to build an access control system from the ground up for my company, now that we have outgrown our previous system. I have a lot of experience with access control systems, but I have never designed one, and I want to make sure I am not missing something important as I go forward.
Lorrie Cranor (one of the co-authors of the above book) and I have also taught a course on Usable Privacy and Security; the slides are all online.
I'd also recommend this paper by one of our PhD students, Rob Reeder, looking at the Windows XP access control user interface (and why it's broken). Reeder, R.W. and Maxion, R.A. User Interface Dependability through Goal-Error Prevention. Presented at International Conference on Dependable Systems and Networks (DSN'05) (Yokohama, Japan, June 28 - July 1, 2005). 2005.
You should also consider whether you want to have positive rules only (allow x, allow y), or negative rules only (do not allow x, do not allow y). A mix of the two can allow possible conflicts to occur.
There are also issues of mandatory access control (typically centrally controlled) vs discretionary (where end-users can also specify policies); role-based access control (do a Google search on RBAC); and optimistic vs pessimistic access control. For this last issue, it's basically do you think that people accessing the system are generally trustworthy and you only need to detect and then fix abuses after the case (optimistic), or do you need to prevent abuses and hence state rules up front (pessimistic).
posted by jasonhong at 8:14 AM on January 17, 2008
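The rule-conflict point in the answer above, as an added example that is not part of the original post: a small policy checker that finds requests matched by both an allow and a deny rule, then resolves them. The user, group and resource names are constructed, and "default deny, explicit deny overrides allow" is one common resolution strategy assumed here for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str      # "allow" or "deny"
    principal: str   # a user name or a group name
    resource: str
    action: str

# Constructed sample data: group membership and a mixed allow/deny policy.
GROUPS = {"alice": {"engineering", "contractors"}, "bob": {"engineering"}}
RULES = [
    Rule("allow", "engineering", "source-repo", "read"),
    Rule("deny", "contractors", "source-repo", "read"),
    Rule("allow", "bob", "payroll-db", "read"),
]

def applicable(rules, user, resource, action, groups):
    """Rules that match the request via the user or any of the user's groups."""
    principals = {user} | groups.get(user, set())
    return [r for r in rules
            if r.principal in principals
            and r.resource == resource and r.action == action]

def find_conflicts(rules, groups):
    """Return sorted (user, resource, action) triples hit by both allow and deny."""
    conflicts = set()
    for user in groups:
        for r in rules:
            matched = applicable(rules, user, r.resource, r.action, groups)
            if {m.effect for m in matched} == {"allow", "deny"}:
                conflicts.add((user, r.resource, r.action))
    return sorted(conflicts)

def decide(rules, user, resource, action, groups):
    """Assumed strategy: default deny, and an explicit deny beats any allow."""
    effects = {m.effect for m in applicable(rules, user, resource, action, groups)}
    if "deny" in effects:
        return "deny"
    return "allow" if "allow" in effects else "deny"

if __name__ == "__main__":
    # alice is in both groups, so her read of source-repo is the one conflict.
    print(find_conflicts(RULES, GROUPS))
    print(decide(RULES, "alice", "source-repo", "read", GROUPS))
```

Running `find_conflicts` whenever the policy changes surfaces ambiguous combinations at edit time instead of at the moment of access.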