Computer-Supported Access Control
GUNNAR STEVENS, University of Siegen, and VOLKER WULF, University of Siegen and Fraunhofer FIT
Traditionally, access control is understood as a purely technical mechanism which rejects or accepts access attempts automatically according to a specific preconfiguration. However, such a perspective neglects the practices of access control and the embeddedness of technical mechanisms within situated action. In this article, we reconceptualize the issue of access control on a theoretical, methodological, and practical level. On a theoretical level, we develop a terminology to distinguish between access control practices and the technical support mechanisms. We coin the term Computer Supported Access Control (CSAC) to emphasize this perspective. On a methodological level, we discuss empirical investigations of access control behavior from a situated action perspective. We discovered a differentiated set of social practices around traditional access control systems. By applying these findings on a practical level, we enhance the design space of computer supported access control mechanisms by suggesting a matrix of technical mechanisms which go beyond an ex-ante configuration.

Categories and Subject Descriptors: H.5.3 [Information Interfaces and Presentation]: Group and Organization Interfaces—Computer supported cooperative work
General Terms: Design, Performance
Additional Key Words and Phrases: Access control, computer supported cooperative work, field study, coordination mechanism, ethnomethodology, critical design
ACM Reference Format: Stevens, G. and Wulf, V. 2009. Computer-Supported access control. ACM Trans. Comput.-Hum. Interact. 16, 3, Article 12 (September 2009), 26 pages. DOI = 10.1145/1592440.1592441 http://doi.acm.org/10.1145/1592440.1592441
Authors' addresses: G. Stevens, University of Siegen, Germany; V. Wulf (contact author), University of Siegen and Fraunhofer FIT, Sankt Augustin, Germany; email: [email protected]. Copyright 2009 ACM 1073-0516/2009/09-ART12 $10.00. DOI 10.1145/1592440.1592441 http://doi.acm.org/10.1145/1592440.1592441. ACM Transactions on Computer-Human Interaction, Vol. 16, No. 3, Article 12, Publication date: September 2009.

1. INTRODUCTION

Controlling access legitimacy is an important issue in CSCW. According to the mainstream perception in access control research, intervening against illegitimate access is the only control mechanism which is given or needed. As a result, the design space for access control consists mainly of technical mechanisms for intervention. We argue that this concept has to be broadened by investigating the practices of access control, by opening up the design space for innovative access control mechanisms, and by looking at the appropriation of access control systems.

In his seminal work, Lampson [1974] proposed an access control matrix in which specific access rights are assigned to certain users by configuration, prior to any access. In other words, the Lampson mechanism requires access legitimacy to be fully specified, by granting certain rights to a particular user, before an access occurs. Researchers have not yet challenged the appropriateness of Lampson's basic assumptions for cooperative work settings. While the Lampson mechanism is based on the 'automation' paradigm [Schmidt 1991], we argue that this design paradigm is inadequate for dealing with the access control problem in its whole complexity. Following the CSCW research paradigm, which can be seen as a shift from automating the office to supporting office workers [Bannon 1993], we argue that access control should be designed as a supporting system. Approaches which focus on complete automation do not take full advantage of the design space for access control. To indicate a paradigm shift in analyzing access control practices and designing innovative access control mechanisms, we coin the term Computer Supported Access Control (CSAC).

Based on such a differentiated understanding, we point out some inherent limitations of the traditional perspective on access control. If access control is restricted to a specification of permissions before the actual access takes place, certain aspects of existing practices cannot be supported. As a consequence of such a narrow conceptualization, design alternatives shift out of focus.
Therefore, we need to explore the limitations of the Lampson mechanism in order to broaden our understanding and open up the design space for CSAC. Our understanding of CSAC is based on earlier work by the authors, especially several studies on access control practices and related design guidelines [Stevens and Wulf 2002; Stiemerling and Wulf 2000; Wulf 1997]. These studies already documented practices that were not supported by traditional control mechanisms. While they challenged the traditional perspective on access control, we lacked a systematic analysis of the conceptual assumptions in the state of the art. Assuming a categorical difference between normative rules of social practices and algorithmic rules of technical implementations, it is an interesting challenge to analyze the resulting design space.

The article is structured as follows. A survey of the current state of the art in access control provides an introduction (Section 2). After that, we develop a terminology to differentiate between practices of access control and technical mechanisms for their support (Section 3). While authors from an HCI background have already become aware of the fact that access control is not a purely technical issue [e.g., Adams and Sasse 1999], a systematic investigation of the relation between control practices and technical mechanisms is still missing. To deal with this problem, we elaborate on the CSAC research paradigm which takes this relationship into account. Theoretically, this paradigm is grounded in our action research tradition [Nett and Stevens 2008; Wulf and Rohde 1995] and in Suchman's [1987] work on the role of computer artifacts in human action. The CSAC paradigm allows us to broaden the traditional perspective on access control on a conceptual level. In Section 4, we demonstrate the relevance of the CSAC paradigm by systematizing our analysis of control practices from earlier empirical work. These findings stimulated us to generate a design framework for technical mechanisms of access control. To conclude, the article summarizes earlier work by establishing an appropriate theoretical understanding and suggesting a new research paradigm for access control.

2. ACCESS CONTROL

Computer science security is typically divided into three aspects: authentication, authorization, and encryption. While authentication and encryption are important components of a security system, especially for access via public networks [Coulouris et al. 1998], we focus primarily on authorization. Authorization by means of access control becomes relevant in all cases where a computer system is not used solely by a single user. This applies specifically to distributed multi-user systems. Due to its pervasiveness, the issue of access control has been investigated at various places in computer science research. Despite their different origins, most papers are characterized by a strong focus on formal and technical aspects of access control.

One of the earliest and most influential works on access control is the model developed by Lampson [1974]. It distinguishes three dimensions for specifying access rights: subjects, objects, and operations. Seen from a user-oriented point of view, access control specifies which subjects are allowed to carry out certain operations on a specific object. The subject dimension is typically defined by a list of users. The object dimension consists of a list of resources, for example, individual files.
With regard to operations, Lampson [1974] distinguishes between read and write access. The Lampson approach has been extended along different dimensions. Ferraiolo and Kuhn [1992], for instance, proposed the concept of Role-Based Access Control (RBAC). Operations on objects are granted to roles, while individual users can be assigned to these roles at different times.

The focus on formal models can be explained by the role of the military sector in early computer science research. More than many other areas, the military sector is characterized by strict requirements concerning adherence to firmly coded and defined security regulations. Formal regulations exist in order to determine a user's access rights and the process of granting these rights. The U.S. military information security policy is defined by the Orange Book [Department of Defence 1985]. It articulates standards for maintaining the confidentiality of information. Clark and Wilson [1987] have shown that security in the military and commercial sector is not necessarily identical. Above all, they see a difference in the prioritization of security goals. In the military sector, prevention of disclosure is the main goal, while "preventing unauthorized data modification" [Clark and Wilson 1987, p. 185] is paramount in the commercial sector.
A different approach is taken by optimistic security policies. An optimistic approach to access control, as explained by Povey [1999], is based on the following idea:

"Optimistic access control takes the approach of assuming that most accesses will rely on controls external to the system to ensure that the organization's security policy is maintained. [. . . ] In an optimistic system, enforcement of the security policy is retrospective, and relies on administrators to detect unreasonable access and takes steps to compensate for the action. Such steps might include: undoing illegitimate modifications, taking punitive action (e.g., firing, or prosecuting individuals) or removing privileges."

Optimistic access control relies fully on social processes around the system or on intervention by the system's administrators. It does not offer any technical mechanisms that allow the owner to control access to his resources. Yet, Povey's [1999] work demonstrates that there could be technical support mechanisms which go beyond Lampson's approach.

Another line of criticism with regard to existing security models has emerged from research in CSCW. Already at the beginning of the CSCW discussion, it became obvious that rigid security models cannot meet the specific requirements of computer supported group work (refer to Ellis et al. [1991] and Greif and Sarin [1986]). In contrast to the traditional assumptions, cooperative work is understood to take place in dynamic environments which are rarely determined by static administrative regulations. It seemed necessary that users should negotiate their partly contradictory goals when regulating access.1 Therefore, the design of appropriate mechanisms for access control has become an important topic in the CSCW discourse. At the beginning, the discussion focused more on flexible access control systems which could be at least partly administered by the users themselves. It was assumed that such approaches would satisfy the requirements of dynamic and complex environments. The seminal work by Dewan and Shen [1998b] and Shen and Dewan [1992] marks a major step in overcoming the limitations of traditional approaches. They allow for a more fine-grained specification of access rights on the object and operation dimensions. Access can be specified even for individual elements within a file, such as a sentence within a text file. Access can also be specified with regard to a wide variety of groupware-related operations (e.g., copying).
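To make Povey's retrospective model concrete, the following Python program is an added example written for this edited version; it is not code from the article or from Povey [1999]. It grants every access up front, records each access together with the prior state of the object, and leaves enforcement to an administrator's later review, which undoes unreasonable modifications and removes the offending user's privilege (two of the three compensating steps Povey lists). The document store, the user names and the policy encoded in `reasonable()` are constructed for the example.

```python
"""Optimistic access control in the sense of Povey [1999]: no ex-ante
refusal, every access is logged with the state needed to undo it, and
enforcement happens retrospectively when an administrator reviews the log.

Added illustration, not code from the article or from Povey's paper. The
document store, the policy in `reasonable()` and the sample accesses are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class AccessRecord:
    seq: int
    user: str
    op: str                  # "read", "write" or "delete"
    obj: str
    before: Optional[str]    # content before the access; None if absent
    justification: str       # free text given by the user, may be empty


class OptimisticStore:
    def __init__(self, docs: Dict[str, str]) -> None:
        self.docs = dict(docs)
        self.log: List[AccessRecord] = []
        self.revoked: Set[str] = set()

    def access(self, user: str, op: str, obj: str,
               new_content: Optional[str] = None, justification: str = "") -> bool:
        """The only thing checked up front is whether an earlier review has
        already removed the user's privilege. Otherwise the access is
        performed and recorded together with the prior state."""
        if user in self.revoked:
            return False
        self.log.append(AccessRecord(len(self.log), user, op, obj,
                                     self.docs.get(obj), justification))
        if op == "write":
            self.docs[obj] = new_content
        elif op == "delete":
            self.docs.pop(obj, None)
        return True

    def review(self, reasonable: Callable[[AccessRecord], bool]) -> List[int]:
        """Retrospective enforcement. `reasonable` is the administrator's
        judgement of the organization's policy. Each unreasonable
        modification is undone by restoring the recorded prior state and the
        user loses the privilege. Restoring a single snapshot is only sound
        when nothing legitimate modified the object afterwards; a production
        system would need a version history instead."""
        findings = []
        for rec in reversed(self.log):          # newest first
            if reasonable(rec):
                continue
            if rec.op in ("write", "delete"):
                if rec.before is None:
                    self.docs.pop(rec.obj, None)
                else:
                    self.docs[rec.obj] = rec.before
            self.revoked.add(rec.user)
            findings.append(rec.seq)
        return sorted(findings)


def run_demo():
    """Constructed scenario: one legitimate edit, one curiosity read of a
    personnel file, and one unjustified deletion of a shared document."""
    store = OptimisticStore({"hr/salaries.csv": "alice,100", "eng/plan.txt": "v1"})
    hr_staff = {"carol"}
    store.access("alice", "write", "eng/plan.txt", "v2", "sprint update")
    store.access("bob", "read", "hr/salaries.csv")
    store.access("bob", "delete", "eng/plan.txt")

    def reasonable(rec: AccessRecord) -> bool:
        # administrator's reading of the policy: HR files are for HR staff,
        # and deletions of shared documents need a stated reason
        if rec.obj.startswith("hr/") and rec.user not in hr_staff:
            return False
        if rec.op == "delete" and not rec.justification:
            return False
        return True

    findings = store.review(reasonable)
    return store, findings


if __name__ == "__main__":
    store, findings = run_demo()
    print("flagged log entries:", findings)                  # [1, 2]
    print("restored content:", store.docs["eng/plan.txt"])  # v2
    print("revoked users:", sorted(store.revoked))           # ['bob']
```

Note what the example does not do: there is no technical means for the owner of `eng/plan.txt` to stop the deletion before it happens, which is exactly the gap the text identifies. The `justification` field is the place where a break-the-glass style signal, which the article later connects with Povey's work, would be recorded for the reviewer.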
To cope with the greater effort necessary to define more fine-grained access rights, Dewan and Shen [1998a] have implemented a hierarchical order on each of the three dimensions; for example, a user can either take a role or belong to a group. Moreover, basic operations can be grouped so that the group of operations can be handled jointly. Access rights are therefore inherited in accordance with the hierarchical order; for instance, all members of a group are assigned the group's access rights. To express exceptions from the inheritance rules, Shen and Dewan [1992] allowed negative access rights to be specified explicitly. Sikkel [1997] and Wulf et al. [1999] maintained the main premise of Shen and Dewan's access model. However, they modified the inheritance mechanisms to ease the specification of access control strategies. Edwards [1996] offers an alternative mechanism to make the specification of access control policies more flexible for users. He introduces a descriptor to define roles dynamically, which allows adherence to a role to be evaluated continuously during runtime. This permits the constitution of the group of users to be specified more dynamically than in traditional RBAC approaches.

In contrast to rigidly regulated domains, application domains of groupware usually do not have a strict process for assigning access rights. In order to increase efficiency and flexibility, the assignment of rights should be done without a rigid division of labor between system administrators and users. Therefore, users should be able to assign access rights themselves. A formal model of this meta-access control was developed by Dewan and Shen [1998b]. Wulf et al. [1999b] provided additional mechanisms for negotiation when collectively assigning access rights.

Due to the increase in complexity of access control systems and the involvement of larger groups of users in specifying control policies, usability of access control systems has gained high priority (e.g., Cranor and Garfinkel [2005]). Neuwirth et al. [1994] have suggested bundling access specifications on the operation dimension into labels such as "limited", "extended", and "total". While this approach reduces flexibility, it also reduces the effort required to specify access parameters. Wulf et al. [1999] have developed an exploration environment which allows users to evaluate more complex access control policies. The interface is based on a description of individual users' permissions in natural language.

Footnote 1: In organizations, access control needs to balance the wish for a broader distribution of information against the threat of abuse of that information. This ambiguity is rarely taken into account in access control research.
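To make the inheritance and exception rules concrete, the following Python program is an added example written for this edited version; it is not code from the article or from the Shen and Dewan, Sikkel or Wulf et al. systems, and the resolution order it uses (most specific cell first, first explicit entry wins) is one possible choice, not necessarily theirs. Users, groups, file names and the operation groups `edit` and `manage` are constructed for the example. It also includes a `delegate()` step standing in for the meta-access control discussed above, under the assumption that a separate `grant` operation in the matrix governs who may hand out rights.

```python
"""Ex-ante access control matrix with hierarchical subject, object and
operation dimensions, inheritance and negative rights.

Added illustration of the mechanisms the text attributes to Dewan and Shen
and to Sikkel / Wulf et al.; not code from the article or from any of those
systems. Users, groups, file names and operation groups are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Operation dimension: a grouped operation stands for a set of basic ones,
# so it can be granted or denied in one step (constructed grouping).
OP_GROUPS = {
    "edit": {"read", "write"},
    "manage": {"read", "write", "delete", "grant"},
}


def expand_ops(op: str) -> set:
    """Basic operations covered by `op` (the operation itself if basic)."""
    return set(OP_GROUPS.get(op, {op}))


@dataclass
class Matrix:
    # subject dimension: user -> groups/roles, most specific first
    membership: Dict[str, List[str]] = field(default_factory=dict)
    # object dimension: object -> enclosing container (file -> folder)
    parent: Dict[str, str] = field(default_factory=dict)
    # cell (subject, object) -> {basic op: True = positive, False = negative}
    entries: Dict[Tuple[str, str], Dict[str, bool]] = field(default_factory=dict)

    def set_right(self, subject: str, obj: str, op: str, allow: bool = True) -> None:
        for basic in expand_ops(op):
            self.entries.setdefault((subject, obj), {})[basic] = allow

    def subject_chain(self, user: str) -> List[str]:
        return [user] + self.membership.get(user, [])

    def object_chain(self, obj: str) -> List[str]:
        chain = [obj]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain

    def _resolve(self, user: str, obj: str, basic: str) -> bool:
        # Walk from the most specific cell outward: the object itself with the
        # user, then the user's groups, then the enclosing container. The
        # first explicit entry decides, so a negative right at a specific
        # level overrides a positive right inherited from a group or folder.
        # No entry anywhere means denial (the matrix is closed).
        for o in self.object_chain(obj):
            for s in self.subject_chain(user):
                decision = self.entries.get((s, o), {}).get(basic)
                if decision is not None:
                    return decision
        return False

    def check(self, user: str, obj: str, op: str) -> bool:
        """Ex-ante yes/no decision: every basic operation implied by `op`
        must resolve to a positive right."""
        return all(self._resolve(user, obj, b) for b in expand_ops(op))

    def delegate(self, granter: str, grantee: str, obj: str, op: str) -> bool:
        """Meta-access control (assumed form): a user may hand out rights on
        an object only if the matrix gives that user `grant` on it."""
        if not self.check(granter, obj, "grant"):
            return False
        self.set_right(grantee, obj, op)
        return True


def build_demo() -> Matrix:
    """Constructed workspace: a folder `archive` holding two files."""
    m = Matrix()
    m.membership["alice"] = ["engineering", "staff"]
    m.membership["bob"] = ["engineering", "staff"]
    m.membership["carol"] = ["staff"]
    m.parent["archive/drawing-17.dwg"] = "archive"
    m.parent["archive/specs.txt"] = "archive"
    m.set_right("staff", "archive", "read")             # inherited by all members
    m.set_right("engineering", "archive", "edit")       # grouped operation
    m.set_right("bob", "archive/drawing-17.dwg", "write", allow=False)  # exception
    m.set_right("alice", "archive/specs.txt", "grant")  # meta-right for alice
    return m


if __name__ == "__main__":
    m = build_demo()
    for user, obj, op in [("alice", "archive/drawing-17.dwg", "edit"),
                          ("bob", "archive/drawing-17.dwg", "write"),
                          ("bob", "archive/drawing-17.dwg", "read"),
                          ("carol", "archive/specs.txt", "write")]:
        print(f"{user:6} {op:6} {obj}: {m.check(user, obj, op)}")
    print("alice delegates write on specs.txt to carol:",
          m.delegate("alice", "carol", "archive/specs.txt", "write"))
    print("carol write specs.txt:", m.check("carol", "archive/specs.txt", "write"))
```

Everything the matrix decides is decided before any access is attempted; a denied `check()` returns False and nothing else happens, which is the property the article's later sections argue against.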
The aforementioned approaches do not question the basic assumption that access control is based on a yes/no decision before the actual access takes place. Our own questioning of this assumption was influenced by studies dealing with privacy concerns in computerized communication systems. Studies dealing with communication systems such as media spaces [Dourish 1993; Gaver et al. 1992] or ISDN private branch exchange systems [Wulf and Hartmann 1994] had indicated conflicts among users with regard to privacy settings. Some of these conflicts were hard to solve at design time, since the interests of the different human actors changed according to their context of use. Based on these findings, two distinct technical frameworks were developed to deal with privacy. Bellotti and Sellen [1993] suggested the mechanisms of feedback and control to empower the owner to protect her personal data. Wulf [1999, 1995] has developed technical mechanisms to support negotiations among those users who were in conflict concerning the activation of a certain function. More recent studies have added to our knowledge about privacy- and security-related practices. Grinter and Palen [2006] have investigated privacy-related practices of children using instant messengers. Dourish et al. [2004] studied security-related practices of two distinct populations: college students and researchers within an organization under government contract.
Olson et al. [2005] studied empirically which types of personal data users would like to share or protect. An important outcome of these studies is the fact that privacy concerns are interpersonally distinct, dynamic, and dependent on the situational context of the users. Discussing Altman's [1975] work on privacy regulation, Palen and Dourish [2003] interpret these findings from a theoretical perspective. Discussing the release of private information by means of the World Wide Web Consortium's Platform for Privacy Preferences Project (P3P), Ackerman [2000] postulates a socio-technical gap which exists because human activities are much more flexible, nuanced, and contextualized than technical mechanisms could possibly be. As an approach to deal with this gap, he suggests integrating computer-mediated communication (CMC) components into other functionalities.

While some of the design-oriented work influenced our thinking, the privacy-related discourse focuses on a rather specific problem. Privacy concerns deal with the (self-)presentation and accessibility of human actors, their identity, or data generated on their system usage, such as the content of communication or the history of usage. Privacy is understood as a "selective control of access to the self" [Altman, cited by Palen and Dourish 2003]. As an individually oriented concept, it has different connotations than controlling access to shared resources in organizations. Access control traditionally deals with large sets of data or documents which do not necessarily have a personal reference or ownership. It is a rather work-related and collective concept. Therefore, we assume that the practices of access control differ between the two domains. However, we believe that research into privacy and into access control in organizations can benefit from each other.

We started our investigations into access control to document collections when introducing groupware into German government agencies in the context of the POLITeam project.
Following the perspective of our earlier work, we found conflicts with regard to the execution of different groupware functions. For instance, the "search" and "delete" functions created conflicts among users in a shared workspace [Wulf 1997a]. As we became aware of the complexity and diversity of access control practices, we conducted additional case studies in office environments, both paper-based and computerized [Stiemerling and Wulf 2000]. This work was complemented in a follow-up study by an investigation into the control practices in maintenance engineering. We looked at two external engineering offices which accessed the central document archive of a steel mill [Stevens and Wulf 2002]. These studies showed a variety of different practices to control access to documents. They helped us to refine the earlier design frameworks. We will present details later on.

To support access control, we have implemented two prototypes of extended access control to documents. In the context of the POLITeam project, we implemented a prototype which realizes an additional mechanism of access control: it requests all affected users' admission before a document can be deleted in a shared workspace [Wulf 1997a; Wulf et al. 2001]. The prototype developed for the steel mill offered much more technical flexibility. Its component architecture allows assembling a wide range of different access control mechanisms, even some that were not foreseen in the original design framework [Stevens and Wulf 2002].

Our design-oriented work has been followed up in the CSCW community by Haake et al. [2004]. They look at the problem of access rights from the perspective of group formation within an e-learning platform. When building the CURE platform, they applied a key metaphor to allow users to specify access rights dynamically. Users can, for instance, request rights to access a shared workspace. Meta-rights are modeled as the rights of passing on or copying the user's key. The design framework has also been taken up in the security research community, where post-Lampson approaches to access control gain importance. For instance, Rissanen et al. [2006] developed an approach to specify access policies in a way that allows them to be overridden temporarily. Padayachee and Eloff [2007] suggested combining optimistic access control with awareness mechanisms for applications in software engineering.

3. COMPUTER SUPPORTED ACCESS CONTROL

Research concerning access control has gone beyond Lampson's model in different ways, for example, by differentiating the object, subject, and operation dimensions. These improvements are incremental in that they make the Lampson matrix more fine-grained and its configuration more user-friendly. However, a qualitative step in redefining the issue of access control is still missing. At the core of the traditional approach in access control research is the idea of fully delegating access control to the computer by formalizing the legitimized behavior as a prerequisite of any legitimate access. In our earlier work on access control, we started questioning this assumption. In the following, we want to elaborate on that argument. We postulate "Computer Supported Access Control" as an alternative research paradigm related to a new design paradigm for technical systems.
This design paradigm is directed towards the support of access control practices, while earlier work aimed at the automation of such practices. To elaborate on the new design paradigm, it seems necessary to differentiate analytically and conceptually between the control of access in practice and an access control system that supports this control. The two following definitions express this distinction.

(1) Access control is a practice to control the access to resources.
(2) A technical functionality which controls access, or which is designed to support users in controlling access, is called a Computer Supported Access Control System (CSAC system).

So far, there has been no terminological distinction between the practical action of access control and technical mechanisms to support this control. However, such a distinction is necessary to explicate the categorical difference between the rule-governed behavior of access control practice and the rule-governed behavior of an access control system. While in the first case we have to deal with the normative rules of a social practice, the second case relies on algorithmic rules executed by the computer.2 As a result of the missing explication, there is a tendency in access control research to neglect the categorical difference between both types of rules. The concept of rule-governed behavior as part of a social practice is often confused with the concept of rule-governed behavior implemented in an algorithmic access control system. The following statement by Lampson [2000] illustrates this observation:

"The informal access policy [. . . ] must be elaborated considerably before it can be enforced by a computer system. Both the set of confidential information and the set of properly authorized employees must be described precisely. We can view these descriptions as more detailed policy, or as implementation of the informal policy."
At first glance, Lampson [2000] describes a standard requirements gathering strategy to convert an informal policy into a formal configuration. Evidently, the author does not distinguish between a resource for human action and an algorithmic action implemented on a computer. Therefore, he needs to enforce a correspondence between the access control practices and the configuration of the access control system. This may be a viable approach for specific fields of application. However, the assumption that control practices and computational enforcement are categorically identical seems to be a problematic foundation for a scientific field. The definitional distinction developed previously enables us to ask whether, and to what extent, an informal practice of access control needs to be elaborated before it can be (partly) enforced by a computer system. Moreover, we can develop alternative requirements gathering strategies, which, for instance, could ask practitioners to judge whether a specific configuration of the access control system supports their work. Even articles which propose post-Lampson mechanisms do not reflect systematically on the categorical difference. As a consequence, the relationship between practices and computerized mechanisms is not analyzed systematically in the literature. However, such a reflection opens up the design space in access control research by framing the problem of access control in a different way. Moreover, it helps researchers to clarify their own theoretical standing in the field of computer supported access control.
Footnote 2: At this point, CSAC has a strong affinity to the analytical stance of the late Wittgenstein and his reflection on the question of what it means to obey a rule. In CSCW research it is especially the ethnomethodological school which pointed to the relevance of Wittgenstein and of the sociological interpretation of the rule concept by Peter Winch [1958]: "Winch suggests, borrowing from Wittgenstein, that to make sense of social relations is to understand social behavior as rule-following behavior. This argument, of course, is of profound importance because it has a close relationship with ethnomethodology and with Suchman's [1987] argument about plans. This is because arguments about 'plans' or 'situatedness' depend on what we mean when we talk about rules." [Randall et al. 2007, p. 33].
In the following, we will elaborate on CSAC research methods from a critical design point of view.3 We argue that computational automation can neither be straightforwardly deduced from practices, nor can practices be determined by technical artifacts. We therefore suggest reflecting on the dialectical relationship between "control practices" and "technical artifacts". The following excerpt helps to illustrate this point. One of the anonymous reviewers described a possible use of a traditional access control system:

"[E]ven in early 1970's implementations of Lampson's model, it was often possible for someone encountering a read-only document or directory to blast off an email asking for permission to be changed to allow writing, effectively 'uno tempore'."
First of all, the excerpt supports our interpretation that the algorithmic rules specified by the configuration of the Lampson matrix should not be interpreted as the normative rules of the practice itself, although they may be an expression of such practices. Moreover, the episode indicates that there is not even a direct mapping between a general type of practice and a general type of access control mechanism. In this case, the Lampson mechanism, which is actually intended to enforce an ex-ante specification of access rights, is used as part of a control practice which takes place at the time of the attempted access. This leads to the question of how to treat the relationship between "access control practices" and "technical artifacts", and also how to reflect on this relationship, both theoretically and methodologically. Our answer is related to our perception of reality as a historically contingent continuum. To analyze socio-culturally shaped control practices and technical control mechanisms, they should be understood as interrelated but separate entities. Our theoretical perception of contingencies in practice is influenced by the pragmatist conception of reality and its symbolic construction. According to Dewey [1938], ordinary situations constitute a continuum where means (e.g., control mechanisms) and ends (e.g., control purposes) are not separated. However, from a reflective position, there is no immediate, static link between practices and mechanisms. We rather have to assume a pragmatic, contingent relationship.4

Footnote 3: We label our position critical by drawing on two distinct scientific discourses. On the one hand, we are influenced by the critical Scandinavian research tradition [Ehn 1990], which proposes that the goal of research is to promote emancipation. On the other hand, our position is influenced by Pragmatist philosophy, which states "that indeterminacy is endemic to objective reality, and that pattern and structure are best understood as events of emergent process" [Shalin 1991]. Both aspects lead to an understanding of design which is similar to the "critical design" concept by Dunne and Raby [2001], who "reject the current situation as the only possibility, and provide a critique in the form of design outputs embodying alternative[s]" [Bowen 2007]. The critical design conception fits well with a pragmatist conception if we understand design as part of a participative inquiry process, and vice versa.

Footnote 4: More precisely, Dewey [1938] states that ordinary, determinate situations constitute a close continuum which does not offer a logical place to distinguish between the material and the symbolic world. Only in reflection, which typically happens in situations of doubt or breakdown (refer to Stevens et al. [2008]), are we able to distinguish between the two. In this process, we constitute the relationship between a practice and a technical mechanism and understand this relationship to be a contingent one.
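The request-at-denial practice in the reviewer's excerpt, and the POLITeam prototype mentioned in Section 2 (deletion in a shared workspace requires all affected users' admission), can be given a technical form in which the bare refusal of the Lampson matrix is replaced by a decision deferred to the time of the attempted access. The following Python program is an added example written for this edited version; it is not code from the article or from the POLITeam prototype, and the workspace, the user names and the rule that a document affecting nobody else may be deleted outright are assumptions made for the example.

```python
"""Access control at the time of the attempted access: when the ex-ante rule
says no, the attempt becomes a request to the affected users, and the
operation is carried out only once all of them have admitted it.

Added illustration of the mechanism the article attributes to the POLITeam
prototype (deleting a document in a shared workspace requires all affected
users' admission). Not code from that prototype or from the article; the
workspace, the user names and the rule "a document that affects nobody else
may be deleted outright" are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Request:
    rid: int
    requester: str
    op: str
    doc: str
    pending: Set[str]                               # admissions still outstanding
    rejected_by: Set[str] = field(default_factory=set)

    @property
    def state(self) -> str:
        if self.rejected_by:
            return "rejected"
        return "pending" if self.pending else "granted"


class SharedWorkspace:
    def __init__(self) -> None:
        self.docs: Dict[str, Set[str]] = {}         # doc -> users it affects
        self.requests: Dict[int, Request] = {}

    def add_doc(self, name: str, affected) -> None:
        self.docs[name] = set(affected)

    def delete(self, user: str, doc: str) -> str:
        """Ex-ante part: a document affecting nobody else is deleted at once.
        Otherwise the attempt is not refused but turned into a request whose
        outcome is decided by the affected users at access time."""
        others = self.docs[doc] - {user}
        if not others:
            del self.docs[doc]
            return "deleted"
        rid = len(self.requests) + 1
        self.requests[rid] = Request(rid, user, "delete", doc, pending=set(others))
        return f"pending:{rid}"

    def answer(self, rid: int, user: str, admit: bool) -> str:
        """An affected user admits or rejects. A single rejection settles the
        request; the deferred operation runs only when everyone has admitted."""
        req = self.requests[rid]
        if user not in req.pending:
            raise ValueError(f"{user} is not an outstanding party of request {rid}")
        req.pending.discard(user)
        if not admit:
            req.rejected_by.add(user)
        if req.state == "granted":
            self.docs.pop(req.doc, None)
        return req.state


def run_demo():
    """Constructed scenario: alice deletes her own draft outright, then tries
    to delete shared meeting minutes that also concern bob and carol."""
    ws = SharedWorkspace()
    ws.add_doc("minutes-03.txt", {"alice", "bob", "carol"})
    ws.add_doc("draft-alice.txt", {"alice"})
    own = ws.delete("alice", "draft-alice.txt")     # "deleted"
    shared = ws.delete("alice", "minutes-03.txt")   # "pending:1"
    s1 = ws.answer(1, "bob", admit=True)            # "pending"
    s2 = ws.answer(1, "carol", admit=True)          # "granted"
    return ws, own, shared, s1, s2


if __name__ == "__main__":
    ws, own, shared, s1, s2 = run_demo()
    print(own, shared, s1, s2, sorted(ws.docs))
```

The matrix still exists (the `others` check in `delete()` is an ex-ante rule), but a negative outcome no longer ends the interaction; it opens a negotiation among the people the operation concerns, which is the kind of support mechanism the CSAC paradigm is meant to make visible in the design space.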
Elaborating on the contingency in this relationship is one of the major goals of CSAC research. Social change is understood as being embedded in and shaped by an appropriation of the external conditions which are related to the distribution of labor, wealth, and power.5 In order to reveal these contingencies in practice, CSAC research should treat mechanisms and practices as autonomous entities. The separation helps in particular to define what is specifically addressed and reduces the pressure to make a direct mapping. It thus provides the necessary freedom to develop alternative access control opportunities. The separation of both entities should not be misunderstood as an endorsement to study them in isolation. Quite the contrary: CSAC research should take into account that in daily life, technical mechanisms are part of historically contingent practices which are shaped by material conditions and social demands to control access. More specifically, both entities, practices and mechanisms, progressively interact with each other. In the following, we want to work out the consequences of our position in detail, studying both practices and mechanisms in their own right. Afterwards we will address the issue of integrating both entities in a nonreductionist manner.

Abandoning the assumption of a strong correspondence between practices and computational models allows ethnographic studies to identify particular control practices in their own right. Earlier work has interpreted these practices merely as instances of a given access control model bound to the current state of the art in computational mechanisms. To some extent, the empirical work by Grinter and Palen [2002] and also by Dourish et al. [2004], both of whom follow a grounded theory approach, are examples of this new kind of empirical research following the CSAC paradigm. The empirical sections of Stiemerling and Wulf's [2000] and of Stevens and Wulf's [2002] articles are further examples.
The fact that we consider ethnographic studies is no coincidence. While other methodological approaches can also make important contributions to uncovering the contingencies in practice systematically, single case-specific methodologies should be preferred to quantitative evaluations that apply strict formalisms.6 The methodological orientation, committing oneself to following the specific logic of the case, allows uncovering control mechanisms in action which were previously unknown in the research literature. This can lead to a revision or extension of given typologies. From an affirmative, utilitarian position, the strength of a “following the case” methodology is at the same time its weakness. It does not necessarily reveal the contributions to design in a straightforward manner. However, this “weakness” cannot be circumvented since the ethnographic endeavor needs to cultivate, at least to some extent, an indifference to specific design issues (refer to Randall et al. [2007]). Therefore, “implications for design” cannot be mechanically derived [Dourish 2006]. Instead, from a critical research position, ethnographical studies should improve our understanding of the phenomena of access control in practice and uncover the contingency in appropriating existing control mechanisms.

Beyond ethnographical studies, there are other research strategies that can uncover control practices. For instance, Dourish and Palen [2003] apply a research strategy which draws conclusions by analogy (Dourish and Palen refer to Altman’s privacy theory). These analogies offer a framework for finding empirical evidence to validate their concepts. By doing so, they add to our understanding of access control practices.7 Another interesting case is the work by Povey [1999]. He also draws on analogies in his work on access control in locking policies for database systems. Based on a theoretical model of access control, Povey becomes aware of the “break the glass” principle in case people access a button to signal an emergency. He takes this as an example of an optimistic access control strategy. Unfortunately, Povey fails to empirically study the (control) practices with respect to the “break the glass” principle. His work on post-Lampson mechanisms and his remarks on possible application areas nevertheless identify themes which might be good candidates for ethnographical studies.

5 This position is close to the Scandinavian participatory design tradition. In particular, our understanding of appropriation is close to Bratteteig’s [2003, p. 3] understanding of learning which “is characterized by relations between the material possibilities and the logic of the work.”

6 Well-known examples of single case-specific methodologies are grounded theory, ethnomethodology, or objective hermeneutics. What these methodologies have in common is that research does not follow a mechanical formalism, but relies on the hermeneutical competence of the subject. In this context, Randall et al. [2007] speak of a “unique adequacy requirement” as an ambition, Reichertz [2004] refers to an “abductive attitude” and Oevermann understands objective hermeneutics to be a hermeneutical “Kunstlehre” according to its focus on research pragmatics (refer to Oevermann et al. [1979]).

ACM Transactions on Computer-Human Interaction, Vol. 16, No. 3, Article 12, Publication date: September 2009.

Since technology influences our perception of reality, design studies will play an important role in CSAC research. Design-oriented research is an instrument to explore the contingencies of access control from a technological point of view.
Hence, it is not only a problem-solving strategy but also a strategy to reflect on “wicked situations”.8 Design studies have implications for the constitution of the “problem-solution” nexus. This leads to somewhat inverse consequences compared to the ones stated by Dourish [2006] when discussing the role of ethnography in human-computer interaction. Paraphrasing Dourish [2006], we can say that demanding “implications for practice” inherently tends to restrict the outcomes of the design process.9 We argue that design-oriented research should not restrict itself by following an “implications for practice” perspective completely. Judging research on access-control mechanisms solely by their implications for practice misplaces and misconstrues the very nature of such a critical design enterprise. With regard to innovation-oriented, technical papers [Randall et al. 2007, p. 135], we occasionally face the following problem: Compared to elaborated technical concepts, the perception of social practices is rather simplistic and their use cases seem to be unrealistic. We understand the phenomenon of simplistic use cases to be a manifestation of the pitfalls resulting from an “implications for practice” orthodoxy. These pitfalls can be caused by difficulties which designers have to face when they reflect on unintended appropriation effects.10 However, in some cases it seems that only design activities offer opportunities to perceive contingencies of common practices in a constructive manner. In these cases the exploration of opportunities offered by newly designed technical artifacts allows anticipating innovative practices. But we would neglect this critical capability of design if we took it only as a means to solve a given, previously specified problem. Instead, we should use it as an instrument for inquiry. A critical, research-oriented approach to design should therefore improve our understanding of the contingencies in control practices by increasing the repertory of access-control mechanisms and supporting the creation of innovative control practices. Examining access control practices and mechanisms separately and detached from a fixed problem-solving nexus allows exploring contingencies of the social world which are usually taken for granted in daily work life. Exploring contingencies is part of a critical design endeavor which supports practices and their development. Such a development can be realized by modifying material artifacts (e.g., creating a new tool) or the symbolic world (e.g., creating a new interpretation of a tool).

7 This example illustrates the usefulness of different research strategies. However, it does not invalidate our previous argument. If empirical studies do not want to just replicate already known conceptions (that might be found by analogy or speculative investigations), we have to analyze them with an “abductive attitude” [Reichertz 2004] to discover new practices.

8 The strategy of using design as a research method to deal with “wicked problems” goes back to Rittel and Webber [1973]. They assume that “the information needed to understand the problem depends on one’s idea for solving it” [Rittel and Webber 1973, p. 161]. This assumption aligns with a pragmatist perspective. However, following Dewey, we radicalize this view by assuming that the constitution of a situation as being problematic already depends to some extent on perceived opportunities and anticipated solutions. Therefore, we use the term “wicked situation” to indicate that the constitution of a problem is already an act of interpretation (refer to Dewey [1938]).

9 See, for instance, Hevner et al. [2004], who reduce the goal of design to the solution of a clearly specified problem in a rather utilitarian manner.
However, these changes are interrelated, which raises the issues of reintegrating the separately treated entities of practices and technical mechanisms and exploring the role of contingencies in the development of practices. While there is no logically necessary connection between existing and future practices, the existence of contingencies does not make active participation in the development of practices obsolete. These contingencies are a precondition for reflective technology development (refer to Nett and Stevens [2008]) which conceptualizes new control mechanisms and identifies pragmatic references to existing control practices. Ironically, treating practices and technical mechanisms as separate entities allows relating them in an innovative manner. In Section 4, we will show how the CSAC perspective can be used to explore the design space of control mechanisms systematically. This exploration follows the CSCW design paradigm suggesting that a control mechanism can be used as a resource to support practice. Such a strategy could be understood as subordinating the design of technical mechanisms under the primacy of existing control practices. However, such an impression would represent a misunderstanding. In our approach, the analysis of access control practice actually plays the role of informing or sensitizing design-oriented theories (refer to Randall et al. [2007, p. 124]). Technological options should not be discarded just because there might not yet be any theories for corresponding practices. We thus use our understanding of control practices as a heuristic tool to search for innovative control mechanisms.

10 These difficulties are caused by the professional perspective of designers. To illustrate our argument, let us ask a designer who implements the Lampson mechanism about the implications for practice. If he answers by describing a use case similar to the anecdote presented by the external reviewer, one could ask: “If this is your use case, why does your system not support control at access time?” We might be intrigued by the use case as we could expect a direct linkage between the access control model and the presented practice. However, according to the concepts developed in this article, this should not be the job of a designer. He should rather present an artifact that causes reflection on yet unrealized opportunities.

4. RESEARCH IN COMPUTER SUPPORTED ACCESS CONTROL

In this section, we want to summarize and extend earlier findings from a CSAC perspective. Our work was guided by a dialectic process of studying practices and designing mechanisms concurrently. Practices inspired our design process for access control mechanisms which again sensitized our analytical lens [Stevens and Wulf 2002; Stiemerling and Wulf 2000, 1995, 1997a]. In this process, early conceptions of negotiation mechanisms within communication systems developed into a variety of access control mechanisms. Drawing on our earlier findings, we demonstrate how a CSAC research perspective can be practically applied to give details about design frameworks which go beyond Lampson. First, we show that control strategies that do not follow the “yes/no” paradigm (Section 4.1) exist in practice. Then, we analyze the underlying structure of the practices from a temporal (Section 4.2) and from an interactional perspective (Section 4.3). Third, we use the analysis of control practices to further explore the design space for access control mechanisms (Section 4.4). Finally, we conclude by working out basic requirements for the implementation of control mechanisms (Section 4.5).
4.1 Empirical Case Studies: Selected Results

We have conducted empirical case studies of the practices of controlling access to documents (refer to Stevens and Wulf [2002] and Stiemerling and Wulf [2000]). These studies were conducted in office as well as in engineering environments. We looked at the practices of access control on paper documents and at those on electronic documents protected by technical mechanisms. In the editorial office of a small newsletter we observed how employees regulated access to their physical mail boxes. The mail boxes were freely accessible in a hall. However, the spatial arrangement of the office principally allowed the employees to observe each other’s access [Stiemerling and Wulf 2000]. We also analyzed how external engineers accessed technical drawings in the central archives of a steel mill. The archives were only partly digitized. A variety of practices allowed external engineers to take out drawings while working on a maintenance engineering project for the mill. According to the official procedures, all relevant documents had to be handed out to the external service providers at the kick-off of the project. However, we found different practices which compensated for the case that the external engineers did not receive all the necessary documents. A fax form allowed them to request drawings. The request was checked by the internal engineers while the employees of the steel mill’s archive handed over the paper documents. We even found external engineers searching in the archives and taking out drawings by themselves. In these cases, a certain control was enforced by the presence of archive workers and the guardians at the steel mill’s external gate [Stevens and Wulf 2002].

We also investigated cases of computer supported access control. When introducing a groupware into a German federal ministry, we found that an inappropriately implemented access control policy could have prevented the appropriation of the whole application. In this case, the control policy granted access rights according to the position in the formal hierarchy of the organization. Superiors could see all documents of their subordinates. For legal and cultural reasons, this technical implementation was considered unacceptable within the organization. Since this policy was hard coded, we had to circumvent it in a first step by modeling the organizational hierarchy as fully flat. The design of a search tool on shared workspaces led to problems, as well. The search tool allowed finding and accessing all documents of all users of the groupware which were not explicitly categorized as being private. We had to reimplement the tool, because the users objected to it due to privacy considerations. Finally, a version was installed which allowed searching only within the privately owned folders and those shared with other users. However, occasionally there was the need to find documents which had already been passed to another user. In these cases, the employees asked their typists to conduct a search for them. Since the typists shared folders with all members of the work unit, they could access all shared documents of the unit [Stiemerling and Wulf 2000].
In a representative body of a German state at the federal capital, we found practices to circumvent access control policies in case of an employee’s absence. The employees left their password in a sealed envelope which was placed in a strongbox. The keys to the strongbox were kept by the system administrator and the department head. In urgent cases, employees could ask for permission to open a colleague’s sealed envelope. The system administrator or the department’s head would evaluate the request before handing out the password [Stiemerling and Wulf 2000].

The empirical findings show a wide variety of access control practices with regard to both paper and digital documents. The diversity of control practices in the physical world is obviously not yet taken sufficiently into account when designing access control systems. When looking at the usage of access control systems, we found a large variety of patterns of appropriating or even circumventing the implemented policies. Research in the domain of access control obviously has to take these practices into account. However, these practices do not always seem to be effective, since they are grounded in inappropriately designed technical mechanisms (refer to Stiemerling and Wulf [2000]). In the following, we want to analyze basic elements of access control practices to understand the design space in CSAC better. We will focus particularly on the temporal constitution of control and the pattern of interaction among the human actors.
Fig. 1. Temporal relationship between access attempt and the decision to legitimate access.
4.2 Analyzing Practices: Temporal Constitution of Control

The empirical findings indicate that the temporal constitution of access control shapes the document owner’s practice. We will therefore take a closer look at the temporal structure of the work practices which we have described in Section 4.1. In order to analyze these practices, we will refer to the point in time at which the access permissions are controlled (legitimacy of access). Figure 1 shows the temporal structure of the Lampson mechanism. There are three points in time to be distinguished, described next.

— Ex-Ante Control. The legitimacy has been defined before an access is attempted. The traditional access control research considers that ex-ante is the normal (and only) point in time at which users can decide whether an access will be legitimized. Such an understanding is reflected by formal rules within organizations which define access permissions regardless of a specific situation. These rules specify access control strategies ex-ante. Additionally, these rules typically do not grant permission to a person but to a structurally defined entity, such as a position or a role [Ferraiolo and Kuhn 1992]. Unsurprisingly, we find that the concept of ex-ante control represents the idealized case of cooperative work practice, in the sense of an espoused theory. In case of maintenance engineering, the internal engineer is supposed to collect all needed documents for the externals at the beginning of the project. These documents are regarded to be a sufficient base which enables the externals to fulfill their contracts. The idealized work practice then defines the ex-ante access control strategy: Externals do not have any permission to read or modify drawings except for those which were handed over at the beginning.
In case of the federal ministry, the idealized work practice allows employees to access only those documents which are shown on their desktop, either contained in their private folders or in shared ones. In this case, the idealized practice was even defined as part of a participatory design process (refer to Kahler [1996]) and resulted in an ex-ante control strategy which required changing the search tool’s implementation accordingly.

— Uno-Tempore Control. The permission is defined at the moment of the access attempt. Uno-tempore control strategies legitimize access in the context of a concrete situation. We can observe such ad hoc decisions in daily life where access is controlled by the user. In the case of the steel mill, the fax form required single case decisions when granting access to externals. Even in the case where certain administrative regularities are codified in an ex-ante manner, these regularities are used as resources rather than as algorithmic forces by the human actors who control access. In areas where traditional access control systems are in use, we have observed uno-tempore control practices empirically. In the dogmatic view of access control which does not distinguish between the technical enforcement of access control and the access control practice, such phenomena can only be described as bad practice or as being paradoxical. In case of the steel mill, an ex-ante strategy was enforced by a traditional access control system. In case externals needed an additional drawing, the internal engineers usually provided any requested drawing. However, they did not grant access permission to the entire electronic archive. In the state representative body, the password stored in the strongbox allowed overcoming the specified control policy at the moment access was required. In these cases, we observed a mismatch between the control practice and the configuration of the access control system. From the perspective of traditional access control, configurations of the access control system and work practice have to be assimilated. However, with regard to the terminology developed in this article, we can derive another interpretation of the observed phenomena. The described practices are a viable way to realize uno-tempore access control by means of a traditional access control system. In other words, the traditional perspective on access control misunderstands the role of its configuration. A restrictive configuration does not necessarily mean that accessing additional documents is illegitimate. In applying our definition of computer supported access control, we see that a restrictive configuration can be a viable way to support a situated access control practice by means of a traditional access control system.
With this in mind, uno-tempore access control can be realized by means of traditional access control systems. However, traditional access control systems do not support this control practice very well and force users to come up with their own error-prone and most likely inefficient temporary solutions. In the case of the steel mill, such a solution led to the creation of a fax template. If an external engineer needed any additional drawings, he would fill in the template and send a fax to his internal counterpart. However, this forces the users to switch between different applications and media. In addition, the temporary solutions reduce the traceability of access. Inside the access control system the access of externals is not recorded. For instance, a returning employee will not see which of his documents were accessed after his envelope has been opened.

— Ex-Post Control. Permissions are checked after access was granted. Ex-post control describes a realization in which the legitimacy of access is checked after it has taken place. There are different reasons why ex-post control is implemented in practice. Povey [1999] argues that ex-post control is economical when the costs of an illegitimate access are lower than those resulting from a highly restrictive access control. Moreover, ex-post control allows evaluating access from the perspective of future events. While a certain access may appear to be legitimate at the moment of its occurrence, this legitimacy may change in the light of later events. In case of the steel mill, an evaluation of historical access data would be helpful if suspicions about industrial espionage arose. In this case, the steel mill could reconsider the external offices’ past activities within the central archives. In case of the federal ministry, the workers could perceive who has searched and accessed their documents when they are confronted with details contained only in new versions of the document. Empirically, we found only restricted evidence for existing ex-post control. In case of the steel mill, system administrators automatically documented write access to the central archives. In that way, they created at least preconditions for a certain level of ex-post control. In case of the state representative body, a broken seal on the envelope indicated that the password had been used. Therefore, the affected person became aware and could ask the intruder to legitimate the access retrospectively.

Fig. 2. The patterns of interaction defined by three double-dyadic relationships: awareness, protection, and negotiation.

4.3 Analyzing Practices: The Pattern of Interaction

Beyond the temporal constitution of control, the empirical case studies indicate differences in the patterns of interaction between the three entities that constitute access control: the controller, the access seeker, and the resource. The triadic relationship between them can be described by a double-dyadic relationship. We can distinguish here between three different types of interaction which we call awareness, protection, and negotiation (refer to Figure 2). These basic types can be assembled into a more complex interaction pattern.

— Awareness. A pattern of interaction where the access to resources can (potentially) be observed by others to create accountability. Awareness does not protect resources from unauthorized access in a formal understanding. However, the opportunity that illegitimate access can be detected could have a restricting impact on people’s access behavior.
Awareness played an important role in controlling external engineers’ access to the steel mill’s archive. The external engineers were allowed to search the whole archive and take drawings out. However, the presence of the archive workers and the guardians at the gate imposed restrictions. The external engineers had to potentially justify their activities. In a similar way, access to the mail boxes in the editorial office was restricted. Employees would only access a box that belonged to somebody else in case they had justifiable reasons. Awareness is a pattern of interaction which becomes effective in uno-tempore settings. However, it is also effective as an ex-post mechanism. In the state representative body, the passwords are sealed in envelopes. A broken seal indicates that the password had been used.

— Protection. A pattern of interaction in which a controller safeguards a resource, regulates access, and decides on the legitimacy of other actors’ access. This practice protects documents from unauthorized access. Legitimacy is defined by the resource owner and can be partly realized by technical means. Protection is the standard practice when the Lampson mechanism is applied. However, even practices which enhance the flexibility of the Lampson mechanism are typically based on the protection of resources. In case of the state representative body, the users’ passwords are protected in a strongbox. In case of the steel mill’s control practice based on a fax form, the drawings are protected and the external engineers need to request access while the internal engineers decide on the legitimacy. Palen and Dourish [2003] describe similar practices. Office workers protect the content of their computer screens and certain types of papers by spatial arrangements in their office which do not allow visitors to perceive them easily. The legitimation of access can happen in an ex-ante, an uno-tempore, and to some extent an ex-post manner. While the fax form is an example of uno-tempore legitimation, the specification of an access policy on the steel mill’s database is an ex-ante mechanism. In case access is legitimated in an uno-tempore manner, the resource owner needs to become aware of the access attempt. For instance, an incoming fax makes the internal engineer aware of the external attempt. An ex-post protection practice allows any access to a resource. There seems to be no formal protection. However, the resource is protected from manipulation of the content since changes can be revoked later on. Povey’s [1999] optimistic security concept is an example of such an ex-post protection.

— Negotiation.
A pattern of interaction where human actors can negotiate the legitimacy of an access claim to resources. Negotiations are held between the controllers (the actors who have the access rights to a certain resource) and the access seeker, who claims access. In the federal ministry, the access seeker needs to convince the secretaries to carry out a search on his colleagues’ documents. In case of the state representative body, an access seeker needs to convince the responsible person to open the strongbox and hand out the password. Negotiations can be conducted ex-ante, uno-tempore, and ex-post, regarding the access claim. Negotiations typically happen when one of the actors protects the documents. The two examples given earlier illustrate this. However, this is not a necessary condition, but negotiations usually make the owner aware of the access claims.

4.4 Exploring the Design Space

Having analyzed practices of access control empirically, we now want to explore the design space for technical mechanisms which can be used by human actors as a resource to support their control practices. While there is no straightforward deduction of technical mechanisms from an empirical analysis (see Section 3.3), these findings can explicate constraints and stimulate creativity. Hereafter, we will follow a specific approach to give details about the design space. We create and classify technical mechanisms for access control by referring to the concepts extracted from our analytical understanding of practices, as described before. If the owner of a resource is not aware, or will not become aware, of an (intended) access, the only option for access control is the Lampson mechanism. Moving beyond Lampson by supporting uno-tempore or ex-post control requires a certain level of awareness. Due to the nature of digital (storage) media and the distribution of most cooperative work settings, awareness almost always needs to be supported by technical means. In case the owner becomes aware of an actual or an intended access, the technical control mechanism can provide him with the right to intervene. The right to intervene can be realized in an uno-tempore mode. This means that access can only happen after the controller has granted permission. In the case of uno-tempore control, the users involved may want to discuss the legitimacy of the access (e.g., the need for an access claim). The required communication channel may be realized as a part of the access control mechanism. In case the communication channel is integrated into the control mechanism, a structured communication pattern enables the system to detect the outcome of the negotiation (refer to Wulf [1997b] and Wulf et al. [1999]). Uno-tempore access control mechanisms are characterized by the fact that the access in question and the point in time at which the owner becomes aware of it are well specified. With regard to both issues, supporting ex-post control practices offers a larger design space. The owner can control access ex-post at any time and the control can be applied to any access that has occurred in the past.
Therefore, we can distinguish between two ex-post awareness mechanisms: (1) monitoring access peripherally and (2) checking access histories. In the first case, the activity is triggered by an external access, while in the second case an internal suspicion that an illegitimate access has occurred is required. Nevertheless, both activities benefit from the traceability of past events, which highlights suspicious access.¹¹ Therefore, we subsume these types of ex-post awareness mechanism under the category of “traceability”. We can differentiate between two more dimensions in the design space for ex-post mechanisms. For some types of illegitimate access, such as “write” operations, restoration can take place within the system, for example, by tracking the changes. Restorability is the primary focus of the concept of optimistic access control (refer to Povey [1999]). Another type of ex-post intervention urges the controller to identify the intruder and inform him that the access will be penalized. Therefore, ex-post mechanisms may contain a channel of communication that allows users to question accesses which have already taken place. Table I depicts the design space for technical mechanisms of access control. An earlier version of the design framework was published in Stiemerling and Wulf [2000]. It was mainly based on a classification of the different modes of interaction without taking the temporal constitution of access control into

¹¹ The definition of strategies to identify suspicious access is out of the scope of this article. However, finding these patterns is an important yet open issue in computer supported access control.

ACM Transactions on Computer-Human Interaction, Vol. 16, No. 3, Article 12, Publication date: September 2009.
Table I. Exploring the Design Space of Technical Mechanisms to Support Access Control Practices

              Ex-ante             Uno-tempore       Ex-post
Awareness     X                   Visibility        Traceability
Protection    Lampson mechanism   Controllability   Restorability
Negotiation   X                   Negotiability     Discussability
account. In the following we give a brief description of the different technical mechanisms, which need to be understood as resources for control practices.

— Lampson Mechanism. The Lampson mechanism requires the controller to define the access policy before the actual access takes place. Access control is handled according to the previously specified strategy.
— Visibility. Visibility supports uno-tempore access control by informing the controller actively while an access attempt occurs. The user can specify the conditions under which he wants to be informed about an access.
— Controllability. Controllability supports uno-tempore control after the controller is aware of an intended access. Access is granted when the controller explicitly gives permission. Communication among the individuals is not supported as a part of the technical mechanism.
— Negotiability. Negotiability characterizes a case in which the controller becomes aware of an intended access. A channel of communication is built into the control mechanism. The channel supports discussions about the access condition among individuals.¹²
— Traceability. Traceability supports ex-post access control. It enables a controller to evaluate whether an illegitimate access has occurred and shows who was responsible for it. Technical means to support traceability include elements of workspace awareness relating to past events [Fuchs et al. 1996; Gutwin and Greenberg 2002]. Automatically generated reports allow users to study the history of past events. Beyond that, traceability can support the activity of access mining, which is triggered by the controller himself.
— Restorability. Restorability supports ex-post control by enabling resource owners to undo the effects of an illegitimate access. The applicability of this mechanism is primarily restricted to write access. It is typically implemented by a version control system. In certain cases, the concept of restorability helps in relaxing restrictive access control strategies and in supporting ex-post protection. For instance, most Wiki systems implement this kind of ex-post control in regulating write access.
— Discussability. Discussability is used in combination with the mechanism of traceability. A communication channel is additionally integrated into this access control mechanism. As with all mechanisms supporting ex-post control, an intervention against the access is not technically implemented.

¹² In practice, we think that negotiability will be implemented in combination with the controllability mechanism to deal with access requests. However, from a theoretical point of view a separate implementation is also possible.
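As an added illustration (not code from the paper, nor from ADOS-X or CURE), the following Python sketch assembles the mechanisms of Table I around one shared resource: an ex-ante Lampson matrix, visibility and controllability for uno-tempore decisions, and traceability, restorability and discussability ex-post, in the flexible combination that Section 4.5 asks for. The class and method names and the steel-mill scenario in demo() are hypothetical constructions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
@dataclass
class AccessEvent:
    seq: int                         # position in the history (1-based)
    actor: str
    op: str                          # "read" or "write"
    decision: str                    # allowed|denied|pending|granted|refused|reverted
    justification: str = ""         # the requester's claim of need (negotiability)
    version: Optional[int] = None    # index into Resource.versions, writes only
    comments: List[str] = field(default_factory=list)   # ex-post discussion (discussability)
class Resource:
    # A shared document around which its owner assembles the CSAC mechanisms
    # (hypothetical class, not from the paper, ADOS-X or CURE).
    def __init__(self, owner: str, content: str,
                 policy: Dict[Tuple[str, str], str],
                 notify: Optional[Callable[[AccessEvent], None]] = None):
        self.owner = owner
        self.versions: List[str] = [content]        # restorability
        self.policy = policy                        # ex-ante Lampson matrix: (actor, op) -> allow|ask|deny
        self.notify = notify or (lambda ev: None)   # visibility hook toward the owner
        self.history: List[AccessEvent] = []        # traceability
        self.pending: Dict[int, Tuple[str, str, Optional[str]]] = {}  # controllability queue

    @property
    def content(self) -> str:
        return self.versions[-1]

    def _record(self, actor, op, decision, justification="", version=None):
        ev = AccessEvent(len(self.history) + 1, actor, op, decision, justification, version)
        self.history.append(ev)
        self.notify(ev)          # the owner learns of every attempt while it happens
        return ev

    def _apply(self, actor, op, payload, justification, decision):
        version = None
        if op == "write":        # reads change nothing, so only writes get a version
            self.versions.append(payload)
            version = len(self.versions) - 1
        return self._record(actor, op, decision, justification, version)

    # ex-ante (Lampson) and uno-tempore (controllability, negotiability)
    def request(self, actor, op, payload=None, justification=""):
        rule = self.policy.get((actor, op), "deny")   # unknown pairs are denied ex-ante
        if rule == "allow":
            return self._apply(actor, op, payload, justification, "allowed")
        if rule == "ask":                              # hold the access until the owner decides
            ev = self._record(actor, op, "pending", justification)
            self.pending[ev.seq] = (actor, op, payload)
            return ev
        return self._record(actor, op, "denied", justification)

    def decide(self, seq: int, grant: bool):
        # Owner's uno-tempore decision on the pending request recorded as event seq.
        actor, op, payload = self.pending.pop(seq)
        claim = self.history[seq - 1].justification
        if grant:
            return self._apply(actor, op, payload, claim, "granted")
        return self._record(actor, op, "refused", claim)

    # ex-post (traceability, restorability, discussability)
    def audit(self, suspicious: Callable[[AccessEvent], bool]) -> List[AccessEvent]:
        return [ev for ev in self.history if suspicious(ev)]   # owner's own notion of suspicious

    def revert(self, seq: int):
        # Undo a past write by re-instating the state before it (later writes go too).
        ev = self.history[seq - 1]
        if ev.version is None:
            raise ValueError("only write accesses can be reverted")
        self.versions.append(self.versions[ev.version - 1])
        return self._record(self.owner, "write", "reverted", f"undo #{seq}", len(self.versions) - 1)

    def discuss(self, seq: int, author: str, text: str) -> AccessEvent:
        ev = self.history[seq - 1]           # question a past access; no technical intervention
        ev.comments.append(f"{author}: {text}")
        return ev
def demo():
    # Constructed scenario modelled on the steel-mill case: the external engineer may
    # read drawings ex-ante but must ask before writing; a contractor has no rule at all.
    seen: List[AccessEvent] = []                   # what the owner got to see (visibility)
    doc = Resource("internal_engineer", "drawing v1",
                   policy={("external_engineer", "read"): "allow",
                           ("external_engineer", "write"): "ask"},
                   notify=seen.append)
    doc.request("external_engineer", "read")
    req = doc.request("external_engineer", "write", "drawing v2",
                      justification="need to update the bearing tolerance")
    doc.decide(req.seq, grant=True)                # owner grants ad hoc (uno-tempore)
    doc.request("contractor", "write", "defaced")  # no ex-ante rule: Lampson denies
    return doc, seen
```

Note that, as in the paper's taxonomy, the ex-post methods never block an access: audit() only surfaces events, revert() adds a new version rather than rewriting history, and discuss() attaches talk to the record.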
4.5 Basic Requirements for a CSAC System

The classification scheme for technical mechanisms indicates that Lampson’s approach is limited since it restricts computer supported access control to a single mechanism. To overcome this shortcoming, the different implementations of computer supported access control should at least fulfill the following requirements:

— CSAC systems should integrate different mechanisms covering the spectrum from ex-ante to ex-post control. In practice, users control access at different points in time. In the case of the steel mill, external demands for additional drawings were expressed via fax, phone, or email. The internal engineers decided ad hoc whether and to which extent they would allow the actual access. This uno-tempore control complemented the Lampson mechanism. In addition, the system administrators recorded all write events in log-files in order to allow for ex-post access control. Although users apply various media at different points in time to control access, current implementations do not integrate such approaches. As a result, existing CSAC systems do not offer sufficient flexibility to support users in choosing the appropriate control strategy.
— CSAC systems should make human actors aware of access attempts and support visibility and traceability. In our case studies, we identified several practices which ensure awareness of external access, for instance, physical presence or ordering by fax. However, these realizations of awareness are not integrated into the access control system. As a result, enforcing this strategy requires additional effort, for example, switching between email and the electronic archive application. Therefore, efficient access awareness should be an integral part of a CSAC system. In addition, a CSAC system should support users in tracing access to their resources.¹³
— CSAC systems should provide channels of communication. Whether an access attempt is legitimate is not always obvious. It is often the outcome of a discussion process among human actors. When external access rights become visible, opportunities for negotiation can emerge. For instance, when access to the strongbox is requested, its legitimacy needs to be explained and negotiated. A CSAC system should integrate communication channels for two reasons. First, the negotiation and discussion process will be more efficient if communication takes place inside the CSAC system, because less effort is spent switching between media. Second, the negotiation process can be related to its final outcome and stored inside the CSAC system to increase traceability. Thus, traceability can be improved by offering additional information about the circumstances of an access.
— CSAC systems should support an assembly of different mechanisms. When exploring the design space, it appeared useful to allow the combination of different control mechanisms, such as traceability and negotiability. In the empirical case studies, we observed that certain control practices consist of

¹³ This requirement can also be motivated by the way access is controlled in Wikipedia. Much effort goes into identifying suspicious entries, that is, illegitimate write accesses.
a combination of different basic elements. These elements could have been technically implemented or realized via social protocols. The analysis of the control practices as well as the exploration of the design space indicate that a CSAC system should allow users to flexibly take over certain aspects of control and configure the technical mechanisms accordingly. Thus, control mechanisms need to be broken down into software modules which can be configured flexibly.

Recent implementations of CSAC systems in the CSCW community already realize some of the requirements mentioned before. ADOS-X, the prototype developed for the steel mill, has broken its implementation down into components [Stevens et al. 2006; Stevens and Wulf 2002]. The assembly of these components allows realizing most of the technical control mechanisms described earlier. ADOS-X applies a paper flow metaphor to support system administrators or users in understanding the meaning of the different components and their assembly. That enables actors without programming skills to tailor control mechanisms which support their specific practices. CURE implements some of the mentioned control mechanisms in an innovative way. It enhances ex-ante control mechanisms by introducing temporal restrictions, allowing users “to grant access rights only for temporal restrictions” [Haake et al. 2004, p. 557]. It also implements negotiability in an interesting way: Every room (which represents the resource to be controlled within CURE) is equipped with a button which opens a communication channel to the key holders (owners) of the room. This feature supports a smooth transition between ex-ante and uno-tempore control. While not an integral part of the access control system, CURE, like other groupware systems such as BSCW or Wiki systems, offers additional features which can be used to control access. For instance, CURE offers a history feature which supports traceability, as well as a versioning feature which supports restorability. Implementations like ADOS-X or CURE can be seen as a proof by construction [Nunamaker et al. 1991]. They indicate that the CSAC paradigm is not just interesting from a theoretical but also from a design perspective. However, the design of control mechanisms and their empirical evaluation is still at an early stage.

5. CONCLUSION

Overcoming the traditional understanding in computer science, we tried to reconceptualize the issue of access control on a theoretical, methodological, and practical level. On a methodological level, we conducted investigations of real-world practices of access control following the tradition of action research [Nett and Stevens 2008; Wulf and Rohde 1995] and interpreting the empirical findings from a situated action perspective [Suchman 1987]. Our theoretical stance is influenced by Wittgenstein and his reflection on rules. Taking his considerations into account, we distinguish categorically between the rule-governed behavior of an access control practice constituted by its competent members and the rule-governed behavior of an algorithmic access control system (see also
Winch [1958, chapter 3]). We elaborate this perspective from a critical research position, perceiving access control practices as a dialectic unit of control intent and the technical means to realize it. By applying this perspective, we were able to demonstrate empirical and theoretical limitations of the traditional approaches to access control research. At the time Lampson [1974] published his seminal work, access control research mainly focused on technical issues, neglecting the social embedding of control systems. Focusing on the technical aspect, this school of thinking assumes, at least implicitly, that users are able to specify ex-ante an algorithm which distinguishes between allowed and forbidden operations. On a theoretical level, this view does not consider the relationship between access control practices and computational access control mechanisms. In particular, this school of thinking takes for granted that routine control activities can always be conducted automatically, a theoretical position which can be traced back to Turing [1950]. In contrast, Suchman [1987] argued that this assumption is generally not valid and needs to be evaluated in practice. Case studies in different organizational settings revealed that there is a large variety of different control practices (refer to Stevens and Wulf [2002], Stiemerling and Wulf [2000], and Wulf [1997, 1995a]). Interpreting these findings from Suchman’s [1987] perspective, it becomes evident that ignoring the situatedness of control activities and the interaction between technical artifacts and human action causes conceptual and practical problems. To tackle these problems, we need to reconsider the automation paradigm of traditional access control research. By uncovering these assumptions and their implications, research in computer supported access control gains new momentum. In particular, it allows overcoming the automation paradigm.

Taking the new perspective into practice, we have developed the CSAC design paradigm, which can be summarized by the basic principle: CSAC systems should not automate but support control practices. Exploring the design space, we developed a classification of CSAC mechanisms along two dimensions: (a) according to their temporal constitution, and (b) according to the pattern of interaction. With this in mind, CSAC systems should not merely implement the Lampson mechanism but support control practices at different points in time and make access attempts visible, controllable, and even negotiable. Since visibility is the precondition for all additional post-Lampson mechanisms, our results strongly suggest linking the research agenda on access control with the one on awareness [Heath and Luff 1991]. These research fields have so far developed rather independently. In addition, we believe that it is worthwhile to compare our findings with the work on privacy. Palen and Dourish [2003] understand privacy management, in the sense of controlling access to the self, as a dynamic response to circumstances rather than a static enforcement of rules. While there are considerable similarities in the basic assumptions, we need to improve our understanding of the specifics of access control practices for documents compared to those for human actors and their personal data. Controlling access to shared resources can be seen as an aspect of articulation work [Strauss 1988]. In this sense our access control framework can be
understood as a particular instance of coordination mechanisms [Schmidt and Simone 1996]. On a design level, different post-Lampson control systems, such as ADOS-X [Stevens and Wulf 2002] or CURE [Haake et al. 2004], already provide “proofs by construction” [Nunamaker et al. 1991]. On an empirical level, we are not aware of any investigation of the appropriation of post-Lampson mechanisms in practice. We therefore need to gain more insight into the appropriation of specific CSAC mechanisms in different types of control settings. Such findings could stimulate the emergence of additional design concepts. Ackerman [2000] claims that the gap between “what we must support socially” and “what we can support technically” is the central challenge in CSCW. Our work can be seen as an elaboration on the socio-technical gap for the case of access control. Beyond that, the dialectic treatment of practices and technical artifacts offers a theoretical and practical framework for a broader spectrum of design problems in CSCW.

REFERENCES

ACKERMAN, M. 2000. The intellectual challenge of CSCW: The gap between social requirements and technical feasibility. Hum.-Comput. Interact. 15, 179–203.
ADAMS, A. AND SASSE, M. A. 1999. Users are not the enemy: Why users compromise security mechanisms and how to take remedial measures. Comm. ACM 42, 41–46.
ALTMANN, I. 1975. The Environment and Social Behavior: Privacy, Personal Space, Territory and Crowding. Brooks/Cole Publishing, Monterey, CA.
BANNON, L. 1993. CSCW: An initial exploration. Scandinav. J. Inform. Syst. 5, 3–24.
BELLOTTI, V. AND SELLEN, A. 1993. Design for privacy in ubiquitous computing environments. In Proceedings of the European Conference on Computer-Supported Cooperative Work (ECSCW’93). Kluwer, 77–92.
BOWEN, S. J. 2007. Crazy ideas or creative probes? Presenting critical artefacts to stakeholders to develop innovative product ideas. In Proceedings of EAD07: Dancing with Disorder: Design, Discourse and Disaster.
BRATTETEIG, T. 2003. Making change: Dealing with relations between design and use. University of Oslo.
CLARK, D. D. AND WILSON, D. R. 1987. A comparison of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Security and Privacy. 184–194.
COULOURIS, G., DOLLIMORE, J., AND ROBERTS, M. 1998. Secure communication in non-uniform trust environments. In ECOOP Workshop on Distributed Object Security.
CRANOR, L. AND GARFINKEL, S. 2005. Security and Usability: Designing Secure Systems That People Can Use. O’Reilly, Sebastopol, CA.
DEPARTMENT OF DEFENSE. 1985. Trusted computing evaluation criteria. National Computer Security Center. http://en.wikipedia.org/wiki/National Computer Security Center
DEWAN, P. AND SHEN, H. 1998a. Controlling access in multiuser interfaces. ACM Trans. Comput.-Hum. Interact. 5, 34–62.
DEWAN, P. AND SHEN, H. 1998b. Flexible meta access-control for collaborative applications. In Proceedings of the ACM Conference on Computer Supported Cooperative Work (CSCW’98). 247–256.
DEWEY, J. 1938. Logic: The Theory of Inquiry. Henry Holt and Company.
DOURISH, P. 1993. Culture and control in a media space. In Proceedings of the European Conference on Computer-Supported Cooperative Work (ECSCW’93). Kluwer, 133–146.
DOURISH, P. 2006. Implications for design. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI’06). 541–550.
DOURISH, P., GRINTER, R., DELGADO DE LA FLOR, J., AND JOSEPH, M. 2004. Security in the wild: User strategies for managing security as an everyday, practical problem. Personal Ubiq. Comput. 8, 391–401.
DUNNE, A. AND RABY, F. 2001. Design Noir: The Secret Life of Electronic Objects. Birkhäuser, Basel.
EDWARDS, K. 1996. Policies and roles in collaborative applications. In Proceedings of the ACM Conference on Computer-Supported Cooperative Work (CSCW’96). ACM Press, 11–20.
EHN, P. 1990. Work-Oriented Design of Computer Artifacts. Lawrence Erlbaum Associates.
ELLIS, C. A., GIBBS, S. J., AND REIN, G. L. 1991. Groupware—Some issues and experiences. Comm. ACM 34, 38–58.
FERRAIOLO, D. AND KUHN, R. 1992. Role-based access control. In Proceedings of the NIST-NSA National (USA) Computer Security Conference. 554–563.
FUCHS, L., SOHLENKAMP, M., GENAU, A., KAHLER, H., PFEIFER, A., AND WULF, V. 1996. Transparenz in kooperativen Prozessen: Der Ereignisdienst in POLITeam. In Proceedings of the Herausforderung Telekooperation: Fachtagung Deutsche Computer Supported Cooperative Work. Springer, 3–16.
GAVER, W., MORAN, T., MACLEAN, A., LÖVSTRAND, L., DOURISH, P., CARTER, K., AND BUXTON, W. 1992. Realizing a video environment: EuroPARC’s RAVE system. In Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems (CHI’92). ACM Press, 27–35.
GREIF, I. AND SARIN, S. 1986. Data sharing in group work. In Proceedings of the 1st Conference on Computer-Supported Cooperative Work (CSCW). ACM Press, 175–183.
GRINTER, R. AND PALEN, L. 2006. Chatting with teenagers: Considering the place of chat technologies in teen life. ACM Trans. Comput.-Hum. Interact. 13, 423–447.
GRINTER, R. E. AND PALEN, L. 2002. Instant messaging in teen life. In Proceedings of the ACM Conference on Computer-Supported Cooperative Work. 21–30.
GUTWIN, A. AND GREENBERG, S. 2002. A descriptive framework of workspace awareness for real-time groupware. Int. J. Comput.-Support. Coop. Work 11, 411–446.
HAAKE, J., HAAKE, A., SCHÜMMER, T., BOURIMI, M., AND LANDGRAF, B. 2004. End-user controlled group formation and access rights management in a shared workspace system. In Proceedings of the ACM Conference on Computer-Supported Cooperative Work (CSCW’04). ACM Press, 554–563.
HEATH, C. AND LUFF, P. 1991. Collaborative activity and technological design: Task coordination in London Underground control rooms. In Proceedings of the European Conference on Computer-Supported Cooperative Work.
HEVNER, A. R., MARCH, S. T., PARK, J., AND RAM, S. 2004. Design science in information systems research. MIS Quart. 28, 75–105.
KAHLER, H. 1996. Developing groupware with evolution and participation: A case study. In Proceedings of the Participatory Design Conference. 173–182.
LAMPSON, B. 1974. Protection. ACM Oper. Syst. Rev. 8, 18–24.
LAMPSON, B. W. 2000. Computer security in the real world. In Proceedings of the 16th Annual Computer Security Applications Conference. Applied Computer Security Associates (ACSA).
NETT, B. AND STEVENS, G. 2008. Business ethnography—Aktionsforschung als Beitrag zu einer reflexiven Technikgestaltung (Business ethnography—Action research as a contribution to a reflective technique development). In Science Theory and Design-Oriented Information Science. Institut für Wirtschaftsinformatik, Westfälische Wilhelms-Universität Münster, 48–68.
NEUWIRTH, C., KAUFER, D. S., CHANDHOK, R., AND MORRIS, J. H. 1994. Computer support for distributed collaborative writing: Defining parameters of interaction. In Proceedings of the ACM Conference on Computer-Supported Cooperative Work (CSCW’94). ACM Press, 145–152.
NUNAMAKER, J., CHEN, M., AND PURDIN, T. D. M. 1991. Systems development in information systems research. J. Manage. Inform. Syst. 7, 89–106.
OEVERMANN, U., ALLERT, T., KONAU, E., AND KRAMBECK, J. 1979. Die Methodologie einer ‘objektiven Hermeneutik’ und ihre allgemeine forschungslogische Bedeutung in den Sozialwissenschaften. In Interpretative Verfahren in den Sozial- und Textwissenschaften, H.-G. Soeffner, Ed. Metzler, Stuttgart, 352–434.
OLSON, J., GRUDIN, J., AND HORVITZ, E. 2005. A study of preferences for sharing and privacy. In Proceedings of the ACM Conference on Computer Human Interaction (CHI’05): Late Breaking Results: Short Papers. ACM Press, 1985–1988.
PADAYACHEE, K., ELOFF, J. H. P., AND SERGOT, M. 2007. Enhancing optimistic access controls with usage control. In Trust, Privacy and Security in Digital Business. Springer, Berlin, 75–82.
PALEN, L. AND DOURISH, P. 2003. Unpacking privacy in a networked world. In Proceedings of the ACM Conference on Computer Human Interaction (CHI’03). ACM Press, 129–136.
POVEY, D. 1999. Optimistic security: A new access control paradigm. In Proceedings of the Workshop on New Security Paradigms. ACM Press, 40–45.
RANDALL, D., HARPER, R., AND ROUNCEFIELD, M. 2007. Fieldwork for Design: Theory and Practice. Springer Verlag GmbH.
REICHERTZ, J. 2004. Objective hermeneutics and hermeneutic sociology of knowledge. In Companion to Qualitative Research, U. Flick, Ed. Sage, London, 290–296.
RISSANEN, E. AND FIROZABADI, B. S. 2006. Towards a mechanism for discretionary overriding of access control. In Security Protocols. Springer, Berlin, 312–319.
RITTEL, H. AND WEBBER, M. 1973. Dilemmas in a General Theory of Planning. Elsevier Scientific Publishing, Amsterdam.
SCHMIDT, K. 1991. Riding a tiger, or computer supported cooperative work. In Proceedings of the 2nd European Conference on Computer-Supported Cooperative Work (ECSCW’91), L. Bannon et al., Eds. Kluwer Academic, Amsterdam, 1–16.
SCHMIDT, K. AND SIMONE, C. 1996. Coordination mechanisms: Towards a conceptual foundation of CSCW systems design. Int. J. Comput.-Support. Coop. Work 5, 155–200.
SHALIN, D. N. 1991. The pragmatic origins of symbolic interactionism and the crisis of classical science. Studies Symb. Interact. 11, 226–258.
SHEN, H. AND DEWAN, P. 1992. Access control for collaborative environments. In Proceedings of the ACM Conference on Computer-Supported Cooperative Work. ACM Press, 51–58.
SIKKEL, K. 1997. A group-based authorization model for computer-supported cooperative work. In Arbeitspapiere der GMD. GMD, Sankt Augustin.
STEVENS, G., QUAISSER, G., AND KLANN, M. 2006. Breaking it up: An industrial case study of component-based tailorable software design. In End User Development, H. Lieberman et al., Eds. Springer, 269–294.
STEVENS, G. AND WULF, V. 2002. A new dimension in access control: Studying maintenance engineering across organizational boundaries. In Proceedings of the ACM Conference on Computer-Supported Cooperative Work (CSCW’02). ACM Press, 196–205.
STIEMERLING, O. AND WULF, V. 2000. Beyond ‘yes or no’—Extending access control in groupware with awareness and negotiation. Group Decision Negotiation 9, 221–235.
STRAUSS, A. 1988. The articulation of project work: An organizational process. Sociolog. Quart. 29.
SUCHMAN, L. 1987. Plans and Situated Actions: The Problem of Human-Machine Communication. Cambridge University Press, Cambridge, UK.
TURING, A. 1950. Computing machinery and intelligence. Mind LIX, 433–460.
WINCH, P. G. 1958. The Idea of a Social Science and its Relation to Philosophy. Routledge and Kegan Paul, London.
WULF, V. 1995. Negotiability: Handling access to data in groupware. Behav. Inform. Technol. 14, 143–151.
WULF, V. 1997a. Handling conflicts in groupware: Concepts and experiences made in the POLITeam project. In Proceedings of Human Computer Interaction (INTERACT’97), S. H. Howard and J. Lindgaard, G., Eds. Chapman and Hall, 485–492.
WULF, V. 1997b. Konfliktmanagement bei Groupware. Vieweg, Braunschweig.
WULF, V. 1999. Conflicts and negotiation in multi-user applications. In Encyclopedia of Microcomputers, A. Kent and J. G. Williams, Eds. Marcel Dekker, New Basel, 63–88.
WULF, V. AND HARTMANN, A. 1994. The ambivalence of networks’ visibility in an organizational context. In NetWorking: Connecting Workers In and Between Organizations, A. Clement et al., Eds. North Holland, Amsterdam, 143–152.
WULF, V., PIPEK, V., AND PFEIFER, A. 2001. Resolving function-based conflicts in groupware systems. AI Soc. 15, 233–262.
WULF, V. AND ROHDE, M. 1995. Towards an integrated organization and technology development. In Proceedings of DIS’95. ACM Press, 55–64.
WULF, V., STIEMERLING, O., AND PFEIFER, A. 1999. Tailoring groupware for different scopes of validity. Behav. Inform. Technol. 18, 199–212.

Received November 2006; revised January 2009; accepted July 2009 by Prasun Dewan