Effective Collaboration in the Management of Access Control Policies: A Survey of Tools

Abstract

Access control (AC) tools implement security policies for controlling access to various assets, including file systems, physical resources, and social media posts. They are also used as pedagogical tools for exploring and understanding intricate details of complex security policies. However, current tools are not developed based on the actual needs of security and policy professionals. They are not equipped to support basic and vital operations like providing a policy overview, policy comparisons, identifying and resolving policy conflicts. In this paper, we explore (a) the specific challenges faced in the collaboration between access control policy makers and implementers, and (b) the limitations that current tools have towards addressing these challenges. We argue that a lack of effective collaboration between policy makers and implementers may lead to a misunderstanding of security policy semantics. The main reason for this problem is that policy makers and implementers use different technical languages for communication. The lack of a common technical language leads to a miscommunication between the two parties. The key aim of our work is to review the currently available research-based access control tools and to identify their pros and cons. To accomplish this, we have reviewed a set of access control tools that have a wide variety of features and applications. We have also identified a set of tasks that these access control tools possess to help the work of policy professionals who are involved in the creation, management and maintenance of security policies. We also compared the functionalities of these tools, the different types of security policies that they support, and their visualizations. Together, these comparisons provide a clear understanding of what current access control systems lack and how they can be improved in order to support effective collaboration between policy makers and policy implementers. We have also found that many of these tools could be more accessible to non-technical policy professionals to understand the semantics of security policies if these tools provide features for visualizing security policies.