RBAC What? Development of a Role-Based Access Control Policy Writing Tool for E-Scientists

By Sacha Brostoff, M. Angela Sasse, David W. Chadwick, James Cunningham, Uche Mbanaso and Sassa Otenko


A lightweight role-based access control policy authoring tool was developed for e-Scientists, a community for which access policies have to be implemented for an increasingly heterogeneous group of local and remote users. Two fundamental problems were identified: (1) lack of understanding of what the policy components are (i.e. how authorization policies are structured), and (2) lack of understanding of the underlying policy paradigm (i.e. what should go into the policy, and what should be left out). Conceptual design (CD) techniques were used to revise the user interface (UI) labels so that e-Scientists and developers were better able to describe access policy components from their labels, and to match labels with components (t = 6.28, df = 7, p = 0.000 two-tailed). CD, instructional text, bubble help, UI behaviour and alert boxes were used to shape users' models of the policy paradigm. The final prototype improved users' efficiency and effectiveness: it more than doubled the speed with which expert users could write authorization policies, and it enabled users without specialist security knowledge to overcome the policy paradigm and components problems, allowing them to complete 80% of basic and 75% of advanced authorization policy-writing tasks in a usability trial.

Topics: QA76
Year: 2004