Access control design: Avoiding a labyrinth of unknown-unknowns

When building multi-user systems we often need to deny access, to certain areas for certain users. Over the years I’ve come to realize that we ought to do this as transparently as possible.

Case in point, I once encountered a workplace where they had just installed a new and secure network file system™. All users had received access to a folder structure housing important workplace files.

One important detail though, was that if you didn’t have access to folders you would simply not see them. This was a source of frequent confusion, because in various conversations people would mention files which not everyone had access to.

When requesting access to folders, instructions would sometimes be misunderstood, and users could receive a thumbs-up that they had been given access, and much later learn that they mistakenly had not been given access to all the requested folders. On one hand users were told to read up on workplace documentation, and on the other hand they risked not having enough access. Beyond confusion and frustration, this also threatened to seed workplace mistrust.

Users should know what they don’t have access to: I’d argue that this is a decent rule-of-thumb when designing access controls. In the aforementioned case they could have implemented a rule, where all users should at least be able to see all folders, including the inaccessible ones. This would have made it possible for users to easily see if they had access to everything they needed, and request missing access grants by naming concrete folder names. Naturally, it should be made clear that no folder names could contain sensitive information with this approach.

Users should know exactly what’s missing to get access: Building on the previous point, users should also be able to easily learn exactly what type of access is required, to access a given inaccessible system. Maybe they simply need to name the folder they want access to, or maybe their workplace user just need to be granted a particular access role.

For programmers it’s very easy to hide large parts of the system based on the user’s role, with no explanations. Users are then left to fend for themselves. In the best case users haphazardly learn what accesses they lack and get them granted, or in the worst case they waste a lot of time sussing out missing accesses, all the while fearing ridicule.