In this work we ask the question: what are the challenges of managing a physical or file system access-control policy for a large organization? To answer the question, we conducted a series of interviews with thirteen administrators who manage access-control policy for either a file system or a physical space. Based on these interviews we identified three sets of real-world requirements that are either ignored or inadequately addressed by technology: 1) policies are made/implemented by multiple people; 2) policy makers are distinct from policy implementers; and 3) access-control systems don't always have the capability to implement the desired policy. We present our interview results and propose several possible solutions to address the observed issues.

Author Keywords: Access control, policy creation

ACM Classification Keywords: D.4.6 Security and protection, K.4.3 Organizational Impacts, K.6.5 Authentication

Lujo Bauer, Lorrie Faith Cranor, Robert W. Reeder,