Access control: stay simple

Once a web-based product reaches a certain level of maturity, the question of access control rears its head. Say you are making a resource available – who has access to see it? Who has access to edit it?

There are two rough categories of solutions to this problem. The first, more techie and complex, solution is: “let the user decide everything”. Let's say you can perform different operations on a resource (edit, copy, share, ...) – the user decides what level of access each user or group of users gets. This quickly evolves into complex feature lists, each individually controlled by toggling it on or off for a complex user hierarchy and groups. A sample of this is live in your desktop operating system:

File permissions in MS Windows

The file permission dialog box in Windows includes seven different feature toggles, and this is just in the “simplified” control. The horrors lie dormant under an innocent “advanced” button.

On the other hand lies the philosophy of offering several pre-prepared classes of access and letting the user pick one. For example: share by allowing public access, shared-key access (access only to people who know something) or completely private. A nice example of this is the Picasa picture album settings tab.

Permissions in Picasa: private, shared or public

In these products, you can select to share with: the world (no control), friends (only people who have, say, a link) or nobody (private).

Over the course of a typical product lifetime, where access control is a feature, the pull towards “feature toggles” exists and is sometimes very tempting. Beware! Once you go that way, you can’t go back – the “advanced” button will always be there to be misunderstood.

A nice approach taken by some other applications – Facebook, for example – is letting you create lists for each of the pre-set permissions (in Facebook, the permission is either to share or not to share). This is a nice solution that approaches the problem from the customer's point of view: “I want to share with the world… except my mother :-)”

Select exactly who to share with and who to hide from

My experience shows that even if customers initially demand complex feature toggles, after some use they grow to appreciate the simplicity of a small set of predefined access classes.
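As an added illustration (not code from this post or from any of the products it mentions), here is what the small set of predefined access classes, plus Facebook-style “share with / hide from” lists, looks like when it collapses into a single check function. The class names, field names and the sample album are my assumptions; the point is that every rule lives in one place that can be read and reviewed in a minute, which the toggle-per-feature model never allows.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import hmac


class Access(Enum):
    PRIVATE = "private"   # owner only (plus anyone explicitly on the allow list)
    SHARED = "shared"     # anyone who presents the resource's secret link token
    PUBLIC = "public"     # anyone at all


@dataclass
class Resource:
    owner: str
    access: Access
    link_token: str = ""                        # only meaningful for SHARED
    allow: set = field(default_factory=set)     # "also share with these people"
    deny: set = field(default_factory=set)      # "...except these people"


def can_view(res: Resource, viewer: Optional[str],
             presented_token: Optional[str] = None) -> bool:
    """Single decision point for read access. viewer is None for anonymous users."""
    # The owner always sees their own resource.
    if viewer is not None and viewer == res.owner:
        return True
    # An explicit deny beats every sharing class: the "except my mother" case.
    if viewer is not None and viewer in res.deny:
        return False
    # An explicit allow grants access regardless of the class.
    if viewer is not None and viewer in res.allow:
        return True
    if res.access is Access.PUBLIC:
        return True
    if res.access is Access.SHARED:
        # Constant-time comparison so the token cannot be recovered via timing.
        return (bool(res.link_token) and presented_token is not None
                and hmac.compare_digest(res.link_token, presented_token))
    return False  # PRIVATE, and no allow-list match above


# Constructed sample data: a shared album whose link token was emailed to friends.
album = Resource(owner="alice", access=Access.SHARED,
                 link_token="c0nstructed-album-link-token", deny={"mom"})
```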


One thought on “Access control: stay simple”

  1. Good post man.
    Less is more (always in UX/UI). A good proof of that is all the products of 37signals.
    Simple and less ‘power’ to the user gets them more productive and happy.
