Sketch-based Access Control: A Multimodal Interface for Translating User Preferences into Intent-Aligned Policies

TL;DR

This paper introduces SBAC, a sketch-based, AI-assisted system that helps users create and refine access control policies through a multimodal interface and human-AI collaboration.

Contribution

It presents a novel multimodal interface combining sketching and large language models for accessible, iterative access control policy authoring and validation.

Findings

Participants successfully refined policies, uncovering gaps and resolving ambiguities.

The system supported iterative policy development through Specify, Analyze, and Test stages.

Participants found the workflow improved policy clarity and confidence.

Abstract

Developing simple and expressive access controls -- interfaces to specify policies that define who should have access to resources and under what circumstances -- is a longstanding challenge in usable security. We present Sketch-based Access Control (SBAC), a sketch-based, AI-assisted access control authoring system that combines the expressive power of sketching with the interpretive capabilities of multimodal large language models (MLLMs) to support the interpretation and validation of policy specifications as they are iteratively refined. Through a formative study with 14 participants, we identified three design requirements and developed a human-AI collaborative workflow composed of three stages -- Specify, Analyze, and Test -- enabled by the system's ability to maintain and interpret evolving access control specifications. In a user evaluation with 14 participants grounded in their real-world access control scenarios, we found the system and the workflow helped participants progressively refine initially underspecified preferences into more complete and precise policies -- surfacing gaps they had not anticipated, resolving ambiguities through dialogue, and validating policy behavior through concrete scenarios.