A couple of sessions at the VAMP2013 workshop in Helsinki related to complexity and how best to express it to users. Bob Cowles pointed out that current access management systems can involve a lot of complexity even to reach the binary decision whether or not to allow a user to access a resource. This might, for example, involve the user authenticating themselves to their college, the college checking with a department or project that the requested access was within policy and with the resource provider that it was within budget, and finally releasing to the resource sufficient assured information about the user to identify the right account information. Most users probably don’t want to know that all that is going on, but instead to just express their wish to access content and trust the various organisations involved to do the right thing.
In a later open space session we discussed how far that trust should extend, and when organisations should check with the user before going further. There has been a tendency in software, perhaps encouraged by European Data Protection law, to seek the user’s confirmation for every step in complex processes. That’s generally regarded as training users to automatically click “OK” or “proceed” in answer to every question. Finding the right level of granularity is tricky. I wondered whether there might be something to learn from the medical field where decisions fall into three groups:
- those where the patient consents to a complete procedure and its consequences,
- those where individual choices are offered, and
- those (such as selling a spare kidney) that all doctors must refuse to do, even if the patient demands it.
In access management terms that might translate to
- doing silently the minimum information transfer and processing that is needed to provide the access the user has requested,
- offering optional services individually to the user, and
- refusing processing – such as unauthorised uses of National Insurance numbers – that is restricted by law.
The middle, optional, group seems to be where the most detailed information and control needs to be offered to the user. Depending on local laws, preferences and technology the user could be invited to enter their own information (for example an e-mail address to subscribe to notifications of updates), to consent to their Identity Provider releasing the required information, or to select additional services knowing that these will require additional transfer and processing.
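One way to make the three tiers concrete at an Identity Provider is an attribute release policy that classifies each requested attribute as required (released silently), optional (offered to the user individually and released only on consent) or prohibited (refused whatever the user says). The following is an added example written for this post, not code from the original or from any IdP product; the service-provider entity id, the policy table and the `nino` tag standing in for a National Insurance number are all constructed, while `eduPersonScopedAffiliation`, `eduPersonTargetedID` and `mail` are standard eduPerson/LDAP attribute names.

```python
"""Three-tier attribute release decision for an identity provider.

Added example for illustration only; the policy table, service id and
the "nino" attribute tag are constructed, not taken from a real deployment.
"""
from dataclasses import dataclass, field

# Tier 3: attributes whose release is restricted by law, so the provider
# refuses them for every service regardless of user consent. "nino" is a
# constructed tag standing in for a UK National Insurance number.
PROHIBITED_EVERYWHERE = frozenset({"nino"})


@dataclass(frozen=True)
class ServicePolicy:
    # Tier 1: the minimum the service needs to deliver the requested access.
    required: frozenset
    # Tier 2: optional extras, each offered to the user individually.
    optional: frozenset


# Constructed policy table keyed by service-provider entity id.
POLICY = {
    "https://journals.example/sp": ServicePolicy(
        required=frozenset({"eduPersonScopedAffiliation", "eduPersonTargetedID"}),
        optional=frozenset({"mail"}),  # e.g. to subscribe to update notifications
    ),
}


@dataclass
class ReleaseDecision:
    silent: set = field(default_factory=set)        # tier 1, released without prompting
    ask_user: set = field(default_factory=set)      # tier 2, needs an individual consent prompt
    released_with_consent: set = field(default_factory=set)  # tier 2, consent already given
    refused: set = field(default_factory=set)       # tier 3, or not covered by policy

    def outgoing(self):
        """Attributes that actually leave the IdP in this transaction."""
        return self.silent | self.released_with_consent


def plan_release(sp, requested, consented=frozenset()):
    """Decide, per requested attribute, which tier it falls into.

    sp        -- service-provider entity id (constructed values in POLICY)
    requested -- attribute names the service asked for
    consented -- optional attributes the user has already agreed to release
    """
    decision = ReleaseDecision()
    policy = POLICY.get(sp)
    if policy is None:
        # Unknown service: release nothing rather than guess at a policy.
        decision.refused.update(requested)
        return decision
    for attr in requested:
        if attr in PROHIBITED_EVERYWHERE:
            decision.refused.add(attr)              # the law overrides consent
        elif attr in policy.required:
            decision.silent.add(attr)
        elif attr in policy.optional:
            if attr in consented:
                decision.released_with_consent.add(attr)
            else:
                decision.ask_user.add(attr)
        else:
            decision.refused.add(attr)              # not in policy: do not release
    return decision


if __name__ == "__main__":
    d = plan_release(
        "https://journals.example/sp",
        ["eduPersonScopedAffiliation", "eduPersonTargetedID", "mail", "nino"],
    )
    print("silent:", sorted(d.silent))
    print("ask user:", sorted(d.ask_user))
    print("refused:", sorted(d.refused))
```

The point of the structure is that only the middle tier ever produces a prompt, so the user is asked about exactly the choices that are genuinely theirs to make; the required set goes through silently and the prohibited set is refused even when the user ticks the box, which is the access-management analogue of the procedure no doctor will perform on request.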