Anyone who has ever tried to share a file between two computers has probably seen the ‘permission denied’ dialog. This is what I call a ‘dead-end dialog.’ The dialog informs you of a problem but doesn’t help you solve it.
“xyz is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.”
OK, so as a user, who exactly am I supposed to contact? I may not know who the system administrator is, and even if I do… the system administrator claims that I do have access permissions. So where is the disconnect? The dialog is a dead-end because the user doesn’t know where to go, and neither does the administrator. Even if ‘everybody’ is given permissions, that doesn’t mean it will work.
In security UI design there is a common mistake: the belief that keeping ‘bad’ people out is more important than anything else. Many designs take this so far that they don’t design for the opposite case at all. You also need to make sure that the ‘good’ people can actually get in. The dialog is a dead-end because it doesn’t provide a mechanism to request permissions.
Web 1.0 security – Set up groups, permissions, security and settings so that the right people have access. If they get denied they are out of luck, or they have to contact the admin to fix the problem.
Web 2.0 security – People request permissions for the resources they need right from the UI. As people make requests, administrators approve or deny them, and the groups and settings are built automatically. The admin doesn’t have to hunt for the right place or the right setting, they don’t have to worry about allow/deny groups, and ultimately they can set up auto-rules for certain resources.
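The request/approve workflow described above, as an added example that is not code from the original post: a denial files a request instead of dead-ending, an admin approves or denies from a queue, the grant is written as a side effect of the approval, and an auto-rule resolves requests for a resource without an admin. The resource names, users and the email-domain rule are assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass
class AccessRequest:
    id: int
    user: str
    resource: str
    status: str = "pending"          # pending | approved | denied

@dataclass
class AccessService:
    # resource -> users currently granted access; this is the "group" the
    # essay says should be built from approvals rather than hand-edited
    grants: Dict[str, Set[str]] = field(default_factory=dict)
    requests: List[AccessRequest] = field(default_factory=list)
    # resource -> predicate(user) that approves a request with no admin action
    auto_rules: Dict[str, Callable[[str], bool]] = field(default_factory=dict)

    def is_allowed(self, user: str, resource: str) -> bool:
        return user in self.grants.get(resource, set())

    def request_access(self, user: str, resource: str) -> AccessRequest:
        """What the 'permission denied' dialog should offer: file a request.
        An auto-rule resolves it immediately; otherwise it waits in the queue."""
        req = AccessRequest(len(self.requests) + 1, user, resource)
        self.requests.append(req)
        rule = self.auto_rules.get(resource)
        if rule is not None and rule(user):
            self._approve(req)
        return req

    def pending(self) -> List[AccessRequest]:
        """The admin's work queue: nothing to hunt for, just decide each item."""
        return [r for r in self.requests if r.status == "pending"]

    def decide(self, request_id: int, approve: bool) -> AccessRequest:
        """Admin action; the grant is a side effect, so settings stay consistent."""
        req = next(r for r in self.requests if r.id == request_id)
        if req.status != "pending":
            raise ValueError(f"request {request_id} already {req.status}")
        if approve:
            self._approve(req)
        else:
            req.status = "denied"
        return req

    def _approve(self, req: AccessRequest) -> None:
        req.status = "approved"
        self.grants.setdefault(req.resource, set()).add(req.user)
```

A real deployment would persist the queue and audit every decision; the point here is that a denial always yields a request id the user can act on.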