Developing simple and expressive access controls -- interfaces to specify policies that define who should have access to resources and under what circumstances -- is a longstanding challenge in usable security. We present Sketch-based Access Control (SBAC), a sketch-based, AI-assisted access control authoring system that combines the expressive power of sketching with the interpretive capabilities of multimodal large language models (MLLMs) to support the interpretation and validation of policy specifications as they are iteratively refined. Through a formative study with 14 participants, we identified three design requirements and developed a human-AI collaborative workflow composed of three stages -- Specify, Analyze, and Test -- enabled by the system's ability to maintain and interpret evolving access control specifications. In a user evaluation with 14 participants grounded in their real-world access control scenarios, we found the system and the workflow helped participants progressively refine initially underspecified preferences into more complete and precise policies -- surfacing gaps they had not anticipated, resolving ambiguities through dialogue, and validating policy behavior through concrete scenarios.

翻译：开发简洁且富有表现力的访问控制机制——即定义谁在何种情况下有权访问资源的策略规约接口——是可用的安全性领域长期面临的挑战。我们提出了基于草图的访问控制（SBAC），一种基于草图、AI辅助的访问控制创作系统，该系统结合了草图的表达能力与多模态大语言模型（MLLMs）的解析能力，支持对策略规约在迭代精化过程中的解释与验证。通过一项包含14名参与者的形成性研究，我们确定了三项设计需求，并开发了一种由三个环节组成的人机协同工作流——包括规约、分析与测试环节——该工作流得益于系统维护与解读演化中访问控制规约的能力。在一项针对14名参与者、基于其真实世界访问控制场景的用户评估中，我们发现该系统及其工作流帮助参与者将初始未充分明确的需求逐步精化为更完整、更精确的策略——揭示了他们未曾预见的漏洞，通过对话消除歧义，并通过具体场景验证策略行为。