Significant effort has been invested in developing expressive and flexible access-control languages
and systems. However, little work has been done to evaluate these theoretically interesting systems in
practical situations with real users, and few attempts have been made to discover and analyze the access-control
policies that users actually want to implement. In this paper we report on a study in which we
derive the ideal access policies desired by a group of users for physical security in an office environment.
We compare these ideal policies to the policies the users actually implemented with keys and with Grey, a
smartphone-based distributed access-control system. We show quantitatively that Grey allowed our users
to implement their ideal policies more accurately and securely than they could with keys, and describe
where each system fell short. As part of this evaluation we identify conditions that users commonly
required in their desired policies and explain how these conditions can or cannot be implemented with
keys and Grey. Our results and experience can serve to inform the designers of access-control systems
about which features these systems should include if they are to successfully meet users’ needs.