Systems and methodologies for controlling access to a file system

US 10,320,798 B2
Filed: 02/01/2016
Issued: 06/11/2019
Est. Priority Date: 02/20/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for controlling access to a the system having data elements, comprising the steps of:

maintaining a record of respective actual accesses by users of said file system to said data elements, said users being organized in a user hierarchy;

employing entitlement review by owner functionality for automatically proposing a removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said data elements, and wherein following an implementation of said proposed simulated removal, members of said set retain respective proposed residual access permissions to said data elements, said entitlement review by owner functionality being configured to present to at least one owner of said data elements, a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by the at least one owner of said data elements, and to require the at least one owner to confirm or modify the authorization status;

automatically ascertaining, prior to said implementation of said proposed removal, whether at least one of said respective actual accesses are disallowed to non-members of said set by said respective proposed residual access permissions, said non-members of said set having actual access profiles which are similar to the actual access profiles of said members of said set, said members of said set being nondescendants of said non-members of said set in said user hierarchy; and

responsive to said automatically ascertaining that said at least one of said respective actual accesses are not disallowed to said non-members of said set by said respective proposed residual access permissions, obtaining a consent to said proposed removal from at least one of a data owner of said data elements and a data authorizer established to act on behalf of said data owner of said data elements.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling access to a file system having data elements, including the steps of maintaining a record of respective actual accesses by users of the file system to the data elements, defining a proposed removal of a set of the users from a superset of the users, wherein members of the superset have common access privileges to a portion of the data elements, and wherein following an implementation of the proposed removal, members of the set retain respective proposed residual access permissions, ascertaining, prior to the implementation of the proposed removal, that at least one of the respective actual accesses are disallowed to the members of the set, or to non-members of the set having actual access profiles which are similar to the actual access profiles of the members of the set, by the respective proposed residual access permissions, and generating an error indication, responsively to the ascertaining.

Citations

8 Claims

1. A computer-implemented method for controlling access to a the system having data elements, comprising the steps of:
- maintaining a record of respective actual accesses by users of said file system to said data elements, said users being organized in a user hierarchy;
  
  employing entitlement review by owner functionality for automatically proposing a removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said data elements, and wherein following an implementation of said proposed simulated removal, members of said set retain respective proposed residual access permissions to said data elements, said entitlement review by owner functionality being configured to present to at least one owner of said data elements, a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by the at least one owner of said data elements, and to require the at least one owner to confirm or modify the authorization status;
  
  automatically ascertaining, prior to said implementation of said proposed removal, whether at least one of said respective actual accesses are disallowed to non-members of said set by said respective proposed residual access permissions, said non-members of said set having actual access profiles which are similar to the actual access profiles of said members of said set, said members of said set being nondescendants of said non-members of said set in said user hierarchy; and
  
  responsive to said automatically ascertaining that said at least one of said respective actual accesses are not disallowed to said non-members of said set by said respective proposed residual access permissions, obtaining a consent to said proposed removal from at least one of a data owner of said data elements and a data authorizer established to act on behalf of said data owner of said data elements.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A computer-implemented method according to claim 1, wherein said data elements comprise files and directories, and wherein said file system comprises a hierarchy of said files and directories, and wherein said portion of said data elements comprises:
    - a first directory; and
      
      all of said files and directories below said first directory in said hierarchy.
  - 3. A computer-implemented method according to claim 1, wherein said users have memberships in respective alternative user groups, each of said alternative user groups having group permissions to access respective alternative portions of said data elements, wherein said respective proposed residual access permissions of said users comprise said group permissions of said alternative user groups.
  - 4. A computer-implemented method according to claim 1, wherein said step of maintaining a record comprises constructing an aggregated table of unique actual accesses by said users.
  - 5. A computer-implemented method according to claim 1, wherein said step of defining a proposed removal is performed automatically.

6. A computer-implemented system comprising a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to control access to a file system having data elements stored thereon, said system comprising:
- actual access monitoring functionality operable for maintaining a record of respective actual accesses by users of said file system to said data elements, said users being organized in a user hierarchy;
  
  user removal proposition functionality operable for employing entitlement review by owner functionality for automatically proposing a removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said data elements, and wherein following an implementation of said proposed simulated removal, members of said set retain respective proposed residual access permissions to said data elements, said entitlement review by owner functionality being configured to present to at least one owner of said data elements, a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by the at least one owner of said data elements, and to require the at least one owner to confirm or modify the authorization status;
  
  residual access permissions ascertaining functionality communicating with said actual access monitoring functionality and with said user removal proposition functionality and operable;
  
  for automatically ascertaining, prior to said implementation of said proposed removal proposed by said user removal proposition functionality, whether at least one of said respective actual accesses recorded by said actual access monitoring functionality are disallowed to non-members of said set by said respective proposed residual access permissions, said non-members of said set having actual access profiles which are similar to the actual access profiles of said members of said set, said members of said set being nondescendants of said non-members of said set in said user hierarchy; and
  
  responsive to said automatically ascertaining that said at least one of said respective actual accesses are not disavowed to said non-members of said set by said respective proposed residual access permissions, for obtaining a consent to said proposed removal from at least one of a data owner of said data elements and a data authorizer established to act on behalf of said data owner of said data elements.
- View Dependent Claims (7, 8)
- - 7. A computer-implemented system of claim 6, wherein said data elements comprise files and directories, and wherein said file system comprises a hierarchy of said files and directories, and wherein said portion of said data elements comprises:
    - a first directory; and
      
      all of said files and directories below said first directory in said hierarchy.
  - 8. A computer-implemented system of claim 6 and wherein said users have memberships in respective alternative user groups, each of said alternative user groups having group permissions to access respective alternative portions of said data elements, wherein said respective proposed residual access permissions of said users comprise said group permissions of said alternative user groups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Varonis Systems, Inc.
Original Assignee
Varonis Systems, Inc.
Inventors
Faitelson, Yakov, Korkus, Ohad
Primary Examiner(s)
Casanova, Jorge A

Application Number

US15/012,176
Publication Number

US 20160149925A1
Time in Patent Office

1,226 Days
Field of Search

707781, 707783, 707785, 707786
US Class Current
CPC Class Codes

G06F 16/11   File system administration,...

G06F 16/1774   Locking methods, e.g. locki...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

Systems and methodologies for controlling access to a file system

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methodologies for controlling access to a file system

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links