Systems and methodologies for controlling access to a file system
First Claim
1. A computer-implemented method for controlling access to a the system having data elements, comprising the steps of:
- maintaining a record of respective actual accesses by users of said file system to said data elements, said users being organized in a user hierarchy;
employing entitlement review by owner functionality for automatically proposing a removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said data elements, and wherein following an implementation of said proposed simulated removal, members of said set retain respective proposed residual access permissions to said data elements, said entitlement review by owner functionality being configured to present to at least one owner of said data elements, a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by the at least one owner of said data elements, and to require the at least one owner to confirm or modify the authorization status;
automatically ascertaining, prior to said implementation of said proposed removal, whether at least one of said respective actual accesses are disallowed to non-members of said set by said respective proposed residual access permissions, said non-members of said set having actual access profiles which are similar to the actual access profiles of said members of said set, said members of said set being nondescendants of said non-members of said set in said user hierarchy; and
responsive to said automatically ascertaining that said at least one of said respective actual accesses are not disallowed to said non-members of said set by said respective proposed residual access permissions, obtaining a consent to said proposed removal from at least one of a data owner of said data elements and a data authorizer established to act on behalf of said data owner of said data elements.
0 Assignments
0 Petitions
Accused Products
Abstract
A method for controlling access to a file system having data elements, including the steps of maintaining a record of respective actual accesses by users of the file system to the data elements, defining a proposed removal of a set of the users from a superset of the users, wherein members of the superset have common access privileges to a portion of the data elements, and wherein following an implementation of the proposed removal, members of the set retain respective proposed residual access permissions, ascertaining, prior to the implementation of the proposed removal, that at least one of the respective actual accesses are disallowed to the members of the set, or to non-members of the set having actual access profiles which are similar to the actual access profiles of the members of the set, by the respective proposed residual access permissions, and generating an error indication, responsively to the ascertaining.
-
Citations
8 Claims
-
1. A computer-implemented method for controlling access to a the system having data elements, comprising the steps of:
-
maintaining a record of respective actual accesses by users of said file system to said data elements, said users being organized in a user hierarchy; employing entitlement review by owner functionality for automatically proposing a removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said data elements, and wherein following an implementation of said proposed simulated removal, members of said set retain respective proposed residual access permissions to said data elements, said entitlement review by owner functionality being configured to present to at least one owner of said data elements, a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by the at least one owner of said data elements, and to require the at least one owner to confirm or modify the authorization status; automatically ascertaining, prior to said implementation of said proposed removal, whether at least one of said respective actual accesses are disallowed to non-members of said set by said respective proposed residual access permissions, said non-members of said set having actual access profiles which are similar to the actual access profiles of said members of said set, said members of said set being nondescendants of said non-members of said set in said user hierarchy; and responsive to said automatically ascertaining that said at least one of said respective actual accesses are not disallowed to said non-members of said set by said respective proposed residual access permissions, obtaining a consent to said proposed removal from at least one of a data owner of said data elements and a data authorizer established to act on behalf of said data owner of said data elements. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A computer-implemented system comprising a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to control access to a file system having data elements stored thereon, said system comprising:
-
actual access monitoring functionality operable for maintaining a record of respective actual accesses by users of said file system to said data elements, said users being organized in a user hierarchy; user removal proposition functionality operable for employing entitlement review by owner functionality for automatically proposing a removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said data elements, and wherein following an implementation of said proposed simulated removal, members of said set retain respective proposed residual access permissions to said data elements, said entitlement review by owner functionality being configured to present to at least one owner of said data elements, a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by the at least one owner of said data elements, and to require the at least one owner to confirm or modify the authorization status; residual access permissions ascertaining functionality communicating with said actual access monitoring functionality and with said user removal proposition functionality and operable; for automatically ascertaining, prior to said implementation of said proposed removal proposed by said user removal proposition functionality, whether at least one of said respective actual accesses recorded by said actual access monitoring functionality are disallowed to non-members of said set by said respective proposed residual access permissions, said non-members of said set having actual access profiles which are similar to the actual access profiles of said members of said set, said members of said set being nondescendants of said non-members of said set in said user hierarchy; and responsive to said automatically ascertaining that said at least one of said respective actual accesses are not disavowed to said non-members of said set by said respective proposed residual access permissions, for obtaining a consent to said proposed removal from at least one of a data owner of said data elements and a data authorizer established to act on behalf of said data owner of said data elements. - View Dependent Claims (7, 8)
-
Specification