Evaluating removal of access permissions

US 20080271157A1
Filed: 04/26/2007
Published: 10/30/2008
Est. Priority Date: 04/26/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for controlling access to a file system having storage elements, comprising the steps of:

maintaining a record of respective actual accesses by users of said file system to said storage elements;

defining a proposed removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said storage elements, and wherein following an implementation of said proposed removal, members of said set retain respective proposed residual access permissions to said storage elements;

automatically determining, prior to said implementation of said proposed removal, that at least one of said respective actual accesses are disallowed to said members of said set by said respective proposed residual access permissions; and

generating an error indication, responsively to said step of automatically determining.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for controlling access to a file system. A record of actual accesses by users of the file system is maintained. Before a user is removed from a set of users or before a privilege for a set of users to access a data element is removed, it is determined whether the actual recorded accesses of the user are allowed by residual access permissions that would remain after implementing the proposed removal of access permission. An error condition is generated if the proposed removal of the access permission would have prevented at least one of the actual accesses. In another aspect of the invention, the system determines if the users would have alternate access to the storage element following implementation of the proposal.

92 Citations

View as Search Results

20 Claims

1. A computer-implemented method for controlling access to a file system having storage elements, comprising the steps of:
- maintaining a record of respective actual accesses by users of said file system to said storage elements;
  
  defining a proposed removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said storage elements, and wherein following an implementation of said proposed removal, members of said set retain respective proposed residual access permissions to said storage elements;
  
  automatically determining, prior to said implementation of said proposed removal, that at least one of said respective actual accesses are disallowed to said members of said set by said respective proposed residual access permissions; and
  
  generating an error indication, responsively to said step of automatically determining.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said storage elements comprise files and directories, and wherein said file system comprises a hierarchy of said files and directories, and wherein said portion of said storage elements comprises:
    - a first directory; and
      
      all of said files and directories below said first directory in said hierarchy.
  - 3. The method of claim 1, wherein said users have memberships in respective alternative user groups, each of said alternative user groups having group permissions to access respective alternative portions of said storage elements, wherein said respective proposed residual access permissions of said users comprise said group permissions of said alternative user groups.
  - 4. The method of claim 1, wherein said step of maintaining a record comprises constructing an aggregated table of unique actual accesses by said users.
  - 5. The method according to claim 1, wherein said step of defining a proposed removal is performed automatically.
  - 6. The method of claim 1, further comprising the steps of automatically establishing that said respective proposed residual access permissions allow at least one of said members of said set associated therewith to access one of said storage elements in said portion and responsively thereto generating another error indication.

7. A computer-implemented method for controlling access by users of a file system having storage elements, comprising the steps of:
- defining a proposed removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said storage elements, and wherein following an implementation of said proposed removal, members of said set retain respective proposed residual access permissions to said storage elements;
  
  automatically determining that said respective proposed residual access permissions allow at least one of said members of said set to access one of said storage elements in said portion; and
  
  generating an error indication responsively to said step of automatically determining.
- View Dependent Claims (8)
- - 8. The method of claim 7, wherein said users have memberships in respective alternative user groups, each of said alternative user groups having group permissions to access respective alternative portions of said storage elements, wherein said respective proposed residual access permissions of said users comprise said group permissions of said alternative user groups.

9. A computer software product for controlling access to a file system having storage elements, including a tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to:
- maintain a record of respective actual accesses by users of said file system to said storage elements;
  
  receive a proposed removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said storage elements, and wherein following an implementation of said proposed removal, members of said set retain respective proposed residual access permissions to said storage elements;
  
  make a determination, prior to said implementation of said proposed removal, that at least one of said respective actual accesses are disallowed to said members of said set by said respective proposed residual access permissions; and
  
  responsively to said determination generate an error indication.
- View Dependent Claims (10, 11, 12)
- - 10. The computer software product of claim 9, wherein said users have memberships in respective alternative user groups, each of said alternative user groups having group permissions to access respective alternative portions of said storage elements, wherein said respective proposed residual access permissions of said users comprise said group permissions of said alternative user groups.
  - 11. The computer software product of claim 9, wherein said record comprises an aggregated table of unique actual accesses by said users.
  - 12. The computer software product of claim 9, wherein said computer is further instructed to establish that said respective proposed residual access permissions allow at least one of said members of said set associated therewith to access one of said storage elements in said portion and responsively thereto to generate another error indication.

13. A data processing system for controlling access to a file system having storage elements, comprising:
- a processor;
  
  a memory accessible to said processor and having objects instantiated therein, wherein said processor, using said objects, is operative to;
  
  maintain a record of respective actual accesses by users of said file system to said storage elements;
  
  receive a proposed removal of a set of said users from a superset of said users wherein members of said superset have common access privileges to a portion of said storage elements, and wherein following an implementation of said proposed removal, members of said set retain respective proposed residual access permissions to said storage elements;
  
  make a determination, prior to said implementation of said proposed removal, that at least one of said respective actual accesses are disallowed to said members of said set by said respective proposed residual access permissions; and
  
  responsively to said determination generate an error indication.
- View Dependent Claims (14, 15)
- - 14. The data processing system of claim 13, wherein said users have memberships in respective alternative user groups, each of said alternative user groups having group permissions to access respective alternative portions of said storage elements, wherein said respective proposed residual access permissions of said users comprise said group permissions of said alternative user groups.
  - 15. The data processing system of claim 13, wherein said processor is operative to establish that said respective proposed residual access permissions allow at least one of said members of said set associated therewith to access one of said storage elements in said portion and responsively thereto to generate another error indication.

16. A computer-implemented method for controlling access to a file system having storage elements, comprising the steps of:
- maintaining a record of respective actual accesses by users of said file system to said storage elements;
  
  defining a proposed removal of a right to access a designated storage element by a set of said users, wherein members of said set have common access privileges to at least said designated storage element, and wherein following an implementation of said proposed removal, said members of said set retain respective proposed residual access permissions to said storage elements;
  
  automatically determining, prior to said implementation of said proposed removal, that at least one of said respective actual accesses are disallowed to said members of said set by said respective proposed residual access permissions; and
  
  generating an error indication, responsively to said step of automatically determining.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein said users have memberships in respective alternative user groups, each of said alternative user groups having group permissions to access respective alternative portions of said storage elements, wherein said respective proposed residual access permissions of said users comprise said group permissions of said alternative user groups.
  - 18. The method of claim 16, wherein said step of maintaining a record comprises constructing an aggregated table of unique actual accesses by said users.
  - 19. The method according to claim 16, wherein said step of defining a proposed removal is performed automatically.
  - 20. The method of claim 16, further comprising the steps of automatically establishing that said respective proposed residual access permissions allow at least one of said members of said set associated therewith to access said designated storage element and responsively thereto generating another error indication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Varonis Systems, Inc.
Original Assignee
Varonis Systems, Inc.
Inventors
Faitelson, Yakov, Korkus, Ohad, Kretzer, Ophir

Granted Patent

US 8,239,925 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Evaluating removal of access permissions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Evaluating removal of access permissions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links