Evaluating removal of access permissions
First Claim
1. A computer-implemented method for controlling access to a file system having storage elements, comprising the steps of:
- maintaining a record of respective actual accesses by users of said file system to said storage elements;
defining a proposed removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said storage elements, and wherein following an implementation of said proposed removal, members of said set retain respective proposed residual access permissions to said storage elements;
automatically determining, prior to said implementation of said proposed removal, that at least one of said respective actual accesses are disallowed to said members of said set by said respective proposed residual access permissions; and
generating an error indication, responsively to said step of automatically determining.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods and systems are provided for controlling access to a file system. A record of actual accesses by users of the file system is maintained. Before a user is removed from a set of users or before a privilege for a set of users to access a data element is removed, it is determined whether the actual recorded accesses of the user are allowed by residual access permissions that would remain after implementing the proposed removal of access permission. An error condition is generated if the proposed removal of the access permission would have prevented at least one of the actual accesses. In another aspect of the invention, the system determines if the users would have alternate access to the storage element following implementation of the proposal.
92 Citations
20 Claims
-
1. A computer-implemented method for controlling access to a file system having storage elements, comprising the steps of:
-
maintaining a record of respective actual accesses by users of said file system to said storage elements; defining a proposed removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said storage elements, and wherein following an implementation of said proposed removal, members of said set retain respective proposed residual access permissions to said storage elements; automatically determining, prior to said implementation of said proposed removal, that at least one of said respective actual accesses are disallowed to said members of said set by said respective proposed residual access permissions; and generating an error indication, responsively to said step of automatically determining. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A computer-implemented method for controlling access by users of a file system having storage elements, comprising the steps of:
-
defining a proposed removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said storage elements, and wherein following an implementation of said proposed removal, members of said set retain respective proposed residual access permissions to said storage elements; automatically determining that said respective proposed residual access permissions allow at least one of said members of said set to access one of said storage elements in said portion; and generating an error indication responsively to said step of automatically determining. - View Dependent Claims (8)
-
-
9. A computer software product for controlling access to a file system having storage elements, including a tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to:
-
maintain a record of respective actual accesses by users of said file system to said storage elements; receive a proposed removal of a set of said users from a superset of said users, wherein members of said superset have common access privileges to a portion of said storage elements, and wherein following an implementation of said proposed removal, members of said set retain respective proposed residual access permissions to said storage elements; make a determination, prior to said implementation of said proposed removal, that at least one of said respective actual accesses are disallowed to said members of said set by said respective proposed residual access permissions; and responsively to said determination generate an error indication. - View Dependent Claims (10, 11, 12)
-
-
13. A data processing system for controlling access to a file system having storage elements, comprising:
-
a processor; a memory accessible to said processor and having objects instantiated therein, wherein said processor, using said objects, is operative to; maintain a record of respective actual accesses by users of said file system to said storage elements; receive a proposed removal of a set of said users from a superset of said users wherein members of said superset have common access privileges to a portion of said storage elements, and wherein following an implementation of said proposed removal, members of said set retain respective proposed residual access permissions to said storage elements; make a determination, prior to said implementation of said proposed removal, that at least one of said respective actual accesses are disallowed to said members of said set by said respective proposed residual access permissions; and responsively to said determination generate an error indication. - View Dependent Claims (14, 15)
-
-
16. A computer-implemented method for controlling access to a file system having storage elements, comprising the steps of:
-
maintaining a record of respective actual accesses by users of said file system to said storage elements; defining a proposed removal of a right to access a designated storage element by a set of said users, wherein members of said set have common access privileges to at least said designated storage element, and wherein following an implementation of said proposed removal, said members of said set retain respective proposed residual access permissions to said storage elements; automatically determining, prior to said implementation of said proposed removal, that at least one of said respective actual accesses are disallowed to said members of said set by said respective proposed residual access permissions; and generating an error indication, responsively to said step of automatically determining. - View Dependent Claims (17, 18, 19, 20)
-
Specification