Evaluating removal of access permissions
First Claim
1. A method of eliminating membership of a person in a user group which has access permissions to storage elements in an enterprise, the method comprising:
- initially specifying by a computer a proposed person and a proposed user group in which said proposed person is a member, wherein membership of said proposed person in said proposed user group is proposed to be eliminated;
- thereafter ascertaining actually accessed storage elements which were actually accessed by said proposed person in the past;
- thereafter for each of said actually accessed storage elements, ascertaining which authorized user groups have access permissions thereto;
- thereafter ascertaining in which of said authorized user groups said proposed person has membership;
- thereafter for each of said actually accessed storage elements, ascertaining that said person has membership in at least one of said authorized user groups having access permissions thereto, other than said proposed user group; and
- proceeding to eliminate said membership of said proposed person in said proposed group, only if each of said actually accessed storage elements has access permissions thereto from said at least one of said authorized user groups in which said person has membership, other than said proposed user group.
Abstract
Methods and systems are provided for controlling access to a file system. A record of actual accesses by users of the file system is maintained. Before a user is removed from a set of users or before a privilege for a set of users to access a data element is removed, it is determined whether the actual recorded accesses of the user are allowed by residual access permissions that would remain after implementing the proposed removal of access permission. An error condition is generated if the proposed removal of the access permission would have prevented at least one of the actual accesses. In another aspect of the invention, the system determines if the users would have alternate access to the storage element following implementation of the proposal.
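The following is an added Python example, not the patent's own code, illustrating both checks described above: claim 1 (refuse to drop a person from a group unless every storage element they actually accessed stays reachable through another group they belong to) and the abstract's second aspect (refuse to drop a group's permission on an element unless every recorded accessor keeps an alternate path). The ACL, membership and access-log structures, the function names and the sample data are all assumptions constructed for this illustration.

```python
"""Residual-access check before removing a permission.

Added example, not the patent's code. Data layout, names and sample
records are assumptions constructed for illustration only.
"""

# Constructed sample data (assumption, not from the patent).
# Which user groups hold access permission to each storage element.
ACL = {
    "/finance/budget.xlsx": {"finance", "managers"},
    "/finance/payroll.csv": {"finance"},
    "/shared/handbook.pdf": {"everyone"},
}
# Group memberships.
MEMBERS = {
    "finance": {"alice", "bob"},
    "managers": {"alice"},
    "everyone": {"alice", "bob", "carol"},
}
# Record of actual past accesses: (person, storage element).
ACCESS_LOG = [
    ("alice", "/finance/budget.xlsx"),
    ("alice", "/shared/handbook.pdf"),
    ("bob", "/finance/payroll.csv"),
    ("bob", "/finance/budget.xlsx"),
]


def groups_of(person, members):
    """All groups in which `person` currently has membership."""
    return {g for g, ps in members.items() if person in ps}


def accessed_by(person, log):
    """Storage elements `person` actually accessed in the past."""
    return {elem for who, elem in log if who == person}


def evaluate_membership_removal(person, group, acl, members, log):
    """Claim 1: return (ok, blocking_elements).

    ok is True only if every element the person actually accessed is
    permitted to at least one group, other than `group`, in which the
    person is a member. blocking_elements are the elements that would
    lose every access path (the abstract's error condition).
    """
    if person not in members.get(group, set()):
        raise ValueError(f"{person} is not a member of {group}")
    other_groups = groups_of(person, members) - {group}
    blocking = sorted(
        elem for elem in accessed_by(person, log)
        if not (acl.get(elem, set()) & other_groups)
    )
    return (not blocking, blocking)


def evaluate_permission_removal(group, element, acl, members, log):
    """Abstract, second aspect: propose removing `group`'s permission on
    `element`; report every recorded accessor whose past access would no
    longer be allowed by the residual permissions."""
    residual_groups = acl.get(element, set()) - {group}
    affected = {
        who for who, elem in log
        if elem == element and not (groups_of(who, members) & residual_groups)
    }
    return (not affected, sorted(affected))


def remove_membership_if_safe(person, group, acl, members, log):
    """Proceed with the removal only when the check passes; mutates `members`."""
    ok, _blocking = evaluate_membership_removal(person, group, acl, members, log)
    if ok:
        members[group].discard(person)
    return ok


if __name__ == "__main__":
    for person in ("alice", "bob"):
        print(person, "from finance:",
              evaluate_membership_removal(person, "finance", ACL, MEMBERS, ACCESS_LOG))
    print("drop finance on budget.xlsx:",
          evaluate_permission_removal("finance", "/finance/budget.xlsx", ACL, MEMBERS, ACCESS_LOG))
```

In the sample data, alice can leave `finance` because her budget access survives via `managers`, while bob cannot, since both files he read are reachable only through `finance`. A real deployment would read the access record from audit logs and the group-to-element permissions from the file system ACLs rather than from literals.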
7 Claims
5. A system for eliminating membership of a person in a user group which has access permissions to storage elements in an enterprise, the system comprising:
- at least one processing device that is adapted to perform each of the following functionalities:
- proposed person and proposed user group specifying functionality operative for initially specifying a proposed person and a proposed user group in which said proposed person is a member, wherein membership of said proposed person in said proposed user group is proposed to be eliminated;
- storage element actual access ascertaining functionality operative for ascertaining actually accessed storage elements which were actually accessed by said proposed person in the past;
- user groups access permissions ascertaining functionality operative for ascertaining, for each of said actually accessed storage elements, which authorized user groups have access permissions thereto;
- user groups membership ascertaining functionality operative for ascertaining in which of said authorized user groups said proposed person has membership;
- storage element access permissions ascertaining functionality operative for ascertaining, for each of said actually accessed storage elements, that said person has membership in at least one of said authorized user groups having access permissions thereto, other than said proposed user group; and
- membership elimination functionality operative for eliminating said membership of said proposed person in said proposed group, only if each of said actually accessed storage elements has access permissions thereto from said at least one of said authorized user groups in which said person has membership, other than said proposed user group.