Method and system for assessing cumulative access entitlements of an entity in a system
First Claim
1. A method, performed by a computer, with regard to analyzing cumulative entitlements in an information system including a plurality of users, each user having a corresponding user account, the information system including a plurality of security groups, each security group including a subset of the users or other security groups, and wherein the information system includes a plurality of securable assets, each securable asset corresponding to an access control list, each access control list including access control entries that identify at least one security group or user account having access to the corresponding securable asset, wherein the securable assets include the user accounts, the method comprising:
in the computer, determining which security groups directly include or transitively include a given one of the users;
in the computer, determining a set of access control lists that identify any of the security groups or the given user;
in the computer, determining an effective system-level access granted to the given user in view of the access control entries in the set of access control lists, wherein determining the effective system-level access includes resolving any access conflicts as a function of operating system rules or according to access check methodologies, wherein an access check methodology is defined as the process by which access control mechanisms of the information system protect the securable assets, by subjecting a user's access request to a given securable asset, to an access check that processes the user's security affiliations as defined by the security groups and the access control list corresponding to the given securable asset to determine whether to allow the access requested; and
in the computer, mapping the effective system-level access granted to the given user into administrative tasks to determine a cumulative access entitlement set for the given user, wherein the cumulative access entitlement set includes administrative tasks that the given user is entitled to perform with regard to the securable assets corresponding to the set of access control lists.
Abstract
A method and system is provided for assessing the cumulative set of access entitlements to which an entity, of an information system, may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system, or a specified subset thereof, that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user based upon operating system rules or according to access check methodologies is determined and mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user.
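The four steps of claim 1, which the abstract summarises, worked through as a runnable Python example added here (this is not code from the patent). The directory, the ACLs, the rights-to-task mapping and the ordered, deny-before-allow ACE evaluation are constructed assumptions modelled on Windows DACL rules; the one generalisation is that nested groups and group cycles are handled.

```python
# Constructed sample directory: a group's members are users or other groups.
GROUP_MEMBERS = {
    "HelpDesk": {"alice"},
    "AccountOperators": {"HelpDesk", "bob"},  # nesting -> transitive membership
    "Auditors": {"carol"},
}
# Constructed ACLs: asset -> ordered ACEs (type, trustee, rights); user accounts are assets too.
ACLS = {
    "user:dave": [("deny", "HelpDesk", {"reset_password"}),
                  ("allow", "AccountOperators", {"reset_password", "write_props"}),
                  ("allow", "Auditors", {"read_props"})],
    "group:DomainAdmins": [("allow", "bob", {"write_members"})],
}
# Constructed mapping of system-level rights to administrative tasks.
TASK_MAP = {"reset_password": "Reset the account's password",
            "write_props": "Modify account attributes",
            "read_props": "Read account attributes",
            "write_members": "Add or remove group members"}

def transitive_groups(user):
    """Step 1: groups that directly or transitively include the user."""
    found, frontier = set(), {user}
    while frontier:
        new = {g for g, m in GROUP_MEMBERS.items() if m & frontier} - found
        found |= new
        frontier = new  # subtracting 'found' keeps group cycles finite
    return found

def relevant_acls(principals):
    """Step 2: ACLs holding an ACE that names the user or one of its groups."""
    return {a: aces for a, aces in ACLS.items()
            if any(t in principals for _, t, _ in aces)}

def effective_access(principals, aces):
    """Step 3: ordered ACE walk, earlier deny beats later allow (assumed Windows DACL rule)."""
    denied, allowed = set(), set()
    for kind, trustee, rights in aces:
        if trustee in principals and kind == "deny":
            denied |= rights
        elif trustee in principals:
            allowed |= rights - denied
    return allowed

def cumulative_entitlements(user):
    """Step 4: map each asset's effective access to administrative tasks."""
    principals = transitive_groups(user) | {user}
    result = {}
    for asset, aces in relevant_acls(principals).items():
        tasks = sorted(TASK_MAP[r] for r in effective_access(principals, aces))
        if tasks:
            result[asset] = tasks
    return result
```

For alice the explicit deny on HelpDesk strips the password-reset right she would otherwise inherit through AccountOperators, which is exactly the conflict the claim's step 3 resolves before step 4 maps what remains to tasks.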
28 Claims
1. Independent method claim; its text is identical to the First Claim above. Dependent claims: 2-15.
16. A computer-implemented system for analyzing cumulative entitlements in an information system including a plurality of users, each user having a corresponding user account, the information system including a plurality of security groups, each security group including a subset of the users or other security groups, and wherein the information system includes a plurality of securable assets, each securable asset corresponding to an access control list, each access control list including access control entries that identify at least one security group or user account having access to the corresponding securable asset, wherein the securable assets include the user account, comprising:
a computing device configured to, for a given one of the users, determine which security groups directly include or transitively include the given user;
the computing device being further configured to determine a set of access control lists that identify any of the security groups or the given user;
the computing device being further configured to determine an effective system-level access granted to the given user in view of the access control entries in the set of access control lists, wherein the determination of the effective system-level access includes resolving any access conflicts as a function of operating system rules or according to access check methodologies, wherein an access check methodology is defined as the process by which access control mechanisms of the information system protect the securable assets, by subjecting a user's access request to a given securable asset, to an access check that processes the user's security affiliations as defined by the security groups and the access control list corresponding to the given securable asset to determine whether to allow the access requested; and
the computing device being further configured to map the effective system-level access granted to the given user into administrative tasks to determine a cumulative access entitlement set for the given user, wherein the cumulative access entitlement set includes administrative tasks that the given user is entitled to perform with regard to the securable assets corresponding to the set of access control lists.
Dependent claims: 17-28.
Specification