Automatic folder access management

US 8,561,146 B2
Filed: 04/12/2007
Issued: 10/15/2013
Est. Priority Date: 04/14/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for controlling data access by users of a file system, comprising the steps of:

receiving a request for a change in user access rights of one of said users to a designated storage element of said file system, wherein said file system comprises storage elements including said designated storage element, each of said storage elements being owned by a single owner that controls said user access rights thereto, and a user repository including groups of said users, wherein users in each of said groups have common access rights to said storage elements;

identifying one of said groups, wherein said identified group has a group owner that controls said membership thereof;

establishing at least one group authorizer to act on behalf of said group owner;

obtaining a consent to said request from said owner of said designated storage element;

obtaining a concurrence from said at least one group authorizer of said identified group to change said membership of said one user therein; and

responsively to said consent and to said concurrence, conforming said user access rights of said one user to said designated storage element to said request by granting said user membership in said identified group or by revoking from said user membership in said identified group.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for decentralizing user data access rights control activities in networked organizations having diverse access control models and file server protocols. A folder management application enables end users of the file system to make requests for access to storage elements, either individually, or by becoming members of a user group having group access privileges. Responsibility for dealing with such requests is distributed to respective group owners and data owners, who may delegate responsibility to authorizers. The application may also consider automatically generated proposals for changes to access privileges. An automatic system continually monitors and analyzes access behavior by users who have been pre-classified into groups having common data access privileges. As the organizational structure changes, these groups are adaptively changed both in composition and in data access rights.

43 Citations

View as Search Results

18 Claims

1. A computer-implemented method for controlling data access by users of a file system, comprising the steps of:
- receiving a request for a change in user access rights of one of said users to a designated storage element of said file system, wherein said file system comprises storage elements including said designated storage element, each of said storage elements being owned by a single owner that controls said user access rights thereto, and a user repository including groups of said users, wherein users in each of said groups have common access rights to said storage elements;
  
  identifying one of said groups, wherein said identified group has a group owner that controls said membership thereof;
  
  establishing at least one group authorizer to act on behalf of said group owner;
  
  obtaining a consent to said request from said owner of said designated storage element;
  
  obtaining a concurrence from said at least one group authorizer of said identified group to change said membership of said one user therein; and
  
  responsively to said consent and to said concurrence, conforming said user access rights of said one user to said designated storage element to said request by granting said user membership in said identified group or by revoking from said user membership in said identified group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, further comprising the step of establishing at least one authorizer to act on behalf of said owner, wherein said step of obtaining a consent comprises obtaining said consent from said at least one authorizer.
  - 3. The method according to claim 1, further comprising the step of obtaining a concurrence from said group owner of said identified group to change said membership of said one user therein.
  - 4. The method according to claim 3, wherein said request comprises an addition of said user access rights of said one user to said designated storage element and said step of adjusting a membership comprises accepting said one user as a member of said identified group.
  - 5. The method according to claim 1, further comprising the steps of:
    - monitoring accesses of said users to said storage elements and deriving respective access profiles thereof; and
      
      responsively to said access profiles automatically generating said request.
  - 6. The method according to claim 5, further comprising the step of automatically defining said groups responsively to said access profiles.
  - 7. The method according to claim 1, wherein said request comprises a deletion of said user access rights of said one user to said designated storage element and said step of adjusting a membership comprises removing said one user as a member of said identified group.
  - 8. The method according to claim 1, further comprising the steps of:
    - establishing a rule having at least one satisfaction criterion;
      
      determining that said request complies with said criterion; and
      
      responsively to said step of determining performing said step of obtaining a consent to said request automatically.

9. A computer software product for controlling data access by users of a file system, including a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to receive a request for a change in user access rights of one of said users to a designated storage element of said file system, wherein said file system comprises storage elements including said designated storage element, each of said storage elements being owned by a single owner that controls said user access rights thereto, and a user repository including groups of said users, wherein users in each of said groups have common access rights to said storage elements, said computer being caused by said instructions to identify one of said groups, wherein said identified group has a group owner that controls said membership thereof, to establish at least one group authorizer to act on behalf of said group owner, to obtain a consent to said request from said owner of said designated storage element, to obtain a concurrence from said at least one group authorizer of said identified group to change said membership of said one user therein, and responsively to said consent and to said concurrence to conform said user access rights of said one user to said designated storage element to said request by granting said user membership in said identified group or by revoking from said user membership in said identified group.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computer software product according to claim 9, wherein said computer is further instructed to obtain a concurrence from said group owner of said identified group to change said membership of said one user therein.
  - 11. The computer software product according to claim 10, wherein said request comprises an addition of said user access rights of said one user to said designated storage element and said computer is further instructed to add said one user as a member of said identified group.
  - 12. The computer software product according to claim 9, wherein said request comprises a deletion of said user access rights of said one user to said designated storage element and wherein said computer is further instructed to remove said one user as a member of said identified group.
  - 13. The computer software product according to claim 9, further wherein said computer is further instructed to instantiate a rule having at least one satisfaction criterion, make a determination that said request complies with said criterion, and responsively to said determination automatically provide said consent to said request.

14. A data processing apparatus for controlling data access by users of a file system, comprising:
- a processor; and
  
  a memory accessible to said processor having instructions resident therein, said processor operative by executing said instructions to receive a request for a change in user access rights of one of said users to a designated storage element of said file system, wherein said file system comprises storage elements including said designated storage element, each of said storage elements being owned by a single owner that controls said user access rights thereto, and a user repository including groups of said users, wherein users in each of said groups have common access rights to said storage elements, to identify one of said groups, wherein said identified group has a group owner that controls said membership thereof, to obtain a consent to said request from said owner of said designated storage element to obtain a concurrence from said at least one group authorizer of said identified group to change said membership of said one user therein, and responsively to said consent and to said concurrence to conform said user access rights of said one user to said designated storage element to said request by granting said user membership in said identified group or by revoking from said user membership in said identified group.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The data processing apparatus according to claim 14, wherein said processor is operative to obtain a concurrence from said group owner of said identified group to change said membership of said one user therein.
  - 16. The data processing apparatus according to claim 15, wherein said request comprises an addition of said user access rights of said one user to said designated storage element and said processor is instructed by said instructions to add said one user as a member of said identified group.
  - 17. The data processing apparatus according to claim 14, wherein said request comprises a deletion of said user access rights of said one user to said designated storage element and said processor is operative to remove said one user as a member of said identified group.
  - 18. The data processing apparatus according to claim 14, further wherein said processor is operative to instantiate a rule having at least one satisfaction criterion, make a determination that said request complies with said criterion, and responsively to said determination automatically provide said consent to said request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Varonis Systems, Inc.
Original Assignee
Varonis Systems, Inc.
Inventors
Faitelson, Yakov, Korkus, Ohad
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US11/786,522
Publication Number

US 20070244899A1
Time in Patent Office

2,378 Days
Field of Search

726/1, 726/2
US Class Current

726/4
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/6236   between heterogeneous systems

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

Automatic folder access management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Automatic folder access management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others