Automatic folder access management
First Claim
1. A computer-implemented method for controlling data access by users of a file system, comprising the steps of:
- receiving a request for a change in user access rights of one of said users to a designated storage element of said file system, wherein said file system comprises storage elements including said designated storage element, each of said storage elements being owned by a single owner that controls said user access rights thereto, and a user repository including groups of said users, wherein users in each of said groups have common access rights to said storage elements;
identifying one of said groups, wherein said identified group has a group owner that controls said membership thereof;
establishing at least one group authorizer to act on behalf of said group owner;
obtaining a consent to said request from said owner of said designated storage element;
obtaining a concurrence from said at least one group authorizer of said identified group to change said membership of said one user therein; and
responsively to said consent and to said concurrence, conforming said user access rights of said one user to said designated storage element to said request by granting said user membership in said identified group or by revoking from said user membership in said identified group.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods and systems are provided for decentralizing user data access rights control activities in networked organizations having diverse access control models and file server protocols. A folder management application enables end users of the file system to make requests for access to storage elements, either individually, or by becoming members of a user group having group access privileges. Responsibility for dealing with such requests is distributed to respective group owners and data owners, who may delegate responsibility to authorizers. The application may also consider automatically generated proposals for changes to access privileges. An automatic system continually monitors and analyzes access behavior by users who have been pre-classified into groups having common data access privileges. As the organizational structure changes, these groups are adaptively changed both in composition and in data access rights.
43 Citations
18 Claims
-
1. A computer-implemented method for controlling data access by users of a file system, comprising the steps of:
-
receiving a request for a change in user access rights of one of said users to a designated storage element of said file system, wherein said file system comprises storage elements including said designated storage element, each of said storage elements being owned by a single owner that controls said user access rights thereto, and a user repository including groups of said users, wherein users in each of said groups have common access rights to said storage elements; identifying one of said groups, wherein said identified group has a group owner that controls said membership thereof; establishing at least one group authorizer to act on behalf of said group owner; obtaining a consent to said request from said owner of said designated storage element; obtaining a concurrence from said at least one group authorizer of said identified group to change said membership of said one user therein; and responsively to said consent and to said concurrence, conforming said user access rights of said one user to said designated storage element to said request by granting said user membership in said identified group or by revoking from said user membership in said identified group. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
- 9. A computer software product for controlling data access by users of a file system, including a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to receive a request for a change in user access rights of one of said users to a designated storage element of said file system, wherein said file system comprises storage elements including said designated storage element, each of said storage elements being owned by a single owner that controls said user access rights thereto, and a user repository including groups of said users, wherein users in each of said groups have common access rights to said storage elements, said computer being caused by said instructions to identify one of said groups, wherein said identified group has a group owner that controls said membership thereof, to establish at least one group authorizer to act on behalf of said group owner, to obtain a consent to said request from said owner of said designated storage element, to obtain a concurrence from said at least one group authorizer of said identified group to change said membership of said one user therein, and responsively to said consent and to said concurrence to conform said user access rights of said one user to said designated storage element to said request by granting said user membership in said identified group or by revoking from said user membership in said identified group.
-
14. A data processing apparatus for controlling data access by users of a file system, comprising:
-
a processor; and a memory accessible to said processor having instructions resident therein, said processor operative by executing said instructions to receive a request for a change in user access rights of one of said users to a designated storage element of said file system, wherein said file system comprises storage elements including said designated storage element, each of said storage elements being owned by a single owner that controls said user access rights thereto, and a user repository including groups of said users, wherein users in each of said groups have common access rights to said storage elements, to identify one of said groups, wherein said identified group has a group owner that controls said membership thereof, to obtain a consent to said request from said owner of said designated storage element to obtain a concurrence from said at least one group authorizer of said identified group to change said membership of said one user therein, and responsively to said consent and to said concurrence to conform said user access rights of said one user to said designated storage element to said request by granting said user membership in said identified group or by revoking from said user membership in said identified group. - View Dependent Claims (15, 16, 17, 18)
-
Specification