Visualization of access permission status

US 8,893,228 B2
Filed: 05/06/2013
Issued: 11/18/2014
Est. Priority Date: 11/06/2007
Status: Active Grant

First Claim

Patent Images

1. A method for indicating data access privilege status for data in an enterprise, the method comprising:

defining user groups offering common rights of access to a plurality of file servers, said file servers being organized as a hierarchy of storage elements having ancestors, said storage elements comprising first storage elements that have only inherited access permissions that are inherited from one of said ancestors thereof, and second storage elements that have at least non-inherited access permissions;

maintaining a storage element permissions database containing only said non-inherited access permissions for said second storage elements, and an inheritance indicator employing at least partially identical permission profiles that identifies other said second storage elements that are ancestral thereto in said hierarchy thereby to reduce data storage requirements; and

consulting said storage element permissions database to ascertain a storage element-oriented set of said user groups that provide said common rights of access to selected ones of said storage elements.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Queries regarding access permissions of users and rights to directories in a complex enterprise are executed in near real-time, using lookups to tables that form a condensed database maintained for each file server. User information is condensed by arranging users in user groups having common data access rights. Directory permissions storage is condensed by showing only distinctive permissions to a directory in a table entry, and referencing inherited permissions of parent directories. The tables indicate recursive and ancestral relationships among the user groups and directories. They are developed and updated in advance of any queries. A consolidated view of the query results is presented on a single display screen. Using the tables results can be obtained without exhaustive searches of large file system tables.

Citations

33 Claims

1. A method for indicating data access privilege status for data in an enterprise, the method comprising:
- defining user groups offering common rights of access to a plurality of file servers, said file servers being organized as a hierarchy of storage elements having ancestors, said storage elements comprising first storage elements that have only inherited access permissions that are inherited from one of said ancestors thereof, and second storage elements that have at least non-inherited access permissions;
  
  maintaining a storage element permissions database containing only said non-inherited access permissions for said second storage elements, and an inheritance indicator employing at least partially identical permission profiles that identifies other said second storage elements that are ancestral thereto in said hierarchy thereby to reduce data storage requirements; and
  
  consulting said storage element permissions database to ascertain a storage element-oriented set of said user groups that provide said common rights of access to selected ones of said storage elements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein said storage element permissions database comprises a first storage element permissions database and a second storage element permissions database, and said step of defining user groups comprises defining first user groups and second user groups, said first storage element permissions database and said first user groups comprising currently existing information, and said second storage element permissions database and said second user groups comprising proposed modifications to said first storage element permissions database and said first user groups, respectively, the method further comprising the steps of:
    - performing said step of consulting a first time using said first storage element permissions database and said first user groups and a second time using said second storage element permissions database and said second user groups to determine a first storage element oriented set and a second storage element oriented set, respectively, andreporting a difference between said first storage element oriented set and said second storage element oriented set.
  - 3. The method according to claim 1, wherein said user groups comprise ancestral user groups having members that are other user groups, and participant members of said other user groups have access rights that derive from said user groups and respective ancestral user groups thereof, the method further comprising the steps of:
    - maintaining a user database of said user groups and said members, entries in said user database comprising identifiers of respective said ancestral user groups; and
      
      consulting said user database to determine a user-oriented set of user groups offering respective said common rights of access to selected ones of said participant members.
  - 4. The method according to claim 3, further comprising the steps of:
    - making a determination that said user-oriented set has an intersection with said directory-oriented set; and
      
      responsively to said determination issuing a report that said participant members are able to access said selected ones of said storage elements.
  - 5. The method according to claim 4, wherein said step of issuing a report is performed by reporting only said second storage elements.
  - 6. The method according to claim 4, wherein said user database comprises a first user database of actual user groups in said enterprise and a second user database of proposed user groups, and said storage element permissions database comprises a first storage element permissions database of actual non-inherited access permissions of said actual user groups and a second storage element permissions database of proposed non-inherited access permissions of said proposed user groups, wherein said steps of consulting said user database, consulting said storage element permissions database, making a determination, and issuing a report are performed a first time using said first storage element permissions database, and said first user database to issue a first report and performed a second time using said second user database and said second storage element permissions database to issue a second report, the method further comprising the step of presenting a single display of said first report and said second report.
  - 7. The method according to claim 6, wherein said single display comprises a first pruned tree display of said storage elements including said first report and a second pruned tree display of said storage elements including said second report.
  - 8. The method according to claim 3, wherein said user database comprises:
    - a table of memberships having entries identifying ones of said user groups that respectively offer said common rights of access to said participant members; and
      
      a table of relationships having entries identifying respective relationships among said user groups and said ancestral user groups thereof, the method further comprising the steps of;
      
      prior to performing said step of consulting said user database constructing said table of memberships and said table of relationships and updating said table of memberships and said table of relationships responsively to changes in a composition of any of said user groups.
  - 9. The method according to claim 1, wherein said storage element permissions database comprises:
    - a table of permissions having entries that identify one of said user groups and a respective one of said second storage elements;
      
      a table of derived relationships having entries that identify one of said second storage elements and a respective instance of said inheritance indicator, the method further comprising the steps of;
      
      prior to performing said step of consulting said storage element permissions database constructing said table of permissions and said table of derived relationships and updating said table of permissions and said table of derived relationships responsively to changes in said non-inherited access permissions.
  - 10. The method according to claim 1 and also comprising displaying an integrated bi-directional display of said storage elements and user groups having access permissions thereto, and of user groups and storage elements to which said user groups have access permissions to.
  - 11. The method according to claim 10 and wherein at least some of said storage elements and said user groups reside on disparate ones of said file servers.
  - 12. The method according to claim 10 and wherein said display of said access permissions comprises at least a description of said access permissions and an explanation of said access permissions.
  - 13. The method according to claim 1 and also comprising:
    - displaying;
      
      for each said user group, a list of users having membership thereto; and
      
      for each said user, a list of said user groups to which said user has membership; and
      
      enabling toggling between displaying said list of users and said list of user groups.

14. A computer product for indicating data access privilege status for data in an enterprise, including a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to define user groups possessing common rights of access to a plurality of file servers, said file servers being organized as a hierarchy of storage elements having ancestors, said storage elements comprising first storage elements that have only inherited access permissions that are inherited from one of said ancestors thereof, and second storage elements that have at least non-inherited access permissions, maintain a storage element permissions database containing only said non-inherited access permissions for said second storage elements, and an inheritance indicator employing at least partially identical permission profiles that identifies other said second storage elements that are ancestral thereto in said hierarchy thereby to reduce data storage requirements, and consult said storage element permissions database to ascertain a storage element-oriented set of said user groups that provide said common rights of access to selected ones of said storage elements, respectively.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 28)
- - 15. The computer product according to claim 14, wherein said user groups comprise ancestral user groups having members that are other user groups, and participant members of said other user groups have access rights that derive from said user groups and respective said ancestral user groups thereof, wherein said computer is further instructed to maintain a user database of said user groups and said members, entries in said user database comprising identifiers of respective said ancestral user groups, and consult said user database to determine a user-oriented set of user groups offering respective said common rights of access to selected ones of said participant members.
  - 16. The computer product according to claim 15, wherein said computer is further instructed to make a determination that said user-oriented set has an intersection with said storage element-oriented set and responsively to said determination issue a report that said participant members are able to access said selected ones of said storage elements.
  - 17. The computer product according to claim 16, wherein said user database comprises a first user database of actual user groups in said enterprise and a second user database of proposed user groups, and said storage element permissions database comprises a first storage element permissions database of actual non-inherited access permissions of said actual user groups and a second storage element permissions database of proposed non-inherited access permissions of said proposed user groups, wherein said computer is further instructed to issue a first report using said first storage element permissions database, and said first user database and to issue a second report using said second user database and said second storage element permissions database, and to present a single display of said first report and said second report.
  - 18. The computer product according to claim 15, wherein said user database comprises:
    - a table of memberships having entries identifying ones of said user groups that respectively offer said common rights of access to said participant members; and
      
      a table of relationships having entries identifying respective relationships among said user groups and said ancestral user groups thereof, wherein said computer is further instructed to construct said table of memberships and said table of relationships and update said table of memberships and said table of relationships responsively to changes in a composition of any of said user groups prior to a consultation of said user database.
  - 19. The computer product according to claim 14, wherein said storage element permissions database comprises:
    - a table of permissions having entries that identify one of said user groups and a respective one of said second storage elements; and
      
      a table of derived relationships having entries that identify one of said second storage elements and a respective instance of said inheritance indicator, wherein said computer is further instructed to construct said table of permissions and said table of derived relationships and update said table of permissions and said table of derived relationships responsively to changes in said non-inherited access permissions prior to a consultation of said storage element permissions database.
  - 20. The computer product according to claim 14 and also comprising an integrated bi-directional display of said storage elements and user groups having access permissions thereto, and of user groups and storage elements to which said user groups have access permissions to.
  - 21. The computer product according to claim 20 and wherein at least some of said storage elements and said user groups reside on disparate ones of said file servers.
  - 22. The computer product according to claim 20 and wherein said display of said access permissions comprises at least a description of said access permissions and an explanation of said access permissions.
  - 23. The computer product according to claim 14 and also comprising a bi-directional user\user group display comprising:
    - for each said user group, a list of users having membership thereto;
      
      for each said user, a list of said user groups to which said user has membership; and
      
      toggle functionality operable for toggling between displaying said list of users and said list of user groups.
  - 25. The data processing system according to claim 14, wherein said user groups comprise ancestral user groups having members that are other user groups, and participant members of said other user groups have access rights that derive from said user groups and respective said ancestral user groups thereof, wherein said processor is operative to maintain a user database of said user groups and said members, entries in said user database comprising identifiers of respective said ancestral user groups, and consult said user database to determine a user-oriented set of user groups offering respective said common rights of access to selected ones of said participant members.
  - 26. The data processing system according to claim 25, wherein said processor is operative to make a determination that said user-oriented set has an intersection with said storage element-oriented set and responsively to said determination issue a report that said participant members are able to access said selected ones of said storage elements.
  - 27. The data processing system according to claim 26, wherein said user database comprises a first user database of actual user groups in said enterprise and a second user database of proposed user groups, and said storage element permissions database comprises a first storage element permissions database of actual non-inherited access permissions of said actual user groups and a second storage element permissions database of proposed non-inherited access permissions of said proposed user groups, wherein said processor is operative to issue a first report using said first storage element permissions database, and said first user database and to issue a second report using said second user database and said second storage element permissions database, and to present a single display of said first report and said second report.
  - 28. The data processing system according to claim 25, wherein said user database comprises:
    - a table of memberships having entries identifying ones of said user groups that respectively offer said common rights of access to said participant members; and
      
      a table of relationships having entries identifying respective relationships among said user groups and said ancestral user groups thereof, wherein said processor is operative to construct said table of memberships and said table of relationships and update said table of memberships and said table of relationships responsively to changes in a composition of any of said user groups prior to a consultation of said user database.

24. A data processing system for indicating data access privilege status for data in an enterprise, the system comprising:
- a processor linked to a plurality of file servers, said file servers being organized as a hierarchy of storage elements having ancestors, said storage elements comprising first storage elements that have only inherited access permissions that are inherited from one of said ancestors thereof, and second storage elements that have at least non-inherited access permissions,a display; and
  
  a memory accessible by said processor, wherein said processor is operative to define user groups possessing common rights of access to said file servers and to maintain a storage element permissions database containing only said non-inherited access permissions for said second storage elements, and an inheritance indicator employing at least partially identical permission profiles that identifies other said second storage elements that are ancestral thereto in said hierarchy thereby to reduce data storage requirements, and consult said storage element permissions database to ascertain a storage element-oriented set of said user groups that provide said common rights of access to selected ones of said storage elements, respectively.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The data processing system according to claim 24, wherein said storage element permissions database comprises:
    - a table of permissions having entries that identify one of said user groups and a respective one of said second storage elements; and
      
      a table of derived relationships having entries that identify one of said second storage elements and a respective instance of said list, wherein said processor is operative to construct said table of permissions and said table of derived relationships and update said table of permissions and said table of derived relationships responsively to changes in said non-inherited access permissions prior to a consultation of said storage element permissions database.
  - 30. The data processing system according to claim 24 and also comprising an integrated bi-directional display of said storage elements and user groups having access permissions thereto, and of user groups and storage elements to which said user groups have access permissions to.
  - 31. The data processing system according to claim 30 and wherein at least some of said storage elements and said user groups reside on disparate ones of said file servers.
  - 32. The data processing system according to claim 30 and wherein said display of said access permissions comprises at least a description of said access permissions and an explanation of said access permissions.
  - 33. The data processing system according to claim 24 and also comprising a bi-directional user\user group display comprising:
    - for each said user group, a list of users having membership thereto;
      
      for each said user, a list of said user groups to which said user has membership; and
      
      toggle functionality operable for toggling between displaying said list of users and said list of user groups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Varonis Systems, Inc.
Original Assignee
Varonis Systems, Inc.
Inventors
Faitelson, Yakov, Korkus, Ohad, Kretzer, Ophir
Primary Examiner(s)
DWIVEDI, MAHESH H

Application Number

US13/887,885
Publication Number

US 20130246477A1
Time in Patent Office

561 Days
Field of Search

726/2
US Class Current

726/2
CPC Class Codes

G06F 16/156   Query results presentation

G06F 16/176   Support for shared access t...

G06F 21/604   Tools and structures for ma...

G06F 21/6227   where protection concerns t...

G06F 2221/2145   Inheriting rights or proper...

Visualization of access permission status

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Visualization of access permission status

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links