Systems and methods for managing user permissions
Abstract
Multi-tiered systems and methods for identifying and monitoring user permissions in a computer network are described. A data structure, such as an index, for each network device identifies all the security identifiers (SIDs) and their associated permissions for accessing the resources on the network device. Each data structure can be initially populated by scanning access control lists (ACLs) of the respective network device. A collection server in communication with the network devices stores an aggregate index that identifies the SIDs in the network and the network devices on which each SID is granted, denied or revoked one or more permissions. The individual data structures and/or aggregate index are updated based on permission changes detected through real-time or periodic monitoring. The aggregate index can also be replicated to multiple servers. In certain examples, the multi-tiered arrangement facilitates identifying the network resources for which a user has been granted, denied or revoked a permission.
20 Claims

1. A system for managing user permissions in a computer network environment, the system comprising:
a collection server;
a first computing device of a plurality of network devices communicatively coupled to the collection server, the first computing device comprising:
a first resource,
a first data structure associated with the first resource, the first data structure identifying a first security identifier (SID) and a first permission granted to the first SID with respect to the first resource,
a second resource,
a second data structure associated with the second resource, the second data structure identifying a second SID and a second permission granted to the second SID with respect to the second resource, and
a first SID index associating the first and second SIDs with, respectively, the first and second resources; and
an aggregate index stored on the collection server, the aggregate index associating each of the first and second SIDs with the first computing device and associating a third SID with a second computing device of the plurality of network devices.
Dependent claims: 2-10.

11. A method for managing user permissions in a network system, the method comprising:
for each of a plurality of computing devices of a network system:
scanning a plurality of data structures, each data structure being associated with at least one of a plurality of resources on the computing device,
identifying from the plurality of data structures a plurality of security identifiers (SIDs) associated with a plurality of permissions granted to the plurality of SIDs with respect to the plurality of resources, and
compiling a SID index associating the plurality of SIDs with the plurality of resources;
transmitting from each of the plurality of computing devices the respective plurality of SIDs and an identification of the corresponding computing device; and
compiling at a collection server an aggregate index associating each of the plurality of SIDs with the identification of the corresponding computing device on which the particular SID was found.
Dependent claims: 12-18.

19. A multi-tiered system for managing user permissions on a plurality of network devices, the multi-tiered system comprising:
a plurality of computing devices, each computing device further comprising:
means for identifying from a plurality of data structures attached to a plurality of resources on the computing device a plurality of security identifiers (SIDs) associated with a plurality of permissions granted to the plurality of SIDs for accessing the plurality of resources, and
first means for associating each of the plurality of SIDs with the plurality of resources;
means for transmitting from each of the plurality of computing devices the respective plurality of SIDs and an identification of the corresponding computing device; and
second means for associating each of the plurality of SIDs with the identification of the corresponding computing device on which each particular SID was found.
Dependent claim: 20.
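As an added illustration that is not part of the patent text, the following Python sketch models the two-tier arrangement described in the abstract and in claims 11 and 19: a per-device SID index built by scanning ACL entries, an aggregate index on the collection server that records only which devices each SID appears on (since devices transmit SIDs and their own identification, not resources), the two-step lookup of the resources a SID holds permissions on, and the update applied when monitoring detects a revocation. Device names, SIDs, resource paths and permission names are constructed sample values.

```python
from collections import defaultdict

# Constructed sample ACL entries: (device, resource, SID, permission, ace_type)
SAMPLE_ACLS = [
    ("fileserver01", r"\\fileserver01\finance", "S-1-5-21-1-1-1-1105", "READ",  "allow"),
    ("fileserver01", r"\\fileserver01\finance", "S-1-5-21-1-1-1-1105", "WRITE", "allow"),
    ("fileserver01", r"\\fileserver01\public",  "S-1-5-21-1-1-1-1200", "READ",  "allow"),
    ("fileserver02", r"\\fileserver02\hr",      "S-1-5-21-1-1-1-1105", "READ",  "deny"),
    ("fileserver02", r"\\fileserver02\hr",      "S-1-5-21-1-1-1-1300", "FULL",  "allow"),
]

def build_sid_index(device, acl_entries):
    """Tier 1 (on the device): scan ACL entries for this device and map
    SID -> resource -> set of (permission, ace_type)."""
    index = defaultdict(lambda: defaultdict(set))
    for dev, resource, sid, perm, ace_type in acl_entries:
        if dev == device:
            index[sid][resource].add((perm, ace_type))
    return index

def build_aggregate_index(device_indexes):
    """Tier 2 (collection server): each device reports only its SIDs plus its own
    identification; the server maps SID -> set of devices where that SID was found."""
    aggregate = defaultdict(set)
    for device, sid_index in device_indexes.items():
        for sid in sid_index:  # only SIDs and the device id cross the wire
            aggregate[sid].add(device)
    return aggregate

def resources_for_sid(sid, aggregate, device_indexes):
    """Two-step lookup: the aggregate index narrows the search to the devices that
    hold the SID, then each device's SID index supplies the resources and ACEs."""
    hits = {}
    for device in aggregate.get(sid, ()):
        for resource, aces in device_indexes[device][sid].items():
            hits[resource] = sorted(aces)
    return hits

def revoke_sid_on_device(sid, device, device_indexes, aggregate):
    """Monitoring detected that the SID's permissions on a device were revoked:
    drop its device-side entries and keep the aggregate index consistent."""
    device_indexes[device].pop(sid, None)
    aggregate[sid].discard(device)
    if not aggregate[sid]:  # SID no longer present anywhere in the network
        del aggregate[sid]
```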