Systems and methods for managing user permissions

US 8,938,781 B1
Filed: 11/18/2013
Issued: 01/20/2015
Est. Priority Date: 09/06/2006
Status: Active Grant

First Claim

Patent Images

1. A system for managing user permissions in a computer network environment, the system comprising:

a collection server;

a first computing device of a plurality of network devices communicatively coupled to the collection server, the first computing device comprising;

a first resource,a first data structure associated with the first resource, the first data structure identifying a first security identifier (SID) and a first permission granted to the first SID with respect to the first resource,a second resource,a second data structure associated with the second resource, the second data structure identifying a second SID and a second permission granted to the second SID with respect to the second resource, anda first SID index associating the first and second SIDs with, respectively, the first and second resources; and

an aggregate index stored on the collection server, the aggregate index associating each of the first and second SIDs with the first computing device and associating a third SID with a second computing device of the plurality of network devices.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Multi-tiered systems and methods for identifying and monitoring user permissions in a computer network are described. A data structure, such as an index, for each network device identifies all the security identifiers (SIDs) and their associated permissions for accessing the resources on the network device. Each data structure can be initially populated by scanning access control lists (ACLs) of the respective network device. A collection server in communication with the network devices stores an aggregate index that identifies the SIDs in the network and the network devices on which each SID is granted, denied or revoked one or more permissions. The individual data structures and/or aggregate index are updated based on permission changes detected through real-time or periodic monitoring. The aggregate index can also be replicated to multiple servers. In certain examples, the multi-tiered arrangement facilitates identifying the network resources for which a user has been granted, denied or revoked a permission.

47 Citations

View as Search Results

20 Claims

1. A system for managing user permissions in a computer network environment, the system comprising:
- a collection server;
  
  a first computing device of a plurality of network devices communicatively coupled to the collection server, the first computing device comprising;
  
  a first resource,a first data structure associated with the first resource, the first data structure identifying a first security identifier (SID) and a first permission granted to the first SID with respect to the first resource,a second resource,a second data structure associated with the second resource, the second data structure identifying a second SID and a second permission granted to the second SID with respect to the second resource, anda first SID index associating the first and second SIDs with, respectively, the first and second resources; and
  
  an aggregate index stored on the collection server, the aggregate index associating each of the first and second SIDs with the first computing device and associating a third SID with a second computing device of the plurality of network devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the second computing device comprises:
    - a third resource;
      
      a third data structure associated with the third resource, the third data structure identifying the third SID and a third permission granted to the third SID with respect to the third resource;
      
      a fourth resource;
      
      a fourth data structure associated with the fourth resource, the fourth data structure identifying a fourth SID and a fourth permission granted to the fourth SID with respect to the fourth resource; and
      
      a second SID index associating the third and fourth SIDs with, respectively, the third and fourth resources,wherein the aggregate index further associates the fourth SID with the second computing device.
  - 3. The system of claim 2, wherein the first, second, third and fourth data structures each comprises an access control list (ACL).
  - 4. The system of claim 1, wherein at least one of the first and second SIDs comprises a group SID.
  - 5. The system of claim 1, further comprising:
    - a third device of the plurality of network devices; and
      
      a fifth data structure associated with the third device, the fifth data structure identifying a fifth SID and a fifth permission granted to the fifth SID with respect to the third device, wherein the fifth data structure is stored on one of the plurality of network devices other than the third device.
  - 6. The system of claim 5, wherein the third device does not include an operating system.
  - 7. The system of claim 6, wherein the third device comprises an attached storage device.
  - 8. The system of claim 1, wherein the first computing device further comprises a monitoring module configured to monitor changes in permissions associated with the first resource.
  - 9. The system of claim 8, wherein the first computing device is configured to send selective update data to the aggregate index based on the monitored changes to permissions associated with the first resource.
  - 10. The system of claim 1, wherein the aggregate index further identifies a type of the first resource associated with the first SID.

11. A method for managing user permissions in a network system, the method comprising:
- for each of a plurality of computing devices of a network system;
  
  scanning a plurality of data structures, each data structure being associated with at least one of a plurality of resources on the computing device,identifying from the plurality of data structures a plurality of security identifiers (SIDs) associated with a plurality of permissions granted to the plurality of SIDs with respect to the plurality of resources, andcompiling a SID index associating the plurality of SIDs with the plurality of resources;
  
  transmitting from each of the plurality of computing devices the respective plurality of SIDs and an identification of the corresponding computing device; and
  
  compiling at a collection server an aggregate index associating each of the plurality of SIDs with the identification of the corresponding computing device on which the particular SID was found.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein each of the plurality of data structures comprises a plurality of entries, wherein each data structure entry consists essentially of one of the plurality of SIDs and an identification of one of the plurality of resources.
  - 13. The method of claim 12, wherein the aggregate index comprises a plurality of entries, wherein each aggregate index entry consists essentially of one of the plurality of SIDs and the identification of the corresponding computing device on which the particular SID was found.
  - 14. The method of claim 11, additionally comprising monitoring changes in permissions of the plurality of resources on each of the plurality of computing devices.
  - 15. The method of claim 14, additionally comprising determining if the changes in permissions affect the existence of one of the plurality of SIDs on one of the plurality of computing devices.
  - 16. The method of claim 15, additionally comprising transmitting incremental data with respect to the one of the plurality of SIDs from the one of the plurality of computing devices to the collection server to update the aggregate index.
  - 17. The method of claim 11, wherein one of the plurality of SIDs identified in the aggregate index is associated with multiple computing devices.
  - 18. The method of claim 11, additionally comprising replicating the aggregate index to a plurality of servers.

19. A multi-tiered system for managing user permissions on a plurality of network devices, the multi-tiered system comprising:
- a plurality of computing devices, each computing device further comprising;
  
  means for identifying from a plurality of data structures attached to a plurality of resources on the computing device a plurality of security identifiers (SIDs) associated with a plurality of permissions granted to the plurality of SIDs for accessing the plurality of resources, andfirst means for associating each of the plurality of SIDs with the plurality of resources;
  
  means for transmitting from each of the plurality of computing devices the respective plurality of SIDs and an identification of the corresponding computing device; and
  
  second means for associating each of the plurality of SIDs with the identification of the corresponding computing device on which each particular SID was found.
- View Dependent Claims (20)
- - 20. The system of claim 19, further comprising means for monitoring changes in the plurality of permissions and for updating said first and second means for associating.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Dell Software, Inc. (Dell Technologies Inc.)
Inventors
Bobel, Robert
Primary Examiner(s)
Song, Hosuk

Application Number

US14/082,397
Time in Patent Office

428 Days
Field of Search

716 1- 6, 716/12, 716 17- 18, 716 27- 30, 713/150, 713/154, 713/159, 713/164, 713/166, 713/185, 709/202, 709/223, 709/225, 709/229, 726 1- 6, 726/12, 726 17- 18, 726 27- 30
US Class Current

726/2
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

Systems and methods for managing user permissions

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for managing user permissions

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links