Method and apparatus for ascertaining data access permission of groups of users to groups of data elements

US 9,641,334 B2
Filed: 07/07/2009
Issued: 05/02/2017
Est. Priority Date: 07/07/2009
Status: Active Grant

First Claim

Patent Images

1. In an enterprise computer system including multiple servers and multiple storage units, a method for ascertaining access permissions of users to computer resources on at least one storage unit of said multiple storage units, the method comprising employing a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by at least one of said multiple servers, cause said at least one of said multiple servers to:

periodically, at regular intervals of time, cluster users having at least partially identical user/resource access permissions to said computer resources, into a multiplicity of user clusters;

periodically, at regular intervals of time, cluster said computer resources having at least partially identical resource/user access permissions thereto into a multiplicity of resource clusters which are independent of said user clusters;

in response to a query received via one of said multiple servers as to whether a multiplicity of users have access permissions to a multiplicity of resources;

ascertain whether a first user of said multiplicity of users has user/resource access permissions to a first resource of said multiplicity of resources;

ascertain whether said first user is a member of a first user cluster;

ascertain whether second users of said multiplicity of users are members of said first user cluster;

ascertain whether said first resource is a member of a first resource cluster;

ascertain whether second resources of said multiplicity of resources are members of said first resource cluster; and

if;

said first user has user/resource access permissions to said first resource of said multiplicity of resources; and

said first user is a member of said first user cluster; and

said second users are members of said first user cluster; and

said first resource is a member of said first resource cluster; and

said second resources are members of said first resource cluster,then;

respond to said query by stating that said first and second users have said user/resource access permissions to said first and second resources;

without checking if said first user has user/resource access permissions to said second resources; and

without checking if said second users have user/resource access permissions to said second resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for ascertaining access permissions of users to computer resources on a storage unit, the method including grouping users into a plurality of user groups wherein all members of at least one of the user groups have at least nearly identical user/resource access permissions to the computer resources, grouping resources into a plurality of resource groups wherein all members of at least one of the resource groups have at least nearly identical resource/user access permissions, ascertaining whether a given user is a member of a user group, if the given user is a member of a user group, ascribing to the given user the user/resource access permissions of the user group, ascertaining whether a given resource is a member of a resource group, and if the given resource is a member of a resource group, ascribing to the given resource the resource/user access permissions of the resource group.

91 Citations

View as Search Results

13 Claims

1. In an enterprise computer system including multiple servers and multiple storage units, a method for ascertaining access permissions of users to computer resources on at least one storage unit of said multiple storage units, the method comprising employing a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by at least one of said multiple servers, cause said at least one of said multiple servers to:
- periodically, at regular intervals of time, cluster users having at least partially identical user/resource access permissions to said computer resources, into a multiplicity of user clusters;
  
  periodically, at regular intervals of time, cluster said computer resources having at least partially identical resource/user access permissions thereto into a multiplicity of resource clusters which are independent of said user clusters;
  
  in response to a query received via one of said multiple servers as to whether a multiplicity of users have access permissions to a multiplicity of resources;
  
  ascertain whether a first user of said multiplicity of users has user/resource access permissions to a first resource of said multiplicity of resources;
  
  ascertain whether said first user is a member of a first user cluster;
  
  ascertain whether second users of said multiplicity of users are members of said first user cluster;
  
  ascertain whether said first resource is a member of a first resource cluster;
  
  ascertain whether second resources of said multiplicity of resources are members of said first resource cluster; and
  
  if;
  
  said first user has user/resource access permissions to said first resource of said multiplicity of resources; and
  
  said first user is a member of said first user cluster; and
  
  said second users are members of said first user cluster; and
  
  said first resource is a member of said first resource cluster; and
  
  said second resources are members of said first resource cluster,then;
  
  respond to said query by stating that said first and second users have said user/resource access permissions to said first and second resources;
  
  without checking if said first user has user/resource access permissions to said second resources; and
  
  without checking if said second users have user/resource access permissions to said second resources.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method according to claim 1 and wherein said periodically cluster users comprises causing said at least one of said multiple servers to:
    - identify a set of user security groups, each of said user security groups having access permissions to at least one of said computer resources on said at least one storage unit of said multiple storage units;
      
      identify, for each user of said multiplicity of users, a subset of said user security groups of which said user is a member; and
      
      if a first subset of said user security groups, of which said user of said multiplicity of users is a member, is identical to a second subset of said user security groups, of which a different user of said multiplicity of users is a member, cluster said user and said different user in a first cluster with respect to said at least one storage unit of said multiple storage units.
  - 3. A method according to claim 1 and wherein said periodically cluster users comprises causing said at least one of said multiple servers to divide said computer resources into at least two portions, and cluster said users, among said multiplicity of users, into a first cluster wherein all members of said first cluster have at least partially identical user/resource access permissions to computer resources included in one of said at least two portions.
  - 4. A method according to claim 1 and wherein said computer resources are arranged in a computer resource hierarchy.
  - 5. A method according to claim 4 and wherein said periodically cluster resources comprises causing said at least one of said multiple servers to:
    - retrieve, for each resource in said computer resource hierarchy, the resource/user access permissions of said resource and the resource/user access permissions of an immediate ancestor of said resource in said computer resource hierarchy; and
      
      if said resource/user access permissions of said immediate ancestor are identical to said resource/user access permissions of said resource, cluster said resource and said immediate ancestor in a common resource cluster.
  - 6. A method according to claim 5 and wherein said cluster said resource comprises causing said at least one of said multiple servers to:
    - provide a pointer from said resource to said immediate ancestor; and
      
      extend pointers which point to said resource to point to said immediate ancestor.

7. A computer product for controlling data access by users of an enterprise computer system including multiple servers and multiple storage units, the computer product including a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by at least one of said multiple servers, cause said at least one of said multiple servers to ascertain access permissions of users to computer resources on at least one storage unit of said multiple storage units, the product comprising:
- user clustering functionality for periodically, at regular intervals of time, clustering users having at least partially identical user/resource access permissions to said computer resources on said at least one storage unit of said multiple storage units, into a multiplicity of user clusters;
  
  computer resource clustering functionality for periodically, at regular intervals of time, clustering said computer resources having at least partially identical resource/user access permissions thereto into a multiplicity of resource clusters which are independent of said user clusters;
  
  user access permissions ascribing functionality, in response to a query as to whether a multiplicity of users have access permissions to a multiplicity of resources, operative to;
  
  ascertain whether a first user of said multiplicity of users has user/resource access permissions to a first resource of said multiplicity of resources;
  
  ascertain whether said first user is a member of a first user cluster;
  
  ascertain whether second users of said multiplicity of users are members of said first user cluster;
  
  ascertain whether said first resource is a member of a first resource cluster;
  
  ascertain whether second resources of said multiplicity of resources are members of said first resource cluster; and
  
  if;
  
  said first user has user/resource access permissions to said first resource of said multiplicity of resources; and
  
  said first user is a member of said first user cluster;
  
  said second users are members of said first user cluster; and
  
  said first resource is a member of said first resource cluster; and
  
  said second resources are members of said first resource cluster,then;
  
  respond to said query by stating that said first and second users have said user/resource access permissions to said first and second resources;
  
  without checking if said first user has user/resource access permissions to said second resources; and
  
  without checking if said second users have user/resource access permissions to said second resources.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer product according to claim 7 and wherein said user clustering functionality comprises:
    - user security group identification functionality for identifying a plurality of user security groups, each of said user security groups having access permissions to at least one of said computer resources on said at least one storage unit;
      
      user security group subset identification functionality for identifying, for each user of said multiplicity of users, a subset of said user security groups of which said user is a member; and
      
      user subset comparison functionality for clustering said user and a different user in a first cluster, with respect to said at least one storage unit, if a first subset of said user security groups of which said user is a member is identical to a second subset of said user security groups of which said different user is a member.
  - 9. The computer product according to claim 7 and also comprising a computer resource dividing functionality for dividing said computer resources into at least two portions, and wherein said user clustering functionality clusters users, among said multiplicity of users, into a first cluster wherein all members of said first cluster have at least partially identical user/resource access permissions to computer resources included in one of said at least two portions.
  - 10. The computer product according to claim 9 and wherein said computer resource dividing functionality comprises:
    - fraction calculating functionality for calculating, for each user of said multiplicity of users, a fraction of said computer resources to which said user has access permissions, and to compare said fraction to a threshold value;
      
      user denoting functionality for denoting each user, for whom said fraction is smaller than said threshold value, as a degenerate security group; and
      
      portion defining functionality for defining a first portion of said computer resources to be the union of all computer resources which include access permissions for any degenerate security group.
  - 11. The computer product according to claim 7 and wherein said computer resources are arranged in a computer resource hierarchy.
  - 12. The computer product according to claim 11 and wherein said computer resource clustering functionality comprises:
    - resource/user access permissions retrieval functionality for retrieving, for each resource in said computer resource hierarchy, the resource/user access permissions of said resource and the resource/user access permissions of an immediate ancestor of said resource in said computer resource hierarchy; and
      
      resource/user access permissions comparison functionality, for comparing said resource/user access permissions of said resource to said resource/user access permissions of said immediate ancestor, and if said resource/user access permissions of said immediate ancestor are identical to said resource/user access permissions of said given resource, to cluster said resource and said immediate ancestor in said a common resource cluster.
  - 13. The computer product according to claim 12 and wherein said resource/user access permissions comparison functionality provides a pointer from said resource to said immediate ancestor and extends pointers which point to said resource to point to said immediate ancestor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Varonis Systems, Inc.
Original Assignee
Varonis Systems, Inc.
Inventors
Faitelson, Yakov, Korkus, Ohad, Keysar, Yzhar
Primary Examiner(s)
Le, David

Application Number

US12/498,675
Publication Number

US 20110010758A1
Time in Patent Office

2,856 Days
Field of Search

713201
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/468   Specific access rights for ...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 9/32   including means for verifyi...

Method and apparatus for ascertaining data access permission of groups of users to groups of data elements

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

91 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for ascertaining data access permission of groups of users to groups of data elements

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others