Method and apparatus for ascertaining data access permission of groups of users to groups of data elements
First Claim
1. In an enterprise computer system including multiple servers and multiple storage units, a method for ascertaining access permissions of users to computer resources on at least one storage unit of said multiple storage units, the method comprising employing a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by at least one of said multiple servers, cause said at least one of said multiple servers to:
periodically, at regular intervals of time, cluster users having at least partially identical user/resource access permissions to said computer resources, into a multiplicity of user clusters;
periodically, at regular intervals of time, cluster said computer resources having at least partially identical resource/user access permissions thereto into a multiplicity of resource clusters which are independent of said user clusters;
in response to a query received via one of said multiple servers as to whether a multiplicity of users have access permissions to a multiplicity of resources:
ascertain whether a first user of said multiplicity of users has user/resource access permissions to a first resource of said multiplicity of resources;
ascertain whether said first user is a member of a first user cluster;
ascertain whether second users of said multiplicity of users are members of said first user cluster;
ascertain whether said first resource is a member of a first resource cluster;
ascertain whether second resources of said multiplicity of resources are members of said first resource cluster; and
if:
said first user has user/resource access permissions to said first resource of said multiplicity of resources; and
said first user is a member of said first user cluster; and
said second users are members of said first user cluster; and
said first resource is a member of said first resource cluster; and
said second resources are members of said first resource cluster, then:
respond to said query by stating that said first and second users have said user/resource access permissions to said first and second resources;
without checking if said first user has user/resource access permissions to said second resources; and
without checking if said second users have user/resource access permissions to said second resources.
Abstract
A method for ascertaining access permissions of users to computer resources on a storage unit, the method including grouping users into a plurality of user groups wherein all members of at least one of the user groups have at least nearly identical user/resource access permissions to the computer resources, grouping resources into a plurality of resource groups wherein all members of at least one of the resource groups have at least nearly identical resource/user access permissions, ascertaining whether a given user is a member of a user group, if the given user is a member of a user group, ascribing to the given user the user/resource access permissions of the user group, ascertaining whether a given resource is a member of a resource group, and if the given resource is a member of a resource group, ascribing to the given resource the resource/user access permissions of the resource group.
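The clustering shortcut the abstract describes, as an added Python example (it is not the patent's own code; the sample ACL, the user and file names, and the fallback to a pair-by-pair check when the shortcut does not apply are my assumptions): users are grouped by identical permission sets, resources by identical sets of permitted users, and a bulk query is answered from cluster membership alone. Because the claims allow clusters of "at least partially identical" permissions and answer the query "without checking" the remaining user/resource pairs, the example also includes a hypothetical coarser user key and an audit routine that reports the over-grants such a clustering produces; with exact clustering the audit comes back empty, which is the property a practitioner would want to verify before trusting the shortcut.

```python
from collections import defaultdict
from typing import Callable, Dict, FrozenSet, Hashable, List, Sequence, Set, Tuple

# Constructed sample ACL (not taken from the patent): user -> resources that user may read.
ACL: Dict[str, Set[str]] = {
    "alice": {"/finance/q1.xlsx", "/finance/q2.xlsx", "/hr/policy.pdf"},
    "bob":   {"/finance/q1.xlsx", "/finance/q2.xlsx", "/hr/policy.pdf"},
    "carol": {"/finance/q1.xlsx", "/finance/q2.xlsx"},
    "dave":  {"/eng/design.md"},
    "erin":  {"/finance/budget.xlsx", "/hr/handbook.pdf"},
}

KeyFn = Callable[[FrozenSet[str]], Hashable]


def exact_key(perms: FrozenSet[str]) -> Hashable:
    """Cluster only permission sets that are identical (the sound choice)."""
    return perms


def top_dir_key(perms: FrozenSet[str]) -> Hashable:
    """Hypothetical 'partially identical' notion: cluster by top-level directory only.
    Used here only to show how a loose clustering makes the shortcut over-grant."""
    return frozenset(p.split("/")[1] for p in perms)


class PermissionIndex:
    def __init__(self, acl: Dict[str, Set[str]], user_key: KeyFn = exact_key) -> None:
        self.acl = {u: frozenset(r) for u, r in acl.items()}
        self.user_key = user_key
        self.refresh()

    def refresh(self) -> None:
        """Rebuild both clusterings; the claims run this at regular intervals."""
        # user -> cluster of users whose permission sets agree under user_key
        buckets: Dict[Hashable, Set[str]] = defaultdict(set)
        for user, perms in self.acl.items():
            buckets[self.user_key(perms)].add(user)
        self.user_cluster: Dict[str, FrozenSet[str]] = {
            u: frozenset(members) for members in buckets.values() for u in members}
        # resource -> cluster of resources with exactly the same set of permitted users
        users_of: Dict[str, Set[str]] = defaultdict(set)
        for user, perms in self.acl.items():
            for res in perms:
                users_of[res].add(user)
        rbuckets: Dict[FrozenSet[str], Set[str]] = defaultdict(set)
        for res, users in users_of.items():
            rbuckets[frozenset(users)].add(res)
        self.resource_cluster: Dict[str, FrozenSet[str]] = {
            r: frozenset(members) for members in rbuckets.values() for r in members}

    def has_direct(self, user: str, resource: str) -> bool:
        return resource in self.acl.get(user, frozenset())

    def check_exhaustive(self, users: Sequence[str], resources: Sequence[str]) -> bool:
        """Ground truth: every listed user has every listed resource."""
        return all(self.has_direct(u, r) for u in users for r in resources)

    def query(self, users: Sequence[str], resources: Sequence[str]) -> Tuple[bool, str]:
        """Answer 'do all these users have all these resources?' as the claims describe."""
        first_user, first_res = users[0], resources[0]
        same_user_cluster = all(u in self.user_cluster.get(first_user, ()) for u in users[1:])
        same_res_cluster = all(r in self.resource_cluster.get(first_res, ()) for r in resources[1:])
        if self.has_direct(first_user, first_res) and same_user_cluster and same_res_cluster:
            # Claimed shortcut: answer without checking the remaining pairs.
            return True, "cluster-shortcut"
        # Fallback is my assumption (the claims do not state one): check each pair.
        return self.check_exhaustive(users, resources), "exhaustive"

    def audit_shortcut(self) -> List[Tuple[str, str]]:
        """(user, resource) pairs the shortcut could assert for some query but the ACL denies."""
        bad = set()
        for uc in set(self.user_cluster.values()):
            for rc in set(self.resource_cluster.values()):
                if any(self.has_direct(u, r) for u in uc for r in rc):
                    bad.update((u, r) for u in uc for r in rc if not self.has_direct(u, r))
        return sorted(bad)


if __name__ == "__main__":
    exact = PermissionIndex(ACL)
    print(exact.query(["alice", "bob"], ["/finance/q1.xlsx", "/finance/q2.xlsx"]))
    print("over-grants with exact clustering:", exact.audit_shortcut())
    coarse = PermissionIndex(ACL, user_key=top_dir_key)
    print("over-grants with coarse clustering:", coarse.audit_shortcut())
```

With the exact key, the audit proves the shortcut sound for this ACL: a user cluster shares one permission set and a resource cluster shares one user set, so a single direct hit implies every pair. Re-running `refresh()` after each ACL change is what keeps that argument valid; the coarse key shows how quickly the "without checking" answer turns into granted access the ACL never contained.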
91 Citations
13 Claims
1. As set out under First Claim above.
Dependent claims: 2, 3, 4, 5, 6
7. A computer product for controlling data access by users of an enterprise computer system including multiple servers and multiple storage units, the computer product including a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by at least one of said multiple servers, cause said at least one of said multiple servers to ascertain access permissions of users to computer resources on at least one storage unit of said multiple storage units, the product comprising:
user clustering functionality for periodically, at regular intervals of time, clustering users having at least partially identical user/resource access permissions to said computer resources on said at least one storage unit of said multiple storage units, into a multiplicity of user clusters;
computer resource clustering functionality for periodically, at regular intervals of time, clustering said computer resources having at least partially identical resource/user access permissions thereto into a multiplicity of resource clusters which are independent of said user clusters;
user access permissions ascribing functionality, in response to a query as to whether a multiplicity of users have access permissions to a multiplicity of resources, operative to:
ascertain whether a first user of said multiplicity of users has user/resource access permissions to a first resource of said multiplicity of resources;
ascertain whether said first user is a member of a first user cluster;
ascertain whether second users of said multiplicity of users are members of said first user cluster;
ascertain whether said first resource is a member of a first resource cluster;
ascertain whether second resources of said multiplicity of resources are members of said first resource cluster; and
if:
said first user has user/resource access permissions to said first resource of said multiplicity of resources; and
said first user is a member of said first user cluster; and
said second users are members of said first user cluster; and
said first resource is a member of said first resource cluster; and
said second resources are members of said first resource cluster, then:
respond to said query by stating that said first and second users have said user/resource access permissions to said first and second resources;
without checking if said first user has user/resource access permissions to said second resources; and
without checking if said second users have user/resource access permissions to said second resources.
Dependent claims: 8, 9, 10, 11, 12, 13
Specification