Visualization of access permission status
Abstract
Queries regarding access permissions of users and rights to directories in a complex enterprise are executed in near real-time, using lookups to tables that form a condensed database maintained for each file server. User information is condensed by arranging users in user groups having common data access rights. Directory permissions storage is condensed by showing only distinctive permissions to a directory in a table entry, and referencing inherited permissions of parent directories. The tables indicate recursive and ancestral relationships among the user groups and directories. They are developed and updated in advance of any queries. A consolidated view of the query results is presented on a single display screen. Using the tables, results can be obtained without exhaustive searches of large file system tables.
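The following is an added illustration of the two condensed tables the abstract describes; it is not code from the patent or from any product, and the groups, users, directories and rights in it are constructed sample data. A user table stores, for each group, its direct members plus the identifiers of all ancestral groups; a permissions table stores only the explicit (non-inherited) access control entries of a directory plus an inheritance pointer to the nearest ancestor whose profile also applies. Both are built in advance, so a query such as "which groups give bob write access under /finance/2023/q4" is a few dictionary lookups and one short walk along inheritance pointers.

```python
"""Condensed lookup tables for access-permission queries, in the style of the
abstract above. Both tables are built in advance; each query is then a handful
of dictionary lookups instead of a walk over the file system."""
from __future__ import annotations
from dataclasses import dataclass, field

# --- constructed sample data (a hypothetical enterprise, not from the patent) ---
# Direct memberships: group -> its direct members (user names or other groups).
DIRECT_MEMBERS: dict[str, set[str]] = {
    "Everyone":    {"Staff", "Contractors"},
    "Staff":       {"Finance", "Engineering"},
    "Finance":     {"alice", "bob"},
    "Engineering": {"carol"},
    "Contractors": {"dave"},
    "Auditors":    {"bob"},
}
# Directory hierarchy: child -> parent (None for the root).
PARENT: dict[str, str | None] = {
    "/": None, "/finance": "/", "/finance/2023": "/finance",
    "/finance/2023/q4": "/finance/2023", "/eng": "/", "/eng/src": "/eng",
}
# Non-inherited (explicit) ACEs only: directory -> {group: rights}.
# Directories not listed here carry the same profile as their parent.
DISTINCTIVE_ACLS: dict[str, dict[str, set[str]]] = {
    "/":        {"Everyone": {"read"}},
    "/finance": {"Finance": {"read", "write"}, "Auditors": {"read"}},
    "/eng":     {"Engineering": {"read", "write"}},
}


@dataclass
class GroupEntry:
    members: set[str]                                 # direct members
    ancestors: set[str] = field(default_factory=set)  # ids of all ancestral groups


@dataclass
class PermEntry:
    acl: dict[str, set[str]]    # explicit ACEs only; empty when fully inherited
    inherits_from: str | None   # nearest ancestor whose profile also applies


def build_user_db(direct: dict[str, set[str]]) -> dict[str, GroupEntry]:
    """Precompute, for every group, the identifiers of its ancestral groups."""
    parents: dict[str, set[str]] = {g: set() for g in direct}
    for g, members in direct.items():
        for m in members:
            if m in direct:          # the member is itself a group
                parents[m].add(g)
    db = {g: GroupEntry(members=set(m)) for g, m in direct.items()}
    for g in db:
        seen, stack = set(), list(parents[g])
        while stack:                 # transitive closure; 'seen' guards cyclic nesting
            p = stack.pop()
            if p not in seen:
                seen.add(p)
                stack.extend(parents[p])
        db[g].ancestors = seen
    return db


def build_perm_db(parent: dict[str, str | None],
                  distinctive: dict[str, dict[str, set[str]]]) -> dict[str, PermEntry]:
    """Store explicit ACEs once and point every directory at the nearest ancestor
    with a distinctive profile (the inheritance indicator)."""
    def nearest_distinctive_ancestor(d: str) -> str | None:
        p = parent[d]
        while p is not None and p not in distinctive:
            p = parent[p]
        return p
    return {d: PermEntry(acl={g: set(r) for g, r in distinctive.get(d, {}).items()},
                         inherits_from=nearest_distinctive_ancestor(d))
            for d in parent}


USER_DB = build_user_db(DIRECT_MEMBERS)
PERM_DB = build_perm_db(PARENT, DISTINCTIVE_ACLS)


def groups_offering_access(user_db: dict[str, GroupEntry], user: str) -> set[str]:
    """User-oriented set: every group whose rights reach this user."""
    direct = {g for g, e in user_db.items() if user in e.members}
    return direct.union(*(user_db[g].ancestors for g in direct))


def effective_acl(perm_db: dict[str, PermEntry], directory: str) -> dict[str, set[str]]:
    """Storage-element-oriented view: merge explicit ACEs along inheritance links.
    The number of hops is the number of distinctive ancestors, not the path depth."""
    merged: dict[str, set[str]] = {}
    node: str | None = directory
    while node is not None:
        entry = perm_db[node]
        for g, rights in entry.acl.items():
            merged.setdefault(g, set()).update(rights)
        node = entry.inherits_from
    return merged


def groups_with_access(perm_db: dict[str, PermEntry], directory: str, right: str) -> set[str]:
    return {g for g, r in effective_acl(perm_db, directory).items() if right in r}


def report(user: str, directory: str, right: str) -> dict:
    """The consolidated view: both sets, plus the groups that actually grant the right."""
    user_set = groups_offering_access(USER_DB, user)
    dir_set = groups_with_access(PERM_DB, directory, right)
    return {"user_groups": user_set, "directory_groups": dir_set,
            "granting_groups": user_set & dir_set, "allowed": bool(user_set & dir_set)}


if __name__ == "__main__":
    print(report("bob", "/finance/2023/q4", "write"))   # granted via Finance
    print(report("dave", "/finance/2023/q4", "write"))  # no granting group
```

Two details are worth noting. Only three of the six directories carry an ACL entry, and resolving `/finance/2023/q4` takes two pointer hops rather than a walk over its three path components; that is the storage and query saving the abstract claims. The `seen` set in `build_user_db` is not decorative: circular group nesting does occur in real directories, and a closure computation without it never terminates.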
12 Claims
1. A method for displaying data access privilege status for data in an enterprise, comprising:
defining user groups offering common rights of access to a plurality of file servers, said user groups comprising ancestral user groups having members that are other user groups, and participant members of said other user groups having access rights that derive from said user groups and respective ancestral user groups thereof, said file servers being organized as a hierarchy of storage elements having ancestors;
maintaining a user database of said user groups and said members, entries in said user database comprising identifiers of respective said ancestral user groups;
maintaining a storage element permissions database containing only non-inherited access permissions for distinctive storage elements, and an inheritance indicator employing identical permission profiles, that identifies other said distinctive storage elements that are ancestral thereto in said hierarchy thereby to reduce data storage requirements;
consulting said user database to determine a user-oriented set of user groups offering respective said common rights of access to selected ones of said participant members;
consulting said storage element permissions database to determine a storage element-oriented set of said user groups that provide said common rights of access to selected ones of said storage elements; and
reporting members of said storage element-oriented set and said user-oriented set.
(Dependent claims: 2, 3, 4)
5. A computer product for displaying data access privilege status for data in an enterprise, including a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to define user groups possessing common rights of access to a plurality of file servers, said user groups comprising ancestral user groups having members that are other user groups, and participant members of said other user groups having access rights that derive from said user groups and respective ancestral user groups thereof, said file servers being organized as a hierarchy of storage elements having ancestors, maintain a user database of said user groups and said members, entries in said user database comprising identifiers of respective said ancestral user groups, maintain a storage element permissions database containing only non-inherited access permissions for distinctive storage elements and an inheritance indicator employing identical permission profiles, that identifies other said distinctive storage elements that are ancestral thereto in said hierarchy thereby to reduce data storage requirements, consult said user database to determine a user-oriented set of user groups offering respective said common rights of access to selected ones of said participant members, consult said storage element permissions database to determine a storage element-oriented set of said user groups that provide said common rights of access to selected ones of said storage elements, respectively, and report members of said storage element-oriented set and said user-oriented set.
9. A data processing system for displaying data access privilege status for data in an enterprise, comprising:
a processor linked to a plurality of file servers, said file servers being organized as a hierarchy of storage elements having ancestors;
a display; and
a memory accessible by said processor, wherein said processor is operative to define user groups possessing common rights of access to said file servers, said user groups comprising ancestral user groups having members that are other user groups, and participant members of said other user groups having access rights that derive from said user groups and respective ancestral user groups thereof, to maintain a user database of said user groups and said members, entries in said user database comprising identifiers of respective said ancestral user groups and to maintain a storage element permissions database containing only non-inherited access permissions for distinctive storage elements and an inheritance indicator employing identical permission profiles, that identifies other said distinctive storage elements that are ancestral thereto in said hierarchy thereby to reduce data storage requirements, to consult said user database to determine a user-oriented set of user groups offering respective said common rights of access to selected ones of said participant members and consult said storage element permissions database to determine a storage element-oriented set of said user groups that provide said common rights of access to selected ones of said storage elements, and to report members of said storage element-oriented set and said user-oriented set.
(Dependent claims: 10, 11, 12)