Patent Grant
9870480
The present invention relates to data management systems and methodologies generally and more particularly to data access permission management systems and methodologies.
The following patent publications are believed to represent the current state of the art:
U.S. Pat. Nos. 5,465,387; 5,899,991; 6,338,082; 6,393,468; 6,928,439; 7,031,984; 7,068,592; 7,403,925; 7,421,740; 7,555,482 and 7,606,801; and
U.S. Published Patent Application Nos.: 2003/0051026; 2004/0249847; 2005/0108206; 2005/0203881; 2005/0120054; 2005/0086529; 2006/0064313; 2006/0184530; 2006/0184459 and 2007/0203872.
The present invention seeks to provide improved data access permission management systems and methodologies. There is thus provided in accordance with a preferred embodiment of the present invention an enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, the system including a learned access permissions subsystem operative to learn the current access permissions of users in the enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects, a learned actual access subsystem operative to learn the actual access history of the users in the enterprise to the network objects and to provide an indication of which users have had actual access to which network objects, and a computer security policy administration subsystem, receiving the indications from the learned access permission subsystem and the learned actual access subsystem and being operative to automatically replace pre-selected user-security group-based access permissions with at least partially actual access based access permissions without disrupting user access to the network objects.
In accordance with a preferred embodiment of the present invention, the computer security policy administration subsystem includes replacement initiation functionality which automatically initiates automatic replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions based on a schedule predetermined by a human administrator.
Preferably, the system also includes a pre-replacement notification and authorization subsystem automatically operative prior to execution of the replacement to notify predetermined stakeholders in predetermined ones of the network objects of changes in access permissions expected to take place as the result of the replacement, to request their authorization and in the absence of the authorization to prevent execution of the replacement in respect of at least some of the network objects and at least some of the users for which authorization was not received. Preferably, the user security group is MICROSOFT® EVERYONE GROUP.
Additionally, the computer security policy administration subsystem is operative to automatically replace pre-selected user-security group-based access permissions with access permissions partially based on actual access and partially based on pre-existing access permissions which are not the pre-selected user-security group-based access permissions. Alternatively, the computer security policy administration subsystem is operative to automatically replace pre-selected user-security group-based access permissions with access permissions at least partially based on actual access and at least partially based on similarity of actual access profiles of users to users having had actual access. Alternatively, the computer security policy administration subsystem is operative to automatically replace pre-selected user-security group-based access permissions with access permissions based on pre-existing access permissions which are not the pre-selected user-security group-based access permissions.
Preferably, the computer security policy administration subsystem includes simulation initiation functionality which automatically initiates simulation of replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions based on a schedule predetermined by a human administrator.
There is also provided in accordance with another preferred embodiment of the present invention an enterprise system for simulating replacement of a user security group-based computer security policy by a computer security policy, the system including a learned access permission subsystem operative to learn the current access permissions of users in the enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects, a learned actual access subsystem operative to learn the actual access history of the users in the enterprise to the network objects and to provide an indication of which users have had actual access to which network objects, and a computer security policy simulation subsystem, receiving the indications from the learned access permission subsystem and the learned actual access subsystems and being operative to automatically simulate replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions without disrupting user access to the network objects.
In accordance with a preferred embodiment of the present invention, the system also includes a pre-replacement notification and authorization subsystem automatically operative to notify predetermined stakeholders in predetermined ones of the network objects of changes in access permissions expected to take place as the result of the replacement, to request their authorization. Preferably, the user security group is the MICROSOFT® EVERYONE GROUP.
There is further provided in accordance with yet another preferred embodiment of the present invention a method for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, the method including learning the current access permissions of users in the enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects, learning the actual access history of the users in the enterprise to the network objects and to provide an indication of which users have had actual access to which network objects, and receiving the indications and automatically replacing pre-selected user-security group-based access permissions with at least partially actual access based access permissions without disrupting user access to the network objects.
In accordance with a preferred embodiment of the present invention, the method includes automatically initiating automatic replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions based on a schedule predetermined by a human administrator.
Preferably, the method also includes prior to execution of the replacement to notify predetermined stakeholders in predetermined ones of the network objects of changes in access permissions expected to take place as the result of the replacement, to request their authorization and in the absence of the authorization to prevent execution of the replacement in respect of at least some of the network objects and at least some of the users for which authorization was not received. Preferably, the user security group is MICROSOFT® EVERYONE GROUP.
Additionally, the method includes automatically replacing pre-selected user-security group-based access permissions with access permissions partially based on actual access and partially based on pre-existing access permissions which are not the pre-selected user-security group-based access permissions. Alternatively, the method includes automatically replacing pre-selected user-security group-based access permissions with access permissions at least partially based on actual access and at least partially based on similarity of actual access profiles of users to users having had actual access. Alternatively, the method includes automatically replacing pre-selected user-security group-based access permissions with access permissions based on pre-existing access permissions which are not the pre-selected user-security group-based access permissions.
Preferably, the method includes automatically initiating simulation of replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions based on a schedule predetermined by a human administrator.
There is yet further provided in accordance with still another preferred embodiment of the present invention a method for simulating replacement of a user security group-based computer security policy by a computer security policy, the method including learning the current access permissions of users in the enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects, learning the actual access history of the users in the enterprise to the network objects and to provide an indication of which users have had actual access to which network objects, and receiving the indications and automatically simulating replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions without disrupting user access to the network objects.
In accordance with a preferred embodiment of the present invention, the method also includes notifying predetermined stakeholders in predetermined ones of the network objects of changes in access permissions expected to take place as the result of the replacement, to request their authorization. Preferably, the user security group is the MICROSOFT® EVERYONE GROUP.
The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:
Reference is now made to
As seen generally in
a learned access permissions subsystem 110 operative to learn the current access permissions of users in the enterprise to network objects residing in the enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;
a learned actual access subsystem 112 operative to learn the actual access history of the users in the enterprise to the network objects and to provide an indication of which users have had actual access to which network objects; and
a computer security policy administration subsystem 114, receiving the indications from the learned access permission subsystem 110 and the learned actual access subsystem 112 and being operative to automatically replace pre-selected user-security group-based access permissions with at least partially actual access based access permissions without disrupting user access to the network objects.
The term “network object” for the purposes of this application is defined to include user generated enterprise computer network resources on any commercially available computer operating system. Examples of network objects include structured and unstructured computer data resources such as files and folders, and user groups.
Turning now to
As shown in
As seen in
Alternatively, as seen in
Reference is now made to
As shown in
It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the present invention includes both combinations and subcombinations of the various features described hereinabove as well as modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not in the prior art.
Reference is made to U.S. Provisional Patent Application Ser. No. 61/348,806, filed May 27, 2010 and entitled “AUTOMATING ENFORCEMENT OF IT WORKFLOWS”, the disclosure of which is hereby incorporated by reference and priority of which is hereby claimed pursuant to 37 CFR 1.78(a) (4) and (5)(i). Reference is also made to the following patents and patent applications, owned by assignee, the disclosures of which are hereby incorporated by reference: U.S. Pat. Nos. 7,555,482 and 7,606,801; and U.S. Published Patent Application Nos. 2007/0244899, 2008/0271157, 2009/0100058, 2009/0119298 and 2009/0265780.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5465387 | Mukherjee | Nov 1995 | A |
| 5889952 | Hunnicutt et al. | Mar 1999 | A |
| 5899991 | Karch | May 1999 | A |
| 6308173 | Glasser et al. | Oct 2001 | B1 |
| 6338082 | Schneider | Jan 2002 | B1 |
| 6393468 | McGee | May 2002 | B1 |
| 6772350 | Belani et al. | Aug 2004 | B1 |
| 6928439 | Satoh | Aug 2005 | B2 |
| 7017183 | Frey et al. | Mar 2006 | B1 |
| 7031984 | Kawamura et al. | Apr 2006 | B2 |
| 7068592 | Duvaut et al. | Jun 2006 | B1 |
| 7403925 | Schlesinger et al. | Jul 2008 | B2 |
| 7421740 | Fey et al. | Sep 2008 | B2 |
| 7555482 | Korkus | Jun 2009 | B2 |
| 7568230 | Lieberman et al. | Jul 2009 | B2 |
| 7606801 | Faitelson et al. | Oct 2009 | B2 |
| 7716240 | Lim | May 2010 | B2 |
| 8621610 | Oberheide et al. | Dec 2013 | B2 |
| 8639724 | Sorenson et al. | Jan 2014 | B1 |
| 20020026592 | Gavrila et al. | Feb 2002 | A1 |
| 20030051026 | Carter et al. | Mar 2003 | A1 |
| 20040186809 | Schlesinger et al. | Sep 2004 | A1 |
| 20040249847 | Wang et al. | Dec 2004 | A1 |
| 20040254919 | Giuseppini | Dec 2004 | A1 |
| 20050086529 | Buchsbaum | Apr 2005 | A1 |
| 20050108206 | Lam et al. | May 2005 | A1 |
| 20050120054 | Shulman et al. | Jun 2005 | A1 |
| 20050203881 | Sakamoto et al. | Sep 2005 | A1 |
| 20050246762 | Girouard et al. | Nov 2005 | A1 |
| 20050278334 | Fey et al. | Dec 2005 | A1 |
| 20050278785 | Lieberman | Dec 2005 | A1 |
| 20060064313 | Steinbarth et al. | Mar 2006 | A1 |
| 20060075503 | Bunker et al. | Apr 2006 | A1 |
| 20060090208 | Smith | Apr 2006 | A1 |
| 20060184459 | Parida | Aug 2006 | A1 |
| 20060184530 | Song et al. | Aug 2006 | A1 |
| 20060277184 | Faitelson et al. | Dec 2006 | A1 |
| 20060288050 | Wilson | Dec 2006 | A1 |
| 20070073698 | Kanayama et al. | Mar 2007 | A1 |
| 20070094265 | Korkus | Apr 2007 | A1 |
| 20070101387 | Hua et al. | May 2007 | A1 |
| 20070112743 | Giampaolo et al. | May 2007 | A1 |
| 20070156659 | Lim | Jul 2007 | A1 |
| 20070156693 | Soin et al. | Jul 2007 | A1 |
| 20070203872 | Flinn et al. | Aug 2007 | A1 |
| 20070244899 | Faitelson et al. | Oct 2007 | A1 |
| 20070261121 | Jacobson | Nov 2007 | A1 |
| 20070266006 | Buss | Nov 2007 | A1 |
| 20070282855 | Chen et al. | Dec 2007 | A1 |
| 20080031447 | Geshwind et al. | Feb 2008 | A1 |
| 20080034402 | Botz et al. | Feb 2008 | A1 |
| 20080172720 | Botz et al. | Jul 2008 | A1 |
| 20080271157 | Faitelson et al. | Oct 2008 | A1 |
| 20090100058 | Faitelson et al. | Apr 2009 | A1 |
| 20090119298 | Faitelson et al. | May 2009 | A1 |
| 20090150981 | Amies et al. | Jun 2009 | A1 |
| 20090193015 | Jang | Jul 2009 | A1 |
| 20090265780 | Korkus et al. | Oct 2009 | A1 |
| 20090320088 | Gill et al. | Dec 2009 | A1 |
| 20100023491 | Huang et al. | Jan 2010 | A1 |
| 20100070881 | Hanson et al. | Mar 2010 | A1 |
| Number | Date | Country |
|---|---|---|
| 158889 | Mar 2005 | CN |
| Entry |
|---|
| An International Search Report and a Written Opinion both dated Jun. 13, 2011 which issued during the prosecution of Applicant's PCT/IL11/00076. |
| USPTO OA dated Oct. 31, 2008 in connection with U.S. Appl. No. 11/635,736. |
| USPTO OA dated Aug. 1, 2008 in connection with U.S. Appl. No. 11/258,256. |
| USPTO OA dated Feb. 12, 2008 in connection with U.S. Appl. No. 11/258,256. |
| USPTO OA dated Dec. 14, 2010 in connection with U.S. Appl. No. 11/786,522. |
| USPTO OA dated Dec. 14, 2010 in connection with U.S. Appl. No. 11/789,884. |
| USPTO OA dated Jul. 9, 2010 in connection with U.S. Appl. No. 11/789,884. |
| International Search Report and a Written Opinion both dated May 20, 2010 issued during of PCT/IL10/00069. |
| Genunix; “Writing Filesystems-VFS and Vnode interfaces”, 5 pages, Oct. 2007. |
| S.R. Kleiman; “Vnodes: An Architecture for Multiple File System Types in Sun UNIX”, USENIX Association: Summer Conference Proceedings, Atlanta 1986, pp. 1-10. |
| Findutils—GNU Project—Free Software Foundation (FSF), 3 pages, Nov. 2006, 3 pages. |
| Sahadeb De, et al; “Secure Access Control in a Multi-user Geodatabase”, available on the Internet at the URL http://www10.giscafe.com.2005. |
| Sara C. Madeira, et al; “Biclustering Algorithms for Biological Data Analysis; A Survey”, Mar. 2004; http://www.cs.princeton.edu/courses/archive/spr05/cos598E/bib/bicluster.pdf. |
| Sara C. Madeira; “Clustering, Fuzzy Clustering and Biclustering: An Overview”, pp. 31-53, Jun. 27, 2003. |
| USPTO NFOA dated Sep. 14, 2012 in connection with U.S. Appl. No. 12/861,967. |
| International Search Report and Written Opinion both dated Apr. 13, 2012 which issued during the prosecution of Applicant's PCT/IL11/00902. |
| An International Preliminary Report on Patentability dated Jul. 30, 2013, which issued during the prosecution of Applicant's PCT/IL2011/000902. |
| An Office Action dated Mar. 25, 2015, which issued during the prosecution of U.S. Appl. No. 13/384,452. |
| “It is the best to use everyone group when setting administrator security authority”, Computer and Network, vol. 2010, No. 2, p. 41, Feb. 2010. |
| Notification of The First Chinese Office Action dated Apr. 22, 2015; Appln. No. 2011800362789. |
| U.S. Appl. No. 61/240,726, filed Sep. 9, 2009. |
| U.S. Appl. No. 61/348,806, filed May 27, 2010. |
| U.S. Appl. No. 12/673,691, filed Jan. 27, 2010. |
| Number | Date | Country | |
|---|---|---|---|
| 20110296490 A1 | Dec 2011 | US |
| Number | Date | Country | |
|---|---|---|---|
| 61348806 | May 2010 | US |
