CN106650508A - Method and device for determining data access permission of user group for data element group - Google Patents


Info

Publication number
CN106650508A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611141689.5A
Other languages
Chinese (zh)
Inventor
雅科夫·费特尔松
欧哈德·科库
伊札·凯撒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Varonis Systems Inc
Original Assignee
Varonis Systems Inc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/104 Grouping of entities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F 21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a method for determining the access permissions of users to the computer resources of a storage unit. The method comprises the following steps: grouping the users into a plurality of user groups, wherein all members of at least one user group have at least nearly identical user/resource access permissions to the computer resources; grouping the resources into a plurality of resource groups, wherein all parts of at least one resource group have at least nearly identical resource/user access permissions; determining whether a given user is a member of one of the user groups and, if so, attributing the user/resource access permissions of that user group to the given user; and determining whether a given resource is part of one of the resource groups and, if so, attributing the resource/user access permissions of that resource group to the given resource.

Description

Method and device for determining the data access permissions of user groups for groups of data elements
Technical field
The present invention relates to the field of data security, and more particularly to the security of data in large organizations having a large number of resources and users.
Background technology
The following United States patents are considered to represent the current state of the art: U.S. Patent Nos. 6772350, 6308173 and 5889952.
Summary of the invention
It is an object of the invention to provide a method and system for determining the access permissions of users to computer resources in a large organization having a large number of resources and users.
Therefore, according to a preferred embodiment of the present invention, there is provided a method for determining the access permissions of a first plurality of users to a second plurality of computer resources in at least one storage unit, the method comprising:
grouping the users of the first plurality of users into a first plurality of groups, wherein all members of at least one group of the first plurality of groups have at least nearly identical user/resource access permissions to the second plurality of computer resources of the at least one storage unit;
grouping the resources of the second plurality of computer resources into a second plurality of groups, wherein all parts of at least one group of the second plurality of groups have at least nearly identical resource/user access permissions;
determining whether a given user is a member of one of the first plurality of groups;
if the given user is a member of one of the first plurality of groups, attributing the user/resource access permissions of that group to the given user;
determining whether a given resource is part of one of the second plurality of groups; and
if the given resource is part of one of the second plurality of groups, attributing the resource/user access permissions of that group to the given resource.
According to a preferred embodiment of the present invention, the step of grouping users comprises identifying a set of user security groups, each of which has access permissions to at least one of the second plurality of computer resources of the at least one storage unit; identifying, for each user of the first plurality of users, the subset of the user security groups in which the user is a member; and, if a first subset of the user security groups, in which a first user of the first plurality of users is a member, is identical to a second subset of the user security groups, in which a second user of the first plurality of users is a member, grouping the first user and the second user into a single group of the first plurality of groups with respect to the at least one storage unit.
According to a preferred embodiment of the present invention, the step of grouping users comprises partitioning the second plurality of computer resources into at least two parts, and grouping the users of the first plurality of users into the first plurality of groups, wherein all members of one of the first plurality of groups have at least nearly identical user/resource access permissions to the computer resources included in one of the at least two parts.
According to another preferred embodiment of the invention, the partitioning step comprises computing, for each user of the first plurality of users, the fraction of the second plurality of computer resources to which the user has access permissions, and comparing that fraction with a threshold; representing each user whose fraction is below the threshold by a degraded security group; and defining a first part of the second plurality of computer resources as the set of all computer resources whose access permissions include any of the degraded security groups.
According to another preferred embodiment of the invention, the computer resources of the second plurality of computer resources are arranged in a computer resource hierarchy. Preferably, the step of grouping resources comprises, for each resource in the computer resource hierarchy, retrieving the resource/user access permissions of the resource and the resource/user access permissions of an immediate ancestor of the resource in the computer resource hierarchy; and, if the resource/user access permissions of the immediate ancestor are identical to those of the resource, grouping the resource and the immediate ancestor into a single group of the second plurality of groups. Additionally or alternatively, the step of grouping resources comprises providing a pointer from the resource to the immediate ancestor, and extending the pointers that point to the resource so that they point to the immediate ancestor.
According to another preferred embodiment of the invention, there is also provided a method for determining the access permissions of a first plurality of users to a second plurality of computer resources of at least one storage unit, the method comprising: grouping the users of the first plurality of users into a first plurality of groups, wherein all members of at least one group of the first plurality of groups have at least nearly identical user/resource access permissions to the second plurality of computer resources of the at least one storage unit; determining whether a given user is a member of one of the first plurality of groups; and, if the given user is a member of one of the first plurality of groups, attributing the user/resource access permissions of that group to the given user.
According to another preferred embodiment of the invention, the step of grouping users comprises: identifying a set of user security groups, each of which has access permissions to at least one of the second plurality of computer resources of the at least one storage unit; identifying, for each user of the first plurality of users, the subset of the user security groups in which the user is a member; and, if a first subset of the user security groups, in which a first user of the first plurality of users is a member, is identical to a second subset of the user security groups, in which a second user of the first plurality of users is a member, grouping the first user and the second user into a single group of the first plurality of groups with respect to the at least one storage unit.
According to another preferred embodiment of the invention, the step of grouping users comprises partitioning the second plurality of computer resources into at least two parts, and grouping the users of the first plurality of users into the first plurality of groups, wherein all members of one of the first plurality of groups have at least nearly identical user/resource access permissions to the computer resources included in one of the at least two parts. Preferably, the partitioning step comprises: computing, for each user of the first plurality of users, the fraction of the second plurality of computer resources to which the user has access permissions, and comparing that fraction with a threshold; representing each user whose fraction is below the threshold by a degraded security group; and defining a first part of the second plurality of computer resources as the set of all computer resources whose access permissions include any of the degraded security groups.
According to another preferred embodiment of the invention, there is also provided a method for determining the access permissions of a first plurality of users to a second plurality of computer resources of at least one storage unit, the method comprising: grouping the resources of the second plurality of computer resources into a plurality of groups, wherein all parts of at least one group of the plurality of groups have at least nearly identical resource/user access permissions; determining whether a given resource is part of one of the plurality of groups; and, if the given resource is part of one of the plurality of groups, attributing the resource/user access permissions of that group to the given resource.
According to another preferred embodiment of the invention, the computer resources of the second plurality of computer resources are arranged in a computer resource hierarchy. Preferably, the step of grouping resources comprises: for each resource in the computer resource hierarchy, retrieving the resource/user access permissions of the resource and the resource/user access permissions of an immediate ancestor of the resource in the computer resource hierarchy; and, if the resource/user access permissions of the immediate ancestor are identical to those of the resource, grouping the resource and the immediate ancestor into a single group of the second plurality of groups.
According to a preferred embodiment of the present invention, the step of grouping resources comprises providing a pointer from the resource to the immediate ancestor, and extending the pointers that point to the resource so that they point to the immediate ancestor.
According to another preferred embodiment of the invention, there is provided a device for determining the access permissions of a first plurality of users to a second plurality of computer resources in at least one storage unit, the device comprising:
user grouping functionality, for grouping the first plurality of users into a first plurality of groups, wherein all members of at least one group of the first plurality of groups have at least nearly identical user/resource access permissions to the second plurality of computer resources of the at least one storage unit;
computer resource grouping functionality, for grouping the computer resources of the second plurality of computer resources into a second plurality of groups, wherein all parts of at least one group of the second plurality of groups have at least nearly identical resource/user access permissions;
user access permission attribution functionality, for determining whether a given user is a member of one of the first plurality of groups and, if so, attributing the user/resource access permissions of that group to the given user; and
computer resource access permission attribution functionality, for determining whether a given computer resource is part of one of the second plurality of groups and, if so, attributing the resource/user access permissions of that group to the given computer resource.
According to a preferred embodiment of the present invention, the user grouping functionality comprises: user security group identification functionality, for identifying a plurality of user security groups, each of which has access permissions to at least one of the second plurality of computer resources of the at least one storage unit; user security group subset identification functionality, for identifying, for each user of the first plurality of users, the subset of the user security groups in which the user is a member; and user subset comparison functionality, for grouping a first user and a second user into a single group of the first plurality of groups, with respect to the at least one storage unit, if a first subset of the user security groups, in which the first user is a member, is identical to a second subset of the user security groups, in which the second user is a member.
According to a preferred embodiment of the invention, the device further comprises computer resource partitioning functionality, for partitioning the second plurality of computer resources into at least two parts, wherein the user grouping functionality groups the users of the first plurality of users into the first plurality of groups such that all members of one of the first plurality of groups have at least nearly identical user/resource access permissions to the computer resources included in one of the at least two parts.
According to a preferred embodiment of the invention, the computer resource partitioning functionality comprises: fractional resource calculation functionality, for computing, for each user of the first plurality of users, the fraction of the second plurality of computer resources to which the user has access permissions, and comparing that fraction with a threshold; user representation functionality, for representing each user whose fraction is below the threshold by a degraded security group; and part definition functionality, for defining a first part of the second plurality of computer resources as the set of all computer resources whose access permissions include any of the degraded security groups. Preferably, the computer resources of the second plurality of computer resources are arranged in a computer resource hierarchy.
According to another preferred embodiment of the invention, the computer resource grouping functionality comprises: resource/user access permission retrieval functionality, for retrieving, for each resource in the computer resource hierarchy, the resource/user access permissions of the resource and the resource/user access permissions of an immediate ancestor of the resource in the computer resource hierarchy; and resource/user access permission comparison functionality, for comparing the resource/user access permissions of the resource with those of the immediate ancestor and, if the resource/user access permissions of the immediate ancestor are identical to those of the given resource, grouping the resource and the immediate ancestor into a single group of the second plurality of groups.
According to another preferred embodiment of the invention, the resource/user access permission comparison functionality provides a pointer from the resource to the immediate ancestor, and extends the pointers that point to the resource so that they point to the immediate ancestor.
According to another preferred embodiment of the invention, there is also provided a device for determining the access permissions of a first plurality of users to a second plurality of computer resources of at least one storage unit, the device comprising user grouping functionality, for grouping the users of the first plurality of users into a first plurality of groups, wherein all members of at least one group of the first plurality of groups have at least nearly identical user/resource access permissions to the second plurality of computer resources of the at least one storage unit; and user access permission attribution functionality, for determining whether a given user is a member of one of the first plurality of groups and, if so, attributing the user/resource access permissions of that group to the given user.
According to a preferred embodiment of the present invention, the user grouping functionality comprises: user security group identification functionality, for identifying a plurality of user security groups, each of which has access permissions to at least one of the second plurality of computer resources of the at least one storage unit; user security group subset identification functionality, for identifying, for each user of the first plurality of users, the subset of the user security groups in which the user is a member; and user subset comparison functionality, for grouping a first user and a second user into a single group of the first plurality of groups, with respect to the at least one storage unit, if a first subset of the user security groups, in which the first user is a member, is identical to a second subset of the user security groups, in which the second user is a member.
According to another preferred embodiment of the invention, the device further comprises computer resource partitioning functionality, for partitioning the second plurality of computer resources into at least two parts, wherein the user grouping functionality groups the users of the first plurality of users into the first plurality of groups such that all members of one of the first plurality of groups have at least nearly identical user/resource access permissions to the computer resources included in one of the at least two parts. Preferably, the computer resource partitioning functionality comprises fractional resource calculation functionality, for computing, for each user of the first plurality of users, the fraction of the second plurality of computer resources to which the user has access permissions, and comparing that fraction with a threshold; user representation functionality, for representing each user whose fraction is below the threshold by a degraded security group; and part definition functionality, for defining a first part of the second plurality of computer resources as the set of all computer resources whose access permissions include any of the degraded security groups.
According to another preferred embodiment of the invention, there is also provided a device for determining the access permissions of a first plurality of users to a second plurality of computer resources of at least one storage unit, the device comprising computer resource grouping functionality, for grouping the resources of the second plurality of computer resources into a second plurality of groups, wherein all parts of at least one group of the second plurality of groups have at least nearly identical resource/user access permissions; and computer resource access permission attribution functionality, for determining whether a given computer resource is part of one of the second plurality of groups and, if so, attributing the resource/user access permissions of that group to the given computer resource. Preferably, the computer resources of the second plurality of computer resources are arranged in a computer resource hierarchy.
According to another preferred embodiment of the invention, the computer resource grouping functionality comprises: resource/user access permission retrieval functionality, for retrieving, for each resource in the computer resource hierarchy, the resource/user access permissions of the resource and the resource/user access permissions of an immediate ancestor of the resource in the computer resource hierarchy; and resource/user access permission comparison functionality, for comparing the resource/user access permissions of the resource with those of the immediate ancestor and, if the resource/user access permissions of the immediate ancestor are identical to those of the resource, grouping the resource and the immediate ancestor into a single group of the second plurality of groups.
According to another preferred embodiment of the invention, the resource/user access permission comparison functionality provides a pointer from the resource to the immediate ancestor, and extends the pointers that point to the resource so that they point to the immediate ancestor.
Description of the drawings
The present invention will be more fully understood and appreciated from the following detailed description taken together with the drawings, in which:
Fig. 1 is a simplified illustration of a large organization having a large number of resources and users, according to a preferred embodiment of the present invention;
Fig. 2 is a simplified flowchart of a method for determining the access permissions of users to resources in a large organization having a large number of resources and users, according to a preferred embodiment of the present invention;
Figs. 3A and 3B together form a simplified flowchart of the part of the method of Fig. 2 that groups users on the basis of their access permissions in a large organization;
Figs. 4A and 4B together form a simplified flowchart of the part of the method of Fig. 2 that groups resources on the basis of resource-based access permissions in a large organization; and
Figs. 5A, 5B and 5C together form a simplified flowchart of the part of the method of Fig. 2 that computes responses to queries about access permissions.
Detailed description
Data security policies generally determine who can access an organization's data, which is typically stored in different computer systems. These policies are seldom static; one reason is that the organization's own users, such as employees, partners or contractors, can pose a threat to sensitive data that is as serious as the threat from outside the organization. Accordingly, as the structure and personnel of the organization change, the security policies should be adjusted correspondingly. Information technology departments often find it difficult to manage users' data access permissions and to ensure convenient access to needed information while protecting the enterprise's sensitive data.
The computer systems operated by large enterprise organizations include a large number of servers, which are typically distributed geographically. A large number of users can access the storage elements in the computer system. The different populations concerned with data access permissions include information technology personnel, operational personnel such as account managers, and third-party reviewers such as legal advisers, who need to make daily inquiries about the access permissions to particular data.
Maintaining a traditional local or distributed database that serves queries about the access permissions of any particular user or user group, or conversely about the access permissions to a particular storage element or set of storage elements, can overwhelm the abilities of even the most sophisticated existing data administrators. Storing and retrieving the data required to serve such queries may have a negative effect on the storage capacity of the various servers. In addition, performing such queries may affect the performance of the servers and may thus reduce the overall efficiency of the computer system. Further, because responding to a query generally requires a comprehensive iterative search through the directories of multiple file servers and their access control lists, the time needed for such a query response becomes unacceptably long.
Access control technology is not optimally implemented in systems that use various access control models. For a system administrator, the prior art offers no simple way to know which users are authorized to access each specific data item in such an environment. Consequently, in many organizations the number of users with inappropriate access permissions is unacceptable. There is also no solution for the related problems of redundant access permissions and of orphan accounts belonging to personnel who are no longer part of the organization. Accordingly, improvements in the control of user access permissions are needed in order to keep data secure, prevent fraud and improve company productivity. Further, those responsible for simplifying and automating system security are concerned about the misuse of data access permissions, even by authorized users.
With reference to shown in Fig. 1, a large organization with one first multi-user and one second multiplex computer resource is represented, The computer resource such as computer documents there may be in multiple file servers.The user and file server may It is distributed by region independently of their function.
According to a preferred embodiment of the present invention, when the inquiry of access rights is responded, the second multiplex computer money One hierarchy in source, and/or a group of first multi-user is according to their relative meters being stored in a particular server The access rights of calculation machine resource and be deployed, then have the more preferable response time to such a inquiry.
With regard to a given user, term " user/resource access rights " is related to be located in a particular server or storage list Series of computation machine resource in unit, wherein given user has access rights to the computer resource.Therefore, relatively In a specific server or memory cell, if two users have identical user/resource access rights, then described two User to being stored in above-mentioned server or memory cell in computer resource list there are identical access rights.
Further it is to be understood that in the context of the present invention, term " access rights " is related to read authority, write power Limit and execution authority, or any of which combination.For example, if a given user has the power of reading to given resource Limit, even if the user does not have write authority or performs authority to given resource, then the given user still has visit Ask authority.
According to a preferred embodiment of the present invention, as shown in Fig. 1, a method is provided for determining the access rights of a first plurality of users to a second plurality of computer resources in at least one storage unit, where the first plurality of users is denoted by reference numeral 102, the second plurality of computer resources by reference numeral 104 and the storage units by reference numeral 106; the storage units are preferably a plurality of file servers.
Preferably, a first plurality of user groups is defined within the first plurality of users 102, where all group members of each user group in the first plurality of user groups have at least nearly identical user/resource access rights to the computer resources of a given file server 106.
For example, as shown in Fig. 1, the staff of the accounting department, whether in India, Brazil or Canada, may be members of the same user group, designated here by the letter A. Similarly, the staff of the research and development department, whether in Spain, Brazil or India, may be members of the same user group, designated here by the letter D.
Similarly, a second plurality of computer resource groups is defined within the second plurality of computer resources, where all members of each computer resource group in the second plurality of computer resource groups have at least nearly identical resource/user access rights; for example, the same user group, or nearly the same user group, can access each computer file in a given group.
For example, as shown in Fig. 1, all files relating to accounts payable may be members of the same computer resource group, designated here by the letter "a". Similarly, all files relating to development may be members of the same computer resource group, designated here by the letter "d".
It should be understood that all group members of each user group have at least nearly identical user/resource access rights. For example, all members of user group A can access the company's accounts, and all members of user group D can access engineering files.
Similarly, it should be understood that all members of each computer resource group have at least nearly identical resource/user access rights; for example, accountants can access all members of computer resource group "a", and design engineers can access all members of computer resource group "d".
In response to a query, or conversely in order to prepare a report giving an overview of the access rights of a specific user or computer resource, it is possible to quickly ascertain whether a given user is a group member of one of the first plurality of user groups and, if so, to quickly attribute the user/resource access rights of that user group to the given user. Similarly, it is possible to quickly ascertain whether a given computer resource is a member of one of the second plurality of computer resource groups and, if so, to quickly attribute the resource/user access rights of that computer resource group to the given computer resource.
The time-consuming iterative processing used in the prior art can thus be avoided.
It should be understood that embodiments of the invention in which only user groups are formed, embodiments in which only computer resource groups are formed, and embodiments in which both user groups and computer resource groups are formed all fall within the scope of the present invention.
Referring to Fig. 2, the method according to a preferred embodiment of the present invention performs the following steps.
Reference is now made to Fig. 2, which is a simplified flowchart of a general method, according to a preferred embodiment of the present invention, for determining the access rights of users to computer resources in a large organization having many resources and many users.
As shown in Fig. 2, in a first preparatory stage the users of the organization are grouped according to their access rights to a given server in the organization, as shown at step 200. In particular, for each server, the users of the organization are divided into a plurality of user groups, where the users in each group have similar, and preferably identical, access rights to the files on the corresponding server. The method of grouping users is described in greater detail below with reference to Fig. 3.
As shown at step 202, in a second preparatory stage the computer resources of the organization are grouped according to the access rights to them. In particular, in a hierarchical server system, unless indicated otherwise a computer resource has the same access rights as its direct parent. Computer resources can therefore be grouped so that each child computer resource whose access rights are the same as those of its parent computer resource points to the access control list of the parent, instead of replicating the access control list. The method of grouping computer resources is described in greater detail below with reference to Fig. 4.
It should be understood that the user grouping step 200 and the computer resource grouping step 202 can be performed in either order or in parallel, and are preferably performed periodically, so as to account for changes in the access rights of users and/or in the hierarchical structure of the computer resources in the organization.
In a first processing stage, following the preparatory stages above, an access rights query is submitted, typically by a member or a department of the organization, as shown at step 204. A typical query may include a subset of the users and a subset of the storage elements. The response to such a query lists, for each user in the user subset, the access rights to each storage element in the storage element subset.
For example, a query may include all users of the organization as the user subset and a given computer resource as the storage element subset. The query response then determines which of all the users have rights to access the given computer resource. In another example, the query may include all computer resources of the organization as the storage element subset and a given user as the user subset. The query response then determines which of all the storage elements can be accessed by the given user.
As shown at step 206, the query is processed and its response is computed. Typically, for each user listed in the query, the query response includes a list of the subset of the computer resources listed in the query that the user can access. The method of computing the query response is described in greater detail below with reference to Fig. 5. The query response is then delivered to the person or team that submitted the access rights query, as shown at step 208.
Reference is now made to Figs. 3A and 3B, which together are a simplified flowchart of a method for grouping users in a large organization based on their access rights; this method constitutes the first preparatory stage 200 of the method of Fig. 2. The purpose of such grouping is to create user groups in which the users of a single user group have similar, and preferably identical, access rights to the computer resources stored on a given server.
A prerequisite for creating such user groups is the definition of user security groups, which is preferably carried out at the first step 300 shown in Fig. 3A. User security groups are predefined by a system administrator. Typically, user security groups correspond to the different departments of the organization. The user security groups may include, for example, an accounting user security group, a research and development user security group, and so on. Each user security group includes those users that belong to the department corresponding to that user security group. A user may belong to more than one user security group. For example, the secretary of a research and development department may belong to both a management user security group and a research and development user security group.
Each user security group has preassigned access rights to the computer resources of a given server. The access control list of a given computer resource is a list of the access rights of user security groups to that computer resource.
As shown in Fig. 3A, a server is selected, as shown at step 300. It should be understood that users are grouped only with respect to their access rights to the computer resources stored on the selected server.
Subsequently, the access control lists of the computer resources stored on the selected server are reviewed in order to extract those user security groups whose member users have access rights to at least some of the computer resources stored on the server, as shown at step 302.
For any given pair of users listed in any of the extracted user security groups, their access rights to the computer resources stored on the selected server are compared in order to check whether they are identical for all computer resources stored on the selected server, as shown at decision step 304. If the pair of users have identical access rights to all computer resources stored on the selected server, they are assigned to the same initial user group with respect to the selected server, as shown at step 306. Otherwise, they are assigned to two different initial user groups with respect to the selected server, as shown at step 308.
These initial user groups are the precursors of the user groups the method is intended to create. The initial user groups may need further refinement, as described below, in order to obtain the desired final user groups. It should be understood that two users may have very similar access rights to the selected server, differing only in their access rights to one or two specific computer resources. This may happen, for example, when the server holds the home directories of some users: in that case, two users may have identical access rights to all computer resources on the server other than the home directories, while each user has access rights to his or her own home directory but generally has no access rights to the home directories of other users.
Even though there may be a larger potential initial user group with very similar, though not identical, access rights, this situation may result in the users of the server being grouped into many small initial user groups, or even singletons. As described below, this situation is resolved by virtually dividing the computer resources on the server into at least two virtual servers.
Thus, after users have been assigned to initial user groups as described above at steps 304, 306 and 308, the number of initial user groups produced and the size of the initial user groups are audited. Preferably, the number of initial user groups is compared with a first preset threshold, as shown at decision step 310, and the number of singleton initial user groups is compared with a second preset threshold, as shown at decision step 312. If the number of initial user groups does not exceed the first threshold and the number of singleton initial user groups does not exceed the second threshold, the assignment of users ends. At this point the initial user groups and the singleton initial user groups constitute the user groups referred to above, in particular at step 200 of Fig. 2.
Turning to Fig. 3B, it can be seen that if the number of initial user groups exceeds the first threshold and/or the number of singleton initial user groups exceeds the second threshold, the server is divided into two virtual servers, as shown at step 314. According to one embodiment, to perform the virtual division of the server, the number of computer resources stored on the server that each specific user or user security group is allowed to access is determined, as shown at step 316. The fraction of the computer resources that the specific user or user security group is allowed to access is then calculated and compared with a fraction threshold, such as 1%, as shown at decision step 318.
If the fraction of the computer resources that a specific user or user security group is allowed to access is less than the fraction threshold, the user or user security group is designated a degraded security group, as shown at step 320. Otherwise, the user or user security group is designated a significant security group, as shown at step 322.
The set of computer resources to which the degraded security groups have access rights is defined as a virtual server, designated the unorganized virtual server, as shown at step 324. The unorganized virtual server is believed to contain few computer resources with similar access control lists, and/or few users with identical access rights. Assigning users to initial user groups based on the computer resources on the unorganized virtual server is likely to produce a large number of initial user groups and/or singleton initial user groups, which is inefficient and therefore undesirable.
The computer resources on the server that do not belong to the unorganized virtual server are defined as a second virtual server, designated the organized virtual server, as shown at step 326. The organized virtual server is believed to contain files with similar access control lists, so that assigning users to initial user groups based on the access rights to its computer resources is likely to produce a small number of organized initial user groups.
Once the server has been divided into two virtual servers, the organized virtual server is selected as the server with respect to which users are assigned to initial user groups, as shown at step 328. Users are then assigned again to initial user groups based on their access rights to the computer resources stored on the organized virtual server, as described above with reference to steps 302 to 308. At this point these initial user groups and singleton initial user groups constitute the user groups referred to above, in particular at step 200 of Fig. 2.
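The user grouping of Figs. 3A and 3B, as an added worked example that is not part of the patent: users are grouped by their effective rights on every resource of a server, the group counts are audited against the two thresholds, and when they are exceeded the server is split into an unorganized and an organized virtual server using the 1% fraction threshold. The server, the security groups, the user names and the ACL layout are all constructed here for illustration.

```python
from collections import defaultdict

# Constructed sample data for one file server (not from the patent): each resource has an
# access control list mapping a user security group to the rights it holds on that resource,
# and each user belongs to one or more user security groups (step 300).
SHARED_ACLS = {f"/finance/ap/{i}.xlsx": {"accounting": {"read", "write"}} for i in range(100)}
SHARED_ACLS.update({f"/eng/src/{i}.c": {"rnd": {"read", "write", "execute"}} for i in range(100)})
MEMBERSHIP = {"alice": {"accounting"}, "bob": {"accounting"},
              "carol": {"rnd"}, "dave": {"rnd"}, "erin": {"accounting", "rnd"}}
# Home directories: each user reaches only his or her own, which is exactly the situation
# the patent describes as fragmenting the initial user groups into singletons.
HOME_ACLS = {f"/home/{u}": {f"home-{u}": {"read", "write"}} for u in MEMBERSHIP}
for u in MEMBERSHIP:
    MEMBERSHIP[u] = MEMBERSHIP[u] | {f"home-{u}"}
SERVER_ACLS = {**SHARED_ACLS, **HOME_ACLS}


def effective_rights(security_groups, acl):
    """Rights a user holds on one resource: the union over the user's security groups."""
    rights = set()
    for group, group_rights in acl.items():
        if group in security_groups:
            rights |= group_rights
    return frozenset(rights)


def user_signature(user, membership, acls):
    """The user/resource access rights of one user on the server: the rights on every
    resource. Two users with equal signatures pass the comparison of step 304."""
    return tuple(sorted((res, effective_rights(membership[user], acl))
                        for res, acl in acls.items()))


def group_users(users, membership, acls):
    """Steps 302-308: users with identical signatures go into the same initial user group."""
    groups = defaultdict(list)
    for user in users:
        groups[user_signature(user, membership, acls)].append(user)
    return sorted(sorted(members) for members in groups.values())


def split_virtual_server(acls, fraction_threshold=0.01):
    """Steps 316-326: a security group that reaches less than fraction_threshold of the
    server's resources is 'degraded'; the resources such groups reach form the unorganized
    virtual server and the remaining resources form the organized virtual server."""
    reach = defaultdict(set)
    for res, acl in acls.items():
        for group in acl:
            reach[group].add(res)
    degraded = {g for g, rs in reach.items() if len(rs) / len(acls) < fraction_threshold}
    unorganized = {res for g in degraded for res in reach[g]}
    organized = {res: acl for res, acl in acls.items() if res not in unorganized}
    return organized, unorganized, degraded


def build_user_groups(users, membership, acls, max_groups, max_singletons,
                      fraction_threshold=0.01):
    """Figs. 3A/3B end to end. Returns (user groups, resources the grouping was based on,
    whether the server had to be split into virtual servers)."""
    groups = group_users(users, membership, acls)
    singletons = [g for g in groups if len(g) == 1]
    if len(groups) <= max_groups and len(singletons) <= max_singletons:  # steps 310, 312
        return groups, acls, False
    organized, _unorganized, _degraded = split_virtual_server(acls, fraction_threshold)  # 314
    return group_users(users, membership, organized), organized, True          # step 328


if __name__ == "__main__":
    groups, basis, was_split = build_user_groups(
        list(MEMBERSHIP), MEMBERSHIP, SERVER_ACLS, max_groups=3, max_singletons=2)
    print(was_split, len(basis), groups)
```

Before the split every user is a singleton because of the home directories; after the home-directory groups are found to reach less than 1% of the server, grouping on the organized virtual server yields the accounting group, the R&D group and the one user who belongs to both.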
Reference is now made to Figs. 4A and 4B, which together are a simplified flowchart of a method for grouping computer resources in a large organization based on the access rights to the resources; this method constitutes the second preparatory stage 202 of the method of Fig. 2.
As shown in Fig. 4A, a node of the computer resource hierarchy is selected for processing, as shown at step 400. Preferably, the computer resource hierarchy is processed from the leaves towards the root, in which case the first node selected for processing is a leaf, or a node at the lowest level of the computer resource hierarchy.
For the selected node, it is checked whether a direct parent exists in the hierarchy, as shown at decision step 402. If the selected node has no direct parent, it can be deduced that it is the root of the hierarchy. The node is designated a distinct node, as shown at step 404, and processing ends. Otherwise, the access control list of the node is extracted, as shown at step 405, and the access control list of the direct parent of the selected node is extracted, as shown at step 406. The access control list of the selected node is then compared with the access control list of its direct parent, as shown at decision step 408.
It should be understood that if no explicit access control list is associated with the node being processed, the node being processed inherits the access control list associated with its direct parent and processing continues, as shown at step 410.
Turning to Fig. 4B, it can be seen that if the access control list of the selected node is identical to the access control list of its direct parent, a pointer is added to the hierarchy, pointing from the selected node to the access control list of its direct parent, as shown at step 410. In addition, all pointers pointing to the access control list of the selected node are moved so as to point to the access control list of the direct parent of the selected node, as shown at step 41. An indication that the node has been processed is added to the selected node, as shown at step 414.
If the access control list of the selected node differs from the access control list of its direct parent, the node is designated a distinct node, as shown at step 416, and an indication that the node has been processed is added to the selected node, as shown at step 418.
Subsequently, the level of the hierarchy to which the selected node belongs is reviewed to determine whether there are unprocessed nodes at that level, as shown at decision step 420. If there are unprocessed nodes at the level of the selected node, another new node at that level is selected, as shown at step 422, and that node is processed as described above with reference to steps 402-418. Otherwise, a node at a level of the hierarchy higher than that of the selected node is selected, for example the direct parent of the selected node, as shown at step 424, and that node is processed as described above with reference to steps 402-418.
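The resource grouping of Figs. 4A and 4B, as an added worked example that is not part of the patent: the hierarchy is walked level by level from the leaves to the root, a node without an explicit ACL inherits its parent's, a node whose ACL equals its parent's gets a pointer (and the pointers already aimed at it are redirected to the parent), and every other node becomes a distinct node. The directory tree and the ACLs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample hierarchy (not from the patent): the parent of each node (None for the
# root) and the explicit access control lists; nodes without an explicit ACL inherit (step 410).
PARENT = {
    "/": None,
    "/finance": "/", "/eng": "/", "/public": "/",
    "/finance/ap": "/finance", "/finance/secret.xlsx": "/finance", "/eng/src": "/eng",
    "/finance/ap/2010.xlsx": "/finance/ap",
}
EXPLICIT_ACL = {
    "/": {"everyone": {"read"}},
    "/finance": {"accounting": {"read", "write"}},
    "/finance/secret.xlsx": {"cfo": {"read", "write"}},
    "/eng": {"rnd": {"read", "write", "execute"}},
}


def effective_acls(parent, explicit_acl):
    """Step 410: a node without an explicit ACL inherits the ACL of its direct parent."""
    effective = {}

    def acl_of(node):
        if node not in effective:
            own = explicit_acl.get(node)
            effective[node] = own if own is not None else acl_of(parent[node])
        return effective[node]

    for node in parent:
        acl_of(node)
    return effective


def group_resources(parent, explicit_acl):
    """Figs. 4A/4B, processed level by level from the leaves to the root (steps 400, 420-424).
    Returns (source, distinct): source[node] is the distinct node whose ACL the node shares,
    and distinct is the set of nodes that own an ACL different from their parent's."""
    acl = effective_acls(parent, explicit_acl)
    children = defaultdict(list)
    root = None
    for node, p in parent.items():
        if p is None:
            root = node
        else:
            children[p].append(node)
    levels = [[root]]
    while levels[-1]:
        levels.append([c for n in levels[-1] for c in children[n]])
    pointer = {}        # node -> node whose ACL it points to (step 410)
    distinct = set()    # steps 404 and 416
    for level in reversed(levels[:-1]):     # deepest level first; levels[-1] is empty
        for node in level:
            p = parent[node]
            if p is None or acl[node] != acl[p]:    # steps 402 and 408
                distinct.add(node)
            else:
                pointer[node] = p
                # everything that pointed at this node now points at its parent, so that
                # a pointer always ends at a distinct node
                for other, target in list(pointer.items()):
                    if target == node:
                        pointer[other] = p
    source = {node: pointer.get(node, node) for node in parent}
    return source, distinct


if __name__ == "__main__":
    src, dist = group_resources(PARENT, EXPLICIT_ACL)
    print(sorted(dist))
    print(src["/finance/ap/2010.xlsx"], src["/public"])
```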
Reference is now made to Figs. 5A, 5B and 5C, which together are a simplified flowchart of a method for computing the response to an access rights query; this method constitutes step 206 of the method of Fig. 2.
Referring to Fig. 5A, a group of computer resources to be processed is defined, as shown at step 500. When processing of a query begins, this computer resource group is typically empty, and it is filled as the query is processed.
As shown in Fig. 5A, for each computer resource included in the query, step 501 is executed, which consists of identifying all the distinct computer resource nodes in the query.
As shown at step 502, for each computer resource included in the query, it is detected whether the computer resource includes a distinct node of the computer resource hierarchy.
If the computer resource does include a distinct node of the computer resource hierarchy, it is added to the computer resource group to be processed, as shown at step 504. If the computer resource does not include a distinct node, the pointer associated with it is followed to a source node, which does include a distinct node, as shown at step 506.
At decision step 508, it is determined whether the computer resource that includes the source node has previously been added to the computer resource group to be processed, the source node including a distinct node. If the computer resource including the source node has not previously been added to the computer resource group to be processed, it is added to the computer resource group now, as shown at step 510. If the computer resource including the source node has previously been added to the computer resource group to be processed, it is not added to the group again but is associated, within the computer resource group to be processed, with the computer resource currently being processed, so as to provide a complete query response, as shown at step 512. This is typically accomplished by defining a pointer from the computer resource currently being processed to the entry of its direct parent, where the direct parent is included in the computer resource group to be processed.
As shown at step 513, a user included in the query is selected; the access rights of this user are to be processed.
Turning to Fig. 5B, as shown at step 514, a computer resource included in the resource group to be processed is selected, and the physical server on which it resides is determined, as shown at step 515. Subsequently, the specific user group to which the user belongs with respect to the server on which the computer resource resides is determined, as shown at stage 516. Then, as part of processing the computer resource, it is checked whether the access rights of another user belonging to the same specific user group have already been computed, as shown at decision step 518.
If the access rights of another user to the given computer resource have previously been computed, and that other user belongs to the same specific user group, the computed access rights are assigned to the current user, as shown at step 520. Otherwise, the access rights of the user to the computer resource, and/or the access rights of the user group to which the user belongs to the computer resource, are extracted from the access control list associated with the computer resource, as shown at step 522.
Subsequently, it is checked whether there is any computer resource included in the group that has not yet been processed with respect to the selected user, as shown at decision step 524.
Referring to Fig. 5C, if there is such a computer resource, it is selected, as shown at step 526. The computer resource is processed with respect to the selected user as described above with reference to steps 512 to 522. If there is no such computer resource, it is checked whether there is any user included in the query whose access rights have not yet been computed, as shown at decision step 528. If there is such a user, that user is selected, as shown at step 530, and the access rights of the user are processed as described above with reference to steps 514 to 522.
Referring to step 532, once the access rights of all users in the query have been computed with respect to each computer resource included in the computer resource group to be processed, a query response is generated. It includes a list of pairs, one pair for each user and computer resource included in the original query. It should be understood that when such a query response is generated, the result for each processed computer resource is provided repeatedly, so that a query response is provided for each computer resource included in the query, each distinct source node standing for at least one computer resource included in the query.
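The query-response computation of Figs. 5A to 5C, as an added worked example that is not part of the patent: queried resources are collapsed onto their distinct source nodes, the rights of a user on a source node are looked up in the ACL once per (server, user group, source node) and reused for every other member of that user group, and the response is expanded back to one pair per user and originally queried resource. The server name, paths, users and groups are constructed for illustration and stand in for the output of the two preparatory stages.

```python
# Constructed sample data (not from the patent). The preparatory stages are assumed to have
# produced: the physical server of each distinct node, the distinct source node of every
# resource (Fig. 4), the ACL of each distinct node, the user group of every user on each
# server (Fig. 3) and the security-group membership of each user.
SERVER_OF = {"/finance": "srv1", "/eng": "srv1"}
SOURCE = {"/finance/ap/2010.xlsx": "/finance", "/finance/ap/2011.xlsx": "/finance",
          "/eng/src": "/eng"}
ACL = {"/finance": {"accounting": {"read", "write"}},
       "/eng": {"rnd": {"read", "write", "execute"}}}
USER_GROUP = {"srv1": {"alice": "A", "bob": "A", "carol": "D"}}
MEMBERSHIP = {"alice": {"accounting"}, "bob": {"accounting"}, "carol": {"rnd"}}


def rights_from_acl(security_groups, acl):
    """Step 522: extract the user's rights from the ACL (union over the user's groups)."""
    return frozenset(r for g, rs in acl.items() if g in security_groups for r in rs)


def answer_query(users, resources, server_of, source, acl, user_group, membership):
    """Figs. 5A-5C. Returns (list of (user, resource, rights) pairs, number of ACL lookups).
    The lookup count shows how much work the user and resource groups save."""
    # Steps 500-512: collapse each queried resource onto its distinct source node; resources
    # that share a source node are kept together so that each still gets its own pair.
    to_process = {}
    for res in resources:
        to_process.setdefault(source[res], []).append(res)
    computed = {}    # (server, user group, source node) -> rights (steps 518-520)
    response = []
    for user in users:                              # steps 513 and 528-530
        for node, members in to_process.items():    # steps 514 and 524-526
            server = server_of[node]                # step 515
            group = user_group[server][user]        # step 516
            key = (server, group, node)
            if key not in computed:                 # step 518: another member already done?
                computed[key] = rights_from_acl(membership[user], acl[node])   # step 522
            for res in members:                     # step 532: one pair per queried resource
                response.append((user, res, computed[key]))                    # step 520
    return response, len(computed)


if __name__ == "__main__":
    pairs, lookups = answer_query(["alice", "bob", "carol"], list(SOURCE),
                                  SERVER_OF, SOURCE, ACL, USER_GROUP, MEMBERSHIP)
    print(lookups, "ACL lookups for", len(pairs), "user/resource pairs")
    for user, res, rights in pairs:
        print(user, res, sorted(rights))
```

Three users and three resources produce nine pairs but only four ACL lookups: the two queried finance files share one source node, and bob reuses the rights already computed for alice because both are in user group A.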
Those skilled in the art will understand that the present invention is not limited to what has been particularly shown and described above. The scope of the present invention includes both the combinations and the sub-combinations of the various features described above, as well as modifications of those features which would occur to a person of ordinary skill in the art upon reading the foregoing description and which are not in the prior art.

Claims (1)

1. A method for determining the access rights of users to computer resources in at least one storage unit, characterized in that the method comprises using a non-transitory tangible computer-readable storage medium in which computer program instructions are stored, the instructions, when read by a computer, causing the computer to:
periodically, at regular intervals, group the users into a plurality of user groups, wherein the users have at least partly identical user/resource access rights to the computer resources;
periodically, at regular intervals, group the computer resources into a plurality of resource groups, wherein the computer resources have at least partly identical resource/user access rights;
in response to a query regarding whether a plurality of users have access rights to a plurality of resources, perform the following actions:
determine whether at least a first user of the plurality of users has user/resource access rights to at least a first given resource of the plurality of resources, the at least first given user being a group member of at least a first user group of the plurality of user groups, and the at least first given resource being a group member of at least a first resource group;
if at least a first user of the plurality of users has user/resource access rights to at least a first given resource of the plurality of resources, the at least first given user is a group member of at least a first user group of the plurality of user groups, and the at least first given resource is a group member of at least a first resource group, attribute the access rights of the group members of the at least first user group to the group members of the at least first resource group;
determine whether at least a second user of the plurality of users has user/resource access rights to at least a second given resource of the plurality of resources, the at least second given user being a group member of at least a second user group of the plurality of user groups, and the at least second given resource being a group member of at least a second resource group;
if at least a second user of the plurality of users has user/resource access rights to at least a second given resource of the plurality of resources, the at least first given user is a group member of at least a second user group of the plurality of user groups, and the at least second given resource is a group member of at least a second resource group, attribute the access rights of the group members of the at least second user group to the group members of the at least second resource group.
CN201611141689.5A 2010-12-29 2010-12-29 Method and device for determining data access permission of user group for data element group Pending CN106650508A (en)

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201080071011.9A Division CN103299268B (en) 2010-12-29 2010-12-29 For determining user's group method and device to the data access authority of data elements groups

Publications (1)

Publication Number Publication Date
CN106650508A true CN106650508A (en) 2017-05-10

Also Published As

Publication number Publication date
EP2659351A1 (en) 2013-11-06
CN103299268B (en) 2016-12-28
CN103299268A (en) 2013-09-11
EP2659351A4 (en) 2014-09-10
WO2012090189A1 (en) 2012-07-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20170510