WO2011092686A1 - Time dependent access permissions - Google Patents
- Publication number
- WO2011092686A1 (PCT/IL2011/000078)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- users
- operator
- advance
- access permissions
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0846—Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- the present invention relates to data management systems and methodologies generally and more particularly to data access permission management systems and methodologies.
- the present invention seeks to provide improved data access permission management systems and methodologies.
- a network object access permission management system useful with a computer network including at least one server and a multiplicity of clients, the system including an access permissions subsystem which governs access permissions of users to network objects in the computer network in real time and a future condition based permissions instruction subsystem providing instructions to the access permission subsystem to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
- the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects at future times set in advance by the operator.
- the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects in response to the occurrence of future events selected in advance by the operator.
- the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant and thereafter revoke access permissions of the users to the network objects at future times set in advance by the operator.
- the future condition based permission instruction subsystem provides instructions to the access permission subsystem to revoke and thereafter regrant pre-existing access permissions of the users to the network objects at future times set in advance by the operator. Additionally or alternatively, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant to the users access permissions to the network objects for a limited duration set in advance by the operator.
- the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects based on changes in at least one characteristic of at least one user of the network object indicated in advance by the operator. Additionally or alternatively, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects based on changes in at least one characteristic of the network object indicated in advance by the operator.
- the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects based on activity of at least one user related to the network object as indicated in advance by the operator. Additionally or alternatively, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects based on changes in at least one classification of the network object indicated in advance by the operator.
- a network object access permission management method useful with a computer network including at least one server and a multiplicity of clients, the method including providing instructions to grant or revoke access permissions of users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance, and governing access permissions of the users to network objects in the computer network in real time in response to the instructions.
- the method includes providing instructions to grant or revoke access permissions of the users to the network objects at future times set in advance by the operator.
- the method includes providing instructions to grant or revoke access permissions of the users to the network objects in response to the occurrence of future events selected in advance by the operator.
- the method includes providing instructions to grant and thereafter revoke access permissions of the users to the network objects at future times set in advance by the operator.
- the method includes providing instructions to revoke and thereafter regrant pre-existing access permissions of the users to the network objects at future times set in advance by the operator. Additionally or alternatively, the method includes providing instructions to grant to the users access permissions to the network objects for a limited duration set in advance by the operator.
- the method includes providing instructions to grant or revoke access permissions of the users to the network objects based on changes in at least one characteristic of at least one user of the network object indicated in advance by the operator. Additionally or alternatively, the method includes providing instructions to grant or revoke access permissions of the users to the network objects based on changes in at least one characteristic of the network object indicated in advance by the operator.
- the method includes providing instructions to grant or revoke access permissions of the users to the network objects based on activity of at least one user related to the network object as indicated in advance by the operator. Additionally or alternatively, the method includes providing instructions to grant or revoke access permissions of the users to the network objects based on changes in at least one classification of the network object indicated in advance by the operator.
- Figs. 1A, 1B, 1C, 1D, and 1E are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for revoking and thereafter regranting pre-existing access permissions of a user to network objects at future times set in advance by an operator;
- Figs. 2A, 2B, 2C, 2D, and 2E are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for revoking and thereafter regranting pre-existing access permissions of a user to network objects in response to a future event set in advance by an operator;
- Figs. 3A, 3B and 3C are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for changing access permissions of a user to network objects in response to a future event at a known date set in advance by an operator;
- Figs. 4A, 4B and 4C are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for changing access permissions of a user to network objects in response to a future event associated with a related user at a known date set in advance by an operator;
- Fig. 5 is a simplified flowchart indicating steps in the operation of the data access permission management system of Fig. 1;
- Fig. 6 is another simplified flowchart indicating steps in the operation of the data access permission management system of Fig. 1.
- Figs. 1A, 1B, 1C, 1D and 1E are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for revoking and thereafter regranting pre-existing access permissions of a user to network objects at future times set in advance by an operator.
- the network object access permission management system is useful with a computer network 100 including at least one server 102 and a multiplicity of clients 104.
- One or more storage elements 106 are also preferably provided.
- the system preferably resides on the server 102 and preferably includes:
- an access permissions subsystem 110 which governs access permissions of users to network objects in the computer network 100 in real time;
- a future condition-based permissions instruction subsystem 112 providing instructions to the access permission subsystem 110 to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
- network object for the purposes of this application is defined to include user generated enterprise computer network resources on any commercially available computer operating system.
- network objects include structured and unstructured computer data resources such as files and folders, and user groups.
- Access permissions of users to network objects may include for example, read or write permissions to a file, modification permissions to a folder (e.g. permissions to create or delete files), and modification permissions to a user group (e.g. permissions to add or remove a user from the group).
- Fig. 1A shows a stage in typical operation of the data access permission management system, wherein an IT manager employs the future condition-based permission instruction subsystem 112 for revoking all access permissions for an employee about to go on vacation.
- the IT manager sets a future start date and a duration for the revocation, after which duration, the access permissions will be automatically restored.
- Fig. 1B shows that at 12:01AM on July 15, the future start date set by the IT manager, the future condition-based permission instruction subsystem 112 automatically provides instructions to the access permission subsystem to immediately revoke all access permissions of the employee.
- Fig. 1D illustrates that automatically upon expiration of the above duration, the future condition-based permission instruction subsystem automatically provides instructions to the access permission subsystem to immediately regrant all access permissions to the employee, and Fig. 1E illustrates that thereafter, the employee employs the restored access permissions.
- Figs. 2A, 2B, 2C, 2D, and 2E are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for revoking and thereafter regranting pre-existing access permissions of a user to network objects in response to a future event set in advance by an operator.
- the network object access permission management system is useful with a computer network 200 including at least one server 202 and a multiplicity of clients 204.
- One or more storage elements 206 are also preferably provided.
- the system preferably resides on the server 202 and preferably includes:
- an access permissions subsystem 210 which governs access permissions of users to network objects in the computer network 200 in real time;
- a future condition-based permissions instruction subsystem 212 providing instructions to the access permission subsystem 210 to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
- Fig. 2A shows a stage in typical operation of the data access permission management system, wherein an IT manager employs the future condition-based permission instruction subsystem 212 for revoking all access permissions for an employee who is about to give birth and go on maternity leave.
- the IT manager sets a condition for revoking access permissions, i.e. the employee being on maternity leave, after which the access permissions will be automatically restored.
- Fig. 2B shows that at 12:01AM on July 15, the future condition-based permission instruction subsystem 212 routinely queries a human resources system 218 residing on a server 220 connected to the network 200, whether the employee has given birth and is now on maternity leave. Upon discovering that the employee is now indeed on maternity leave, the future condition-based permission instruction subsystem 212 orders the access permissions subsystem 210 to revoke all access permissions from the employee.
- Fig. 2D illustrates that on July 29 the future condition-based permission instruction subsystem 212 routinely queries the human resources system 218 and discovers that the employee is no longer on maternity leave.
- the future condition-based permission instruction subsystem 212 immediately orders the access permissions subsystem 210 to regrant all access permissions to the employee, and
- Fig. 2E illustrates that thereafter, the employee employs the restored access permissions.
- Figs. 3A, 3B and 3C are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for changing access permissions of a user to network objects in response to a future event at a known date set in advance by an operator.
- the network object access permission management system is useful with a computer network 300 including at least one server 302 and a multiplicity of clients 304.
- One or more storage elements 306 are also preferably provided.
- the system preferably resides on the server 302 and preferably includes:
- an access permissions subsystem 310 which governs access permissions of users to network objects in the computer network 300 in real time;
- a future condition-based permissions instruction subsystem 312 providing instructions to the access permission subsystem 310 to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
- Fig. 3A shows a stage in typical operation of the data access permission management system, wherein an IT manager employs the future condition-based permission instruction subsystem 312 for revoking all access permissions for an employee to certain enterprise resources and for granting access permissions for the employee to other enterprise resources, due to the employee transferring to another department in the enterprise.
- the IT manager sets a future start date for the simultaneous revocation and granting of access permissions.
- Fig. 3B shows that at 12:01AM on July 15, the future start date set by the IT manager, the future condition-based permission instruction subsystem 312 automatically provides instructions to the access permission subsystem 310 to immediately revoke all existing access permissions of the employee, and to grant new, alternative access permissions to the employee.
- Figs. 4A, 4B and 4C are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for changing access permissions of a user to network objects in response to a future event associated with a related user at a known date set in advance by an operator.
- the network object access permission management system is useful with a computer network 400 including at least one server 402 and a multiplicity of clients 404.
- One or more storage elements 406 are also preferably provided.
- the system preferably resides on the server 402 and preferably includes:
- an access permissions subsystem 410 which governs access permissions of users to network objects in the computer network 400 in real time;
- a future condition-based permissions instruction subsystem 412 providing instructions to the access permission subsystem 410 to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
- Fig. 4A shows a stage in typical operation of the data access permission management system, wherein an IT manager employs the future condition-based permission instruction subsystem 412 for revoking all access permissions for an employee to certain enterprise resources and for granting access permissions for the employee to other enterprise resources, due to the employee transferring to another department in the enterprise as a result of the employee's manager transferring to another department in the enterprise.
- the IT manager sets a future start date for the simultaneous revocation and granting of access permissions.
- Fig. 4B shows that at 12:01AM on July 15, the future start date set by the IT manager, the future condition-based permission instruction subsystem 412 automatically provides instructions to the access permission subsystem 410 to immediately revoke all existing access permissions of the employee, and to grant new, alternative access permissions to the employee.
- Fig. 5 is a simplified flowchart indicating steps in the operation of the data access permission management system of Fig. 1.
- an IT manager utilizes the system by entering into the system an access permissions modification instruction to be implemented by the system upon fulfillment of a future condition.
- the future condition may comprise the occurrence of a future date or an employee related event such as leave of absence of an employee, maternity leave, vacation leave, termination of employment of an employee and transfer of an employee to another department in the enterprise.
- the access permissions modification instruction may comprise granting or revoking access permissions of users to network objects.
- the system continuously monitors relevant resources on the computer enterprise network for the fulfillment of the future condition.
- the resources may include, for example, human resources databases and IT security-related systems.
- Fig. 6 is another simplified flowchart indicating steps in the operation of the data access permission management system of Fig. 1.
- an IT manager utilizes the system by entering into the system a temporary access permissions modification instruction to be implemented by the system for the duration of a future state.
- the future state may comprise the occurrence of a future date or range of dates, or an employee related state such as leave of absence of an employee, maternity leave, vacation leave and temporary transfer of an employee to another department in the enterprise.
- the temporary access permissions modification instruction may comprise temporarily granting or revoking access permissions of users to network objects.
- the system continuously monitors relevant resources on the computer enterprise network for the existence of the state.
- the resources may include, for example, human resources databases and IT security-related systems.
- upon discovering the existence of the state, the system implements the temporary access permissions modification instruction. The system continues to monitor relevant resources on the computer enterprise network for the continued existence of the state.
- upon discovering that the state no longer exists, the system reverses the temporary access permissions modification instruction, and removes the temporary access permissions modification instruction and its related future state from the system.
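The two flowcharts describe one engine: pending instructions are polled against a future condition; a one-shot instruction (Fig. 5) is implemented once the condition is fulfilled and then discarded, while a temporary instruction (Fig. 6) stays active only while the state holds and is reversed when it ends. The following is an added illustration written for this page, not the patent's or the assignee's own code. It models components 110 and 112 as two small Python classes and runs the vacation (Fig. 1), maternity-leave (Fig. 2) and department-transfer (Figs. 3/4) scenarios against a constructed in-memory ACL, a constructed HR directory standing in for the "human resources system 218", and a simulated clock, so it runs offline. All names, helpers (`between`, `hr_state`, `on_or_after`) and sample permissions are assumptions introduced here.

```python
"""Added illustration (not the patent's code): a minimal future-condition-based
permission instruction subsystem in the sense of Figs. 5 and 6. ACL, HR
directory and clock are all constructed here so the run is deterministic."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set

Acl = Dict[str, Set[str]]                      # user -> {"object:right", ...}
Condition = Callable[[datetime, dict], bool]   # (now, hr_directory) -> condition holds?


class AccessPermissionsSubsystem:
    """Component 110: governs permissions in real time and logs every change so an
    automated grant/revoke stays attributable to the instruction that caused it."""

    def __init__(self, acl: Acl):
        self.acl: Acl = {u: set(p) for u, p in acl.items()}
        self.audit: List[str] = []

    def grant(self, user: str, perms: Set[str], reason: str) -> Set[str]:
        # Return only what was newly added, so reversing a temporary grant never
        # strips rights the user already held before the instruction fired.
        added = perms - self.acl.get(user, set())
        if added:
            self.acl.setdefault(user, set()).update(added)
            self.audit.append(f"GRANT {user} {sorted(added)} ({reason})")
        return added

    def revoke(self, user: str, perms: Set[str], reason: str) -> Set[str]:
        # Return what was actually removed, so a temporary revocation is reversed
        # exactly: the pre-existing permissions come back, nothing more (Figs. 1D, 2D).
        removed = self.acl.get(user, set()) & perms
        if removed:
            self.acl[user] = self.acl[user] - removed
            self.audit.append(f"REVOKE {user} {sorted(removed)} ({reason})")
        return removed


@dataclass
class Instruction:
    """Operator-entered modification plus the future condition that triggers it.
    revoke=None means 'all current access permissions' (Fig. 1 / Fig. 2 scenarios)."""
    user: str
    condition: Condition
    label: str
    revoke: Optional[Set[str]] = None
    grant: Set[str] = field(default_factory=set)
    temporary: bool = False      # Fig. 6 (reversed when state ends) vs. Fig. 5 (one-shot)
    active: bool = False
    undo_regrant: Set[str] = field(default_factory=set)   # given back on reversal
    undo_revoke: Set[str] = field(default_factory=set)    # taken back on reversal


class FutureConditionSubsystem:
    """Component 112: holds pending instructions and evaluates them on every poll."""

    def __init__(self, aps: AccessPermissionsSubsystem):
        self.aps = aps
        self.pending: List[Instruction] = []

    def add(self, instr: Instruction) -> None:
        self.pending.append(instr)

    def poll(self, now: datetime, hr: dict) -> None:
        """One monitoring cycle ('continuously monitors relevant resources')."""
        for instr in list(self.pending):
            holds = instr.condition(now, hr)
            if not instr.active and holds:
                self._apply(instr)
                if not instr.temporary:
                    self.pending.remove(instr)    # Fig. 5: implemented once, then dropped
            elif instr.active and not holds:
                self._reverse(instr)              # Fig. 6: state no longer exists
                self.pending.remove(instr)

    def _apply(self, instr: Instruction) -> None:
        user = instr.user
        to_revoke = set(self.aps.acl.get(user, set())) if instr.revoke is None else instr.revoke
        instr.undo_regrant = self.aps.revoke(user, to_revoke, instr.label)
        instr.undo_revoke = self.aps.grant(user, instr.grant, instr.label)
        instr.active = True

    def _reverse(self, instr: Instruction) -> None:
        self.aps.revoke(instr.user, instr.undo_revoke, f"{instr.label} ended")
        self.aps.grant(instr.user, instr.undo_regrant, f"{instr.label} ended")
        instr.active = False


# Conditions an operator sets in advance (constructed helpers, not patent terminology).
def between(start: datetime, duration: timedelta) -> Condition:
    return lambda now, hr: start <= now < start + duration          # Fig. 1: date + duration

def hr_state(employee: str, state: str) -> Condition:
    return lambda now, hr: hr.get(employee) == state                # Fig. 2: HR-reported state

def on_or_after(when: datetime) -> Condition:
    return lambda now, hr: now >= when                              # Figs. 3/4: known date


def run_scenarios():
    """Constructed data: three employees, three scenarios, a simulated clock."""
    aps = AccessPermissionsSubsystem({"alice": {"share/:read", "share/:write"},
                                      "bob": {"hr/:read"}, "carol": {"sales/:read"}})
    fcs = FutureConditionSubsystem(aps)
    july15 = datetime(2011, 7, 15, 0, 1)
    fcs.add(Instruction("alice", between(july15, timedelta(days=14)), "vacation", temporary=True))
    fcs.add(Instruction("bob", hr_state("bob", "maternity_leave"), "maternity leave", temporary=True))
    fcs.add(Instruction("carol", on_or_after(july15), "dept transfer",
                        revoke={"sales/:read"}, grant={"marketing/:read"}))
    hr = {"alice": "active", "bob": "active", "carol": "active"}
    snapshots = {}
    for day, bob_state in [(14, "active"), (15, "maternity_leave"), (22, "maternity_leave"), (29, "active")]:
        hr["bob"] = bob_state                        # what the HR system would report that day
        fcs.poll(datetime(2011, 7, day, 0, 1), hr)
        snapshots[day] = {u: sorted(p) for u, p in aps.acl.items()}
    return snapshots, aps.audit, fcs.pending
```

Two design points matter for a defender. First, reversal restores exactly the set captured at revocation time (and removes exactly what a temporary grant added), so a user who gained or lost other rights during the leave is not silently reset. Second, the poll interval bounds how long access outlives the condition: a state that ends between polls leaves the old permissions standing until the next cycle, which is why the audit log records the time each automated change actually took effect.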
Abstract
A network object access permission management system useful with a computer network including at least one server and a multiplicity of clients, the system including an access permissions subsystem which governs access permissions of users to network objects in the computer network in real time and a future condition based permissions instruction subsystem providing instructions to the access permission subsystem to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
Description
TIME DEPENDENT ACCESS PERMISSIONS
REFERENCE TO RELATED APPLICATIONS
Reference is made to U.S. Patent Application Serial No. 12/673,691, filed February 16, 2010, and entitled "ENTERPRISE LEVEL DATA MANAGEMENT", which is a National Phase Application of PCT/IL2010/000069 filed January 27, 2010 and entitled "ENTERPRISE LEVEL DATA MANAGEMENT", the disclosure of which is hereby incorporated by reference and priority of which is hereby claimed pursuant to 37 CFR 1.78(a)(1) and (2)(i).
Reference is also made to U.S. Patent Application Serial No. 12/814,807, filed June 14, 2010, and entitled "ACCESS PERMISSIONS ENTITLEMENT REVIEW", the disclosure of which is hereby incorporated by reference and priority of which is hereby claimed pursuant to 37 CFR 1.78(a) (1) and (2)(i).
Reference is also made to U.S. Patent Application Serial No. 12/861,967 filed August 24, 2010, and entitled "TIME DEPENDENT ACCESS PERMISSIONS", the disclosure of which is hereby incorporated by reference and priority of which is hereby claimed pursuant to 37 CFR 1.78(a) (1) and (2)(i).
Reference is also made to U.S. Provisional Patent Application Serial No. 61/348,822, filed May 27, 2010 and entitled "IMPROVED TOOLS FOR DATA MANAGEMENT BY DATA OWNERS", the disclosure of which is hereby incorporated by reference and priority of which is hereby claimed pursuant to 37 CFR 1.78(a)(4) and (5)(i).
Reference is also made to the following patents and patent applications, owned by assignee, the disclosures of which are hereby incorporated by reference:
U.S. Patent Nos. 7,555,482 and 7,606,801;
U.S. Published Patent Application Nos. 2007/0244899, 2008/0271157, 2009/0100058, 2009/0119298 and 2009/0265780; and
U.S. Provisional Patent Application No. 61/240,726.
FIELD OF THE INVENTION
The present invention relates to data management systems and methodologies generally and more particularly to data access permission management systems and methodologies.
BACKGROUND OF THE INVENTION
The following patent publications are believed to represent the current state of the art:
U.S. Patent Nos.: 5,465,387; 5,899,991; 6,338,082; 6,393,468; 6,928,439; 7,031,984; 7,068,592; 7,403,925; 7,421,740; 7,555,482 and 7,606,801; and
U.S. Published Patent Application Nos.: 2003/00 1026; 2004/0249847; 2005/0108206; 2005/0203881; 2005/0120054; 2005/0086529; 2006/0064313; 2006/0184530; 2006/0184459 and 2007/0203872.
SUMMARY OF THE INVENTION
The present invention seeks to provide improved data access permission management systems and methodologies. There is thus provided in accordance with a preferred embodiment of the present invention a network object access permission management system useful with a computer network including at least one server and a multiplicity of clients, the system including an access permissions subsystem which governs access permissions of users to network objects in the computer network in real time and a future condition based permissions instruction subsystem providing instructions to the access permission subsystem to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
In accordance with a preferred embodiment of the present invention, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects at future times set in advance by the operator. Preferably, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects in response to the occurrence of future events selected in advance by the operator. Additionally or alternatively, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant and thereafter revoke access permissions of the users to the network objects at future times set in advance by the operator.
Preferably, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to revoke and thereafter regrant pre-existing access permissions of the users to the network objects at future times set in advance by the operator. Additionally or alternatively, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant to the users access permissions to the network objects for a limited duration set in advance by the operator.
Preferably, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects based on changes in at least one characteristic of at least one user of the network object indicated in advance by the operator. Additionally or alternatively, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects based on changes in at least one characteristic of the network object indicated in advance by the operator.
Preferably, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects based on activity of at least one user related to the network object as indicated in advance by the operator. Additionally or alternatively, the future condition based permission instruction subsystem provides instructions to the access permission subsystem to grant or revoke access permissions of the users to the network objects based on changes in at least one classification of the network object indicated in advance by the operator.
There is also provided in accordance with another preferred embodiment of the present invention a network object access permission management method useful with a computer network including at least one server and a multiplicity of clients, the method including providing instructions to grant or revoke access permissions of users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance, and governing access permissions of the users to network objects in the computer network in real time in response to the instructions.
In accordance with a preferred embodiment of the present invention, the method includes providing instructions to grant or revoke access permissions of the users to the network objects at future times set in advance by the operator. Preferably, the method includes providing instructions to grant or revoke access permissions of the users to the network objects in response to the occurrence of future events selected in advance by the operator. Additionally or alternatively, the method includes providing instructions to grant and thereafter revoke access permissions of the users to the network objects at future times set in advance by the operator.
Preferably, the method includes providing instructions to revoke and thereafter regrant pre-existing access permissions of the users to the network objects at future times set in advance by the operator. Additionally or alternatively, the method includes providing instructions to grant to the users access permissions to the network objects for a limited duration set in advance by the operator.
Preferably, the method includes providing instructions to grant or revoke access permissions of the users to the network objects based on changes in at least one characteristic of at least one user of the network object indicated in advance by the operator. Additionally or alternatively, the method includes providing instructions to grant or revoke access permissions of the users to the network objects based on changes in at least one characteristic of the network object indicated in advance by the operator.
Preferably, the method includes providing instructions to grant or revoke access permissions of the users to the network objects based on activity of at least one user related to the network object as indicated in advance by the operator. Additionally or alternatively, the method includes providing instructions to grant or revoke access permissions of the users to the network objects based on changes in at least one classification of the network object indicated in advance by the operator.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:
Figs. 1A, 1B, 1C, 1D, and 1E are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for revoking and thereafter regranting pre-existing access permissions of a user to network objects at future times set in advance by an operator;
Figs. 2A, 2B, 2C, 2D, and 2E are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for revoking and thereafter regranting pre-existing access permissions of a user to network objects in response to a future event set in advance by an operator;
Figs. 3A, 3B and 3C are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for changing access permissions of a user to network objects in response to a future event at a known date set in advance by an operator;
Figs. 4A, 4B and 4C are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for changing access permissions of a user to network objects in response to a future event associated with a related user at a known date set in advance by an operator;
Fig. 5 is a simplified flowchart indicating steps in the operation of the data access permission management system of Fig. 1; and
Fig. 6 is another simplified flowchart indicating steps in the operation of the data access permission management system of Fig. 1.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
Reference is now made to Figs. 1A, 1B, 1C, 1D and 1E, which are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for revoking and thereafter regranting pre-existing access permissions of a user to network objects at future times set in advance by an operator.
As seen generally in Figs. 1A - 1E, the network object access permission management system is useful with a computer network 100 including at least one server 102 and a multiplicity of clients 104. One or more storage elements 106 are also preferably provided. The system preferably resides on the server 102 and preferably includes:
an access permissions subsystem 110 which governs access permissions of users to network objects in the computer network 100 in real time; and
a future condition-based permissions instruction subsystem 112 providing instructions to the access permission subsystem 110 to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
The term "network object" for the purposes of this application is defined to include user generated enterprise computer network resources on any commercially available computer operating system. Examples of network objects include structured and unstructured computer data resources such as files and folders, and user groups.
Access permissions of users to network objects may include for example, read or write permissions to a file, modification permissions to a folder (e.g. permissions to create or delete files), and modification permissions to a user group (e.g. permissions to add or remove a user from the group).
Fig. 1A shows a stage in typical operation of the data access permission management system, wherein an IT manager employs the future condition-based permission instruction subsystem 112 for revoking all access permissions for an employee about to go on vacation. The IT manager sets a future start date and a duration for the revocation, after which duration, the access permissions will be automatically restored.
Fig. 1B shows that at 12:01AM on July 15, the future start date set by the IT manager, the future condition-based permission instruction subsystem 112 automatically provides instructions to the access permission subsystem to immediately revoke all access permissions to the employee.
As seen in Fig. 1C, for the duration of the employee's vacation, typically on July 21, access is denied to the employee.
Fig. 1D illustrates that automatically upon expiration of the above duration, the future condition-based permission instruction subsystem automatically provides instructions to the access permission subsystem to immediately regrant all access permissions to the employee and Fig. 1E illustrates that thereafter, the employee employs the restored access permissions.
Reference is now made to Figs. 2A, 2B, 2C, 2D, and 2E, which are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for revoking and thereafter regranting pre-existing access permissions of a user to network objects in response to a future event set in advance by an operator.
As seen generally in Figs. 2A - 2E, the network object access permission management system is useful with a computer network 200 including at least one server 202 and a multiplicity of clients 204. One or more storage elements 206 are also preferably provided. The system preferably resides on the server 202 and preferably includes:
an access permissions subsystem 210 which governs access permissions of users to network objects in the computer network 200 in real time; and
a future condition-based permissions instruction subsystem 212 providing instructions to the access permission subsystem 210 to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
Fig. 2A shows a stage in typical operation of the data access permission management system, wherein an IT manager employs the future condition-based permission instruction subsystem 212 for revoking all access permissions for an employee who is about to give birth and go on maternity leave. The IT manager sets a condition for revoking access permissions, i.e. maternity leave, after which duration, the access permissions will be automatically restored.
Fig. 2B shows that at 12:01AM on July 15, the future condition-based permission instruction subsystem 212 routinely queries a human resources system 218 residing on a server 220 connected to the network 200, whether the employee has given birth and is now on maternity leave. Upon discovering that the employee is now indeed on maternity leave, the future condition-based permission instruction subsystem 212 orders the access permissions subsystem 210 to revoke all access permissions from the employee.
As seen in Fig. 2C, for the duration of the employee's maternity leave, typically on July 21, access is denied to the employee.
Fig. 2D illustrates that on July 29 the future condition-based permission instruction subsystem 212 routinely queries the human resources system 218 and discovers that the employee is no longer on maternity leave. The future condition-based permission instruction subsystem 212 immediately orders the access permissions subsystem 210 to regrant all access permissions to the employee, and Fig. 2E illustrates that thereafter, the employee employs the restored access permissions.
Reference is now made to Figs. 3A, 3B and 3C, which are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for changing access permissions of a user to network objects in response to a future event at a known date set in advance by an operator.
As seen generally in Figs. 3A - 3C, the network object access permission management system is useful with a computer network 300 including at least one server 302 and a multiplicity of clients 304. One or more storage elements 306 are also preferably provided. The system preferably resides on the server 302 and preferably includes:
an access permissions subsystem 310 which governs access permissions of users to network objects in the computer network 300 in real time; and
a future condition-based permissions instruction subsystem 312 providing instructions to the access permission subsystem 310 to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
Fig. 3A shows a stage in typical operation of the data access permission management system, wherein an IT manager employs the future condition-based permission instruction subsystem 312 for revoking all access permissions for an employee to certain enterprise resources and for granting access permissions for the employee to other enterprise resources, due to the employee transferring to another department in the enterprise. The IT manager sets a future start date for the simultaneous revocation and granting of access permissions.
Fig. 3B shows that at 12:01AM on July 15, the future start date set by the IT manager, the future condition-based permission instruction subsystem 312 automatically provides instructions to the access permission subsystem 310 to immediately revoke all existing access permissions to the employee, and to grant new, alternative, access permissions to the employee.
As seen in Fig. 3C, after transferring to another department in the enterprise, typically on July 21, access to resources belonging to the previous department is denied to the employee, while access to resources belonging to the employee's new department is granted.
Reference is now made to Figs. 4A, 4B and 4C, which are simplified pictorial illustrations of operation of the data access permission management system of an embodiment of the present invention for changing access permissions of a user to network objects in response to a future event associated with a related user at a known date set in advance by an operator.
As seen generally in Figs. 4A - 4C, the network object access permission management system is useful with a computer network 400 including at least one server 402 and a multiplicity of clients 404. One or more storage elements 406 are also preferably provided. The system preferably resides on the server 402 and preferably includes:
an access permissions subsystem 410 which governs access permissions of users to network objects in the computer network 400 in real time; and
a future condition-based permissions instruction subsystem 412 providing instructions to the access permission subsystem 410 to grant or revoke access permissions of the users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
Fig. 4A shows a stage in typical operation of the data access permission management system, wherein an IT manager employs the future condition-based permission instruction subsystem 412 for revoking all access permissions for an employee to certain enterprise resources and for granting access permissions for the employee to other enterprise resources, due to the employee transferring to another department in the enterprise as a result of the employee's manager transferring to another department in the enterprise. The IT manager sets a future start date for the simultaneous revocation and granting of access permissions.
Fig. 4B shows that at 12:01AM on July 15, the future start date set by the IT manager, the future condition-based permission instruction subsystem 412 automatically provides instructions to the access permission subsystem 410 to immediately revoke all existing access permissions to the employee, and to grant new, alternative, access permissions to the employee.
As seen in Fig. 4C, after transferring to another department in the enterprise, typically on July 21, access to resources belonging to the previous department is denied to the employee, while access to resources belonging to the employee's new department is granted.
Reference is now made to Fig. 5, which is a simplified flowchart indicating steps in the operation of the data access permission management system of Fig. 1. As shown in Fig. 5, an IT manager utilizes the system by entering to the system an access permissions modification instruction to be implemented by the system upon fulfillment of a future condition. For example, the future condition may comprise the occurrence of a future date or an employee related event such as leave of absence of an employee, maternity leave, vacation leave, termination of employment of an employee and transfer of an employee to another department in the enterprise. The access permissions modification instruction may comprise granting or revoking access permissions of users to network objects.
The system continuously monitors relevant resources on the computer enterprise network for the fulfillment of the future condition. The resources may include, for example, human resources databases and IT security-related systems.
Upon discovery that the future condition has been fulfilled, the system implements the access permissions modification instruction, and removes the access permissions modification instruction and its related future condition from the system.
Reference is now made to Fig. 6, which is another simplified flowchart indicating steps in the operation of the data access permission management system of Fig. 1. As shown in Fig. 6, an IT manager utilizes the system by entering to the system a temporary access permissions modification instruction to be implemented by the system for the duration of a future state. For example, the future state may comprise the occurrence of a future date or range of dates, or an employee related state such as leave of absence of an employee, maternity leave, vacation leave and temporary transfer of an employee to another department in the enterprise. The temporary access permissions modification instruction may comprise temporarily granting or revoking access permissions of users to network objects.
The system continuously monitors relevant resources on the computer enterprise network for the existence of the state. The resources may include, for example, human resources databases and IT security-related systems.
Upon discovering the existence of the state, the system implements the temporary access permissions modification instruction. The system continues to monitor relevant resources on the computer enterprise network for the continued existence of the state.
Upon discovering that the state no longer exists, the system reverses the temporary access permissions modification instruction, and removes the temporary access permissions modification instruction and its related future state from the system.
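The two procedures of Figs. 5 and 6 (a one-shot instruction that is implemented and then removed, and a temporary instruction that is reversed once its state ends), replayed in an added Python example. This is illustrative code written for this page, not code from the patent or from its applicant. It assumes an in-memory permission table standing in for the access permissions subsystem, a constructed HR status dictionary and a simulated clock standing in for the monitored resources, and constructed user names and permission strings such as "finance:read". It also shows the revoke-and-regrant caveat of Fig. 1: reversal restores only the permissions that were actually removed, so a temporary instruction can never leave a user with more than they started with.

```python
"""Simulation of the Fig. 5 (one-shot) and Fig. 6 (temporary) procedures.
Added example, not code from the patent or its applicant; the clock, HR
system, user names and permission strings are constructed stand-ins."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Set


class AccessPermissionsSubsystem:
    """Governs access permissions to network objects in real time.
    Permissions are strings "object:permission"; a deployment would map
    them onto real ACLs."""

    def __init__(self) -> None:
        self.acl: Dict[str, Set[str]] = {}

    def grant(self, user: str, perm: str) -> None:
        self.acl.setdefault(user, set()).add(perm)

    def revoke(self, user: str, perm: str) -> None:
        self.acl.setdefault(user, set()).discard(perm)

    def has(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())

    def snapshot(self) -> Dict[str, List[str]]:
        return {u: sorted(p) for u, p in self.acl.items()}


@dataclass
class Monitored:
    """Resources the subsystem polls: the clock and a stand-in HR database."""
    today: date
    hr_status: Dict[str, str]  # constructed: user -> "active" | "maternity_leave"


@dataclass
class Instruction:
    """An operator-entered access permissions modification instruction."""
    user: str
    condition: Callable[[Monitored], bool]
    grants: Set[str] = field(default_factory=set)
    revokes: Set[str] = field(default_factory=set)
    temporary: bool = False   # Fig. 6: reverse when the state ends
    active: bool = False      # temporary instruction currently in effect
    removed: Set[str] = field(default_factory=set)  # what was really revoked
    added: Set[str] = field(default_factory=set)    # what was really granted


class FutureConditionSubsystem:
    """Holds instructions and applies them when their condition is met."""

    def __init__(self, acl: AccessPermissionsSubsystem) -> None:
        self.acl = acl
        self.pending: List[Instruction] = []

    def enter(self, instr: Instruction) -> None:
        self.pending.append(instr)

    def _apply(self, i: Instruction) -> None:
        # Record only changes actually made, so reversal restores exactly the
        # pre-existing state and never grants a permission the user lacked.
        for p in i.revokes:
            if self.acl.has(i.user, p):
                self.acl.revoke(i.user, p)
                i.removed.add(p)
        for p in i.grants:
            if not self.acl.has(i.user, p):
                self.acl.grant(i.user, p)
                i.added.add(p)

    def _reverse(self, i: Instruction) -> None:
        for p in i.removed:
            self.acl.grant(i.user, p)
        for p in i.added:
            self.acl.revoke(i.user, p)

    def poll(self, m: Monitored) -> None:
        """One monitoring cycle over the pending instructions."""
        keep: List[Instruction] = []
        for i in self.pending:
            met = i.condition(m)
            if i.active:                 # temporary instruction in effect
                if met:
                    keep.append(i)       # state persists: keep monitoring
                else:
                    self._reverse(i)     # state ended: reverse and drop
            elif met:
                self._apply(i)
                if i.temporary:
                    i.active = True
                    keep.append(i)
                # one-shot: implemented and removed from the system (Fig. 5)
            else:
                keep.append(i)
        self.pending = keep


def run_demo() -> tuple[Dict[str, Dict[str, List[str]]], int]:
    """Replays the vacation, maternity-leave and transfer scenarios."""
    acl = AccessPermissionsSubsystem()
    fc = FutureConditionSubsystem(acl)
    for user, perms in {"alice": {"finance:read", "finance:write"},
                        "bob": {"sales:read"}, "carol": {"hr:read"}}.items():
        for p in perms:
            acl.grant(user, p)
    # Vacation (Fig. 1): fixed start date and duration, then restore.
    fc.enter(Instruction("alice", temporary=True, revokes={"finance:read", "finance:write"},
                         condition=lambda m: date(2011, 7, 15) <= m.today < date(2011, 7, 29)))
    # Maternity leave (Fig. 2): the state is read from the HR system.
    fc.enter(Instruction("carol", temporary=True, revokes={"hr:read"},
                         condition=lambda m: m.hr_status.get("carol") == "maternity_leave"))
    # Department transfer (Fig. 3): one-shot revoke-and-grant on a date.
    fc.enter(Instruction("bob", revokes={"sales:read"}, grants={"marketing:read"},
                         condition=lambda m: m.today >= date(2011, 7, 15)))
    timeline: Dict[str, Dict[str, List[str]]] = {}
    for day, carol_hr in [(date(2011, 7, 14), "active"), (date(2011, 7, 15), "maternity_leave"),
                          (date(2011, 7, 21), "maternity_leave"), (date(2011, 7, 29), "active")]:
        fc.poll(Monitored(day, {"carol": carol_hr}))
        timeline[day.isoformat()] = acl.snapshot()
    return timeline, len(fc.pending)
```

`run_demo()` returns the permission table after each polling cycle together with the number of instructions still pending; after July 29 both temporary instructions have been reversed and dropped, the transfer instruction was dropped on July 15 right after being implemented, and the pending list is empty.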
It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the present invention includes both combinations and subcombinations of the various features described hereinabove as well as modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not in the prior art.
Claims
1. A network object access permission management system useful with a computer network including at least one server and a multiplicity of clients, the system comprising:
an access permissions subsystem which governs access permissions of users to network objects in said computer network in real time; and
a future condition based permissions instruction subsystem providing instructions to said access permission subsystem to grant or revoke access permissions of said users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance.
2. A network object access permission management system according to claim 1 and wherein said future condition based permission instruction subsystem provides instructions to said access permission subsystem to grant or revoke access permissions of said users to said network objects at future times set in advance by said operator.
3. A network object access permission management system according to claim 1 and wherein said future condition based permission instruction subsystem provides instructions to said access permission subsystem to grant or revoke access permissions of said users to said network objects in response to the occurrence of future events selected in advance by said operator.
4. A network object access permission management system according to claim 1 and wherein said future condition based permission instruction subsystem provides instructions to said access permission subsystem to grant and thereafter revoke access permissions of said users to said network objects at future times set in advance by said operator.
5. A network object access permission management system according to claim 1 and wherein said future condition based permission instruction subsystem provides instructions to said access permission subsystem to revoke and thereafter regrant pre-existing access permissions of said users to said network objects at future times set in advance by said operator.
6. A network object access permission management system according to claim 1 and wherein said future condition based permission instruction subsystem provides instructions to said access permission subsystem to grant to said users access permissions to said network objects for a limited duration set in advance by said operator.
7. A network object access permission management system according to claim 1 and wherein said future condition based permission instruction subsystem provides instructions to said access permission subsystem to grant or revoke access permissions of said users to said network objects based on changes in at least one characteristic of at least one user of said network object indicated in advance by said operator.
8. A network object access permission management system according to claim 1 and wherein said future condition based permission instruction subsystem provides instructions to said access permission subsystem to grant or revoke access permissions of said users to said network objects based on changes in at least one characteristic of said network object indicated in advance by said operator.
9. A network object access permission management system according to claim 1 and wherein said future condition based permission instruction subsystem provides instructions to said access permission subsystem to grant or revoke access permissions of said users to said network objects based on activity of at least one user related to said network object as indicated in advance by said operator.
10. A network object access permission management system according to claim 1 and wherein said future condition based permission instruction subsystem provides instructions to said access permission subsystem to grant or revoke access permissions of said users to said network objects based on changes in at least one classification of said network object indicated in advance by said operator.
11. A network object access permission management method useful with a computer network including at least one server and a multiplicity of clients, the method comprising:
providing instructions to grant or revoke access permissions of users to network objects in real time in response to future fulfillment of conditions which are established by an operator in advance; and
governing access permissions of said users to network objects in said computer network in real time in response to said instructions.
12. A network object access permission management method according to claim 11 and wherein said method includes providing instructions to grant or revoke access permissions of said users to said network objects at future times set in advance by said operator.
13. A network object access permission management method according to claim 11 and wherein said method includes providing instructions to grant or revoke access permissions of said users to said network objects in response to the occurrence of future events selected in advance by said operator.
14. A network object access permission management method according to claim 11 and wherein said method includes providing instructions to grant and thereafter revoke access permissions of said users to said network objects at future times set in advance by said operator.
15. A network object access permission management method according to claim 11 and wherein said method includes providing instructions to revoke and thereafter regrant pre-existing access permissions of said users to said network objects at future times set in advance by said operator.
16. A network object access permission management method according to claim 11 and wherein said method includes providing instructions to grant to said users access permissions to said network objects for a limited duration set in advance by said operator.
17. A network object access permission management method according to claim 11 and wherein said method includes providing instructions to grant or revoke access permissions of said users to said network objects based on changes in at least one characteristic of at least one user of said network object indicated in advance by said operator.
18. A network object access permission management method according to claim 11 and wherein said method includes providing instructions to grant or revoke access permissions of said users to said network objects based on changes in at least one characteristic of said network object indicated in advance by said operator.
19. A network object access permission management method according to claim 11 and wherein said method includes providing instructions to grant or revoke access permissions of said users to said network objects based on activity of at least one user related to said network object as indicated in advance by said operator.
20. A network object access permission management method according to claim 11 and wherein said method includes providing instructions to grant or revoke access permissions of said users to said network objects based on changes in at least one classification of said network object indicated in advance by said operator.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP11736706.0A EP2529300A4 (en) | 2010-01-27 | 2011-01-23 | Time dependent access permissions |
CN2011800163855A CN102822793A (en) | 2010-01-27 | 2011-01-23 | Time dependent access permissions |
Applications Claiming Priority (8)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/IL2010/000069 WO2011030324A1 (en) | 2009-09-09 | 2010-01-27 | Enterprise level data management |
ILPCT/IL2010/000069 | 2010-01-27 | ||
US34882210P | 2010-05-27 | 2010-05-27 | |
US61/348,822 | 2010-05-27 | ||
US12/814,807 | 2010-06-14 | ||
US12/814,807 US8578507B2 (en) | 2009-09-09 | 2010-06-14 | Access permissions entitlement review |
US12/861,967 | 2010-08-24 | ||
US12/861,967 US20110061093A1 (en) | 2009-09-09 | 2010-08-24 | Time dependent access permissions |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011092686A1 true WO2011092686A1 (en) | 2011-08-04 |
Family
ID=47074458
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IL2011/000078 WO2011092686A1 (en) | 2010-01-27 | 2011-01-23 | Time dependent access permissions |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP2529300A4 (en) |
CN (1) | CN102822793A (en) |
WO (1) | WO2011092686A1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105827635A (en) * | 2016-05-09 | 2016-08-03 | 乐视控股(北京)有限公司 | Object access right changing method and system based on object storage |
CN106878002B (en) | 2016-07-05 | 2020-04-24 | 阿里巴巴集团控股有限公司 | Permission revocation method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040205342A1 (en) * | 2003-01-09 | 2004-10-14 | Roegner Michael W. | Method and system for dynamically implementing an enterprise resource policy |
US20080097998A1 (en) * | 2006-10-23 | 2008-04-24 | Adobe Systems Incorporated | Data file access control |
US20080162707A1 (en) * | 2006-12-28 | 2008-07-03 | Microsoft Corporation | Time Based Permissioning |
US20090031418A1 (en) * | 2005-04-21 | 2009-01-29 | Nori Matsuda | Computer, method for controlling access to computer resource, and access control program |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6158010A (en) * | 1998-10-28 | 2000-12-05 | Crosslogix, Inc. | System and method for maintaining security in a distributed computer network |
US20060059117A1 (en) * | 2004-09-14 | 2006-03-16 | Michael Tolson | Policy managed objects |
US20050251851A1 (en) * | 2003-10-10 | 2005-11-10 | Bea Systems, Inc. | Configuration of a distributed security system |
US20060230282A1 (en) * | 2005-04-06 | 2006-10-12 | Hausler Oliver M | Dynamically managing access permissions |
US8132231B2 (en) * | 2007-12-06 | 2012-03-06 | International Business Machines Corporation | Managing user access entitlements to information technology resources |
2011
- 2011-01-23: EP application EP11736706.0A (publication EP2529300A4), status: Pending
- 2011-01-23: WO application PCT/IL2011/000078 (publication WO2011092686A1), status: Application Filing
- 2011-01-23: CN application CN2011800163855A (publication CN102822793A), status: Pending
Non-Patent Citations (1)
Title |
---|
See also references of EP2529300A4 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10176185B2 (en) | 2009-09-09 | 2019-01-08 | Varonis Systems, Inc. | Enterprise level data management |
US10229191B2 (en) | 2009-09-09 | 2019-03-12 | Varonis Systems Ltd. | Enterprise level data management |
US10037358B2 (en) | 2010-05-27 | 2018-07-31 | Varonis Systems, Inc. | Data classification |
US11042550B2 (en) | 2010-05-27 | 2021-06-22 | Varonis Systems, Inc. | Data classification |
US11138153B2 (en) | 2010-05-27 | 2021-10-05 | Varonis Systems, Inc. | Data tagging |
US10320798B2 (en) | 2013-02-20 | 2019-06-11 | Varonis Systems, Inc. | Systems and methodologies for controlling access to a file system |
US20200218796A1 (en) * | 2017-07-05 | 2020-07-09 | Chengdu Qianniucao Information Technology Co., Ltd. | Method for authorizing operation permissions of form-field values |
US11507651B2 (en) * | 2017-07-05 | 2022-11-22 | Chengdu Qianniucao Information Technology Co., Ltd. | Method for authorizing operation permissions of form-field values |
Also Published As
Publication number | Publication date |
---|---|
EP2529300A4 (en) | 2017-05-03 |
CN102822793A (en) | 2012-12-12 |
EP2529300A1 (en) | 2012-12-05 |
Similar Documents
Publication | Title |
---|---|
US20110061093A1 (en) | Time dependent access permissions |
WO2011092686A1 (en) | Time dependent access permissions |
US9679148B2 (en) | Access permissions management system and method |
EP2405607B1 (en) | Privilege management system and method based on object |
US11496476B2 (en) | Access permissions management system and method |
EP2529299B1 (en) | Access permissions entitlement review |
US10721234B2 (en) | Access permissions management system and method |
US20080301207A1 (en) | Systems and methods for cascading destruction of electronic data in electronic evidence management |
US20080301471A1 (en) | Systems and methods in electronic evidence management for creating and maintaining a chain of custody |
EP2529296A1 (en) | Data management utilizing access and content information |
US20080300900A1 (en) | Systems and methods for distributed sequestration in electronic evidence management |
CN111382985A (en) | To-do message integrated pushing system and working method |
JP2008178054A (en) | Monitoring system for protecting privacy |
EP2577445A1 (en) | Data tagging |
CN112308542B (en) | Method and system for realizing intelligent and non-inductive data input |
US20080301756A1 (en) | Systems and methods for placing holds on enforcement of policies of electronic evidence management on captured electronic |
US20080301713A1 (en) | Systems and methods for electronic evidence management with service control points and agents |
EP2959424B1 (en) | Systems and methodologies for controlling access to a file system |
US20080301172A1 (en) | Systems and methods in electronic evidence management for autonomic metadata scaling |
JP2010160742A (en) | Device, system and method for authentication processing, and program |
JPH113264A (en) | File protection system applying setting of file user priority order |
Iachello et al. | A token-based access control mechanism for automated capture and access systems in ubiquitous computing |
EP2521061A1 (en) | Semantic access management engine and method for accessing data |
CN104298895A (en) | Management method for digital resources |
Chim | An investigation of contractor safety management strategy in Hong Kong |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 201180016385.5; Country of ref document: CN |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11736706; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2011736706; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 7419/DELNP/2012; Country of ref document: IN |