Patent abstract:
A system for operating an enterprise computer network including multiple network objects, said system comprising: monitoring and collection functionality for obtaining continuously updated information regarding at least one of access permissions and actual usage of said network objects; and entitlement review by owner functionality operative: to present to at least one owner of at least one network object a visually sensible indication of authorization status, said visually sensible indication of authorization status including at least a list of users and user groups having access permissions to said at least one network object; to require said at least one owner to review said authorization status to confirm or modify said authorization status; and responsive to said at least one owner confirming or modifying said authorization status, to require said at least one owner to approve said authorization status.
Publication number: EP3691221A1
Application number: EP20166003.2
Filing date: 2011-01-20
Publication date: 2020-08-05
Inventors: Ohad Korkus; Yakov Faitelson; Ophir Kretzer-Katzir; David Bass
Applicant: Varonis Systems Inc
Main IPC: H04L63-00
Description:
[0001] Reference is made to U.S. Patent Application Serial No. 12/673,691, filed February 16, 2010 , and entitled "ENTERPRISE LEVEL DATA MANAGEMENT", which is a National Phase Application of PCTIL201000069 filed January 27, 2010 and entitled "ENTERPRISE LEVEL DATA MANAGEMENT", the disclosure of which is hereby incorporated by reference and priority of which is hereby claimed pursuant to 37 CFR 1.78(a) (1) and (2)(i).
[0002] Reference is also made to U.S. Patent Application Serial No. 12/814,807, filed June 14, 2010 , and entitled "ACCESS PERMISSIONS ENTITLEMENT REVIEW", the disclosure of which is hereby incorporated by reference and priority of which is hereby claimed pursuant to 37 CFR 1.78(a) (1) and (2)(i).
[0003] Reference is also made to the following patents and patent applications, owned by assignee, the disclosures of which are hereby incorporated by reference: U.S. Patent Nos. 7,555,482 and 7,606,801; U.S. Published Patent Application Nos. 2007/0244899, 2008/0271157, 2009/0100058, 2009/0119298 and 2009/0265780; and U.S. Provisional Patent Application No. 61/240,726.
FIELD OF THE INVENTION
[0004] The present invention relates to data management generally and more particularly to enterprise level data management.
BACKGROUND OF THE INVENTION
[0005] The following patent publications are believed to represent the current state of the art: U.S. Patent Nos.: 5,465,387; 5,899,991; 6,338,082; 6,393,468; 6,928,439; 7,031,984; 7,068,592; 7,403,925; 7,421,740; 7,555,482 and 7,606,801; and U.S. Published Patent Application Nos.: 2003/0051026; 2004/0249847; 2005/0108206; 2005/0203881; 2005/0120054; 2005/0086529; 2006/0064313; 2006/0184530; 2006/0184459 and 2007/0203872.
SUMMARY OF THE INVENTION
[0006] The present invention provides improved systems and methodologies for data management.
[0007] There is thus provided in accordance with a preferred embodiment of the present invention a system for operating an enterprise computer network including multiple network objects, the system including monitoring and collection functionality for obtaining continuously updated information regarding at least one of access permissions and actual usage of the network objects, and entitlement review by owner functionality operative to present to at least one owner of at least one network object a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by the at least one owner of the at least one network object.
[0008] Preferably, the system resides on a computer server which is connected to an enterprise level network to which is connected a multiplicity of computers and storage devices.
[0009] In accordance with a preferred embodiment of the present invention, the entitlement review by owner functionality is operative to periodically present to the at least one owner of the at least one network object the visually sensible indication of authorization status. Additionally, the visually sensible indication of authorization status includes a list of network objects owned by the at least one owner of the at least one network object.
[0010] Preferably, for each of the list of network objects, the visually sensible indication of authorization status includes a list of users and user groups having access permissions to each of the list of network objects. Additionally, for each of the list of users and user groups having access permissions to each of the list of network objects the authorization status includes at least an indication of whether the access permissions were not authorized by the at least one owner of the at least one network object.
[0011] There is also provided in accordance with another preferred embodiment of the present invention a system for operating an enterprise computer network including multiple network objects, the system including monitoring and collection functionality for obtaining continuously updated information regarding at least one of access permissions and actual usage of the network objects, and entitlement review by owner functionality operative to present to at least one owner of at least one network object a visually sensible indication of authorization status, and to require the at least one owner to confirm or modify the authorization status.
[0012] Preferably, the system resides on a computer server which is connected to an enterprise level network to which is connected a multiplicity of computers and storage devices.
[0013] In accordance with a preferred embodiment of the present invention, the entitlement review by owner functionality is operative to periodically present to the at least one owner of the at least one network object the visually sensible indication of authorization status and to periodically require the at least one owner to confirm or modify the authorization status. Additionally, the visually sensible indication of authorization status includes a list of network objects owned by the at least one owner of the at least one network object.
[0014] Preferably, for each of the list of network objects, the visually sensible indication of authorization status includes a list of users and user groups having access permissions to each of the list of network objects. Additionally, for each of the list of users and user groups having access permissions to each of the list of network objects the authorization status includes at least an indication of whether the access permissions were not authorized by the at least one owner of the at least one network object and a revocation recommendation to the at least one owner of the at least one network object recommending whether the access permissions should be revoked from the user or user group.
[0015] Preferably, the revocation recommendation includes a textual justification for the revocation recommendation. Additionally or alternatively the entitlement review by owner functionality includes access permissions modifying functionality. Preferably, the access permissions modifying functionality is preset to modify access permissions in accordance with the revocation recommendations.
[0016] In accordance with a preferred embodiment of the present invention, when the at least one owner of the at least one network object utilizes the access permissions modifying functionality to modify access permissions to any of the list of network objects, the entitlement review by owner functionality requires the at least one owner of the at least one network object to write a justification for modifying access permissions to any of the list of network objects. Preferably, when the at least one owner of the at least one network object chooses to disregard the revocation recommendation associated with the at least one network object, the entitlement review by owner functionality requires the at least one owner of the at least one network object to write a justification for disregarding the revocation recommendation associated with the at least one network object.
[0017] There is further provided in accordance with yet another preferred embodiment of the present invention a method for operating an enterprise computer network including multiple network objects, the method including monitoring and collecting continuously updated information regarding at least one of access permissions and actual usage of the network objects, and presenting to at least one owner of at least one network object an entitlement review which includes a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by the at least one owner of the at least one network object.
[0018] There is yet further provided in accordance with still another preferred embodiment of the present invention a method for operating an enterprise computer network including multiple network objects, the method including monitoring and collecting continuously updated information regarding at least one of access permissions and actual usage of the network objects, and presenting to at least one owner of at least one network object an entitlement review which includes a visually sensible indication of authorization status, and requiring the at least one owner to confirm or modify the authorization status.
BRIEF DESCRIPTION OF THE DRAWINGS
[0019] The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which: Figs. 1A and 1B are simplified illustrations of the operation of an access permissions entitlement system, constructed and operative in accordance with a preferred embodiment of the present invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
[0020] Reference is now made to Figs. 1A and 1B which are simplified diagrams illustrating an access permissions entitlement system, constructed and operative in accordance with a preferred embodiment of the present invention.
[0021] This system is preferably suitable for operating an enterprise computer network including multiple network objects such as disparate users, user groups and network resources, and includes: monitoring and collection functionality for obtaining continuously updated information regarding at least one of access permissions and actual usage of the network objects; and entitlement review by owner functionality operative to present to at least one owner of at least one network object a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by the at least one owner of the at least one network object, and to require the at least one owner to confirm or modify the authorization status.
[0022] The term "network object" for the purposes of this application is defined to include user generated enterprise computer network resources on any commercially available computer operating system. Examples of network objects include structured and unstructured computer data resources such as files and folders, and user groups.
[0023] The owner of a network object is responsible for the authorization of permissions to the network object. For example, permissions may include read or write permissions to a file, modification permissions to a folder (e.g. permissions to create or delete files), and modification permissions to a user group (e.g. permissions to add or remove a user from the group).
[0024] As seen in Fig. 1A, the system may reside on a server 100, connected to an enterprise level network 102, to which may be connected hundreds or thousands of computers 104 and storage devices 106. A matrix (not shown) is defined at any given time, including all of the network objects in the enterprise at that time. Various aspects of changes made to access permissions of network objects and actual usage of network objects are applied to the matrix by the system.
[0025] Periodically, the system presents to all network object owners in the network a data entitlement review. For example, as seen in Fig. 1A, on July 1, 2009 at 9:00 AM a network object owner 110 is provided with a quarterly entitlement review 112, which the network object owner 110 is required to review, modify if necessary and approve.
[0026] The quarterly entitlement review 112 preferably includes a list of folders owned by the network object owner 110. For each folder, the entitlement review 112 preferably includes a list of users and user groups currently having access permissions to the folder, and for each of the users and user groups currently having access permissions to the folder, the entitlement review 112 preferably includes: an indication of whether the access permissions were not previously authorized by the network object owner 110; a revocation recommendation, which may be provided by the system to the network object owner 110 recommending that the access permissions be revoked from the user or user group; access permissions modifying functionality comprising an "allow" option and a "remove" option, whereby the system preselects one of the two options on the basis of the current state of the system and the revocation recommendation; and an explanation text field to be filled in by the network object owner 110 upon modifying the current access permissions, whether as a result of a revocation recommendation or not, or upon deciding to disregard a revocation recommendation. Where a revocation recommendation is provided by the system, the explanation field will be pre-filled by the system, and will contain a brief justification for the revocation recommendation.
[0027] For example, as seen in Fig. 1A, the entitlement review 112 indicates that Dan, Sam and Tom, as well as members of user groups group 1 and group 2 currently have access permissions to folder 1, and also indicates that the owner 110 has not authorized Tom's access permissions to folder 1. The entitlement review 112 includes a revocation recommendation to revoke access permissions to folder 1 from Dan, justified by the fact that Dan does not actually access folder 1. The entitlement review 112 also includes a revocation recommendation to revoke access permissions to folder 1 from Tom, justified by the fact that Tom's access permissions to folder 1 were not authorized by owner 110.
[0028] As seen in Fig. 1A, at a later time, such as at 9:30 AM, the network object owner 110 reviews the entitlement review 112 and decides to continue to allow Dan access permissions to folder 1, notwithstanding a contrary revocation recommendation provided by the system, and writes a justifying explanation for doing so, the explanation being that Dan requires access to folder 1. The network object owner 110 also decides to revoke access permissions to folder 1 from Tom as recommended by the system.
[0029] Upon completing the review and modification of the entitlement review 112, the network object owner 110 preferably approves the report, for example by ticking a check box next to an appropriately worded approval. The network object owner 110 then submits the completed report, for example by clicking a submit button, whereby the report is then submitted to the system and is preferably sent to the enterprise IT manager 114. The system utilizes information in the report to modify access permissions of users to network objects, for example by modifying access permissions of specific users to specific network objects, or by modifying group memberships of specific users whereby membership in specific groups may allow access to specific network objects.
[0030] Additionally or alternatively, as seen in Fig. 1B, the quarterly entitlement review 112 provided to the network object owner 110 on July 1, 2009 at 9:00 AM preferably includes a list of user groups owned by the network object owner 110. For each user group, the entitlement review 112 preferably includes a list of users currently having access permissions to the user group, and for each of the users currently having access permissions to the user group, the entitlement review 112 preferably includes an indication whether the access permissions were not authorized by the network object owner 110; a revocation recommendation which may be provided by the system to the network object owner 110, recommending that the access permissions be revoked from the user; an owner decision option button comprising an "allow" option and a "remove" option, whereby the system preselects one of the two options on the basis of the current state of the system and the revocation recommendation; and an explanation text field to be filled in by the network object owner 110 upon modifying the current access permissions whether as a result of a revocation recommendation or not, or upon deciding to disregard a revocation recommendation. Where a revocation recommendation is provided by the system, the explanation field will be pre-filled by the system, and will contain a brief justification for the revocation recommendation.
[0031] For example, as seen in Fig. 1B, the entitlement review 112 indicates that Dan, Sam and Tom currently have access permissions to group 1, and also indicates that the owner 110 has not authorized Tom's access permissions to group 1. The entitlement review 112 includes a revocation recommendation to revoke access permissions to group 1 from Dan, justified by the fact that Dan does not actually access group 1. The entitlement review 112 also includes a revocation recommendation to revoke access permissions to group 1 from Tom, justified by the fact that Tom's access permissions to group 1 were not authorized by owner 110.
[0032] As seen in Fig. 1B, at a later time, such as at 9:30 AM, the network object owner 110 reviews the entitlement review 112 and decides to continue to allow Dan access permissions to group 1, notwithstanding a contrary revocation recommendation provided by the system, and writes a justifying explanation for doing so, the explanation being that Dan requires access to group 1. The network object owner 110 also decides to revoke access permissions to group 1 from Tom as recommended by the system.
[0033] Upon completing the review and modification of the entitlement review 112, the network object owner 110 preferably approves the report, for example by ticking a check box next to an appropriately worded approval. The network object owner 110 then submits the completed report, for example by clicking a submit button, whereby the report is then submitted to the system and is preferably sent to the enterprise IT manager 114. The system utilizes information in the report to modify access permissions of users to network objects, for example by modifying access permissions of specific users to specific network objects, or by modifying group memberships of specific users whereby membership in specific groups may allow access to specific network objects.
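The review flow of paragraphs [0025] to [0033] (folder permissions in Fig. 1A, group memberships in Fig. 1B) as a small working model. This is an added example, not code from the patent or from Varonis: the permission snapshot, the owner's prior authorizations, the group memberships, the usage log format and the 90-day usage window are all constructed assumptions. It goes one step beyond the text in that a group's usage of an object is taken to be the latest usage by any of its members, which is how a usage-based recommendation can be made for a group principal at all.

```python
"""Owner entitlement review with usage- and authorization-based revocation
recommendations. Added illustration; names, log format, window and group
memberships are constructed assumptions, not data from the patent."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed permission snapshot: network object -> principals holding access.
# "group 1" as an object lists its members (Fig. 1B); as a principal on
# "folder 1" it grants those members access (Fig. 1A).
PERMISSIONS = {
    "folder 1": ["Dan", "Sam", "Tom", "group 1", "group 2"],
    "group 1": ["Dan", "Sam", "Tom"],
}
GROUP_MEMBERS = {"group 1": ["Dan", "Sam", "Tom"], "group 2": ["Sam"]}  # constructed

# Constructed record of (object, principal) pairs the owner previously authorized.
OWNER_AUTHORIZED = {
    ("folder 1", "Dan"), ("folder 1", "Sam"), ("folder 1", "group 1"),
    ("folder 1", "group 2"), ("group 1", "Dan"), ("group 1", "Sam"),
}

# Constructed usage log, one event per line: "<ISO time> <principal> <action> <object>".
USAGE_LOG = """\
2009-04-02T10:15:00 Sam read folder 1
2009-05-11T16:40:00 Sam write folder 1
2009-06-20T09:05:00 Tom read folder 1
2009-06-21T11:00:00 Sam use group 1
2009-06-22T08:30:00 Tom use group 1
"""


class ReviewError(ValueError):
    """Raised when an owner's submission breaks the review rules."""


@dataclass
class ReviewRow:
    obj: str
    principal: str
    authorized: bool
    last_used: Optional[datetime]
    recommendation: Optional[str]  # "remove" or None
    justification: str             # pre-filled by the system when it recommends removal
    preselected: str               # "allow" or "remove", the option shown selected


def parse_usage(log_text):
    """Latest access time per (object, principal) from the constructed log format."""
    last = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, principal, _action, obj = line.split(" ", 3)  # object names may contain spaces
        when = datetime.fromisoformat(ts)
        if (obj, principal) not in last or when > last[(obj, principal)]:
            last[(obj, principal)] = when
    return last


def last_use(last, obj, principal, groups):
    """A group's usage of an object is the latest usage by any of its members."""
    times = [last[(obj, m)] for m in groups.get(principal, [principal]) if (obj, m) in last]
    return max(times) if times else None


def build_review(owner, objects, permissions, authorized, groups, usage_log,
                 review_time, window=timedelta(days=90)):
    """One row per (object, principal) holding access, with the system's recommendation."""
    last = parse_usage(usage_log)
    rows = []
    for obj in objects:
        for principal in permissions.get(obj, []):
            is_auth = (obj, principal) in authorized
            used = last_use(last, obj, principal, groups)
            recently = used is not None and review_time - used <= window
            if not is_auth:   # unauthorized access is flagged regardless of usage
                rec, why = "remove", f"{principal}'s access to {obj} was not authorized by {owner}"
            elif not recently:
                rec, why = "remove", f"{principal} does not actually access {obj}"
            else:
                rec, why = None, ""
            rows.append(ReviewRow(obj, principal, is_auth, used, rec, why,
                                  "remove" if rec else "allow"))
    return rows


def submit_review(rows, decisions, approved):
    """Apply owner decisions {(obj, principal): (option, explanation)} and return
    the revocations and the overridden recommendations.

    Every removal and every disregarded recommendation needs a justification; a
    removal that follows the recommendation may rely on the pre-filled one; the
    owner must tick approval before the report is accepted."""
    if not approved:
        raise ReviewError("the owner must approve the review before submitting it")
    revoke, overrides = [], []
    for row in rows:
        option, text = decisions.get((row.obj, row.principal), (row.preselected, ""))
        if option not in ("allow", "remove"):
            raise ReviewError(f"unknown option {option!r} for {row.principal} on {row.obj}")
        text = text.strip() or (row.justification if option == row.recommendation else "")
        if option == "remove":
            if not text:
                raise ReviewError(f"removing {row.principal} from {row.obj} needs a justification")
            revoke.append((row.obj, row.principal, text))
        elif row.recommendation == "remove":
            if not text:
                raise ReviewError(f"keeping {row.principal} on {row.obj} against the "
                                  "recommendation needs a justification")
            overrides.append((row.obj, row.principal, text))
    return {"revoke": revoke, "overrides": overrides}
```

Running `build_review("owner 110", ["folder 1", "group 1"], PERMISSIONS, OWNER_AUTHORIZED, GROUP_MEMBERS, USAGE_LOG, datetime(2009, 7, 1, 9, 0))` reproduces the figures: Dan is recommended for removal on both objects for lack of usage, Tom for lack of authorization, and Sam and the two groups are left alone. Passing `submit_review` the owner's decisions to keep Dan with an explanation, and nothing for Tom, yields revocations for Tom only; omitting the explanation for Dan, or submitting without approval, raises `ReviewError`, which is the enforcement point a defender cares about.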
[0034] It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the present invention includes both combinations and subcombinations of the various features described hereinabove as well as modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not in the prior art.
Claims:
Claims (10)
[0001] A system for operating an enterprise computer network including multiple network objects, said system comprising:
monitoring and collection functionality for obtaining continuously updated information regarding at least one of access permissions and actual usage of said network objects; and
entitlement review by owner functionality operative:
to present to at least one owner of at least one network object a visually sensible indication of authorization status, said visually sensible indication of authorization status including at least a list of users and user groups having access permissions to said at least one network object;
to require said at least one owner to review said authorization status to confirm or modify said authorization status; and
responsive to said at least one owner confirming or modifying said authorization status, to require said at least one owner to approve said authorization status.
[0002] A system according to claim 1 and wherein said system resides on a computer server which is connected to an enterprise level network to which is connected a multiplicity of computers and storage devices.
[0003] A system according to claim 1 and wherein said visually sensible indication of authorization status comprises a list of network objects owned by said at least one owner of said at least one network object.
[0004] A system according to claim 3 and wherein for each of said list of users and user groups having access permissions to said each of said list of network objects said authorization status includes at least:
an indication of whether said access permissions were not authorized by said at least one owner of said at least one network object; and
a revocation recommendation to said at least one owner of said at least one network object recommending whether said access permissions should be revoked from the user or user group.
[0005] A system according to claim 4 and wherein said revocation recommendation includes a textual justification for said revocation recommendation.
[0006] A system according to claim 5 and wherein said entitlement review by owner functionality includes access permissions modifying functionality.
[0007] A system according to claim 6 and wherein said access permissions modifying functionality is preset to modify access permissions in accordance with said revocation recommendations.
[0008] A system according to claim 7 and wherein when said at least one owner of said at least one network object utilizes said access permissions modifying functionality to modify access permissions to any of said list of network objects, said entitlement review by owner functionality requires said at least one owner of said at least one network object to write a justification for modifying access permissions to any of said list of network objects.
[0009] A system according to claim 7 and wherein when said at least one owner of said at least one network object chooses to disregard said revocation recommendation associated with said at least one network object, said entitlement review by owner functionality requires said at least one owner of said at least one network object to write a justification for disregarding said revocation recommendation associated with said at least one network object.
[0010] A computer-implemented method for operating an enterprise computer network including multiple network objects, said method comprising:
monitoring and collecting continuously updated information regarding at least one of access permissions and actual usage of said network objects; and
presenting to at least one owner of at least one network object an entitlement review which comprises a visually sensible indication of authorization status;
requiring said at least one owner to confirm or modify said authorization status; and
responsive to said at least one owner confirming or modifying said authorization status, requiring said at least one owner to approve said authorization status.
Similar technologies:
Publication number | Publication date | Title
US9639672B2|2017-05-02|Selective access to portions of digital content
Patel2019|A framework for secure and decentralized sharing of medical imaging data via blockchain consensus
US10999373B2|2021-05-04|Information management of data associated with multiple cloud services
US10764254B2|2020-09-01|Systems and methods of secure data exchange
US9762553B2|2017-09-12|Systems and methods of secure data exchange
US9760697B1|2017-09-12|Secure interactive electronic vault with dynamic access controls
US9547770B2|2017-01-17|System and method for managing collaboration in a networked secure exchange environment
US9959333B2|2018-05-01|Unified access to personal data
US10216919B2|2019-02-26|Access blocking for data loss prevention in collaborative environments
US9798737B2|2017-10-24|Systems and methods for in-place records management and content lifecycle management
US9514327B2|2016-12-06|Litigation support in cloud-hosted file sharing and collaboration
US9591038B2|2017-03-07|Feature set differentiation by tenant and user
US9213805B2|2015-12-15|Approach for managing access to data on client devices
US8966445B2|2015-02-24|System for supporting collaborative activity
US20170093870A1|2017-03-30|Email effectivity facilty in a networked secure collaborative exchange environment
RU2620997C2|2017-05-30|Automatic detection of relationships for forming report based on data spreadsheet
US8977661B2|2015-03-10|System, method and computer readable medium for file management
AU2013202553B2|2015-10-01|Information management of mobile device data
CA2944218C|2018-09-11|Secure workflow and data management facility
CN102460389B|2014-10-29|Methods and systems for launching applications into existing isolation environments
US9262643B2|2016-02-16|Encrypting files within a cloud computing environment
AbuKhousa et al.2012|e-Health cloud: opportunities and challenges
RU2475840C2|2013-02-20|Providing digital credentials
US8332470B2|2012-12-11|Methods and apparatus providing collaborative access to applications
KR101590076B1|2016-02-01|Method for managing personal information
Patent family:
Publication number | Publication date
EP2529299B1|2020-05-06|
US9106669B2|2015-08-11|
US20140059654A1|2014-02-27|
CN102907063A|2013-01-30|
IN2012DN06455A|2015-10-09|
US20150304335A1|2015-10-22|
US20170223025A1|2017-08-03|
US9660997B2|2017-05-23|
US20110061111A1|2011-03-10|
US8578507B2|2013-11-05|
EP2529299A1|2012-12-05|
US9912672B2|2018-03-06|
CN102907063B|2015-07-22|
EP2529299A4|2017-03-22|
WO2011092684A1|2011-08-04|
Cited documents:
Publication number | Filing date | Publication date | Applicant | Title
Legal status:
2020-07-03| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED |
2020-07-03| PUAI| Public reference made under article 153(3) epc to a published international application that has entered the european phase|Free format text: ORIGINAL CODE: 0009012 |
2020-08-05| AK| Designated contracting states|Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
2020-08-05| AC| Divisional application: reference to earlier application|Ref document number: 2529299 Country of ref document: EP Kind code of ref document: P |
2020-10-14| RIN1| Information on inventor provided before grant (corrected)|Inventor name: FAITELSON, YAKOV Inventor name: KORKUS, OHAD Inventor name: KRETZER-KATZIR, OPHIR Inventor name: BASS, DAVID |
2021-01-15| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
2021-02-17| RBV| Designated contracting states (corrected)|Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
2021-02-17| 17P| Request for examination filed|Effective date: 20210112 |
2021-06-01| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: GRANT OF PATENT IS INTENDED |
2021-06-01| GRAP| Despatch of communication of intention to grant a patent|Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
2021-06-30| INTG| Intention to grant announced|Effective date: 20210602 |
2021-09-21| GRAS| Grant fee paid|Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
2021-09-24| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
2021-09-24| GRAA| (expected) grant|Free format text: ORIGINAL CODE: 0009210 |
2021-10-27| AK| Designated contracting states|Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
2021-10-27| AC| Divisional application: reference to earlier application|Ref document number: 2529299 Country of ref document: EP Kind code of ref document: P |
2021-10-27| REG| Reference to a national code|Ref country code: GB Ref legal event code: FG4D |
2021-10-29| REG| Reference to a national code|Ref country code: CH Ref legal event code: EP |
2021-11-15| REG| Reference to a national code|Ref country code: AT Ref legal event code: REF Ref document number: 1442893 Country of ref document: AT Kind code of ref document: T Effective date: 20211115 |
2021-11-18| REG| Reference to a national code|Ref country code: DE Ref legal event code: R096 Ref document number: 602011072031 Country of ref document: DE |
2021-11-24| REG| Reference to a national code|Ref country code: IE Ref legal event code: FG4D |
2021-11-26| REG| Reference to a national code|Ref country code: DE Ref legal event code: R079 Ref document number: 602011072031 Country of ref document: DE Free format text: PREVIOUS MAIN CLASS: H04L0029060000 Ipc: H04L0065000000 |
2022-02-25| REG| Reference to a national code|Ref country code: LT Ref legal event code: MG9D |
Priority:
Application number | Filing date | Title