1. Field of the Invention
This invention relates to computer security. More particularly, this invention relates to modification of user access permissions on a computer system.
2. Description of the Related Art
Data security policies typically determine who has access to an organization's stored data on various computer systems. These policies are rarely static. Users from within the organization, e.g., employees, partners, contractors, can pose a threat as severe as threats from outside the organization. Thus, as the structure and personnel makeup of the organization change, the security policy should be adjusted from time to time. Yet, information technology departments often find it difficult to manage user access rights and to ensure that needed information is conveniently available, while still protecting the organization's sensitive data.
Access control technologies have not been optimally implemented in enterprises that utilize diverse access control models. The state of the art today is such that there is no easy way for system administrators to know who is accessing what in such environments. As a result, in many organizations an unacceptably high proportion of users has incorrect access privileges. The related problems of redundant access rights and orphan accounts of personnel who have left the organization have also not been fully solved. Hence, there is a need for improvements in controlling user file permissions in order to improve data security, prevent fraud, and improve company productivity. Furthermore, misuse of data access, even by authorized users, is a concern of those charged with simplification and automation of system security.
Current techniques available to information technology personnel include review and maintenance of access control lists, in conjunction with administration of user names, passwords, and the extension of such techniques to include biometrics, encryption, and limitation of access to a single sign-on. Such techniques are inefficient, often inaccurate, and become impractical in the context of large, complex organizations whose structure and personnel are constantly changing.
Aids to security are available for enterprises using particular operating systems or environments. These often involve role-based access control, a technique that has been the subject of considerable interest for the last several years by governmental organizations, and has more recently been adopted in commercial enterprises.