1. Background of the Invention
This invention relates to methods, a system, and an article for displaying privilege state data indicating the privileges of users or groups of users to use different objects supported by a network environment, for example. Such objects can include data or software components. In addition, the method, apparatus, and article can have the capability to receive and set privilege state data defining use privileges of objects for various users or groups of users.
2. Description of the Related Art
In most network environments, the users or groups of users have varying privileges with respect to objects supported by the network. The privileges are generally controlled by a system administrator that uses an application program to set privilege states for all users or groups of users with respect to the objects. For example, in a particular organization, it may be desirable that a user group of corporate officers have access to accounting data supported by the network system, but that other users such as quality control personnel not have access to such information. Such privileges can be set by appropriate definitions of the two groups and privilege settings with respect to the accounting data using the application program. Generally, a different application program running on a network server uses the privilege state settings to enforce restrictions on privileges of the network objects for different users or groups of users.
The complexity of the privilege state data scales rapidly upward with increasing numbers of objects, privileges associated with the objects, and users or user groups on the network system, and therefore administration of privilege states becomes increasingly difficult. In addition, updating of the privilege states is required with changes in the users or user groups, objects, and privileges associated with the objects. Complexity of privilege states is further increased by the fact that some users or groups may "inherit" privilege rights from other groups of which they are members. In previous application programs of this nature, the display of privilege state data is generally done in a manner that makes it relatively difficult to understand which users have privilege rights to which objects, and the derivation of those privilege rights, e.g., whether through direct settings or through inheritance. Therefore, setting privilege states as they should be or debugging improper settings is generally relatively difficult with such application programs. It would be desirable to provide methods, a system, and an article that have the capability to display privilege state data in a readily comprehensible manner. In addition, it would be desirable to provide methods, a system, and an article that have the capability to permit privilege state settings to be readily made. Furthermore, it would be desirable to provide methods, a system, and an article that can be used to generate a display that readily permits comprehension of privilege states.
The invented methods, system and article have as their objects to overcome the above-stated problems with previous devices and techniques, and do in fact overcome such problems and provide significant advantages over the prior art.
A first method of the invention comprises generating a display of privilege state in a three-dimensional view. The privilege state data can be used to indicate the privileges of users or groups of users with respect to an object such as data or a software component accessible by such user or group of users. The privilege state data can be represented by graphical symbols indicating "on", "inherited on", "public on", "off", "not set", and "disabled" states. The display can include at least one privilege label, object label, and user label arranged along respective axes of the three-dimensional view. The privilege state data can be displayed in one or more cells arranged in association with respective privilege label(s), object label(s), and user label(s). The privilege label identifies at least one privilege, the object label identifies at least one object associated with the privilege, and the user label identifies at least one user or group of users associated with the object. The objects can be data and/or software components accessible by the network system. The privilege labels can identify data access, data view, and data flow privileges to access or transfer data pertaining to the object within or without the network system, and/or use privileges relative to software component objects. The object labels can identify respective data object(s) stored in a database accessible by the network system, or software component object(s) accessible by the network system. The user labels can identify at least one user and/or user group.
A second method of the invention comprises generating a display of privilege state data in an array of cells in a three-dimensional view on a terminal device, the privilege state data of the cells displayed in correspondence with privilege labels, object labels, and user labels arranged along respective transverse axes of the three-dimensional view. The display is generated by the user interface of a terminal device. The privilege labels can be generated based on respective privilege data, the object labels can be generated based on respective object data, and the user labels can be generated based on respective user data. The method can include inputting privilege state data with the user interface of the terminal device into at least one cell of the array using at least one privilege label, object label, and user label. The second method can also include determining the privilege data, object data, and user data corresponding to the cell in which the privilege state data is input. The second method can also include storing the privilege state data in a memory in correspondence with respective privilege data, object data, and user data for the cell in which the privilege state data was input. The second method can further include updating the display to include privilege state data input by the user in the inputting step, based on the privilege state data stored in the memory. The privilege state data can include data for "on", "inherited on", "public on", "off", "not set", and "disabled" states. The privilege labels, object labels, or user labels can be implemented as software controls.
The second method can also include selecting at least one of the privilege labels, object labels, or user labels with the user interface of the terminal device, and modifying the display of the privilege state data by removing or adding cells in the three-dimensional view based on the selected one of the privilege labels, object labels, or user labels. The user data can identify first and second user entities related by a predetermined hierarchical relationship, and the privilege state data can be input in at least one cell corresponding to first user entity in the inputting step. The second method can further include determining whether the second user entity inherits privilege state data from the first user entity, based on the hierarchical relationship. If the determination establishes that the second user entity inherits the privilege state data from the first user entity, the second method includes storing the privilege state data in correspondence with the user data for the second entity and the object data and privilege data for which the privilege state data was input in the inputting step. The second method can further include determining whether a first object inherits the privilege state data of a second object, based on predetermined dependency data. If so, the second method stores the privilege state data for the first object as the privilege state data for the second object for the user data designated by the inputting step. The second method can further include determining whether a first privilege inherits the privilege state data of a second privilege, based on the predetermined dependency data. If the determination establishes that the first privilege inherits the privilege state data of a second privilege, the second method includes storing the privilege state data in correspondence with the first and second privilege data for the object and user data specified by the inputting step.
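The storing and inheritance steps described above can be sketched as follows. This is an added example, not code from the patent: the group, object, and privilege names are constructed sample data, and two behaviours the text does not specify are assumptions here (only "on" is propagated, recorded as "inherited on", and a direct setting on an inheriting cell is never overwritten).

```python
from itertools import product

# Constructed sample data (assumptions, not from the patent text).
MEMBERS = {"corporate_officers": ["finance_officers"],   # user entity -> entities that inherit from it
           "finance_officers": ["cfo"]}
OBJ_DEPS = {"accounting_db": ["accounting_reports"]}     # object -> objects that inherit from it
PRIV_DEPS = {"data access": ["data view"]}               # privilege -> privileges that inherit from it

def closure(start, deps):
    """Return start plus everything that transitively inherits from it."""
    seen, stack = [], [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.append(node)
            stack.extend(deps.get(node, []))
    return seen

class PrivilegeMatrix:
    def __init__(self):
        # cell key: (privilege, object, user) -> (state, source cell or None if direct)
        self.cells = {}

    def state(self, priv, obj, user):
        return self.cells.get((priv, obj, user), ("not set", None))[0]

    def derivation(self, priv, obj, user):
        """Return the directly set cell this state derives from, or None."""
        return self.cells.get((priv, obj, user), ("not set", None))[1]

    def set_state(self, priv, obj, user, state):
        """Store a direct setting, then fill the cells that inherit from it."""
        origin = (priv, obj, user)
        self.cells[origin] = (state, None)
        if state != "on":
            return  # assumption: only "on" is propagated
        axes = (closure(priv, PRIV_DEPS), closure(obj, OBJ_DEPS), closure(user, MEMBERS))
        for cell in product(*axes):
            current = self.cells.get(cell)
            # assumption: a direct setting on the inheritor is never overwritten
            if cell != origin and (current is None or current[1] is not None):
                self.cells[cell] = ("inherited on", origin)
```

Keeping the source cell alongside each inherited state is what lets an administrator see whether a right comes from a direct setting or through inheritance when auditing an unexpected grant.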
A network system of the invention comprises at least one terminal device, a data storage unit, and at least one server. The terminal device has a user interface generating a display of privilege state data in an array of cells in a three-dimensional view. The cells are displayed in correspondence with privilege labels, object labels, and user labels arranged along respective transverse axes of the three-dimensional view. The data storage unit is coupled to the terminal device. The data storage unit stores corresponding privilege data, object data, user data, and privilege state data. The terminal device can be used to generate privilege state symbols, privilege labels, object labels, and user labels, based on the privilege state data, privilege data, object data, user data, respectively. The server is coupled to the terminal device and the data storage unit. The server transmits privilege state data, privilege data, object data, and user data between the terminal device and the data storage unit. The display can be generated on the user interface by an application program running on the terminal device. The application program can include an interface to convert privilege state data, privilege data, object data, and user data into privilege state symbols, privilege labels, object labels, user labels, respectively, for display on the user interface of the terminal device.
An article of manufacture of the invention comprises a storage medium having an application program for generating a display in a three-dimensional view on a terminal device based on privilege state data.
An object of the invention is to display privilege state data in a readily comprehensible manner.
Another object of the invention is to permit privilege state settings to be readily effected.
A further object of the invention is to permit derivation of privilege states to be displayed so as to be readily understandable.
These together with other objects and advantages, which will become subsequently apparent, reside in the details of construction and operation as more fully hereinafter described and claimed, reference being made to the accompanying drawings, forming a part hereof wherein like numerals refer to like parts throughout the several views.