1. Field of the Invention
This invention relates to computer security. More particularly, this invention relates to visualization of user access permissions on a computer system.
2. Description of the Related Art
Data security policies typically determine who has access to an organization's stored data on various computer systems. These policies are rarely static. Users from within the organization, e.g., employees, partners, contractors, can pose a threat as severe as threats from outside the organization. Thus, as the structure and personnel makeup of the organization change, the security policy should be adjusted from time to time. Yet, information technology departments often find it difficult to manage user access rights and to ensure that needed information is conveniently available, while still protecting the organization's sensitive data.
Large business organizations may operate enterprise computer systems comprising large numbers of servers, often geographically distributed. Storage elements in these systems may be accessible in many combinations by large numbers of users, possibly numbering in the hundreds of thousands. Various personnel associated with data access authorizations, including information technology personnel, operational personnel such as account managers, and third party reviewers such as the legal department of the enterprise, may need to routinely inquire as to user access rights to enterprise data.
Maintaining a conventional localized or distributed database suitable to respond to queries for determining the privileges of any particular user or group of users within the enterprise, or conversely, to determine the privileges relating to a particular storage element or group of storage elements, could overwhelm even the capabilities of today's sophisticated database management programs. Storage and retrieval of such data as needed to service queries may have an adverse affect on the storage capacities of various servers. Execution of such queries may impact performance of the servers, and would impair the overall efficiency of the enterprise. Because response to such queries often necessitates an exhaustive iterative search through the directories of many file servers and their access control lists, the response time of such queries becomes unacceptably prolonged.
Access control technologies have not been optimally implemented in enterprises that utilize diverse access control models. The state of the art today is such that there is no easy way for system administrators to know who is capable of accessing what in such environments. As a result, in many organizations an unacceptably high proportion of users has incorrect access privileges. The related problems of redundant access rights and orphan accounts of personnel who have left the organization have also not been fully solved. Hence, there is a need for improvements in controlling user file permissions in order to improve data security, prevent fraud, and improve company productivity. Furthermore, misuse of data access, even by authorized users, is a concern of those charged with simplification and automation of system security.
Current techniques available to information technology personnel include review and maintenance of access control lists, in conjunction with administration of user names, passwords, and the extension of such techniques to include biometrics, encryption, and limitation of access to a single sign-on. Such techniques are inefficient, often inaccurate, and become impractical in the context of large, complex organizations whose structure and personnel are constantly changing.