Title of invention: METHOD AND SYSTEM FOR ASSESSING CUMULATIVE ACCESS ENTITLEMENTS OF AN ENTITY IN A SYSTEM
Abstract: A method and system are provided for assessing the cumulative set of access entitlements to which an entity of an information system may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system (or a specified subset thereof) and that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user, determined according to operating system rules or access check methodologies, is mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user.
Publication number: US2015012966(A1) Publication date: 2015.01.08
Application number: US201414493161 Filing date: 2014.09.22
Applicant: Tandon Sanjay Inventor: Tandon Sanjay
Classification: H04L29/06 Main classification: H04L29/06
Agency: (none listed) Agent: (none listed)
Main claim: 1. A method, performed by a computer, with regard to analyzing cumulative entitlements in an information system including a plurality of users, each user having a corresponding user account, the information system including a plurality of roles, each role having none or a subset of the users or other roles assigned to it, and wherein the information system includes a plurality of securable assets, each securable asset corresponding to an access control list, each access control list including access control entries that identify at least one role or user account having access to the corresponding securable asset, the method comprising: in the computer, determining which roles a given one of the users is assigned to directly or transitively; in the computer, determining a set of access control lists that identify any of the identified roles or the given user; in the computer, determining an effective system-level access granted to the given user in view of the access control entries in the set of access control lists, wherein determining the effective system-level access includes resolving any access conflicts as a function of operating system rules or according to access check methodologies, wherein an access check methodology is defined as the process by which access control mechanisms of the information system protect the securable assets by subjecting a user's access request to a given securable asset to an access check that processes the user's security affiliations, as defined by the user's role assignments and the access control list corresponding to the given securable asset, to determine whether to allow the access requested; and in the computer, mapping the effective system-level access granted to the given user into tasks to determine a cumulative access entitlement set for the given user, wherein the cumulative access entitlement set includes tasks that the given user is entitled to perform with regard to the securable assets corresponding to the set of access control lists.
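The four steps of the claim (transitive role resolution, selecting the ACLs that name the user or a role, conflict resolution under an access check rule, and mapping rights to tasks) as an added, self-contained example; this is illustrative code, not the patent's or applicant's implementation. The role graph, ACLs, task table and the deny-wins conflict rule are all constructed assumptions for the example.

```python
from collections import deque

# Constructed sample data (not from the patent). Roles may contain users or roles.
ROLE_MEMBERS = {"HelpDesk": {"alice"}, "Admins": {"HelpDesk", "bob"},
                "Auditors": {"carol"}}
# Constructed ACLs: securable asset -> ACEs of (principal, allow|deny, rights).
ACLS = {
    "HR-Share": [("Admins", "allow", {"read", "write", "delete"}),
                 ("HelpDesk", "deny", {"delete"}),
                 ("Auditors", "allow", {"read"})],
    "Payroll-DB": [("bob", "allow", {"read", "write"}),
                   ("Auditors", "allow", {"read"})],
}
# Constructed mapping from system-level rights to administrative tasks.
TASKS = {"view records": {"read"}, "edit records": {"read", "write"},
         "purge records": {"read", "delete"}}

def transitive_roles(user):
    """Roles the user holds directly or through nested role membership."""
    found, queue = set(), deque([user])
    while queue:
        member = queue.popleft()
        for role, members in ROLE_MEMBERS.items():
            if member in members and role not in found:
                found.add(role)
                queue.append(role)
    return found

def effective_access(user):
    """Evaluate every ACL that names the user or one of the user's roles.
    Assumed conflict rule (deny wins): an explicit deny on any matching
    principal removes the right even if another matching ACE allows it."""
    principals = transitive_roles(user) | {user}
    result = {}
    for asset, aces in ACLS.items():
        allowed, denied = set(), set()
        for principal, kind, rights in aces:
            if principal in principals:
                (allowed if kind == "allow" else denied).update(rights)
        if allowed - denied:
            result[asset] = allowed - denied
    return result

def cumulative_entitlements(user):
    """Map effective rights on each asset to the tasks those rights enable."""
    return {asset: {t for t, need in TASKS.items() if need <= rights}
            for asset, rights in effective_access(user).items()}
```

Note that alice inherits the Admins grant through HelpDesk, yet the HelpDesk deny strips "delete", so her cumulative entitlement set on HR-Share stops short of the purge task that bob, a direct Admins member, receives.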
Address: Newport Beach CA US