Title: Method and system for assessing cumulative access entitlements of an entity in a system
Abstract: A method and system are provided for assessing the cumulative set of access entitlements to which an entity of an information system may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system, or a specified subset thereof, that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user, determined according to operating system rules or access check methodologies, is mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user.
Publication number: US8843994 (B2)  Publication date: 2014.09.23
Application number: US201313868961  Filing date: 2013.04.23
Applicant:  Inventor: Tandon Sanjay
Classification: G06F21/00; G06F21/31  Main classification: G06F21/00
Agency: Haynes and Boone, LLP  Agent: Haynes and Boone, LLP
Independent claim 1. A method, performed by a computer, for analyzing cumulative entitlements in an information system including a plurality of users, each user having a corresponding user account, the information system including a plurality of security groups, each security group including none or a subset of the users or other security groups, and wherein the information system includes one or more securable assets, each securable asset corresponding to an access control list, each access control list including access control entries that identify at least one security group or user account having access to the corresponding securable asset, the method comprising: in the computer, determining a set of access control lists that correspond to the securable assets; in the computer, determining a set of users and security groups for whom access is specified in the determined set of access control lists; in the computer, determining a set of users that belong to the determined security groups, directly or transitively; in the computer, determining an effective system-level access granted to the identified users for whom access is specified directly or via direct or transitive group memberships in the set of access control lists that correspond to the securable assets, in view of the access control entries in the set of access control lists that correspond to the given set of securable assets, wherein determining the effective system-level access includes resolving any access conflicts as a function of operating system rules or according to access check methodologies, wherein an access check methodology is defined as the process by which access control mechanisms of the information system protect the securable assets, by subjecting a user's access request to a given securable asset to an access check that processes the user's security affiliations, as defined by the security groups and the access control list corresponding to the given securable asset, to determine whether to allow the access requested; and in the computer, mapping the effective system-level access granted to the identified users into tasks to determine a cumulative access entitlement set for the identified users on the securable assets, wherein the cumulative access entitlement set includes tasks that the identified users are entitled to perform with regard to the securable assets corresponding to the set of access control lists.
Address: Newport Beach, CA, US
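The five steps of claim 1 (collect the ACLs, identify the users and groups named in their ACEs, expand group membership transitively, resolve each user's effective access under a conflict rule, and map effective rights to tasks) are shown below as an added Python example. It is not code from the patent or its inventor. The group tree, the two ACLs, the rights names, the deny-overrides-allow conflict rule and the task table are all constructed assumptions chosen to exercise nested and cyclic group membership and an allow/deny conflict; a real assessment would substitute the directory's group data, the assets' ACLs and the operating system's actual access check semantics.

```python
"""Cumulative-entitlement assessment over constructed sample data.

Step 1 collects ACLs, step 2 names the principals in them, step 3 expands
groups transitively, step 4 resolves effective rights, step 5 maps rights
to tasks. Every identifier and rule here is an assumption for illustration.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple


class ACE(NamedTuple):
    kind: str               # "allow" or "deny"
    trustee: str            # a user account or a security group
    rights: FrozenSet[str]  # rights granted or denied by this entry


# Constructed group membership; a member that is also a key is a nested group.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Domain Admins": {"alice"},
    "HelpDesk": {"bob", "Tier2"},
    "Tier2": {"carol", "HelpDesk"},            # HelpDesk <-> Tier2 cycle
    "Everyone": {"alice", "bob", "carol", "dave"},
}

# Constructed ACLs for two securable assets (right names are assumptions).
ASSETS: Dict[str, List[ACE]] = {
    "Finance share": [
        ACE("allow", "Everyone", frozenset({"READ"})),
        ACE("allow", "HelpDesk", frozenset({"READ", "WRITE"})),
        ACE("deny", "carol", frozenset({"WRITE"})),
        ACE("allow", "Domain Admins",
            frozenset({"READ", "WRITE", "WRITE_DAC", "WRITE_OWNER"})),
    ],
    "HR share": [
        ACE("allow", "Tier2", frozenset({"READ", "WRITE", "WRITE_DAC"})),
        ACE("deny", "Everyone", frozenset({"WRITE_DAC"})),
    ],
}

# Constructed task table: a task is entitled when every listed right is held.
TASKS: Dict[str, FrozenSet[str]] = {
    "read data": frozenset({"READ"}),
    "modify data": frozenset({"READ", "WRITE"}),
    "change permissions": frozenset({"WRITE_DAC"}),
    "take ownership": frozenset({"WRITE_OWNER"}),
}


def expand_group(group: str, members: Dict[str, Set[str]]) -> Set[str]:
    """Step 3: all user accounts in `group`, directly or transitively (cycle-safe)."""
    users: Set[str] = set()
    visited: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        if g in visited:
            continue
        visited.add(g)
        for m in members.get(g, set()):
            if m in members:
                stack.append(m)        # nested group: keep walking
            else:
                users.add(m)           # leaf: a user account
    return users


def identified_principals(assets, members) -> Tuple[Set[str], Set[str]]:
    """Step 2 (+3): users and groups named in the ACLs, plus users reached via groups."""
    users: Set[str] = set()
    groups: Set[str] = set()
    for acl in assets.values():
        for ace in acl:
            (groups if ace.trustee in members else users).add(ace.trustee)
    for g in groups:
        users |= expand_group(g, members)
    return users, groups


def effective_access(user: str, acl: List[ACE], members) -> Set[str]:
    """Step 4: allowed rights minus denied rights for `user` on one ACL.

    Assumed conflict rule: a deny ACE overrides an allow ACE for the same
    right regardless of ACE order (a conservative explicit-deny reading)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        applies = ace.trustee == user or (
            ace.trustee in members and user in expand_group(ace.trustee, members))
        if applies:
            (denied if ace.kind == "deny" else allowed).update(ace.rights)
    return allowed - denied


def tasks_for(rights: Set[str], tasks=TASKS) -> Set[str]:
    """Step 5: the tasks whose required rights are all held."""
    return {name for name, needed in tasks.items() if needed <= rights}


def assess(assets=ASSETS, members=GROUP_MEMBERS, tasks=TASKS):
    """Cumulative entitlement set: user -> asset -> entitled tasks."""
    users, _ = identified_principals(assets, members)   # step 1 is `assets` itself
    return {u: {a: tasks_for(effective_access(u, acl, members), tasks)
                for a, acl in assets.items()}
            for u in sorted(users)}


if __name__ == "__main__":
    for user, per_asset in assess().items():
        for asset, entitled in per_asset.items():
            print(f"{user:6} {asset:14} {sorted(entitled)}")
```

Running the block lists, for each identified user and asset, the tasks that user can perform. Two details carry the weight of the claim: the cycle between HelpDesk and Tier2 is handled by the visited set rather than by assuming the group graph is a tree, and the explicit deny on carol strips WRITE from what her HelpDesk membership would otherwise grant, so she maps to "read data" only. The task table is where a reviewer would encode the organisation's own definition of an administrative task; the rights-to-task mapping is the step that turns raw access masks into an answer an auditor can act on.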