Title of invention: Enterprise security management system using hierarchical organization and multiple ownership structure
Abstract: A hierarchical security model for networked computer users is described. Files and resources are controlled or created by users within the network. Each user within the network has an account that is managed by a network administrator. The account specifies the user identifier and password. Users are grouped into organizations depending upon function or other organizational parameter. The groups within the network are organized hierarchically in terms of access and control privileges. Users within a higher level group may exercise access and control privileges over files or resources owned by users in a lower level group. The account for each user further specifies the group that the owner belongs to and an identifier for any higher level groups that have access privileges over the user's group. All users within a group inherit the rights and restrictions of the group.
Publication number: US8762357(B2) Publication date: 2014.06.24
Application number: US201213406472 Filing date: 2012.02.27
Applicant: Ellie Mae, Inc. Inventors: Hu Limin;Wu Ting-Hu;Han Ching-Chih Jason
Classification number: G06F17/30 Main classification number: G06F17/30
Agency: Fish & Richardson P.C. Agent: Fish & Richardson P.C.
Principal claim: 1. A method comprising: identifying an administrator that has access rights and permissions to all network resources in a set of network resources; assigning a first set of identifiers to a first set of users; grouping the first set of users into a plurality of groups; creating a hierarchical structure for the groups including determining a hierarchical relationship among the groups and the administrator wherein access rights and permissions are established for each group and wherein parent groups inherit access rights and permissions for their respective child groups and wherein the hierarchical structure includes one or more lines that each represent a direct path of related groups to the administrator; for each user in the first set, associating one or more network resources in the set of network resources with a respective user wherein the one or more network resources are not the same for any user in the first set of users; assigning a second set of identifiers to one or more of the first set of users, the second set of identifiers associating a respective one of the first set of users with at least one of a second set of users wherein the at least one of the second set of users is granted permission to access the one or more network resources associated with the respective one of the first set of users, wherein the at least one of the second set of users is not the administrator and not a group associated with the respective one of the first set of users or a parent or child group associated with the respective one of the first set of users and wherein the assigning of the second set of identifiers enables sharing of ownership over a respective network resource with a user that is outside of a line in the hierarchy associated with the respective one of the first set of users; receiving a request from a requestor among the second set of users to access a network resource associated with one of the first set of users; determining whether the requestor has permission to access the network resource; determining which privileges the requestor is given relative to the network resource including when or if the requestor has permission to access the network resource; and providing the requestor with the network resource based on the determined privilege.
Address: Pleasanton CA US