Computer-implemented method for assisting a user in debugging roles in a software system

Abstract

The disclosed includes the steps of: providing a predetermined set of recorded roles whereby the user associated with the recorded roles contains at least a permission allowing the user to get access to resources of a technical system during execution of the software system on the technical system, computing a plurality of combinations of intersection sets based on the predetermined recorded roles if the at least one permission of the first and the at least one permission of the second further role overlaps, creating a Venn diagram with a first and second graphical display element representing a first role and a second further role respectively; and displaying the Venn diagram for use by a user in debugging the roles in the software system, wherein the first and the second display element is placed in a visual representation to give the user the cue for each of the intersection sets.

Claims

1. A computer-implemented method for assisting a user in debugging roles in a software system comprising the steps of: providing a predetermined set of recorded roles whereby the user associated with at least one of the recorded roles which contains at least a permission allowing the user to get access to resources of a technical system during execution of the software system on the technical system, computing a plurality of combinations of intersection sets based on the predetermined recorded roles if the at least one permission of a first of the roles and the at least one permission right of a second further role of the roles overlaps, creating a Venn diagram with a first graphical display element representing the first role and at least a second further graphical display element representing the at least one second further role; and displaying the Venn diagram for use by a user in debugging the roles in the software system, wherein the first and the second display element is placed in a visual representation so as to give the user the cue for one or for each of the intersection sets.

2. The method according to claim 1, wherein the plurality of intersection sets is computed according to the following steps: partitioning the predetermined set of recorded roles into disjoint groups; forming each combination of the roles in each group; classifying each of the formed combinations in a first category defined by combinations with at least one exclusive permission or in a second category defined by combinations with at least one overlapping permission or in a third category defined by combinations with unified permissions.

3. The method according to claim 2, wherein if a combination of the formed combinations is a mismatch of said categories then this combination is removed and said display elements are reorganized and presented.

4. The method according to claim 3, wherein a tooltip including supplementary information regarding the permissions appears when hovering over an intersection set of the presented display elements via user interaction.

5. The method according to claim 1, wherein an intersection set gets a higher priority than other intersection sets and is marked as such if the permission of the first role is more privileged than the permission of the second role or vice versa.

6. A visual display for use by a user in debugging roles in a software system, comprising a Venn diagram responsive to a predetermined set of recorded roles whereby the user associated with at least one of the recorded roles which contains at least a permission allowing the user to get access to resources of a technical system during execution of the software system on the technical system, wherein the Venn diagram includes: a first graphical display element representing a first role; and at least a second further graphical display element representing at least a second further role; a plurality of combinations of intersection sets computed, by a computing module connected with the visual display, and displayed based on the predetermined recorded roles if the at least one permission of the first and the at least one permission of the second further role overlaps, a visual representation of the first and the second display element is placed on the visual display so as to give the user the cue for one or for each of the intersection sets.

7. The visual display according to claim 6, wherein the visual representation of said display elements is reorganized after computation of the plurality of intersections sets by: partitioning the predetermined set of recorded roles into disjoint groups; forming each combination of the roles in each group; classifying each of the formed combinations in a first category defined by combinations with at least one exclusive permission or in a second category defined by combinations with at least one overlapping permission or in a third category defined by combinations with unified permissions, and after removal of a combination if such combination of the formed combinations is a mismatch of said categories.

8. The visual display according to claim 7, wherein the visual representation of said display elements shows a tooltip including supplementary information regarding the permissions appears when hovering over an intersection set of the presented display elements via user interaction.

9. A computer program product including a non-transitory computer readable storage medium having instructions, which when executed by a processor, perform actions which is being executed by one or more processors of a computer or of the visual display according to claim 1 in order to execute a method.

Description

BRIEF DESCRIPTION

(1) The foregoing and other aspects of the present invention are best understood from the following detailed description when read in connection with the accompanying drawings. For the purpose of illustrating the invention, there are shown in the drawings embodiments that are presently preferred, it being understood, however, that the invention is not limited to the specific instrumentalities disclosed. In the figures, identical or functionally identical elements are denoted by identical reference signs. Included in the drawings are the following figures:

(2) FIG. 1 illustrates a Venn diagram according to the invention, and

(3) FIG. 2 depicts a portion of the Venn diagram which includes supplementary information showing exclusive or overlapping access rights,

(4) FIG. 3 illustrates the algorithm how to build a Venn diagram, in particular how to compute the intersection sets:

(5) FIG. 4 illustrates the algorithm how to build a Venn diagram, in particular how to compute the intersection sets:

(6) FIG. 5 illustrates the algorithm how to build a Venn diagram, in particular how to compute the intersection sets:

(7) FIG. 6 illustrates the algorithm how to build a Venn diagram, in particular how to compute the intersection sets:

(8) FIG. 7 illustrates the algorithm how to build a Venn diagram, in particular how to compute the intersection sets:

(9) FIG. 8 depicts a reorganized Venn diagram if a further role is introduced; and

(10) FIG. 9 schematically shows a system connected with a visual display which is configured to perform the inventive method.

DETAILED DESCRIPTION

(11) Turning to the drawings, FIG. 9 shows an illustrative environment 10 for assisting a user in debugging roles in a software system on a technical system 14 according to an embodiment. To this extent, environment 10 includes a computer system 20 that can perform a process described herein in order to create a Venn diagram. In particular, computer system 20 is shown including a debugging program 30, which is used by a user in order to debug roles in a not shown software system which is stored on the technical system 14.

(12) Computer system 20 is shown including processing component 22 (e.g., one or more processors), a storage component 24 (e.g., a storage hierarchy), an input/output (I/O) component 26 (e.g., one or more I/O interfaces and/or a visual display device), and a communications pathway 28. In general, processing component 22 executes program code. Such as the debugging program 30, which is at least partially stored in Storage component 24. While executing program code, processing component 22 can read and/or write data to/from storage component 24 and/or I/O component 26. Pathway 28 provides a communications link between each of the components in computer system 20. I/O component 26 can comprise one or more visual display devices, which enable a human user 12 to interact with computer system 20 and/or one or more communications devices to enable a system user 16 to communicate with computer system 20 using any type of communications link.

(13) As used herein, it is understood that program code means any collection of instructions, in any language, code or notation, that cause a computing device having an information processing capability to perform a particular function either directly or after any combination. Further, it is understood that some of the functionality discussed herein may not be implemented or additional functionality may be included as part of computer system 20.

(14) However, it is understood that computer system 20 and debugging program 30 are only representative of various possible equivalent computer systems that may perform a process described herein. To this extent, in other embodiments, the functionality provided by computer system 20 and development program 30 can be at least partially implemented by one or more computing devices that include any combination of general and/or specific purpose hardware with or without program code. In each embodiment, the hardware and program code, if included, can be created using Standard engineering and programming techniques, respectively.

(15) As used herein, the term a technical system refers, for example, to a device, apparatus or a plant. A technical system can, for example, be a field device. Typically, the technical system comprises a plurality of interconnected hardware components and/or a software system which may comprises software modules. Furthermore, the technical system can, for example, comprise at least one component having a communication interface configured to connect an apparatus/system to an environment, user and/or other system.

(16) Here and in the following, interface, function, storage as well as other units or devices referred to, may for example be software modules of a computer program for carrying out the computer-implemented method. Alternatively, the modules may interact with respective hardware components with software for carrying out the respective steps stored on them.

(17) Embodiments of the invention provide a solution that utilizes a Venn diagram to enable user(s) to interactively explore the issues from multiple perspectives simultaneously. Utilizing the Venn diagram, e.g. as shown in FIGS. 1 and 2, user(s) will be enabled to get more structured information in a fast way. For example, the technical system can comprise a Software system and system data comprising a predetermined set of recorded roles, whereby at least one of the recorded roles contains at least a permission allowing the user to get access to resources of a technical system during execution of the software system on the technical system.

(18) As indicated above, embodiments of the invention provide a solution that displays the Venn diagram for use by a user in debugging the roles in the software system, wherein the first and the second display element is placed in a visual representation so as to give the user the cue for one or for each of the intersection sets.

(19) In particular, the processing component 22 directly or indirectly connected to the technical system computes a plurality of combinations of intersection sets based on the predetermined recorded roles if the at least one permission of the first and the at least one permission of the second further role overlaps.

(20) A Venn diagram, as shown for instance in FIG. 1, is generated that includes a circle V, U, S, T for each role R1, R2, R3, R4 and displays visual representation so as to give the user the cue for one or for each of the intersection sets, which is computed based on the predetermined recorded roles if the at least one permission e.g. A2 of the first role S and the at least one permission of the second further role T overlaps.

(21) For example, the access rights e.g. A3 are displayed using tags for each role that are placed in each circle. Two or more circles can overlap in which case the roles in circle have access rights which overlap. An intersection set may get a higher priority than other intersection sets and is marked as such if the permission of the first role is more privileged than the permission of the second role or vice versa.

(22) In this manner, a user can utilize the Venn diagram to identify relationships between various roles and the corresponding access rights, and as a result, more readily identify high value/priority entries.

(23) In FIG. 2 examples for tooltips TP4, TP14 are shown whereby each tooltip includes additional/supplementary information like exclusive access rights of a pointed circle and/or combined access rights of overlapping circles. Such information is available, if an unique intersection is focussed by the user.

(24) In order to draw a Venn diagram as such each permission (access right) is found in the diagram only once but belongs to each circle (role). The following algorithm is applied:

(25) 1. Parse the input. A predetermined set of recorded roles is provided whereby the user associated with at least one of the recorded roles which contains at least a permission allowing the user to get access to resources of a technical system during execution of the software system on the technical system. Such recorded roles are configurable.

(26) 2. Partition the Roles (here A, B, C, D and see FIG. 3) into disjoint groups e.g. given Roles with permissions a1, a2; b1, b2, b3, b4: A=a1,a2 B=b1,b2 C=b1,b3 D=b3,b4 into group 1: A=a1,a2 group 2: B=b1,b2 C=b1,b3 D=b3,b4

(27) 3. Get all combinations of roles per group e.g. group 1: A group 2: B C D B, C B, D C, D B, C, D

(28) 4. For each combination: prepare input data, find and classify each combination in a category: a. combined, exclusive permissions and permission intersection of the combination: group 1: combination [A] exclusive permissions [a1, a2] combination [A] combined permissions [a1, a2] combination [A] permissions intersection [a1, a2] group 2: combination [B] exclusive permissions [b2] combination [B] combined permissions [b1, b2] combination [B] permissions intersection [b1, b2] . . . etc. for single roles combination [B, C] exclusive permissions [b1] combination [B, C] combined permissions [b1, b2, b3] combination [B, C] permissions intersection [b1] combination [B, D] exclusive permissions [ ] combination [B, D] combined permissions [b1, b2, b3, b4] combination [B, D] permissions intersection [ ] note the empty intersection . . . etc. for two-role combinations combination [B, C, D] exclusive permissions [ ] combination [B, C, D] combined permissions [b1, b2, b3, b4] combination [B, C, D] permissions intersection [ ] note the empty intersection b. Try to remove large empty confusing overlaps, which do not match based on the following criteria: the permission intersection must not be empty e.g. given: A=a,b B=b,c C=c,d D=d,e the previous stage would result in large intersections that suggest role intersections, where there are none. See FIG. 4, before the removal of empty overlaps. See FIG. 5 after the removal.

(29) 5. Combine the disjoint group data into a single input data (simple append) as shown in FIG. 6 where the circles are reorganized.

(30) 6. Enhance the input data with additional information necessary to draw the interactive diagram, such as hints for overlay information. See e.g. the tooltip TPAB in FIG. 6.

(31) 7. Circle size can be fitted. See FIG. 7

(32) 8. An intersection set gets a higher priority than other intersection sets and can be marked as such if the permission of the first role is more privileged than the permission of the second role or vice versa.

(33) In order to optimize input of the role definitions, the previous roles may be referred to the definition of the subsequent roles, whereby the role somebody has been introduced.

Example

(34) reader=read_permission reporter=repor_permission, reader writer=write_permission, reporter admin=admin_permission, writer somebody=reader, reporter
the list of permissions for each role is a set (unique values) from the list of all permissions and roles of a role definition, e.g. Role admin has all known permissions.

(35) FIG. 8 depicts a reorganized Venn diagram if a further role somebody R5 represented by circle W is introduced.

(36) The invention has been described in detail with reference to embodiments thereof and examples. Variations and modifications are possible. Instead of the above-described production process one or more processes can analogously be applied to other technical systems.

(37) For example, a processor, controller, or integrated circuit of the system and/or computer and/or another processor may be configured to implement the acts described herein.

(38) The above-described method may be implemented via a computer program (product) including one or more computer-readable storage media having stored thereon instructions executable by one or more processors of a computing system and/or computing engine. Execution of the instructions causes the computing system to perform operations corresponding with the acts of the method described above.

(39) The instructions for implementing processes or methods described herein may be provided on non-transitory computer-readable storage media or memories, such as a cache, buffer, RAM, FLASH, removable media, hard drive, or other computer readable storage media. A processor performs or executes the instructions to train and/or apply a trained model for controlling a system. Computer readable storage media include various types of volatile and non-volatile storage media. The functions, acts, or tasks illustrated in the figures or described herein may be executed in response to one or more sets of instructions stored in or on computer readable storage media. The functions, acts or tasks may be independent of the particular type of instruction set, storage media, processor or processing strategy and may be performed by software, hardware, integrated circuits, firmware, micro code and the like, operating alone or in combination. Likewise, processing strategies may include multiprocessing, multitasking, parallel processing and the like.

(40) In addition, and alternatively, it is possible that a control device receives other computer-readable control signals in order to initiate the mentioned steering/control process by its processor(s).

(41) The embodiments have been described in detail with reference to embodiments thereof and examples. Variations and modifications may, however, be effected within the spirit and scope of the embodiments covered by the claims. The phrase at least one of A, B and C as an alternative expression may provide that one or more of A, B and C may be used.

(42) The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments of the invention. As used herein, the singular forms a, an, and the are intended to include the plural form as well, unless the context clearly indicates otherwise.

(43) It is to be understood that the elements and features recited in the appended claims may be combined in different ways to produce new claims that likewise fall within the scope of embodiments of the present invention. Thus, whereas the dependent claims appended below depend on only a single independent or dependent claim, it is to be understood that these dependent claims may, alternatively, be made to depend in the alternative from any preceding or following claim, whether independent or dependent, and that such new combinations are to be understood as forming a part of the present specification.

(44) None of the elements recited in the claims are intended to be a means-plus-function element unless an element is expressly recited using the phrase means for or, in the case of a method claim, using the phrases operation for or step for.

(45) While the present invention has been described above by reference to various embodiments, it should be understood that many changes and modifications may be made to the described embodiments. It is therefore intended that the foregoing description be regarded as illustrative rather than limiting, and that it be understood that all equivalents and/or combinations of embodiments are intended to be included in this description.