Automatic privilege determination

US 10,158,670 B1
Filed: 02/12/2016
Issued: 12/18/2018
Est. Priority Date: 05/01/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, via a network and by a logging service of a system including one or more processors executing instructions from one or more memories, an access control policy, the access control policy identifying privileges of a client to use one or more resources to perform authorized actions with the one or more resources;

receiving, via the network and by the logging service of the system, information about a set of actions performed by the client with the one or more resources;

analyzing, by a policy determination service of the system, the information about the set of performed actions with respect to the privileges granted by the access control policy to identify utilization of the privileges granted by the access control policy to the client; and

modifying, by the policy determination service of the system and based at least in part on the utilization of the privileges, the access control policy to form a modified policy by at least;

adding, by the policy determination service of the system, a first privilege to the access control policy to authorize a first action, the first action not previously authorized under the access control policy;

orremoving, by the policy determination service of the system, a second privilege from the access control policy to de-authorize a second action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control policy can be received. The access control policy can identify privileges of a client to use resources to perform authorized actions with the resources. A set of related actions that are related to the authorized actions can be determined. The access control policy can be modified to include at least one related action.

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, via a network and by a logging service of a system including one or more processors executing instructions from one or more memories, an access control policy, the access control policy identifying privileges of a client to use one or more resources to perform authorized actions with the one or more resources;
  
  receiving, via the network and by the logging service of the system, information about a set of actions performed by the client with the one or more resources;
  
  analyzing, by a policy determination service of the system, the information about the set of performed actions with respect to the privileges granted by the access control policy to identify utilization of the privileges granted by the access control policy to the client; and
  
  modifying, by the policy determination service of the system and based at least in part on the utilization of the privileges, the access control policy to form a modified policy by at least;
  
  adding, by the policy determination service of the system, a first privilege to the access control policy to authorize a first action, the first action not previously authorized under the access control policy;
  
  orremoving, by the policy determination service of the system, a second privilege from the access control policy to de-authorize a second action.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising:
    - generating a policy change request that identifies one or more proposed modifications to the access control policy;
      
      providing the policy change request to a user associated with the client; and
      
      receiving authorization from the user to modify the access control policy in accordance with the policy change request.
  - 3. The computer-implemented method of claim 1, wherein identifying the utilization of the privileges by the client comprises identifying one or more of underperformed privileges, non-performed privileges, or failed requests based on the privileges.
  - 4. The computer-implemented method of claim 1, further comprising providing the modified policy to a service provider for enforcement with respect to actions performed by the client.
  - 5. The computer-implemented method of claim 1, wherein receiving the information about the set of actions comprises receiving a log that includes the set of actions.
  - 6. The computer-implemented method of claim 1, wherein the client is configured to perform at least a portion of the set of actions during a training period.
  - 7. The computer-implemented method of claim 1, wherein a sequence of actions is performed using the first action, and wherein the performance of the sequence of actions would fail without performing the first action.

8. A computer system, comprising:
- one or more processors; and
  
  memory, including instructions executable by the one or more processors to cause the computer system to at least;
  
  detect, by a logging service of the computer system, denied actions requested by a client via a network, the denied actions being denied performance over a period of time based at least in part on an access control policy;
  
  identify, by a policy determination service of the computer system, a subset of the denied actions that are denied more than a threshold amount;
  
  confirm, by the policy determination service, that at least one denied action of the subset is within a scope of allowable actions, the scope of allowable actions defining which actions are allowed by the access control policy; and
  
  apply, by the policy determination service, a revised access control policy based at least in part on the confirmation, the revised access control policy including the subset of the denied actions.
- View Dependent Claims (9, 10, 11, 12, 20)
- - 9. The computer system of claim 8, wherein the confirmation comprises sending a request to an authorized client that is configured to confirm the revised access control policy.
  - 10. The computer system of claim 9, wherein the request sent to the authorized client is configured to allow a confirmation of the revised access control policy through selection of an interface element.
  - 11. The computer system of claim 8, wherein the denied actions are determined from observations of communications of the client.
  - 12. The computer system of claim 11, wherein the observations are configured to be performed by a proxy.
  - 20. The computer system of claim 8, wherein:
    - the memory includes additional instructions executable by the one or more processors to cause the computer system to at least, subsequent to confirming that the at least one denied action of the subset is within the scope of allowable actions;
      
      provide a request for revision of the access control policy for presentation at a second client associated with an administrator;
      
      receive information from the second client indicating approval of the request for revision; and
      
      generate the applied revised access control policy by modifying the access control policy to include the subset of the denied actions in response to receiving the information; and
      
      applying the revised access control policy comprises enabling, after generating the applied revised access control policy, the client to perform the at least one denied action from the subset of the denied actions.

13. A computer-implemented method, comprising:
- receiving, via a network and by a logging service of a system including one or more processors executing instructions from one or more memories, an access control policy that identifies privileges of a client to use one or more resources to perform authorized actions with the one or more resources;
  
  comparing, via the network and by a policy determination service of the system, the authorized actions with other actions performed by at least one other client to identify a set of related actions that are related to the authorized actions, at least one related action of the set of related actions missing from the access control policy; and
  
  authorizing, by the policy determination service of the system, the at least one related action under the access control policy.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computer-implemented method of claim 13, wherein the set of related actions form a sequence of actions, and wherein performance of the sequence of actions would fail without performing the at least one related action.
  - 15. The computer-implemented method of claim 13, wherein the access control policy authorizes the at least one related action with restrictions based at least upon those of the set of related actions.
  - 16. The computer-implemented method of claim 13, further comprising sending a request to an authorized client to authorize modification of the access control policy.
  - 17. The computer-implemented method of claim 16, wherein the request is configured to display an interface element that allows a user to authorize the modification by selecting the interface element.
  - 18. The computer-implemented method of claim 13, further comprising:
    - obtaining a set of actions related to the client; and
      
      applying the access control policy to the set of actions to determine which actions of the set of actions would have failed the modified access control policy.
  - 19. The computer-implemented method of claim 13, wherein the set of related actions exceeds a threshold of observation in other access control policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Brandwine, Eric Jason, Kramer, Reto
Primary Examiner(s)
Brown, Anthony D

Application Number

US15/042,780
Time in Patent Office

1,040 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/20 for managing network securi...

Automatic privilege determination

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic privilege determination

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links