Automatic privilege determination
First Claim
1. A computer-implemented method, comprising:
receiving, via a network and by a logging service of a system including one or more processors executing instructions from one or more memories, an access control policy, the access control policy identifying privileges of a client to use one or more resources to perform authorized actions with the one or more resources;
receiving, via the network and by the logging service of the system, information about a set of actions performed by the client with the one or more resources;
analyzing, by a policy determination service of the system, the information about the set of performed actions with respect to the privileges granted by the access control policy to identify utilization of the privileges granted by the access control policy to the client; and
modifying, by the policy determination service of the system and based at least in part on the utilization of the privileges, the access control policy to form a modified policy by at least:
adding, by the policy determination service of the system, a first privilege to the access control policy to authorize a first action, the first action not previously authorized under the access control policy;
or removing, by the policy determination service of the system, a second privilege from the access control policy to de-authorize a second action.
Abstract
An access control policy can be received. The access control policy can identify privileges of a client to use resources to perform authorized actions with the resources. A set of related actions that are related to the authorized actions can be determined. The access control policy can be modified to include at least one related action.
20 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer system, comprising:
one or more processors; and
memory, including instructions executable by the one or more processors to cause the computer system to at least:
detect, by a logging service of the computer system, denied actions requested by a client via a network, the denied actions being denied performance over a period of time based at least in part on an access control policy;
identify, by a policy determination service of the computer system, a subset of the denied actions that are denied more than a threshold amount;
confirm, by the policy determination service, that at least one denied action of the subset is within a scope of allowable actions, the scope of allowable actions defining which actions are allowed by the access control policy; and
apply, by the policy determination service, a revised access control policy based at least in part on the confirmation, the revised access control policy including the subset of the denied actions.
Dependent claims: 9, 10, 11, 12, 20.
13. A computer-implemented method, comprising:
receiving, via a network and by a logging service of a system including one or more processors executing instructions from one or more memories, an access control policy that identifies privileges of a client to use one or more resources to perform authorized actions with the one or more resources;
comparing, via the network and by a policy determination service of the system, the authorized actions with other actions performed by at least one other client to identify a set of related actions that are related to the authorized actions, at least one related action of the set of related actions missing from the access control policy; and
authorizing, by the policy determination service of the system, the at least one related action under the access control policy.
Dependent claims: 14, 15, 16, 17, 18, 19.
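The three independent claims describe one policy determination loop: measure which granted privileges a client actually exercises and drop the unused ones (claim 1), add actions that were denied more than a threshold number of times but fall inside an allowable scope (claim 8), and infer "related" actions from what other clients that perform the same authorized actions also do (claim 13). The following Python is an added example, not the patent's own code nor any vendor's implementation, that runs all three steps over a constructed access log. The client names, action and resource names, the deny threshold, the support threshold and the allowable scope are hypothetical; the only design choice that goes beyond the claim text is that related actions are also gated on the allowable scope, which a practitioner would insist on since claims 8 and 13 both grow privilege.

```python
"""Added example: a toy policy determination service for the three adjustments
the claims describe.  Every name, threshold and log record below is constructed
for illustration; this is not the patent's or any product's code."""
from collections import Counter, defaultdict

# Hypothetical IAM-style policy for one client: action -> set of resources.
POLICY = {
    "client": "svc-reporting",
    "allow": {
        "bucket:GetObject":  {"reports-bucket"},
        "bucket:ListBucket": {"reports-bucket"},
        "queue:SendMessage": {"report-queue"},   # granted but never exercised
    },
}

# Claim 8's "scope of allowable actions": the most the service may ever grant (hypothetical).
ALLOWABLE_SCOPE = {"bucket:GetObject", "bucket:ListBucket", "bucket:PutObject",
                   "bucket:GetObjectTagging", "queue:SendMessage", "queue:ReceiveMessage"}

# Constructed log records delivered by the logging service: (client, action, resource, outcome).
LOG = [
    ("svc-reporting", "bucket:ListBucket", "reports-bucket", "ALLOW"),
    ("svc-reporting", "bucket:GetObject",  "reports-bucket", "ALLOW"),
    ("svc-reporting", "bucket:GetObject",  "reports-bucket", "ALLOW"),
    ("svc-reporting", "key:Decrypt",       "report-key",     "DENY"),  # denied once: below threshold
]
LOG += [("svc-reporting", "bucket:PutObject", "reports-bucket", "DENY")] * 4  # in scope, denied often
LOG += [("svc-reporting", "queue:PurgeQueue", "report-queue",   "DENY")] * 3  # denied often, out of scope
LOG += [  # other clients (claim 13): clients that GetObject also GetObjectTagging
    ("svc-archiver", "bucket:GetObject",        "archive-bucket", "ALLOW"),
    ("svc-archiver", "bucket:GetObjectTagging", "archive-bucket", "ALLOW"),
    ("svc-ingest",   "bucket:GetObject",        "ingest-bucket",  "ALLOW"),
    ("svc-ingest",   "bucket:GetObjectTagging", "ingest-bucket",  "ALLOW"),
    ("svc-ingest",   "queue:ReceiveMessage",    "ingest-queue",   "ALLOW"),
]


def utilization(policy, log):
    """Claim 1: how often each granted privilege was actually exercised by this client."""
    counts = Counter(action for client, action, _, outcome in log
                     if client == policy["client"] and outcome == "ALLOW")
    return {action: counts[action] for action in policy["allow"]}


def unused_privileges(policy, log):
    """Claim 1 (removal branch): granted privileges with zero utilization in the log."""
    return {action for action, n in utilization(policy, log).items() if n == 0}


def frequently_denied(policy, log, threshold):
    """Claim 8: this client's denied actions that were denied more than `threshold` times."""
    denied = Counter(action for client, action, _, outcome in log
                     if client == policy["client"] and outcome == "DENY")
    return {action: n for action, n in denied.items() if n > threshold}


def confirm_in_scope(actions, scope):
    """Claim 8: keep only candidates inside the scope of allowable actions."""
    return {action for action in actions if action in scope}


def related_actions(policy, log, min_support):
    """Claim 13: actions that at least `min_support` other clients performed alongside
    one of this client's authorized actions, and that the policy does not yet grant."""
    by_client = defaultdict(set)
    for client, action, _, outcome in log:
        if client != policy["client"] and outcome == "ALLOW":
            by_client[client].add(action)
    authorized = set(policy["allow"])
    support = Counter()
    for actions in by_client.values():
        if actions & authorized:                 # this client shares at least one authorized action
            for action in actions - authorized:  # everything else it does is a "related" candidate
                support[action] += 1
    return {action for action, n in support.items() if n >= min_support}


def revise_policy(policy, log, *, deny_threshold, scope, min_support):
    """Build the modified policy plus a change record; the caller decides whether to apply it."""
    revised = {"client": policy["client"],
               "allow": {a: set(r) for a, r in policy["allow"].items()}}
    changes = {"added": {}, "removed": set()}
    for action in unused_privileges(policy, log):              # claim 1: shrink
        del revised["allow"][action]
        changes["removed"].add(action)
    candidates = frequently_denied(policy, log, deny_threshold)
    for action in confirm_in_scope(candidates, scope):         # claim 8: grow, within scope only
        resources = {r for c, a, r, o in log
                     if c == policy["client"] and a == action and o == "DENY"}
        revised["allow"][action] = resources
        changes["added"][action] = resources
    for action in related_actions(policy, log, min_support):   # claim 13: grow, within scope only
        if action in scope and action not in revised["allow"]:
            service = action.split(":")[0]                      # grant on resources of the same service
            resources = {r for a, rs in policy["allow"].items()
                         if a.split(":")[0] == service for r in rs}
            revised["allow"][action] = resources
            changes["added"][action] = resources
    return revised, changes


if __name__ == "__main__":
    new_policy, delta = revise_policy(POLICY, LOG, deny_threshold=2,
                                      scope=ALLOWABLE_SCOPE, min_support=2)
    print("removed:", sorted(delta["removed"]))
    print("added:  ", {a: sorted(r) for a, r in delta["added"].items()})
    print("policy: ", {a: sorted(r) for a, r in new_policy["allow"]})
```

Two caveats a practitioner would attach before letting such a loop apply policies automatically. The removal branch is only as good as the observation window: a privilege used by a quarterly job looks unused in a two-week log, so the window must cover the client's longest legitimate cycle and removals should be staged or reviewed. The two additive branches are the risky direction; here `queue:PurgeQueue` is denied often but stays out because it is outside the allowable scope, and that scope check, plus a human approval step, is what keeps a repeatedly failing (or probing) client from escalating itself.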