
Automatic removal of global user security groups

  • US 10,318,751 B2
  • Filed: 12/19/2017
  • Issued: 06/11/2019
  • Est. Priority Date: 05/27/2010
  • Status: Active Grant
First Claim

1. An enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, said system comprising:

  • a learned access permissions subsystem comprising at least one processor and at least one memory comprising computer code, said learned access permissions subsystem operative to learn current access permissions of users in an enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;

    a learned actual access subsystem comprising at least one processor and at least one memory comprising computer code, said learned actual access subsystem operative to learn an actual access history of said users in the enterprise to said network objects and to provide an indication of which users have had actual access to which network objects; and

    a computer security policy administration subsystem comprising at least one processor and at least one memory comprising computer code, said computer security policy administration subsystem operable for receiving said indications from said learned access permission subsystem and said learned actual access subsystem and being operative to automatically replace access permissions of a pre-selected user security group to said network objects by:

    automatically removing all access permissions of said pre-selected user security group to said network objects, regardless of whether members of said pre-selected user security group have actually accessed said network objects; and

    automatically providing access permissions to said network objects to automatically identified users of said network objects who earlier had actual access to said network objects, which access permissions were automatically removed in said automatically removing all access permissions step, said automatically providing access permissions comprising at least one of:

    automatically granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to an existing user group having access permissions to said network objects; and

    automatically creating a user group having access permissions to said network objects and automatically granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to said created user group having access permissions to said network objects;

    said computer security policy administration subsystem also comprising a replacement initiator which automatically initiates said automatic replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions based on a schedule predetermined by a human administrator.
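
The replacement logic recited in the claim can be sketched as a dry-run planner. This is an added example, not code from the patent or its assignee; the function name, the data shapes, the `acl_<object>` group naming and the rule for when an existing group is reused are all assumptions of the example, and the scheduled initiator is left out.

```python
from collections import defaultdict

def plan_replacement(acl, members, access_log, target_group):
    """Plan replacement of target_group's permissions by access-based ones.

    acl:        {object: set of groups holding permissions on it}
    members:    {group: set of users}
    access_log: iterable of (user, object) actual-access events
    """
    accessed = defaultdict(set)              # object -> users seen accessing it
    for user, obj in access_log:
        accessed[obj].add(user)
    footprint = defaultdict(set)             # group -> objects it can reach
    for obj, groups in acl.items():
        for g in groups:
            footprint[g].add(obj)

    plan = {"remove": [], "add_member": [], "create_group": []}
    for obj in sorted(acl):
        if target_group not in acl[obj]:
            continue
        # Removal is unconditional, whether or not members used the object.
        plan["remove"].append((target_group, obj))
        remaining = acl[obj] - {target_group}
        covered = set().union(*(members.get(g, set()) for g in remaining))
        # Users with recorded access who lose it once the group is removed.
        stranded = (accessed[obj] & members.get(target_group, set())) - covered
        if not stranded:
            continue
        # Assumption of this example: reuse an existing group only when it
        # reaches nothing but this object, so no extra access is granted.
        reusable = sorted(g for g in remaining if footprint[g] == {obj})
        if reusable:
            plan["add_member"] += [(u, reusable[0]) for u in sorted(stranded)]
        else:
            plan["create_group"].append((f"acl_{obj}", obj, sorted(stranded)))
    return plan

if __name__ == "__main__":
    # Constructed sample data, not taken from the patent.
    acl = {"finance_share": {"Everyone", "Finance"}, "hr_share": {"Everyone"},
           "wiki": {"Everyone", "Staff"}}
    everyone = {"alice", "bob", "carol", "dave"}
    members = {"Everyone": everyone, "Finance": {"alice"}, "Staff": everyone}
    log = [("alice", "finance_share"), ("bob", "finance_share"),
           ("carol", "hr_share"), ("dave", "wiki")]
    print(plan_replacement(acl, members, log, "Everyone"))
```

Because the function only returns a plan, the removals and grants can be reviewed before anything is applied to a directory or file server.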
