System and method for intelligent agents for decision support in network identity graph based identity management artificial intelligence systems
Abstract
Systems and methods for embodiments of graph-based artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to analyzing identities or entitlements of a distributed networked enterprise computing environment. Specifically, in certain embodiments, an artificial-intelligence-based identity governance system may include an intelligent decision support agent that provides an approval or denial recommendation for an access request. To produce that recommendation, the intelligent agent may utilize a classifier trained on historical certification data. The intelligent agent may utilize features that represent signals relevant to the approval or denial decision, including features derived from a network graph of the identities and entitlements of the enterprise computing environment.
21 Claims
1. An identity management system, comprising:
a graph data store;
a processor;
a non-transitory, computer-readable storage medium, including computer instructions for:
obtaining historical certification data for an enterprise, the historical certification data comprising a set of historical certification decisions, each historical certification decision comprising a historical access request including an identity and an entitlement, and an approval or denial decision for the historical access request;
enhancing the historical certification data with a value for a feature for each historical access certification decision, the value for the feature determined from an identity graph associated with the enterprise;
training a classifier with the enhanced historical certification data;
receiving an access request including an identity and an entitlement and a request for an approval or denial decision for the access request;
enhancing the received access request with a value for the feature, based on the identity or entitlement of the access request and the identity graph associated with the enterprise;
submitting the enhanced access request to the classifier;
receiving an approval or denial decision for the enhanced access request from the classifier; and
returning the approval or denial decision for the access request to a user of the identity management system, wherein the identity graph associated with the enterprise comprises:
generating a first identity graph from the identity management data by:
creating a node of the first identity graph for each of a set of identities determined from identity management data of the enterprise, the identity management data comprising data on the set of identities and a set of entitlements associated with the set of identities utilized in identity management in the enterprise;
for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity; and
generating a similarity weight for each edge of the first identity graph between each first node and second node based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A method, comprising:
obtaining historical certification data for an enterprise, the historical certification data comprising a set of historical certification decisions, each historical certification decision comprising a historical access request including an identity and an entitlement, and an approval or denial decision for the historical access request;
enhancing the historical certification data with a value for a feature for each historical access certification decision, the value for the feature determined from an identity graph associated with the enterprise;
training a classifier with the enhanced historical certification data;
receiving an access request including an identity and an entitlement and a request for an approval or denial decision for the access request;
enhancing the received access request with a value for the feature, based on the identity or entitlement of the access request and the identity graph associated with the enterprise;
submitting the enhanced access request to the classifier;
receiving an approval or denial decision for the enhanced access request from the classifier; and
returning the approval or denial decision for the access request to a user of the identity management system, wherein the identity graph associated with the enterprise comprises:
generating a first identity graph from the identity management data by:
creating a node of the first identity graph for each of a set of identities determined from identity management data of the enterprise, the identity management data comprising data on the set of identities and a set of entitlements associated with the set of identities utilized in identity management in the enterprise;
for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity; and
generating a similarity weight for each edge of the first identity graph between each first node and second node based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A non-transitory computer readable medium, comprising instructions for:
obtaining historical certification data for an enterprise, the historical certification data comprising a set of historical certification decisions, each historical certification decision comprising a historical access request including an identity and an entitlement, and an approval or denial decision for the historical access request;
enhancing the historical certification data with a value for a feature for each historical access certification decision, the value for the feature determined from an identity graph associated with the enterprise;
training a classifier with the enhanced historical certification data;
receiving an access request including an identity and an entitlement and a request for an approval or denial decision for the access request;
enhancing the received access request with a value for the feature, based on the identity or entitlement of the access request and the identity graph associated with the enterprise;
submitting the enhanced access request to the classifier;
receiving an approval or denial decision for the enhanced access request from the classifier; and
returning the approval or denial decision for the access request to a user of the identity management system, wherein the identity graph associated with the enterprise comprises:
generating a first identity graph from the identity management data by:
creating a node of the first identity graph for each of a set of identities determined from identity management data of the enterprise, the identity management data comprising data on the set of identities and a set of entitlements associated with the set of identities utilized in identity management in the enterprise;
for each first identity and second identity that share at least one entitlement of the set of entitlements, creating an edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity; and
generating a similarity weight for each edge of the first identity graph between each first node and second node based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node.
Dependent claims: 16, 17, 18, 19, 20, 21
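The pipeline described in the abstract and in independent claims 1, 8 and 15, as an added worked example that is not part of the patent and not code from any product it covers. It builds the identity graph exactly as claimed (one node per identity, an edge between identities sharing at least one entitlement, similarity weight equal to the number of shared entitlements), enhances historical certification decisions and a new access request with a graph-derived feature, trains a classifier on the enhanced history and returns an approve/deny decision. The feature itself (`peer_support`, the similarity-weighted share of an identity's neighbours that already hold the requested entitlement), the one-feature threshold classifier, and all identities, entitlements and historical decisions are assumptions constructed for the example; the claims name none of them.

```python
from itertools import combinations

# Constructed sample identity management data (identity -> entitlements held).
# Names and entitlements are made up for this example.
IDENTITIES = {
    "alice": {"crm_read", "crm_write", "vpn"},
    "bob":   {"crm_read", "crm_write", "vpn"},
    "carol": {"crm_read", "vpn"},
    "dave":  {"hr_admin", "payroll_read"},
    "erin":  {"hr_admin", "payroll_read", "vpn"},
    "frank": {"legacy_tool"},   # shares nothing with anyone: an isolated node
}

# Constructed historical certification decisions:
# (identity, requested entitlement, approved?).
HISTORY = [
    ("alice", "crm_write", True),
    ("carol", "crm_write", True),
    ("carol", "crm_read", True),
    ("dave", "payroll_read", True),
    ("erin", "hr_admin", True),
    ("dave", "crm_write", False),
    ("alice", "hr_admin", False),
    ("bob", "payroll_read", False),
    ("carol", "hr_admin", False),
]


def build_identity_graph(identities):
    """Identity graph as claimed: one node per identity, an edge between every
    pair of identities that share at least one entitlement, and a similarity
    weight equal to the number of entitlements the pair shares."""
    graph = {name: {} for name in identities}
    for a, b in combinations(identities, 2):
        shared = len(identities[a] & identities[b])
        if shared > 0:
            graph[a][b] = shared
            graph[b][a] = shared
    return graph


def peer_support(graph, identities, identity, entitlement):
    """Assumed graph-derived feature (the claims leave the feature unspecified):
    similarity-weighted fraction of the identity's neighbours that already hold
    the requested entitlement. An isolated identity (no neighbours) scores 0.0."""
    neighbours = graph.get(identity, {})
    total = sum(neighbours.values())
    if total == 0:
        return 0.0
    held = sum(w for peer, w in neighbours.items() if entitlement in identities[peer])
    return held / total


def enhance(graph, identities, identity, entitlement):
    """Attach the graph feature to an access request (historical or new)."""
    return {
        "identity": identity,
        "entitlement": entitlement,
        "peer_support": peer_support(graph, identities, identity, entitlement),
    }


def train_threshold_classifier(enhanced_history):
    """Toy one-feature classifier: pick the peer_support cut point that best
    reproduces the historical approve/deny decisions. Returns the threshold;
    a request is approved when its peer_support is at or above it."""
    values = sorted({row["peer_support"] for row, _ in enhanced_history})
    # Candidate cut points: midpoints between consecutive observed values.
    candidates = [(lo + hi) / 2 for lo, hi in zip(values, values[1:])] or [0.5]

    def accuracy(threshold):
        hits = sum((row["peer_support"] >= threshold) == approved
                   for row, approved in enhanced_history)
        return hits / len(enhanced_history)

    return max(candidates, key=accuracy)


def recommend(threshold, enhanced_request):
    """Decision handed back to the reviewer for the enhanced request."""
    return "approve" if enhanced_request["peer_support"] >= threshold else "deny"


def demo():
    """Run the whole claimed flow on the constructed data."""
    graph = build_identity_graph(IDENTITIES)
    enhanced_history = [(enhance(graph, IDENTITIES, i, e), approved)
                        for i, e, approved in HISTORY]
    threshold = train_threshold_classifier(enhanced_history)
    new_requests = [("erin", "crm_write"), ("bob", "hr_admin"), ("frank", "vpn")]
    decisions = {(i, e): recommend(threshold, enhance(graph, IDENTITIES, i, e))
                 for i, e in new_requests}
    return graph, threshold, decisions


if __name__ == "__main__":
    graph, threshold, decisions = demo()
    print("similarity weights:", graph)
    print("learned threshold:", round(threshold, 3))
    for request, decision in decisions.items():
        print(request, "->", decision)
```

On the constructed data the learned cut point falls between the highest denied score (0.2) and the lowest approved score (0.4), so a request from an identity whose close peers already hold the entitlement is recommended for approval, while a request from an isolated identity such as `frank` scores 0.0 and is recommended for denial; a production agent would add further features and a reviewer would still make the final call, as the claims describe.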