System for controlling access to target systems and applications

US 10,681,055 B2
Filed: 09/24/2019
Issued: 06/09/2020
Est. Priority Date: 02/20/2018
Status: Active Grant

First Claim

Patent Images

1. A system for controlling access to one or more target systems and/or applications, the system comprising:

an input/output (IO) subsystem configured to receive profile data that defines one or more features associated with a target individual from a first user management system, and to communicate instructions to one or more target systems to facilitate access to the one or more target systems and/or applications by the target individual, the target individual being a person;

a storage device that includes a model that relates profile data that defines features associated with a plurality of individuals with one or more entitlements of those individuals, the model comprising a list of the plurality of individuals and the individual'"'"'s associated features and the one or more entitlements, each entitlement indicative of target system/application access;

a processor in communication with the IO subsystem and the storage device; and

non-transitory computer readable media in communication with the processor that stores instruction code which, when executed by the processor, causes the processor to;

control the IO subsystem to receive the profile data associated with a target individual;

generate, based on the profile data and the model, a listing that associates the one or more entitlements with the target individual, and confidence values of the association of the one or more entitlements, each confidence value indicative of whether the target individual should be granted a corresponding entitlement;

wherein generation of the listing comprises;

creation, from the model, of a model decision tree graph based on the profile data, the model decision tree graph including nodes for each of one or more features of the plurality of individuals, and determine, from the model decision tree graph, one or more entitlements to grant to the target individual based on features of the target individual; and

determine, from the profile data, one or more entitlements to grant to the target individual, wherein the profile data comprises employment role data of the target individual and entitlement data of other employees;

for each entitlement having a corresponding confidence value higher than a predetermined threshold, control the IO subsystem to communicate an instruction to a target system associated with the entitlement to allow the target individual access to the target system;

receive usage information from one or more of the target systems, the usage information being indicative of how often individuals utilize each target system;

when the usage information associated with a given individual received from a given target system indicates usage below a predetermined threshold;

communicate an instruction to the given target system to revoke, from the given individual, a corresponding entitlement associated with the given target system; and

update the model to reflect that the given individual no longer has the corresponding entitlement.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling access to one or more of a plurality of target systems includes receiving profile data that defines one or more features associated with a plurality of individuals with one or more entitlements of those individuals. Each entitlement is indicative of target system access. The method further includes generating a model that relates the one or more features and the one or more entitlements of the plurality of individuals. Profile data that defines one or more features associated with a target individual is received from a first user management system. A listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements is generated based on the profile data and the model. Each confidence value is indicative of whether the target individual should be granted a corresponding entitlement. For each entitlement having a corresponding confidence value higher than a predetermined threshold, an instruction is communicated to a target system associated with the entitlement to allow the target individual access to the target system.

16 Citations

View as Search Results

10 Claims

1. A system for controlling access to one or more target systems and/or applications, the system comprising:
- an input/output (IO) subsystem configured to receive profile data that defines one or more features associated with a target individual from a first user management system, and to communicate instructions to one or more target systems to facilitate access to the one or more target systems and/or applications by the target individual, the target individual being a person;
  
  a storage device that includes a model that relates profile data that defines features associated with a plurality of individuals with one or more entitlements of those individuals, the model comprising a list of the plurality of individuals and the individual'"'"'s associated features and the one or more entitlements, each entitlement indicative of target system/application access;
  
  a processor in communication with the IO subsystem and the storage device; and
  
  non-transitory computer readable media in communication with the processor that stores instruction code which, when executed by the processor, causes the processor to;
  
  control the IO subsystem to receive the profile data associated with a target individual;
  
  generate, based on the profile data and the model, a listing that associates the one or more entitlements with the target individual, and confidence values of the association of the one or more entitlements, each confidence value indicative of whether the target individual should be granted a corresponding entitlement;
  
  wherein generation of the listing comprises;
  
  creation, from the model, of a model decision tree graph based on the profile data, the model decision tree graph including nodes for each of one or more features of the plurality of individuals, and determine, from the model decision tree graph, one or more entitlements to grant to the target individual based on features of the target individual; and
  
  determine, from the profile data, one or more entitlements to grant to the target individual, wherein the profile data comprises employment role data of the target individual and entitlement data of other employees;
  
  for each entitlement having a corresponding confidence value higher than a predetermined threshold, control the IO subsystem to communicate an instruction to a target system associated with the entitlement to allow the target individual access to the target system;
  
  receive usage information from one or more of the target systems, the usage information being indicative of how often individuals utilize each target system;
  
  when the usage information associated with a given individual received from a given target system indicates usage below a predetermined threshold;
  
  communicate an instruction to the given target system to revoke, from the given individual, a corresponding entitlement associated with the given target system; and
  
  update the model to reflect that the given individual no longer has the corresponding entitlement.
- View Dependent Claims (2, 3, 4)
- - 2. The system according to claim 1, wherein the model includes a plurality of probabilities, each being indicative of a probability that an individual of the plurality of individuals having a given feature of the one or more features has a given entitlement of the one or more entitlements, wherein the instruction code causes the processor to:
    - select a subset of probabilities of the model that are associated with the one or more features associated with the target individual;
      
      determine, from the subset of probabilities, maximum probabilities associated with each entitlement that is itself associated with the subset of probabilities; and
      
      select entitlements associated with an N highest maximum probabilities as entitlements to be granted to the target individual.
  - 3. The system according to claim 2, wherein the plurality of probabilities of the model includes probabilities indicative of a probability that the individual of the plurality of individuals having a given combination of features of the one or more features has a given entitlement of the one or more entitlements, andwherein a selected subset of probabilities includes probabilities that are associated with combinations of the one or more features associated with the target individual.
  - 4. The system according to claim 1, wherein the instruction code causes the processor to:
    - generate a plurality of classifiers based on different subsets of the plurality of individuals;
      
      for each classifier, generate a confidence value for each possible entitlement to be granted to the target individual;
      
      aggregate the confidence values for each possible entitlement from each classifier; and
      
      select entitlements having aggregated confidence values above a predetermined threshold as entitlements to be granted to the target individual.

5. A method for controlling access to one or more target systems, the method comprising:
- receiving profile data that defines one or more features associated with a plurality of individual persons with one or more entitlements of those individual persons, each entitlement indicative of target system access;
  
  generating a model comprising a list of the plurality individual persons and their associated features and the one or more entitlements, the model configured to relate the one or more features and the one or more entitlements of the plurality of individual persons;
  
  receiving profile data that defines one or more features associated with a target individual person from a first user management system;
  
  generating, based on the profile data and the model, a listing that includes one or more entitlements associated with the target individual person, and confidence values associated with the one or more entitlements, each confidence value indicative of whether the target individual person should be granted a corresponding entitlement;
  
  wherein generation of the listing comprises;
  
  creating, from the model, of a model decision tree graph based on the profile data, the model decision tree graph including nodes for each of one or more features of the plurality of individual persons, and determining, from the model decision tree graph, one or more entitlements to grant to the target individual person based on features of the target individual person; and
  
  determining, from the profile data, one or more entitlements to grant to the target individual person, wherein the profile data comprises employment data of the target individual person and entitlement data of other employees;
  
  for each entitlement having a corresponding confidence value higher than a predetermined threshold, communicating an instruction to a target system associated with the entitlement to allow the target individual person access to the target system;
  
  receiving usage information from one or more of the target systems, the usage information being indicative of how often the individual persons utilize each target system;
  
  communicating an instruction to the target system to revoke a corresponding entitlement associated with the target system from a given individual person when the usage information associated with the given individual person received from the target system indicates usage below a predetermined threshold; and
  
  updating the model to reflect that the given individual person no longer has the corresponding entitlement.
- View Dependent Claims (6, 7, 8)
- - 6. The method according to claim 5, wherein the model includes a plurality of probabilities, each being indicative of a probability that an individual person of the plurality of individual persons having a given feature of the one or more features has a given entitlement of the one or more entitlements, wherein the method further comprises:
    - selecting a subset of probabilities of the model that are associated with the one or more features associated with the target individual person;
      
      determining, from the subset of probabilities, maximum probabilities associated with each entitlement that is itself associated with the subset of probabilities; and
      
      selecting entitlements associated with an N highest maximum probabilities as entitlements to be granted to the target individual person.
  - 7. The method according to claim 6, wherein the plurality of probabilities of the model include probabilities indicative of a probability that the individual person of the plurality of individual persons having a given combination of features of the one or more features has a given entitlement of the one or more entitlements, andwherein a selected subset of probabilities includes probabilities that are associated with combinations of the one or more features associated with the target individual person.
  - 8. The method according to claim 5, further comprising:
    - generating a plurality of classifiers based on different subsets of the plurality of individual persons;
      
      for each classifier, generating a confidence value for each possible entitlement to be granted to the target individual person;
      
      aggregating the confidence values for each possible entitlement from each classifier; and
      
      selecting entitlements having aggregated confidence values above a predetermined threshold as entitlements to be granted to the target individual person.

9. Non-transitory computer readable media that stores instruction code for controlling access to one or more target systems, the instruction code being executable by a machine for causing the machine to perform acts comprising:
- receiving profile data that defines one or more features associated with a plurality of individual persons with one or more entitlements of those individual persons, each entitlement indicative of target system access;
  
  generating a model that relates the one or more features and the one or more entitlements of the plurality of individual persons, the model comprising a list of the plurality individual persons and their associated features and the one or more entitlements;
  
  receiving profile data that defines one or more features associated with a target individual person from a first user management system;
  
  generate, based on the profile data and the model, a listing that includes one or more entitlements associated with the target individual person, and confidence values associated with the one or more entitlements, each confidence value indicative of whether the target individual person should be granted a corresponding entitlement;
  
  wherein generation of the listing comprises the machine performing acts to;
  
  create, from the model, a model decision tree graph based on the profile data, the model decision tree graph including nodes for each of one or more features of the plurality of individual persons, and determine, from the model decision tree graph, one or more entitlements to grant to the target individual person based on features of the target individual person; and
  
  determine, from the profile data, one or more entitlements to grant to the target individual person, wherein the profile data comprises employment role data of the target individual person and entitlement data of other employees;
  
  orfor each entitlement having a corresponding confidence value higher than a predetermined threshold, communicate an instruction to a target system associated with the entitlement to allow the target individual person access to the target system;
  
  receive usage information from one or more of the target systems, the usage information being indicative of how often individual persons utilize each target system;
  
  when the usage information associated with a given individual person received from a given target system indicates usage below a predetermined threshold;
  
  communicate an instruction to the given target system to revoke, from the given individual person, a corresponding entitlement associated with the given target system; and
  
  update the model to reflect that the given individual person no longer has the corresponding entitlement.
- View Dependent Claims (10)
- - 10. The non-transitory computer readable media according to claim 9, wherein the model includes a plurality of probabilities, each being indicative of a probability that an individual person among the plurality of individual persons having a given feature of the one or more features has a given entitlement of the one or more entitlements, wherein the instruction code is executable by the machine for causing the machine to perform additional acts comprising:
    - selection of a subset of probabilities of the model that are associated with the one or more features associated with the target individual person;
      
      determine, from the subset of probabilities, maximum probabilities associated with each entitlement that is itself associated with the subset of probabilities; and
      
      select entitlements associated with an N highest maximum probabilities as entitlements to be granted to the target individual person.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Solutions Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Thexton, Rexall E., Tandon, Gaurav, Shukla, Sanjeev, McCoy, Anthony, Mudiyanselage, Sidath, Poole, Andrew, Craddock, Hannah, Ain, Qurrat Ul, Connolly, Colleen, Kamiab, Farbod
Primary Examiner(s)
Gee, Jason K

Application Number

US16/581,087
Publication Number

US 20200021597A1
Time in Patent Office

259 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 5/01   Dynamic search techniques; ...

G06N 7/01   Probabilistic graphical mod...

G06Q 10/1053   Employment or hiring

H04L 63/102   Entity profiles

System for controlling access to target systems and applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

System for controlling access to target systems and applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links