System for controlling access to a plurality of target systems and applications

US 10,686,795 B2
Filed: 06/22/2018
Issued: 06/16/2020
Est. Priority Date: 02/20/2018
Status: Active Grant

First Claim

Patent Images

1. A system for controlling access to one or more of a plurality of target systems and/or applications, the system comprising:

an input/output (IO) subsystem configured to receive profile data that defines one or more features associated with a target individual from a first user management system, and to communicate instructions to one or more target systems to facilitate access to the one or more target systems/applications by the target individual;

a storage device that includes a plurality of rules, at least some of the rules arranged in one or more sets of rules, each set of rules being associated with an entitlement of the profile data, each entitlement being indicative of target system/application access, wherein each rule within a set relates a combination of one or more features of the profile data with a confidence value, the confidence value indicative of a ratio of a number of the rules arranged within the one or more sets associated with the entitlement to a total number of the plurality of rules having the combination of the one or more features;

a processor in communication with the IO subsystem and the storage device; and

non-transitory computer readable media in communication with the processor that stores instruction code which, when executed by the processor, causes the processor to;

control the IO subsystem to receive the profile data associated with a target individual;

generate, based on the profile data and the one or more sets of rules, a listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements, each confidence value indicative of whether the target individual should be granted a corresponding entitlement; and

for each entitlement having a corresponding confidence value higher than a predetermined threshold, control the IO subsystem to communicate an instruction to a target system associated with the entitlement to allow the target individual access to the target system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling access to one or more of a plurality of target systems includes receiving profile data that defines one or more features associated with a plurality of individuals with one or more entitlements of those individuals. Each entitlement is indicative of target system access. The method further includes generating a model that includes one or more sets of rules where each set of rules is associated with an entitlement of the profile data. Each entitlement is indicative of target system/application access. Each rule within a set relates a combination of one or more features of the profile data with a confidence value. Profile data that defines one or more features associated with a target individual is received from a first user management system. A listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements is generated based on the profile data and the rules. Each confidence value is indicative of whether the target individual should be granted a corresponding entitlement. For each entitlement having a corresponding confidence value higher than a predetermined threshold, an instruction is communicated to a target system associated with the entitlement to allow the target individual access to the target system.

14 Citations

View as Search Results

20 Claims

1. A system for controlling access to one or more of a plurality of target systems and/or applications, the system comprising:
- an input/output (IO) subsystem configured to receive profile data that defines one or more features associated with a target individual from a first user management system, and to communicate instructions to one or more target systems to facilitate access to the one or more target systems/applications by the target individual;
  
  a storage device that includes a plurality of rules, at least some of the rules arranged in one or more sets of rules, each set of rules being associated with an entitlement of the profile data, each entitlement being indicative of target system/application access, wherein each rule within a set relates a combination of one or more features of the profile data with a confidence value, the confidence value indicative of a ratio of a number of the rules arranged within the one or more sets associated with the entitlement to a total number of the plurality of rules having the combination of the one or more features;
  
  a processor in communication with the IO subsystem and the storage device; and
  
  non-transitory computer readable media in communication with the processor that stores instruction code which, when executed by the processor, causes the processor to;
  
  control the IO subsystem to receive the profile data associated with a target individual;
  
  generate, based on the profile data and the one or more sets of rules, a listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements, each confidence value indicative of whether the target individual should be granted a corresponding entitlement; and
  
  for each entitlement having a corresponding confidence value higher than a predetermined threshold, control the IO subsystem to communicate an instruction to a target system associated with the entitlement to allow the target individual access to the target system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system according to claim 1, wherein the one or more sets of rules are generated by the processor, wherein in generating the one or more sets of rules, the instruction code causes the processor to:
    - select, from the profile data, transactions associated with a given entitlement;
      
      process the selected transactions through a frequent item mining algorithm to determine rules associated with the entitlement;
      
      determine confidence values for each rule; and
      
      store the rules and associated confidence values to the storage device.
  - 3. The system according to claim 2, wherein prior to generating the one or more sets of rules, the instruction code causes the processor to:
    - repetitively process a subset of the profile data to predict a number of rules needed to processes the profile data.
  - 4. The system according claim 2, wherein the instruction code causes the processor to remove redundant rules prior to storing the rules.
  - 5. The system according to claim 2, wherein the frequent item mining algorithm corresponds to an FP-Growth algorithm.
  - 6. The system according to claim 2, wherein the instruction code causes the processor to implement data analytics execution engine to generate a tree diagram of the transactions.
  - 7. The system according to claim 1, wherein the profile data comprises employment role data of a person and entitlement data of other employees.
  - 8. The system according to claim 1, wherein the target individual comprises a person.
  - 9. The system according to claim 1, wherein the instruction code causes the processor to:
    - receive usage information from one or more of the plurality of target systems, the usage information being indicative of how often individuals utilize each target system;
      
      when the usage information associated with a given individual received from a given target system indicates a usage below a predetermined threshold;
      
      communicate an instruction to the target system to revoke a corresponding entitlement associated with the target system from the individual; and
      
      update the model to reflect that the individual no longer has the corresponding entitlement.

10. A method for controlling access to one or more of a plurality of target systems, the method comprising:
- receiving profile data that defines one or more features associated with a plurality of individuals with one or more entitlements of those individuals, each entitlement indicative of target system access;
  
  generating one or more sets of rules, each set of rules being associated with an entitlement of the profile data, each entitlement being indicative of target system/application access, wherein each rule within a set relates a combination of one or more features of the profile data with a confidence value, the confidence value indicative of a ratio of a number of the rules arranged within the one or more sets associated with the entitlement to a total number of the plurality of rules having the combination of the one or more features;
  
  receiving profile data that defines one or more features associated with a target individual from a first user management system;
  
  generating, based on the profile data and the one or more sets of rules, a listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements, each confidence value indicative of whether the target individual should be granted a corresponding entitlement; and
  
  for each entitlement having a corresponding confidence value higher than a predetermined threshold, communicating an instruction to a target system associated with the entitlement to allow the target individual access to the target system.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method according to claim 10, further comprising:
    - selecting, from the profile data, transactions associated with a given entitlement;
      
      processing the selected transactions through a frequent item mining algorithm to determine rules associated with the entitlement;
      
      determining confidence values for each rule; and
      
      storing the rules and associated confidence values to a storage device.
  - 12. The method according claim 11, further comprising removing redundant rules prior to storing the rules.
  - 13. The method according to claim 11, wherein the frequent item mining algorithm corresponds to an FP-Growth algorithm.
  - 14. The method according to claim 11, further comprising implement the frequent item mining algorithm on a data analytics execution engine to generate a tree diagram of the transactions.
  - 15. The method according to claim 10, further comprising:
    - generating a report that includes the listing of the one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements.
  - 16. The method according to claim 10, further comprising:
    - receiving usage information from one or more of the plurality of target systems, the usage information being indicative of how often individuals utilize each target system;
      
      when the usage information associated with a given individual received from a given target system indicates a usage below a predetermined threshold;
      
      communicating an instruction to the target system to revoke a corresponding entitlement associated with the target system from the individual; and
      
      updating the model to reflect that the individual no longer has the corresponding entitlement.

17. Non-transitory computer readable media that stores instruction code for controlling access to one or more of a plurality of target systems, the instruction code being executable by a machine for causing the machine to perform acts comprising:
- receiving profile data that defines one or more features associated with a plurality of individuals with one or more entitlements of those individuals, each entitlement indicative of target system access;
  
  generating one or more sets of rules, each set of rules being associated with an entitlement of the profile data, each entitlement being indicative of target system/application access, wherein each rule within a set relates a combination of one or more features of the profile data with a confidence value, the confidence value indicative of a ratio of a number of the rules arranged within the one or more sets associated with the entitlement to a total number of the plurality of rules having the combination of the one or more features;
  
  receiving profile data that defines one or more features associated with a target individual from a first user management system;
  
  generate, based on the profile data and the one or more sets of rules, a listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements, each confidence value indicative of whether the target individual should be granted a corresponding entitlement; and
  
  for each entitlement having a corresponding confidence value higher than a predetermined threshold, communicating an instruction to a target system associated with the entitlement to allow the target individual access to the target system.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable media according to claim 17, wherein the instruction code is executable by the machine for causing the machine to perform additional acts comprising:
    - selecting, from the profile data, transactions associated with a given entitlement;
      
      processing the selected transactions through a frequent item mining algorithm to determine rules associated with the entitlement;
      
      determining confidence values for each rule; and
      
      storing the rules and associated confidence values to a storage device.
  - 19. The non-transitory computer readable according claim 18, wherein the instruction code causes the machine to remove redundant rules prior to storing the rules.
  - 20. The non-transitory computer readable according to claim 18, wherein the frequent item mining algorithm corresponds to an FP-Growth algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Solutions Limited (Accenture PLC)
Original Assignee
Accenture Global Solutions Limited (Accenture PLC)
Inventors
Thexton, Rexall E., Tandon, Gaurav, Shukla, Sanjeev, McCoy, Anthony, Mudiyanselage, Sidath, Poole, Andrew, Craddock, Hannah, Ain, Qurrat Ul, Connolly, Colleen, Kamiab, Farbod
Primary Examiner(s)
Gee, Jason K

Application Number

US16/016,154
Publication Number

US 20190260755A1
Time in Patent Office

725 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/20 for managing network securi...

System for controlling access to a plurality of target systems and applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System for controlling access to a plurality of target systems and applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links