AUTOMATED ROLE ADJUSTMENT IN A COMPUTER SYSTEM

US 20140215604A1
Filed: 08/19/2013
Published: 07/31/2014
Est. Priority Date: 01/31/2013
Status: Active Grant

First Claim

Patent Images

1. In association with a computer system wherein a specified role controls user access, the specified role comprises one or more users and one or more permissions, and a set of prespecified rules pertains to the specified role, a computer program product executable in a recordable storage medium comprising:

instructions for recording access data pertaining to each of a succession of access events in an access log, wherein each event comprises an instance of the computer system being accessed by a particular user;

instructions for analyzing recorded data contained in the access log at selected time intervals, in order to detect one of a plurality of prespecified conditions;

instructions responsive to detecting a prespecified condition, for selectively determining whether any change to the users or to the permissions of the specified role is needed; and

instructions for implementing each needed change to the users or to the permissions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment of the invention is associated with a system having a role for controlling user access, the role comprising users, permissions, and a set of rules. The embodiment records each of a succession of access events in an access log, each event comprising an instance of the system being accessed by a user. The embodiment further analyzes recorded access events in the access log at selected time intervals, to detect a condition or violation of rules of the set of rules. Responsive to detecting a condition or violation, the embodiment selectively determines whether any change to the users or permissions of a specified role is needed. Each needed change is then implemented.

Citations

20 Claims

1. In association with a computer system wherein a specified role controls user access, the specified role comprises one or more users and one or more permissions, and a set of prespecified rules pertains to the specified role, a computer program product executable in a recordable storage medium comprising:
- instructions for recording access data pertaining to each of a succession of access events in an access log, wherein each event comprises an instance of the computer system being accessed by a particular user;
  
  instructions for analyzing recorded data contained in the access log at selected time intervals, in order to detect one of a plurality of prespecified conditions;
  
  instructions responsive to detecting a prespecified condition, for selectively determining whether any change to the users or to the permissions of the specified role is needed; and
  
  instructions for implementing each needed change to the users or to the permissions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer program product of claim 1, wherein:
    - the specified role is one of multiple roles that are respectively provided to control access to the computer system, wherein each role is provided in accordance with a role based access control (RBAC) policy.
  - 3. The computer program product of claim 1, wherein:
    - responsive to analyzing specified access data contained in the access log that pertains to a specified user, detecting a condition that the specified user is a dormant user, and then removing the specified user from the specified role.
  - 4. The computer program product of claim 3, wherein:
    - the specified access data includes information showing that the time since the last activation of the specified role by the specified user is greater than a predetermined time limit.
  - 5. The computer program product of claim 1, wherein:
    - responsive to analyzing specified access data contained in the access log that pertains to a specified permission granted by the specified role, detecting a condition that the time since the last use of the specified permission, in association with the specified role, is greater than a predetermined time limit, whereupon the specified permission is removed from the specified role.
  - 6. The computer program product of claim 5, wherein:
    - the specified permission is granted by one or more roles that are each superior to the specified role, the specified access data is used to compute, for each superior role, the time since the last use of the specified permission granted by that superior role, and it is determined that the computed times for all of the superior roles are respectively greater than the predetermined time limit.
  - 7. The computer program product of claim 1, wherein:
    - responsive to analyzing access data contained in the access log, and detecting a condition that the time since any user has activated the specified role exceeds a predetermined time limit, the specified role is discontinued.
  - 8. The computer program product of claim 1, wherein:
    - recorded data contained in the access log is analyzed to detect a condition selected from a group consisting of role size, role risk, role concurrency, permission-based separation of duties, and overlapping roles.
  - 9. The computer program product of claim 8, wherein:
    - responsive to detecting a condition of role risk, permissions determined to be of a high sensitivity are placed in a role different from a role containing permissions that are determined to be of a low sensitivity.
  - 10. The computer program product of claim 1, wherein:
    - analyzing recorded data contained in the access log includes operating a role monitoring component that is provided with a data access layer having a query interface and an event flow interface.
  - 11. The computer program product of claim 10, wherein:
    - one or more analysis modules are each plugged into the data access layer, to support analysis for a selected corresponding condition.
  - 12. The computer program product of claim 11, wherein:
    - events recorded in the access log are respectively played back through an event analysis module, to detect one or more specified types of conditions.
  - 13. The computer program product of claim 11, wherein:
    - a different analysis module is provided for use in detecting each of a plurality of prespecified conditions, including at least superfluous permissions, dormant users, and role concurrency.
  - 14. The computer program product of claim 1, wherein:
    - the selected time intervals comprise periodic time intervals or aperiodic time intervals, selectively.
  - 15. The computer program product of claim 1, wherein:
    - the specified role enables a user to access each one of multiple computer systems.

16. In association with an access control system wherein a specified role controls user access, the specified role comprises one or more users and one or more permissions, and a set of prespecified rules pertains to the specified role, a computer system comprising:
- a bus;
  
  a memory connected to the bus, wherein program code is stored on the memory; and
  
  a processor unit connected to the bus, wherein the processor unit executes the program code;
  
  to record access data pertaining to each of a succession of access events in an access log, wherein each event comprises an instance of the computer system being accessed by a particular user;
  
  to analyze recorded data contained in the access log at selected time intervals, in order to detect one of a plurality of prespecified conditions;
  
  responsive to detecting a prespecified condition, to selectively determine whether any change to the users or to the permissions of the specified role is needed; and
  
  to implement each needed change to the users or to the permissions.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer system of claim 16, wherein:
    - the specified role is one of multiple roles that are respectively provided to control access to the computer system, wherein each role is provided in accordance with a role based access control (RBAC) policy.
  - 18. The computer system of claim 16, wherein:
    - responsive to analyzing specified access data contained in the access log that pertains to a specified user, detecting a condition that the specified user is a dormant user, and then removing the specified user from the specified role.
  - 19. The computer system of claim 18, wherein:
    - the specified access data includes information showing that the time since the last activation of the specified role by the specified user is greater than a predetermined time limit.
  - 20. The computer system of claim 16, wherein:
    - responsive to analyzing specified access data contained in the access log that pertains to a specified permission granted by the specified role, detecting a condition that the time since the last use of the specified permission, in association with the specified role, is greater than a predetermined time limit, whereupon the specified permission is removed from the specified role.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Giblin, Christopher J., Vukovic, Maja

Granted Patent

US 9,087,148 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/21
CPC Class Codes

G06F 11/328   Computer systems status dis...

G06F 11/3438   monitoring of user actions ...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

AUTOMATED ROLE ADJUSTMENT IN A COMPUTER SYSTEM

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED ROLE ADJUSTMENT IN A COMPUTER SYSTEM

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links