IDENTIFYING UNUSED PRIVILEGES IN A DATABASE SYSTEM
First Claim
1. A method comprising:
identifying a set of privileges that are available to one or more requesting entities;
monitoring a set of database accesses initiated by the one or more requesting entities, wherein the set of database accesses includes a subset that involve a first subset of the set of privileges;
based on the set of privileges and the first subset, identifying a second subset, of the set of privileges, that have not been used by any of the one or more requesting entities;
wherein the method is performed by one or more computing devices.
1 Assignment
0 Petitions
Abstract
Techniques for identifying unused privileges are provided. Database accesses are monitored to generate privilege usage data. Privilege usage data for each database access may indicate a user, a utilized privilege, an object that is the target of the privilege, and a role to which the privilege is granted. The privilege usage data is compared to database authorization data that indicates all (or a subset) of granted privileges. A result of the comparison is unused privilege data that indicates what granted privileges were not utilized. A role graph may be generated that indicates one or more privileges that were utilized and one or more privileges that were not utilized along with role paths providing the privileges.
29 Citations
24 Claims
1. A method comprising:
identifying a set of privileges that are available to one or more requesting entities;
monitoring a set of database accesses initiated by the one or more requesting entities, wherein the set of database accesses includes a subset that involve a first subset of the set of privileges;
based on the set of privileges and the first subset, identifying a second subset, of the set of privileges, that have not been used by any of the one or more requesting entities;
wherein the method is performed by one or more computing devices.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method comprising:
determining that a first privilege with respect to a first database object was not utilized by a first requesting entity;
determining a first grant path from the first requesting entity to the first privilege through a set of one or more roles;
causing data about the first grant path to be displayed;
wherein the method is performed by one or more computing devices.
Dependent claims: 10, 11, 12.

13. One or more storage media storing instructions which, when executed by one or more processors, cause:
identifying a set of privileges that are available to one or more requesting entities;
monitoring a set of database accesses initiated by the one or more requesting entities, wherein the set of database accesses includes a subset that involve a first subset of the set of privileges;
based on the set of privileges and the first subset, identifying a second subset, of the set of privileges, that have not been used by any of the one or more requesting entities.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.

21. One or more storage media storing instructions which, when executed by one or more processors, cause:
determining that a first privilege with respect to a first database object was not utilized by a first requesting entity;
determining a first grant path from the first requesting entity to the first privilege through a set of one or more roles;
causing data about the first grant path to be displayed.
Dependent claims: 22, 23, 24.
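The abstract and claims 1 and 9 describe the technique only in prose: collect privilege-usage data while monitoring accesses, compare it with the granted privileges in the authorization data, report what was never used, and explain each unused privilege by the role path that delivers it. The following Python is an added worked example, not code from the patent or its assignee. It runs over a constructed in-memory grant table (GRANTS) and usage log (USAGE); those layouts, the sample users and roles, and all function names are assumptions made for this illustration. It also goes slightly beyond the claim text by enumerating every grant path to a privilege and by tolerating cyclic role grants.

```python
"""Unused-privilege detection with grant-path explanation.

Added example, not the patent's own code. It models the abstract and
claims 1 and 9 on a constructed, in-memory grant table (GRANTS) and
privilege-usage log (USAGE); both layouts and all function names are
assumptions made for this illustration.
"""

# Constructed authorization data: grantee -> set of grants.
# ("ROLE", name)           : grantee is a member of role `name`
# ("PRIV", (priv, object)) : grantee holds `priv` directly on `object`
GRANTS = {
    "alice":   {("ROLE", "analyst")},
    "bob":     {("ROLE", "dba"), ("PRIV", ("SELECT", "hr.salaries"))},
    "analyst": {("ROLE", "reader"), ("PRIV", ("SELECT", "sales.orders"))},
    "reader":  {("PRIV", ("SELECT", "public.catalog"))},
    "dba":     {("ROLE", "analyst"),
                ("PRIV", ("DROP", "sales.orders")),
                ("PRIV", ("SELECT", "hr.salaries"))},
}

# Constructed privilege-usage log gathered while monitoring database
# accesses: (user, privilege, object). bob exercised only his direct grant.
USAGE = [
    ("alice", "SELECT", "sales.orders"),
    ("alice", "SELECT", "public.catalog"),
    ("bob",   "SELECT", "hr.salaries"),
]


def effective_privileges(grantee, grants=GRANTS):
    """Map every (privilege, object) reachable from `grantee` to the list
    of grant paths that deliver it.

    A path is [grantee, role, ..., (privilege, object)]. Depth-first walk
    over role memberships; a role already on the current path is not
    re-entered, so cyclic role grants cannot loop forever.
    """
    result = {}

    def walk(node, path):
        for kind, target in sorted(grants.get(node, ())):
            if kind == "PRIV":
                result.setdefault(target, []).append(path + [target])
            elif target not in path:          # kind == "ROLE"
                walk(target, path + [target])

    walk(grantee, [grantee])
    return result


def used_privileges(user, usage=USAGE):
    """Claim 1's first subset: privileges the monitored accesses exercised."""
    return {(priv, obj) for who, priv, obj in usage if who == user}


def unused_privileges(user, grants=GRANTS, usage=USAGE):
    """Claim 1's second subset: granted but never used, keyed by
    (privilege, object) with the grant paths that supply each one."""
    used = used_privileges(user, usage)
    return {p: paths for p, paths in effective_privileges(user, grants).items()
            if p not in used}


def format_path(path):
    """Render a grant path as 'user -> role -> ... -> PRIV ON object'."""
    *hops, (priv, obj) = path
    return " -> ".join(hops) + f" -> {priv} ON {obj}"


def role_graph_report(user, grants=GRANTS, usage=USAGE):
    """Claim 9 / abstract: one line per grant path, each privilege tagged
    USED or UNUSED, so a reviewer sees which role carries the dead grant."""
    used = used_privileges(user, usage)
    lines = []
    for p, paths in sorted(effective_privileges(user, grants).items()):
        tag = "USED" if p in used else "UNUSED"
        lines.extend(f"{tag:6} {format_path(path)}" for path in paths)
    return lines


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(f"== {user}")
        print("\n".join(role_graph_report(user)))
```

In the constructed data, bob's DROP on sales.orders is reported as unused with the path bob -> dba -> DROP ON sales.orders, which is the actionable output: revoking or trimming the dba role membership removes the dead privilege, whereas revoking the direct SELECT grant would not. Two caveats a practitioner should keep in mind before acting on such a report: the monitoring window must cover infrequent jobs (month-end batches, disaster-recovery drills) or their privileges will look unused, and the usage data must be compared against the same snapshot of the authorization catalog that was in force during monitoring, since grants changed mid-window will be misclassified. In a real deployment the GRANTS table would be populated from the database's own catalog views (for example Oracle's DBA_ROLE_PRIVS and DBA_TAB_PRIVS) and USAGE from its audit trail rather than from the inline samples used here.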
Specification