Context aware recertification

US 9,607,142 B2
Filed: 09/09/2011
Issued: 03/28/2017
Est. Priority Date: 09/09/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method, in a data processing system having a processor implemented in hardware, for recertification of a user access entitlement, comprising;

collecting, from a system resource of the data processing system, access information representative of accesses of the system resource by a user access entitlement of a specific user;

determining, by the processor, that recertification of the user access entitlement, with regard to the system resource, is to be performed;

determining, by the processor, a pattern of access based on the access information for the user access entitlement; and

outputting, by the processor, a recertification request graphical user interface to a user based on the pattern of access, wherein the graphical user interface comprises a representation of the pattern of access and one or more graphical user interface elements for receiving a user input specifying acceptance or denial of the recertification of the user access entitlement, wherein the representation of the pattern of access comprises a comparison of a first access metric associated with the user access entitlement of the specific user to a second access metric associated with one or more other user access entitlements of one or more other specific users, and wherein the first access metric and the second access metric are statistical values indicative of previous access operations by corresponding user access entitlements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms are provided for facilitating recertification of a user access entitlement. These mechanisms collect, from a system resource of the data processing system, access information representative of accesses of the system resource by a user access entitlement. These mechanisms determine that recertification of the user access entitlement, with regard to the system resource, is to be performed and a pattern of access is determined based on the access information for the user access entitlement. A recertification request graphical user interface is output to a user based on the pattern of access. The graphical user interface includes the pattern of access and one or more graphical user interface elements for receiving a user input specifying acceptance or denial of the recertification of the user access entitlement.

25 Citations

View as Search Results

21 Claims

1. A method, in a data processing system having a processor implemented in hardware, for recertification of a user access entitlement, comprising;
- collecting, from a system resource of the data processing system, access information representative of accesses of the system resource by a user access entitlement of a specific user;
  
  determining, by the processor, that recertification of the user access entitlement, with regard to the system resource, is to be performed;
  
  determining, by the processor, a pattern of access based on the access information for the user access entitlement; and
  
  outputting, by the processor, a recertification request graphical user interface to a user based on the pattern of access, wherein the graphical user interface comprises a representation of the pattern of access and one or more graphical user interface elements for receiving a user input specifying acceptance or denial of the recertification of the user access entitlement, wherein the representation of the pattern of access comprises a comparison of a first access metric associated with the user access entitlement of the specific user to a second access metric associated with one or more other user access entitlements of one or more other specific users, and wherein the first access metric and the second access metric are statistical values indicative of previous access operations by corresponding user access entitlements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein collecting access information from the system resource comprises receiving the access information from an agent component executing on an end system associated with the system resource.
  - 3. The method of claim 1, wherein determining that recertification of the user access entitlement with regard to the system resource is to be performed comprises determining that a triggering condition specified in a recertification policy of the data processing system has occurred with regard to the user access entitlement.
  - 4. The method of claim 1, wherein determining a pattern of access comprises:
    - determining, by the processor, a context to use as a basis for determining the pattern of access, wherein the context comprises at least one of an identity sub-context, resource sub-context, or transaction sub-context; and
      
      determining, by the processor, the pattern of access by analyzing a portion of the access information, specifying previous access operations previously executed, corresponding to one or more of the identity sub-context, resource sub-context, or transaction sub-context.
  - 5. The method of claim 4, wherein determining the context to use as a basis for determining the pattern of access comprises:
    - sending, by the processor, a recertification notification to a user computing device indicating that recertification of the user access entitlement is necessary;
      
      performing, by the processor, a login operation of the user computing device; and
      
      in response to performing the login operation successfully, providing, by the processor, to the user computing device, a graphical user interface for inputting characteristics of the context.
  - 6. The method of claim 1, wherein the one or more other user access entitlements are user access entitlements having a group association corresponding to a same group identifier as the user access entitlement for which recertification is sought.
  - 7. The method of claim 6, wherein the graphical user interface comprises the pattern of access in the form of a graphical depiction of the first metric relative to the second metric and one or more threshold values.
  - 8. The method of claim 1, further comprising:
    - determining, by the processor, a recommendation as to whether to accept or deny the recertification of the user access entitlement based on results of the determination of the pattern of access, wherein the recertification graphical user interface further comprises the recommendation.
  - 9. The method of claim 4, wherein the identity sub-context view comprises context information specifically identifying the specific user associated with the user access entitlement, the resource sub-context view comprises context information specifying a specific resource being accessed the user access entitlement, and the transaction sub-context comprises context information for analyzing types of access operations performed by the specific user in comparison to other corresponding access operations.
  - 10. The method of claim 1, wherein the comparison of the first access metric associated with the user access entitlement of the specific user to the second access metric associated with one or more other user access entitlements of one or more other specific users comprises at least one of:
    - a first comparison the specific user'"'"'s number of hours since a last logon access operation for logging on to the system resource, to the one or more other specific users'"'"' number of hours since a last logon access operation for logging on to the system resource;
      
      a second comparison of the specific user'"'"'s total usage hours of the system resource to the one or more other specific users'"'"' total usage hours of the system resource; and
      
      a third comparison of the specific user'"'"'s frequency of usage of the system resource to the one or more other specific users'"'"' frequency of usage of the system resource.
  - 11. The method of claim 1, wherein the comparison comprises a combination of a selection of two comparisons from the set comprising the first comparison, second comparison, and third comparison, and wherein each of the two comparisons further includes a depiction of a corresponding mean threshold.
  - 12. The method of claim 1, wherein the one or more other specific users comprises a plurality of other specific users and wherein the representation further comprises an indicator, with regard to each of the other specific users, as to whether recertification of the other specific users is recommended to be accepted or rejected.

13. A computer program product comprising a non-transitory computer readable medium having a computer readable program stored therein, wherein the computer readable program, when executed on a computing device of a data processing system, causes the computing device to:
- collect, from a system resource of the data processing system, access information representative of accesses of the system resource by a user access entitlement of a specific user;
  
  determine that recertification of the user access entitlement, with regard to the system resource, is to be performed;
  
  determine a pattern of access based on the access information for the user access entitlement; and
  
  output a recertification request graphical user interface to a user based on the pattern of access, wherein the graphical user interface comprises the pattern of access and one or more graphical user interface elements for receiving a user input specifying acceptance or denial of the recertification of the user access entitlement, wherein the representation of the pattern of access comprises a comparison of a first access metric associated with the user access entitlement of the specific user to a second access metric associated with one or more other user access entitlements of one or more other specific users, and wherein the first access metric and the second access metric are statistical values indicative of previous access operations by corresponding user access entitlements.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The computer program product of claim 13, wherein the computer readable program causes the computing device to collect access information from the system resource by receiving the access information from an agent component executing on an end system associated with the system resource.
  - 15. The computer program product of claim 13, wherein the computer readable program causes the computing device to determine that recertification of the user access entitlement with regard to the system resource is to be performed by determining that a triggering condition specified in a recertification policy of the data processing system has occurred with regard to the user access entitlement.
  - 16. The computer program product of claim 13, wherein the computer readable program causes the computing device to determine a pattern of access by:
    - determining a context to use as a basis for determining the pattern of access, wherein the context comprises at least one of an identity sub-context, resource sub-context, or transaction sub-context; and
      
      determining the pattern of access by analyzing a portion of the access information, specifying previous access operations previously executed, corresponding to one or more of the identity sub-context, resource sub-context, or transaction sub-context.
  - 17. The computer program product of claim 16, wherein the computer readable program causes the computing device to determine the context to use as a basis for determining the pattern of access by:
    - sending a recertification notification to a user computing device indicating that recertification of the user access entitlement is necessary;
      
      performing a login operation of the user computing device; and
      
      in response to performing the login operation successfully, providing to the user computing device, a graphical user interface for inputting characteristics of the context.
  - 18. The computer program product of claim 13, wherein the one or more other user access entitlements are user access entitlements having a group association corresponding to a same group identifier as the user access entitlement for which recertification is sought.
  - 19. The computer program product of claim 18, wherein the graphical user interface comprises the pattern of access in the form of a graphical depiction of the first metric relative to the second metric and one or more threshold values.
  - 20. The computer program product of claim 13, wherein the computer readable program further causes the computing device to:
    - determine a recommendation as to whether to accept or deny the recertification of the user access entitlement based on results of the determination of the pattern of access, wherein the recertification graphical user interface further comprises the recommendation.

21. An apparatus, comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory comprises instructions which, when executed by the processor, cause the processor to;
  
  collect, from a system resource of the data processing system, access information representative of accesses of the system resource by a user access entitlement of a specific user;
  
  determine that recertification of the user access entitlement, with regard to the system resource, is to be performed;
  
  determine a pattern of access based on the access information for the user access entitlement; and
  
  output a recertification request graphical user interface to a user based on the pattern of access, wherein the graphical user interface comprises the pattern of access and one or more graphical user interface elements for receiving a user input specifying acceptance or denial of the recertification of the user access entitlement, wherein the representation of the pattern of access comprises a comparison of a first access metric associated with the user access entitlement of the specific user to a second access metric associated with one or more other user access entitlements of one or more other specific users, and wherein the first access metric and the second access metric are statistical values indicative of previous access operations by corresponding user access entitlements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dharmarajan, Manjeri R., Kapadia, Kaushal K., Miriyala, Vigneshwarnath, Nagaratnam, Nataraj, Swamy, Darshini G., Tiwari, Suyesh R.
Primary Examiner(s)
KIM, TAE K

Application Number

US13/228,811
Publication Number

US 20130067538A1
Time in Patent Office

2,027 Days
Field of Search

726 1- 8, 713182-138, 709/223, 709/225, 709/226
US Class Current

1/1
CPC Class Codes

G06F 21/45   Structures or tools for the...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/06   for supporting key manageme...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

Context aware recertification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Context aware recertification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links