Automatic removal of global user security groups
First Claim
1. An enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, said system comprising:
a learned access permissions subsystem comprising at least one processor and at least one memory comprising computer code, said learned access permissions subsystem operative to learn current access permissions of users in an enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;
a learned actual access subsystem comprising at least one processor and at least one memory comprising computer code, said learned actual access subsystem operative to learn an actual access history of said users in the enterprise to said network objects and to provide an indication of which users have had actual access to which network objects; and
a computer security policy administration subsystem comprising at least one processor and at least one memory comprising computer code, said computer security policy administration subsystem operable for receiving said indications from said learned access permission subsystem and said learned actual access subsystem and being operative to automatically replace access permissions of a pre-selected user security group to said network objects by:
automatically removing all access permissions of said pre-selected user security group to said network objects, regardless of whether members of said pre-selected user security group have actually accessed said network objects; and
automatically providing access permissions to said network objects to automatically identified users of said network objects who earlier had actual access to said network objects, which access permissions were automatically removed in said automatically removing all access permissions step, said computer security policy administration subsystem also comprising replacement initiation functionality which automatically initiates said replacement of said access permissions of said pre-selected user security group to said network objects based only on a schedule predetermined by an administrator.
Abstract
A system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, including a learned access permissions subsystem operative to learn current access permissions of users to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects, a learned actual access subsystem operative to learn actual access history of users in the enterprise to the network objects and to provide indications of which users have had actual access to which network objects, and a computer security policy administration subsystem, receiving indications from the learned access permission subsystem and the learned actual access subsystem and being operative to automatically replace pre-selected user-security group-based access permissions with at least partially actual access-based access permissions without disrupting access to network objects.
18 Claims
1. (Independent claim; text reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7
8. An enterprise system for simulating replacement of a user security group-based computer security policy by a computer security policy, said system comprising:
a learned access permission subsystem comprising at least one processor and at least one memory comprising computer code, said learned access permissions subsystem operative to learn current access permissions of users in an enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;
a learned actual access subsystem comprising at least one processor and at least one memory comprising computer code, said learned actual access subsystem operative to learn an actual access history of said users in the enterprise to said network objects and to provide an indication of which users have had actual access to which network objects;
a computer security policy simulation subsystem comprising at least one processor and at least one memory comprising computer code, said computer security policy administration subsystem being operable for receiving said indications from said learned access permission subsystem and said learned actual access subsystem and being operative to automatically simulate replacing access permissions of a pre-selected user security group to said network objects by:
automatically simulating removal of all access permissions of said pre-selected user security group to said network objects regardless of whether members of said pre-selected user security group have actually accessed said network objects; and
automatically simulating providing access permissions to said network objects to automatically identified users of said network objects who earlier had actual access to said network objects, which access permissions were automatically removed in said automatically simulating removing all access permissions step;
a pre-replacement notification and authorization subsystem comprising at least one processor and at least one memory comprising computer code, said pre-replacement notification and authorization subsystem automatically operative to notify predetermined stakeholders in predetermined ones of the network objects of changes in access permissions expected to take place as a result of the replacement, to request their authorization; and
said computer security policy administration subsystem also comprising replacement initiation functionality which, responsive to said authorization, automatically initiates said replacement of said access permissions of said pre-selected user security group to said network objects based only on a schedule predetermined by an administrator.
Dependent claims: 9
10. A method for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, said method comprising using at least one processor to execute computer code stored in at least one memory for:
learning current access permissions of users in an enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;
learning an actual access history of said users in the enterprise to said network objects and to provide an indication of which users have had actual access to which network objects;
receiving said indications and automatically replacing access permissions of a pre-selected user security group to said network objects by:
automatically removing all access permissions of said pre-selected user security group to said network objects, regardless of whether members of said pre-selected user security group have actually accessed said network objects; and
automatically providing access permissions to said network objects to automatically identified users of said network objects who earlier had actual access to said network objects, which access permissions were automatically removed in said automatically removing all access permissions step; and
automatically initiating said replacement of said access permissions of said pre-selected user security group to said network objects based only on a schedule predetermined by an administrator.
Dependent claims: 11, 12, 13, 14, 15, 16
17. A method for simulating replacement of a user security group-based computer security policy by a computer security policy, said method comprising using at least one processor to execute computer code stored in at least one memory for:
learning current access permissions of users in an enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;
learning an actual access history of said users in the enterprise to said network objects and to provide an indication of which users have had actual access to which network objects;
receiving said indications and automatically simulating replacing access permissions of a pre-selected user security group to said network objects by:
automatically simulating removal of all access permissions of said pre-selected user security group to said network objects regardless of whether members of said pre-selected user security group have actually accessed said network objects; and
automatically simulating providing access permissions to said network objects to automatically identified users of said network objects who earlier had actual access to said network objects, which access permissions were automatically removed in said automatically simulating removing all access permissions step;
notifying predetermined stakeholders in predetermined ones of said network objects of changes in access permissions expected to take place as a result of said replacement, to request their authorization; and
responsive to said authorization, automatically initiating said replacement of said access permissions of said pre-selected user security group to said network objects based only on a schedule predetermined by an administrator.
Dependent claims: 18
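An added worked example, not the patent's own code, of the replacement the independent claims describe (1 and 10 for the applied form, 8 and 17 for the simulated, stakeholder-notified form) on constructed data: learn who holds access and who actually used it, plan removal of one pre-selected group's entries together with direct re-grants to the members who depended on them, produce the per-stakeholder notice, and apply the plan at the scheduled step. The simplified ACL model, the rule that a member is re-granted only when the removed group was their sole path, and the OWNERS map are assumptions of this example.

```python
from collections import defaultdict
# Constructed inventory: object -> principals (users or groups) holding access.
ACLS = {
    "fs01/finance": {"Domain Users", "alice"},
    "fs01/hr": {"Domain Users", "HR-Staff"},
    "fs01/eng": {"Domain Users"},
}
MEMBERS = {"Domain Users": {"alice", "bob", "carol", "dave"}, "HR-Staff": {"carol"}}
OWNERS = {"fs01/finance": "cfo", "fs01/hr": "hr-lead", "fs01/eng": "cto"}  # assumed
# Constructed "actual access" history: (user, object) events.
ACCESS_LOG = [("bob", "fs01/finance"), ("carol", "fs01/hr"), ("dave", "fs01/eng"),
              ("bob", "fs01/eng"), ("alice", "fs01/finance")]

def has_other_path(user, obj, acls, members, removed_group):
    """True if user still reaches obj once removed_group's entry is gone."""
    for principal in acls[obj]:
        if principal == removed_group:
            continue
        if principal == user or user in members.get(principal, ()):
            return True
    return False

def plan_replacement(group, acls, members, access_log):
    """Change set for one pre-selected group: drop its entry on every object it
    reaches; re-grant directly to members whose only path was that group and
    who actually used the object. Computed only; nothing is applied here."""
    used = defaultdict(set)
    for user, obj in access_log:
        used[obj].add(user)
    plan = {}
    for obj, principals in acls.items():
        if group in principals:
            grants = sorted(u for u in used[obj] if u in members[group]
                            and not has_other_path(u, obj, acls, members, group))
            plan[obj] = {"remove": group, "grant": grants}
    return plan

def notifications(plan, owners):
    """Pre-replacement notice per stakeholder (the simulation claims 8 and 17)."""
    notes = defaultdict(list)
    for obj, change in plan.items():
        who = ", ".join(change["grant"]) or "nobody"
        notes[owners[obj]].append(f"{obj}: remove {change['remove']}; grant {who}")
    return dict(notes)

def apply_plan(plan, acls):
    """Scheduled step (claims 1 and 10): remove the group entry, add direct grants."""
    for obj, change in plan.items():
        acls[obj].discard(change["remove"])
        acls[obj].update(change["grant"])
    return acls
```

Note that carol keeps her HR share through HR-Staff and alice her finance share through her direct entry, so neither gets a redundant grant, while the unused hr entry for Domain Users is removed with no replacement at all.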