Automated role discovery

US 20050138419A1
Filed: 12/19/2003
Published: 06/23/2005
Est. Priority Date: 12/19/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method of automatic role discovery, comprising:

automatically extracting identities and associated attributes from one or more data sources;

automatically clustering said identities to form recommended roles, based on said attributes; and

incorporating said recommended roles into a role based control system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated, bottom-up role discovery method for a role based control system includes automatically extracting identities and attributes from data sources and automatically clustering the identities based on the attributes to form recommended roles. The recommended roles may be modified by intervention of an administrator. Additionally, the recommended roles may be aggregated by defining the role definition as an attribute of each constituent identity, and re-clustering the identities to generate refined roles. The recommended, modified, and/or refined roles may then be utilized in a role based control system, such as a role based access control system. Periodically performing the role discovery process provides a means to audit a role based access control system.

133 Citations

22 Claims

1. A method of automatic role discovery, comprising:
- automatically extracting identities and associated attributes from one or more data sources;
  
  automatically clustering said identities to form recommended roles, based on said attributes; and
  
  incorporating said recommended roles into a role based control system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising:
    - optionally reviewing said recommended roles by an administrator prior to said incorporation; and
      
      optionally modifying said recommended roles by the administrator, said modifications causing an automatic re-clustering of said identities to form revised recommended roles; and
      
      wherein incorporating said recommend roles into a role based control system comprises incorporating said revised recommended roles into said role based control system.
  - 3. The method of claim 2 wherein modifying said recommended roles by the administrator comprises weighting said attributes.
  - 4. The method of claim 2 wherein modifying said recommended roles by the administrator comprises altering which of said attributes are considered in said re-clustering.
  - 5. The method of claim 1 further comprising transforming said attributes extracted from said data sources to a common format prior to said clustering.
  - 6. The method of claim 1 wherein said attributes include entitlements, and wherein said clustering is based on said entitlements.
  - 7. The method of claim 6 wherein said entitlements comprise the associated identity'"'"'s access to resources.
  - 8. The method of claim 1 wherein said role based control system is a role based access control system.
  - 9. The method of claim 1 wherein automatically extracting identities and associated attributes from one or more data sources comprises, for each said data source, automatically forming a list of all identities contained in said data source and, for each said identity, all attributes contained in said data source that are associated with that identity.
  - 10. The method of claim 1 wherein automatically clustering said identities to form recommended roles based on said attributes comprises grouping said identities according to the proximity of disparate identities'"'"' attributes.
  - 11. The method of claim 10 wherein said attributes are entitlements, and wherein identities within each said recommended role have a similar level of access to resources.

12. A method of auditing the access permissions of an information technology (IT) system via a role based access control system, comprising:
- automatically generating initial roles of identities having access to said IT system, based on attributes associated with said identities;
  
  later, automatically generating subsequent roles of identities then having access to said IT system, based on attributes then associated with said identities; and
  
  comparing said initial roles and said subsequent roles to discover erroneous system accesses.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12 wherein automatically generating both said initial roles and said subsequent roles comprises:
    - automatically extracting identities and associated attributes from one or more data sources;
      
      automatically clustering said identities to form recommended roles, based on said attributes; and
      
      incorporating said recommended roles into a role based control system.
  - 14. The method of claim 13 wherein automatically generating both said initial roles and said subsequent roles further comprises:
    - optionally reviewing said recommended roles by an administrator prior to said incorporation; and
      
      optionally modifying said recommended roles by the administrator, said modifications causing an automatic re-clustering of said identities to form revised recommended roles; and
      
      wherein incorporating said recommend roles into a role based control system comprises incorporating said revised recommended roles into said role based access control system.

15. A method of refining roles in a role based control system, comprising:
- automatically generating initial roles of identities based on attributes associated with said identities; and
  
  aggregating said initial roles to generate refined roles.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15 wherein aggregating said initial roles to generate refined roles comprises:
    - defining the role description of at least two said initial roles as an attribute of each identity in each said at least two initial roles; and
      
      automatically generating refined roles of identities based on attributes associated with said identities, including said newly defined attributes.
  - 17. The method of claim 16 wherein automatically generating both said initial roles and said refined roles comprises:
    - automatically extracting identities and associated attributes from one or more data sources;
      
      automatically clustering said identities to form recommended roles, based on said attributes; and
      
      incorporating said recommended roles into said role based control system.
  - 18. The method of claim 17 wherein automatically generating both said initial roles and said refined roles further comprises:
    - optionally reviewing said recommended roles by an administrator prior to said incorporation; and
      
      optionally modifying said recommended roles by the administrator, said modifications causing an automatic re-clustering of said identities to form revised recommended roles; and
      
      wherein incorporating said recommend roles into said role based control system comprises incorporating said revised recommended roles into said role based control system.

19. An automated method of role based access control, comprising:
- automatically extracting identities and associated attributes from one or more data sources;
  
  automatically clustering said identities to form initial recommended roles, based on said attributes;
  
  optionally aggregating said initial recommended roles by defining the role description of at least two said recommended roles as an attribute of each identity in each said roles and automatically generating initial refined roles of identities based on attributes associated with said identities, including said newly defined attributes. incorporating said initial recommended roles and optionally said initial refined roles into said role based control system;
  
  later, automatically extracting identities and associated attributes from said data sources;
  
  automatically clustering said identities to form subsequent recommended roles, based on said attributes;
  
  optionally aggregating said subsequent recommended roles to form subsequent refined roles;
  
  incorporating said subsequent recommended roles and optionally said subsequent refined roles into said role based control system; and
  
  comparing said initial roles and said subsequent roles to discover erroneous system accesses.

20. A computer readable medium including one or more computer programs operative to cause a computer to generate roles suitable for a role based control system, the computer programs causing the computer to perform the steps of:
- extracting identities and associated attributes from one or more data sources;
  
  clustering said identities to form recommended roles, based on said attributes; and
  
  incorporating said recommended roles into a role based control system.
- View Dependent Claims (21, 22)
- - 21. The computer readable medium of claim 20, said computer programs causing the computer to further perform the steps of:
    - displaying said recommended roles prior to said incorporation; and
      
      modifying said recommended roles based on input by an administrator, said modifications causing a re-clustering of said identities to form revised recommended roles; and
      
      wherein incorporating said recommend roles into a role based control system comprises incorporating said revised recommended roles into said role based control system.
  - 22. The computer readable medium of claim 20, said computer programs causing the computer to further perform the steps of transforming said attributes extracted from said data sources to a common format prior to said clustering.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Sampathkumar, Govindaraj, Shankar, Hari, Gupta, Pratik, Kuehr-McLaren, David G., Taank, Sumit, Williams, Vincent C., Cutcher, Sharon L., Stube, Brian A.

Application Number

US10/741,634
Publication Number

US 20050138419A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Automated role discovery

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

133 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Automated role discovery

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

133 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links