Automated role discovery
1 Assignment
0 Petitions
Abstract
An automated, bottom-up role discovery method for a role based control system includes automatically extracting identities and attributes from data sources and automatically clustering the identities based on the attributes to form recommended roles. The recommended roles may be modified by intervention of an administrator. Additionally, the recommended roles may be aggregated by defining the role definition as an attribute of each constituent identity, and re-clustering the identities to generate refined roles. The recommended, modified, and/or refined roles may then be utilized in a role based control system, such as a role based access control system. Periodically performing the role discovery process provides a means to audit a role based access control system.
133 Citations
22 Claims
1. A method of automatic role discovery, comprising:
automatically extracting identities and associated attributes from one or more data sources;
automatically clustering said identities to form recommended roles, based on said attributes; and
incorporating said recommended roles into a role based control system.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)

12. A method of auditing the access permissions of an information technology (IT) system via a role based access control system, comprising:
automatically generating initial roles of identities having access to said IT system, based on attributes associated with said identities;
later, automatically generating subsequent roles of identities then having access to said IT system, based on attributes then associated with said identities; and
comparing said initial roles and said subsequent roles to discover erroneous system accesses.
(Dependent claims: 13, 14)

15. A method of refining roles in a role based control system, comprising:
automatically generating initial roles of identities based on attributes associated with said identities; and
aggregating said initial roles to generate refined roles.
(Dependent claims: 16, 17, 18)

19. An automated method of role based access control, comprising:
automatically extracting identities and associated attributes from one or more data sources;
automatically clustering said identities to form initial recommended roles, based on said attributes;
optionally aggregating said initial recommended roles by defining the role description of at least two said recommended roles as an attribute of each identity in each of said roles and automatically generating initial refined roles of identities based on attributes associated with said identities, including said newly defined attributes;
incorporating said initial recommended roles and optionally said initial refined roles into said role based control system;
later, automatically extracting identities and associated attributes from said data sources;
automatically clustering said identities to form subsequent recommended roles, based on said attributes;
optionally aggregating said subsequent recommended roles to form subsequent refined roles;
incorporating said subsequent recommended roles and optionally said subsequent refined roles into said role based control system; and
comparing said initial roles and said subsequent roles to discover erroneous system accesses.

20. A computer readable medium including one or more computer programs operative to cause a computer to generate roles suitable for a role based control system, the computer programs causing the computer to perform the steps of:
extracting identities and associated attributes from one or more data sources;
clustering said identities to form recommended roles, based on said attributes; and
incorporating said recommended roles into a role based control system.
(Dependent claims: 21, 22)
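The abstract and claims 1, 12, 15 and 19 above describe one pipeline: extract identities and attributes from several sources, cluster identities into recommended roles, optionally aggregate those roles into refined roles by writing the role back as an attribute and re-clustering, and later repeat discovery and compare the two results to find erroneous access. The following is an added illustration of that pipeline, not the patent's own implementation or code from any product; the HR directory, the two entitlement exports, the identity names, the choice of exact-match clustering on (dept, title) and the majority-vote role baseline are all constructed assumptions for the example.

```python
"""Bottom-up role discovery, aggregation and audit in the style of the claims above.
Added illustration with constructed data; not the patent's own implementation."""
from collections import Counter, defaultdict

# Constructed data source 1: HR directory (identity -> business attributes).
HR = {
    "alice": {"dept": "finance", "title": "analyst"},
    "bob":   {"dept": "finance", "title": "analyst"},
    "carol": {"dept": "finance", "title": "manager"},
    "dave":  {"dept": "eng",     "title": "developer"},
    "erin":  {"dept": "eng",     "title": "developer"},
    "frank": {"dept": "eng",     "title": "sre"},
}
# Constructed data source 2: entitlement export at time t0 (identity -> permissions).
ENTITLEMENTS_T0 = {
    "alice": {"ledger:read", "ledger:write"},
    "bob":   {"ledger:read", "ledger:write"},
    "carol": {"ledger:read", "ledger:write", "ledger:approve"},
    "dave":  {"repo:read", "repo:write", "ci:run"},
    "erin":  {"repo:read", "repo:write", "ci:run"},
    "frank": {"repo:read", "repo:write", "ci:run"},
}
# Same export taken later (t1, constructed): bob kept an approval right from a
# temporary cover assignment, erin lost ci:run, and "grace" holds access with no HR record.
ENTITLEMENTS_T1 = {**ENTITLEMENTS_T0,
                   "bob": {"ledger:read", "ledger:write", "ledger:approve"},
                   "erin": {"repo:read", "repo:write"},
                   "grace": {"ledger:read"}}
CLUSTER_KEYS = ("dept", "title")  # attributes the clustering step groups on (assumed)


def extract_identities(hr, entitlements):
    """Step 1: merge the sources into identity -> attributes; the permission set
    itself becomes an attribute so later steps can cluster on it."""
    identities = {}
    for user in sorted(set(hr) | set(entitlements)):
        attrs = dict(hr.get(user, {}))
        attrs["perms"] = frozenset(entitlements.get(user, ()))
        identities[user] = attrs
    return identities


def cluster(identities, keys):
    """Step 2: exact-match clustering; identities with identical values on
    `keys` form one recommended role, keyed by that attribute signature."""
    roles = defaultdict(set)
    for user, attrs in identities.items():
        roles[tuple((k, attrs.get(k)) for k in keys)].add(user)
    return dict(roles)


def aggregate(identities, recommended):
    """Step 3 (claims 15/19): write each identity's recommended role back as an
    attribute, then re-cluster on the permission set, so recommended roles whose
    members hold identical permissions merge into one refined role."""
    for signature, members in recommended.items():
        for user in members:
            identities[user]["role"] = signature
    refined = {}
    for members in cluster(identities, ("perms",)).values():
        constituents = frozenset(identities[u]["role"] for u in members)
        refined[constituents] = members
    return refined


def role_baseline(identities, roles):
    """Expected permissions of a role: those held by a strict majority of its members."""
    baseline = {}
    for signature, members in roles.items():
        counts = Counter(p for u in members for p in identities[u]["perms"])
        baseline[signature] = frozenset(p for p, c in counts.items() if 2 * c > len(members))
    return baseline


def audit(hr, ent_initial, ent_later, keys=CLUSTER_KEYS):
    """Claim 12 style audit: run discovery on both snapshots, compare the role
    sets, and flag identities whose permissions deviate from their role's
    baseline (excess grants are the erroneous accesses to review first)."""
    ids0 = extract_identities(hr, ent_initial)
    base0 = role_baseline(ids0, cluster(ids0, keys))
    ids1 = extract_identities(hr, ent_later)
    roles1 = cluster(ids1, keys)
    base1 = role_baseline(ids1, roles1)
    deviations = []
    for signature, members in roles1.items():
        expected = base0.get(signature, base1[signature])  # prefer the earlier baseline
        for user in sorted(members):
            extra, missing = ids1[user]["perms"] - expected, expected - ids1[user]["perms"]
            if extra:
                deviations.append((user, "excess", sorted(extra)))
            if missing:
                deviations.append((user, "missing", sorted(missing)))
    return {"deviations": sorted(deviations),
            "new_roles": sorted(set(roles1) - set(base0), key=repr),
            "removed_roles": sorted(set(base0) - set(roles1), key=repr)}


if __name__ == "__main__":
    ids = extract_identities(HR, ENTITLEMENTS_T0)
    recommended = cluster(ids, CLUSTER_KEYS)
    for sig, members in recommended.items():
        print("recommended", dict(sig), sorted(members))
    for parts, members in aggregate(ids, recommended).items():
        print("refined from", len(parts), "role(s):", sorted(members))
    print(audit(HR, ENTITLEMENTS_T0, ENTITLEMENTS_T1))
```

On the constructed data, discovery at t0 yields four recommended roles; aggregation merges the two engineering roles, whose members hold identical permissions, into one refined role. The audit against the t1 export reports bob's excess approval right and erin's missing ci:run, and surfaces grace as a new role signature with no HR attributes, which is the orphan-account case an access review should catch. Exact-match clustering is the simplest choice; a production role-mining tool would typically tolerate near matches, but the comparison and baseline logic is the same.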
Specification