Automatic policy generation based on role entitlements and identity attributes
1 Assignment
0 Petitions
Abstract
Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.
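The two policies the abstract describes, as an added example that is not the patent's own code: the automatic policy is the intersection of the members' entitlements (taking "all of the role identities" as the predetermined number), and the conditional policy is a vector of (non-entitlement attributes, non-common entitlements) pairs that a new identity is matched against. The `Identity`/`RolePolicy` names, the constructed sample role, and the attribute-overlap count used as the similarity measure are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    name: str
    attributes: dict        # non-entitlement attributes, e.g. {"dept": "finance"}
    entitlements: frozenset # entitlements the identity currently holds

@dataclass
class RolePolicy:
    automatic: frozenset                          # granted to every new member
    vector: list = field(default_factory=list)    # (attributes, non-common entitlements)

def generate_policy(members):
    """Build the automatic policy and the conditional-policy vector for a role."""
    if not members:
        return RolePolicy(frozenset())
    # Automatic policy: entitlements common to all members of the role.
    common = frozenset.intersection(*(m.entitlements for m in members))
    vector = []
    for m in members:
        uncommon = m.entitlements - common
        if uncommon:  # only identities holding a non-commonly-owned entitlement
            vector.append((dict(m.attributes), uncommon))
    return RolePolicy(common, vector)

def attribute_overlap(a, b):
    """Assumed similarity: number of attribute key/value pairs that agree."""
    return sum(1 for k, v in a.items() if b.get(k) == v)

def recommend(policy, new_identity):
    """Return (entitlements granted automatically, entitlements recommended pending approval)."""
    best, best_score = None, 0
    for attrs, ents in policy.vector:          # iterate the vector for the closest match
        score = attribute_overlap(attrs, new_identity.attributes)
        if score > best_score:                 # first best wins on ties; zero overlap recommends nothing
            best, best_score = ents, score
    recommended = best or frozenset()
    return policy.automatic, recommended - policy.automatic

# Constructed sample role; values are illustrative, not from the patent.
ROLE = [
    Identity("alice", {"dept": "finance", "site": "nyc", "level": "senior"}, frozenset({"erp", "vpn", "gl_close"})),
    Identity("bob",   {"dept": "finance", "site": "lon", "level": "junior"}, frozenset({"erp", "vpn"})),
    Identity("carol", {"dept": "finance", "site": "nyc", "level": "junior"}, frozenset({"erp", "vpn", "ap_invoice"})),
]
```

A joiner with no attribute overlap gets only the automatic policy, which keeps the conditional recommendation from becoming a silent privilege grant.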
68 Citations
8 Claims
1. A method of automatically generating a policy for a role, said role comprising a plurality of identities having attributes that include entitlements and non-entitlement attributes, comprising:
- automatically obtaining a list of attributes possessed by all of the identities in said role;
- automatically extracting from said list of attributes a first list of entitlements common to all of said predetermined number of the identities in said role;
- automatically forming a policy for said role that said first list of entitlements will be given to an identity subsequently added to said role;
- automatically extracting from said list of attributes a second list of entitlements not common to all identities in said role;
- automatically creating a vector, considering each identity associated with an entitlement in said second list, mapping the set of non-entitlement attributes possessed by said identity to the non-commonly-owned entitlements possessed by said identity;
- when a new identity having attributes is added to said role, automatically iterating through said vector to determine the identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity; and
- automatically forming an additional policy for said role recommending that said new identity be given the entitlements of said most closely matching identity.

Dependent claims: 2, 3.
4. A method of assigning entitlements to a new identity upon joining a role, comprising:
- providing a role comprising a plurality of identities having attributes that include entitlements and non-entitlement attributes;
- automatically generating a conditional policy for said role based on said entitlements, said conditional policy comprising recommending that when a new identity having attributes is added to said role, said new identity be assigned the entitlements possessed by the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity; and
- when a new identity having attributes is subsequently added to said role, applying said policy to said new identity;

wherein the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity is determined by:
- automatically obtaining a list of entitlements not common to all identities in said role;
- automatically creating a vector, for each identity associated with an entitlement in said list, mapping the set of non-entitlement attributes possessed by said identity to the non-commonly-owned entitlements possessed by said identity; and
- automatically iterating through said vector, comparing the non-entitlement attributes of each role identity to the non-entitlement attributes of said new identity, to determine the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity.

Dependent claims: 5.
6. A computer readable medium including one or more computer programs operative to cause a computer to generate at least one policy for a role comprising a plurality of identities having attributes that include entitlements and non-entitlement attributes, the computer programs causing the computer to perform the steps of:
- obtaining a list of attributes possessed by all of the identities in said role;
- extracting from said list of attributes a first list of entitlements common to all of said predetermined number of the identities in said role;
- forming a policy for said role that said first list of entitlements will be given to an identity subsequently added to said role;
- extracting from said list of attributes a second list of entitlements not common to all identities in said role;
- creating a vector, for each identity associated with an entitlement in said second list, mapping the set of non-entitlement attributes possessed by said identity to the non-commonly-owned entitlements possessed by said identity;
- when a new identity having attributes is added to said role, iterating through said vector to determine the identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity; and
- forming an additional policy for said role recommending that said new identity be given the entitlements of said most closely matching identity.

Dependent claims: 7, 8.
Specification