Automatic policy generation based on role entitlements and identity attributes

US 7,284,000 B2
Filed: 12/19/2003
Issued: 10/16/2007
Est. Priority Date: 12/19/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of automatically generating a policy for a role, said role comprising a plurality of identities having attributes that include entitlements and non-entitlement attributes, comprising:

automatically obtaining a list of attributes possessed by all of the identities in said role;

automatically extracting from said list of attributes a first list of entitlements common to all of said predetermined number of the identities in said role;

automatically forming a policy for said role that said first list of entitlements will be given to an identity subsequently added to said role;

automatically extracting from said list of attributes a second list of entitlements not common to all identities in said role;

automatically creating a vector, considering each identity associated with an entitlement in said second list, mapping the set of non-entitlement attributes possessed by said identity to the non-commonly-owned entitlements possessed by said identity;

when a new identity having attributes is added to said role, automatically iterating through said vector to determine the identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity; and

automatically forming an additional policy for said role recommending that said new identity be given the entitlements of said most closely matching identity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.

68 Citations

View as Search Results

8 Claims

1. A method of automatically generating a policy for a role, said role comprising a plurality of identities having attributes that include entitlements and non-entitlement attributes, comprising:
- automatically obtaining a list of attributes possessed by all of the identities in said role;
  
  automatically extracting from said list of attributes a first list of entitlements common to all of said predetermined number of the identities in said role;
  
  automatically forming a policy for said role that said first list of entitlements will be given to an identity subsequently added to said role;
  
  automatically extracting from said list of attributes a second list of entitlements not common to all identities in said role;
  
  automatically creating a vector, considering each identity associated with an entitlement in said second list, mapping the set of non-entitlement attributes possessed by said identity to the non-commonly-owned entitlements possessed by said identity;
  
  when a new identity having attributes is added to said role, automatically iterating through said vector to determine the identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity; and
  
  automatically forming an additional policy for said role recommending that said new identity be given the entitlements of said most closely matching identity.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 further comprising:
    - obtaining approval of said recommendation; and
      
      giving said new identity said entitlements.
  - 3. The method of claim 1 wherein automatically creating said vector comprises automatically applying Association Rule Mining to the non-entitlement attributes and non-commonly-owned entitlements for each identity in said second list.

4. A method of assigning entitlements to a new identity upon joining a role, comprising:
- providing a role comprising a plurality of identities having attributes that include entitlements and non-entitlement attributes;
  
  automatically generating a conditional policy for said role based on said entitlements, said conditional policy comprising recommending that when a new identity having attributes is added to said role, said new identity be assigned the entitlements possessed by the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity; and
  
  when a new identity having attributes is subsequently added to said role, applying said policy to said new identity;
  
  wherein the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity is determined by;
  
  automatically obtaining a list of entitlements not common to all identities in said role;
  
  automatically creating a vector, for each identity associated with an entitlement in said list, mapping the set of non-entitlement attributes possessed by said identity to the non-commonly-owned entitlements possessed by said identity; and
  
  automatically iterating through said vector, comparing the non-entitlement attributes of each role identity to the non-entitlement attributes of said new identity, to determine the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity.
- View Dependent Claims (5)
- - 5. The method of claim 4 wherein automatically creating said vector comprises automatically applying Association Rule Mining to the non-entitlement attributes and non-commonly-owned entitlements for each said role identity in said list.

6. A computer readable medium including one or more computer programs operative to cause a computer to generate at least one policy for a role comprising a plurality of identities having attributes that include entitlements and non-entitlement attributes, the computer programs causing the computer to perform the steps of:
- obtaining a list of attributes possessed by all of the identities in said role;
  
  extracting from said list of attributes a first list of entitlements common to all of said predetermined number of the identities in said role;
  
  forming a policy for said role that said first list of entitlements will be given to an identity subsequently added to said role;
  
  extracting from said list of attributes a second list of entitlements not common to all identities in said role;
  
  creating a vector, for each identity associated with an entitlement in said second list;
  
  mapping the set of non-entitlement attributes possessed by said identity to the non-commonly-owned entitlements possessed by said identity;
  
  when a new identity having attributes is added to said role, iterating through said vector to determine the identity whose non-entitlement attributes most closely match the non-entitlement attributes of said new identity; and
  
  forming an additional policy for said role recommending that said new identity be given the entitlements of said most closely matching identity.
- View Dependent Claims (7, 8)
- - 7. The computer readable medium of claim 6, said computer programs further causing the computer to perform the steps of:
    - obtaining approval of said recommendation; and
      
      giving said new identity said entitlements.
  - 8. The computer readable medium of claim 7 wherein creating said vector comprises applying Association Rule Mining to the non-entitlement attributes and non-commonly-owned entitlements for each identity in said second list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Sampathkumar, Govindaraj, Shankar, Hari, Gupta, Pratik, Kuehr-McLaren, David G., Taank, Sumit, Williams, Vincent C., Cutcher, Sharon L., Stube, Brian A.
Primary Examiner(s)
Nguyen; Cam Linh

Application Number

US10/741,708
Publication Number

US 20050138061A1
Time in Patent Office

1,397 Days
Field of Search

707/9, 726/2, 726/1
US Class Current

1/1
CPC Class Codes

G06F 16/00   Information retrieval; Data...

G06F 17/00   Digital computing or data p...

G06Q 10/00   Administration; Management

G06Q 10/06   Resources, workflows, human...

G06Q 10/10   Office automation; Time man...

Y10S 707/99939   Privileged access

Automatic policy generation based on role entitlements and identity attributes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic policy generation based on role entitlements and identity attributes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links