Title of invention: Retrospective policy safety net
Abstract: These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions.
Publication number: US9503458(B2) Publication date: 2016.11.22
Application number: US201514823423 Filing date: 2015.08.11
Applicant: International Business Machines Corporation Inventors: Zurko Mary Ellen;Blakley, III George R.
Classification: G06F21/00;H04L29/06;G06F21/62 Main classification: G06F21/00
Agency: Scully, Scott, Murphy & Presser, P.C. Agent: Scully, Scott, Murphy & Presser, P.C.
Main claim: 1. A method of changing an access policy based on a comparison of the access policy with another access policy, the method comprising the steps of: using a computer hardware to implement an access control mechanism having a first access policy identifying specified actions that each of a first group of users has access to; providing an audit log having entries of accesses made in the past to said specified actions under the first access policy as implemented by said computer hardware, each entry in the audit log identifying one of said first group of users and an associated specified action; submitting a second access policy to said access control mechanism, the second access policy identifying the ones of the specified actions that each of a second group of users has access to, and wherein some of the first group of users, who made said accesses in the past to said specified actions under said first access policy, are denied access to said specified actions under the second access policy; comparing a number of entries on the audit log to the second access policy to determine how a policy change from the first access policy to the second access policy would have influenced past access requests, as a predictor of problems with using the second access policy, including determining which ones of the first group of users, identified in said number of entries in the audit log, who were given access to the associated specified actions under the first access policy are not given access to the associated specified actions under the second access policy; and when access to one of the associated specified actions in the audit log is not allowed under the second access policy, displaying said one action to an administrator to see.
Address: Armonk NY US