Title: Automated role and entitlements mining using network observations
Abstract: A role and entitlements mining system uses network intelligence to facilitate role definition. The system records traffic on a network. The traffic is analyzed to identify the user and application involved. The matched data is then provided to an analytics engine, which analyzes that data to attempt to derive an initial set of one or more roles and the application entitlements for each role. Each role derived by the analytics engine identifies one or more users who are identified as belonging to the role, as well as one or more application entitlements. Preferably, one or more directory services are then interrogated for known group and user relationships to detect whether the roles identified by the analytics engine can be modified or enriched. Evaluation of the known group and user relationships provides a way to identify a more granular set of role definitions. A role-based access control policy is then generated.
Publication number: US9154507(B2)  Publication date: 2015.10.06
Application number: US201213652188  Filing date: 2012.10.15
Applicant: International Business Machines Corporation  Inventors: Ashley Paul A.; Court John W.; Hockings Christopher J.
Classification: G06F17/00; H04L29/06; G06F21/55  Main classification: G06F17/00
Agency: (not listed)  Attorneys: LaBaw Jeffrey S.; Judson David H.
Main claim: 1. A method to generate a role-based access control (RBAC) policy, comprising: collecting traffic data from a computer network; based on the collected traffic data, identifying a user and an application being used by the user to generate role and entitlement mining data; analyzing the role and entitlement mining data from multiple users and multiple applications to generate one or more candidate roles, wherein a candidate role is generated by an analytics engine executing on a hardware element and is defined by an identifier, one or more users, and one or more application entitlements; and generating the RBAC policy using at least the candidate role.
Address: Armonk, NY, US
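A worked illustration of the pipeline described in the abstract and claim 1 (traffic observations to candidate roles, directory enrichment, RBAC policy), added for this entry and not the patent's own implementation. The observation records, the directory groups and the rule that splits a candidate role along directory group lines are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample: (user, application) pairs extracted from captured traffic
# once source addresses are matched to users and destinations to applications.
OBSERVATIONS = [
    ("alice", "payroll"), ("alice", "hr-portal"), ("alice", "payroll"),
    ("bob", "payroll"), ("bob", "hr-portal"),
    ("carol", "git"), ("carol", "ci"), ("dave", "git"), ("dave", "ci"),
    ("erin", "git"), ("erin", "ci"),
]
# Constructed directory data: group name -> members (as an LDAP lookup would return).
DIRECTORY_GROUPS = {
    "finance": {"alice", "bob"},
    "dev-backend": {"carol", "dave"},
    "dev-frontend": {"erin"},
}

def mine_entitlements(observations):
    """Per-user set of applications actually exercised on the network.
    Caveat: an entitlement never used during the capture window is not seen."""
    ents = defaultdict(set)
    for user, app in observations:
        ents[user].add(app)
    return dict(ents)

def candidate_roles(entitlements):
    """Users with an identical entitlement set form one candidate role."""
    by_ents = defaultdict(set)
    for user, apps in entitlements.items():
        by_ents[frozenset(apps)].add(user)
    ordered = sorted(by_ents.items(), key=lambda kv: sorted(kv[0]))
    return {f"role-{i}": {"users": users, "entitlements": set(apps)}
            for i, (apps, users) in enumerate(ordered, 1)}

def enrich_with_directory(roles, groups):
    """Split each candidate role along directory group lines for finer granularity."""
    refined = {}
    for rid, role in roles.items():
        parts = {g: role["users"] & m for g, m in groups.items() if role["users"] & m}
        ungrouped = role["users"] - set().union(*groups.values())
        if ungrouped:
            parts["ungrouped"] = ungrouped
        for g, users in parts.items():
            refined[f"{rid}:{g}"] = {"users": users, "entitlements": set(role["entitlements"])}
    return refined

def build_rbac_policy(observations, groups):
    """RBAC policy: refined roles with sorted user and entitlement lists."""
    roles = enrich_with_directory(candidate_roles(mine_entitlements(observations)), groups)
    return {rid: {"users": sorted(r["users"]), "entitlements": sorted(r["entitlements"])}
            for rid, r in roles.items()}
```

Because the miner only sees exercised access, a policy built this way should be reviewed against granted access before it is enforced, or it will lock out users whose entitlements were idle during the capture window.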