Title of Invention Retrospective policy safety net
Abstract These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions.
Publication Number US8904476(B2) Publication Date 2014.12.02
Application Number US201313838358 Filing Date 2013.03.15
Applicant International Business Machines Corporation Inventors Zurko, Mary Ellen; Blakley, III, George R.
Classification G06F21/00;G06F21/62 Main Classification G06F21/00
Agent Firm Scully, Scott, Murphy & Presser PC Agents Scully, Scott, Murphy & Presser PC; Tang, Esq. Jeff
Main Claim 1. A method of evaluating an access policy change by determining how a policy change, from a first access policy to a second access policy, would have influenced past access requests, as a predictor of future problems with using the second access policy, the method comprising the steps of: using a computer hardware to implement an access control mechanism having a first access policy, the first access policy including a first access control list of users and identifying specified actions that each of the users on the first access control list has access to; providing an audit log having entries of accesses made in the past to said specified actions under the first access policy as provided to the access control mechanism and implemented by said computer hardware, each entry in the audit log identifying a person and an associated specified action; submitting a second access policy to said access control mechanism, the second access policy including a second access control list of users and identifying specified actions that each of the users on the second access control list has access to, and wherein some of the users, who made said accesses in the past to said specified actions under said first access policy, are denied access to said specified actions under the second access policy; informing an administrator of what happened in the past under the first access policy that could not happen in the future under the second access policy due to the policy change, including comparing a number of entries on the audit log, made under the first access policy, to the second access control list of users to determine which of the persons, identified in said number of entries in the audit log, are not given access, according to the second access control list of users, to the specified actions to which said persons were given access under the first access policy; and based on the results of the comparing, taking one of a predetermined number of actions.
Address Armonk NY US
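The comparison described in the main claim, replaying an audit log recorded under the first policy against the second policy's access control list and picking one of a fixed set of outcomes, as an added illustration that is not code from the patent or from IBM. The policies, audit log entries, threshold and the three outcome labels are constructed assumptions; the claim itself does not name the predetermined actions.

```python
from collections import defaultdict

# Constructed sample policies (not from the patent): access control lists
# mapping each user to the set of specified actions that user may perform.
FIRST_POLICY = {
    "alice": {"read_payroll", "edit_payroll"},
    "bob": {"read_payroll"},
    "carol": {"read_payroll", "approve_invoice"},
}
SECOND_POLICY = {
    "alice": {"read_payroll"},                    # alice loses edit_payroll
    "carol": {"read_payroll", "approve_invoice"},
    # bob is no longer on the access control list at all
}

# Constructed audit log: accesses made under FIRST_POLICY, each entry
# identifying a person and the specified action they accessed.
AUDIT_LOG = [
    ("alice", "edit_payroll"),
    ("alice", "read_payroll"),
    ("bob", "read_payroll"),
    ("bob", "read_payroll"),
    ("carol", "approve_invoice"),
]


def permitted(policy, user, action):
    """True if the access control list in `policy` grants `user` the `action`."""
    return action in policy.get(user, set())


def replay_log(audit_log, second_policy):
    """Compare past accesses to the second policy.

    Returns {(user, action): count} for every logged access that the second
    policy would deny, i.e. what happened in the past that could not happen
    in the future. An empty dict means the change breaks nothing observed.
    """
    denied = defaultdict(int)
    for user, action in audit_log:
        if not permitted(second_policy, user, action):
            denied[(user, action)] += 1
    return dict(denied)


def decide(denied, total_entries, threshold=0.2):
    """Choose one of three assumed predetermined actions from the comparison."""
    if not denied:
        return "apply"                      # nothing observed would be denied
    if sum(denied.values()) / total_entries > threshold:
        return "reject"                     # too much past activity would break
    return "apply-with-report"              # apply, but tell the administrator
```

Running `replay_log(AUDIT_LOG, SECOND_POLICY)` reports alice's one edit and bob's two reads as denied, which is 3 of 5 logged accesses, so `decide` rejects this change under the 20% threshold.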