Title of invention: Automated role adjustment in a computer system
Abstract: An embodiment of the invention is associated with a system having a role for controlling user access, the role comprising users, permissions, and a set of rules. The embodiment records each of a succession of access events in an access log, each event comprising an instance of the system being accessed by a user. The embodiment further analyzes recorded access events in the access log at selected time intervals, to detect a condition or violation of rules of the set of rules. Responsive to detecting a condition or violation, the embodiment selectively determines whether any change to the users or permissions of a specified role is needed. Each needed change is then implemented.
Publication number: US8863276(B2)  Publication date: 2014.10.14
Application number: US201313755646  Filing date: 2013.01.31
Applicant: International Business Machines Corporation  Inventors: Giblin Christopher J.; Vukovic Maja
Classification: G06F21/00; G06F11/34; G06F11/32; G06F21/57  Main classification: G06F21/00
Agency: Yee & Associates, P.C.  Agents: Yee & Associates, P.C.; Percello Louis J.
Main claim: 1. In association with a computer system wherein a specified role controls user access, the specified role comprises one or more users and one or more permissions, and a set of prespecified rules pertains to the specified role, a computer implemented method comprising the steps of: recording, by a processor unit of the computer system, access data pertaining to each of a succession of access events in an access log, wherein each event comprises an instance of the computer system being accessed by a particular user; analyzing, by the processor unit, recorded data contained in the access log at selected time intervals, in order to detect one of a plurality of prespecified conditions including the prespecified condition of the specified user is a dormant user; responsive to detecting a prespecified condition, selectively determining, by the processor unit, whether any change to the users or to the permissions of the specified role is needed; and implementing, by the processor unit, each needed change to the users, including removing the specified user from the specified role when the prespecified condition of the specified user is the dormant user, or to the permissions.
Address: Armonk NY US