Automatic role tuning in a computer system
US-9471797-B1 · Oct 18, 2016 · US
US10171471B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10171471-B2 |
| Application number | US-201614991958-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 10, 2016 |
| Priority date | Jan 10, 2016 |
| Publication date | Jan 1, 2019 |
| Grant date | Jan 1, 2019 |
Abstract
Methods, computing systems and computer program products implement embodiments of the present invention that include assigning, to multiple users, respective sets of original roles for accessing data stored on a computer system, and performing, in response to requests from the users, multiple operations on the data. While performing the multiple operations on the data, a transaction log is generated that includes a plurality of entries, each of the entries storing attributes of a given operation. Based on the entries in the log file, a respective set of learned roles for respective users is identified, and the respective sets of the learned roles are assigned to the respective users.
Claims
The invention claimed is:

1. A method for assigning roles to multiple users of a computer system, comprising: assigning, to the multiple users, respective sets of original roles for accessing data stored on the computer system; performing, in response to requests from the multiple users, multiple operations on the data; generating a transaction log file comprising a plurality of entries, each of the entries storing attributes of a given operation; identifying, by a processor based on the entries in the log file, a respective set of learned roles for each of the multiple users by defining, for each transaction log entry, a connection comprising one or more of the attributes and indicating a path from one of the multiple users to a given table accessed by the one of the users, identifying a unique set of the connections, defining a set of initial roles in a one-to-one correspondence with the unique set of the connections, each of the initial roles comprising an initial set of the users and a set of initial permissions, and applying, by the processor to the initial roles, a Hierarchical Clustering algorithm to identify the set of learned roles, each of the learned roles comprising a set of clustered permissions and associated with a subsequent set of the users; assigning, to each given user, the respective sets of the learned roles associated with the given user; and restricting, to the multiple users based on their respective assigned learned roles, access to the data on the computer system.

2. The method according to claim 1, wherein the data comprises a database comprising one or more tables, and wherein the original and the learned roles comprise access permissions for each of the tables.

3. The method according to claim 1, wherein applying the Hierarchical Clustering algorithm comprises creating a first tree data structure comprising nodes representing the initial roles, and comprising performing a cluster analysis on the learned roles to identify any of the nodes that can be rolled up to their respective parent nodes, and rolling up the identified nodes to their respective parent nodes, thereby creating a second tree data structure, and wherein the learned roles comprise the roles represented by the second tree data structure.

4. An apparatus for assigning roles to multiple users of a computer system, comprising: a memory configured to store multiple original roles for accessing data; and a processor configured: to assign, to the multiple users, respective sets of original roles, to perform, in response to requests from the multiple users, multiple operations on the data, to generate a transaction log file comprising a plurality of entries, each of the entries storing attributes of a given operation, to identify, based on the entries in the log file, a respective set of the learned roles for each of the multiple users by defining, for each transaction log entry, a connection comprising one or more of the attributes and indicating a path from one of the multiple users to a given table accessed by the one of the users, identifying a unique set of the connections, defining a set of initial roles in a one-to-one correspondence with the unique set of the connections, each of the initial roles comprising an initial set of the users and a set of initial permissions, and applying, to the initial roles, a Hierarchical Clustering algorithm to identify the set of learned roles, each of the learned roles comprising a set of clustered permissions and associated with a subsequent set of the users, to assign, to each given user, the respective sets of the learned roles associated with the given user, and to restrict, to the multiple users based on their respective assigned learned roles, access to the data on the computer system.

5. The apparatus according to claim 4, wherein the data comprises a database comprising one or more tables, and wherein the original and the learned roles comprise access permissions for each of the tables.

6. The apparatus according to claim 4, wherein the processor is configured to apply the Hierarchical Clustering algorithm by creating a first tree data structure comprising nodes representing the initial roles, and wherein the processor is configured to perform a cluster analysis on the learned roles to identify any of the nodes that can be rolled up to their respective parent nodes, and to roll up the identified nodes to their respective parent nodes, thereby creating a second tree data structure, and wherein the learned roles comprise the roles represented by the second tree data structure.

7. A computer program product for assigning roles to multiple users of a computer system, the computer program product comprising: a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code comprising: computer readable program code configured to assign, to the multiple users, respective sets of original roles for accessing data stored on the computer system; computer readable program code configured to perform, in response to requests from the multiple users, multiple operations on the data; computer readable program code configured to generate a transaction log file comprising a plurality of entries, each of the entries storing attributes of a given operation; computer readable program code configured to identify, based on the entries in the log file, a respective set of learned roles for each of the multiple users by defining, for each transaction log entry, a connection comprising one or more of the attributes and indicating a path from one of the multiple users to a given table accessed by the one of the users, identifying a unique set of the connections, defining a set of initial roles in a one-to-one correspondence with the unique set of the connections, each of the initial roles comprising an initial set of the users and a set of initial permissions, and applying, to the initial roles, a Hierarchical Clustering algorithm to identify the set of learned roles, each of the learned roles comprising a set of clustered permissions and associated with a subsequent set of the users; computer readable program code configured to assign, to each given user, the respective sets of the learned roles associated with the given user; and computer readable program code configured to restrict, to the multiple users based on their respective assigned learned roles, access to the data on the computer system.

8. The computer program product according to claim 7, wherein the data comprises a database comprising one or more tables, and wherein the original and the learned roles comprise access permissions for each of the tables.

9. The computer program product according to claim 7, wherein the computer readable program code is configured to apply the Hierarchical Clustering algorithm by creating a first tree data structure comprising nodes representing the initial roles, and comprising computer readable program code configured to perform a cluster analysis on the learned roles to identify any of the nodes that can be rolled up to their respective parent nodes, and to roll up the identified nodes to their respective parent nodes, thereby creating a second tree data structure, and wherein the learned roles comprise the roles represented by the second tree data structure.
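The claimed pipeline (connections from log entries, one initial role per unique connection, agglomerative roll-up into learned roles, assignment) as an added Python illustration; this is not the patent's own code, and the transaction log, the Jaccard-on-user-sets merge criterion and the over-privilege check are assumptions of this example, not disclosed by the page.

```python
from collections import defaultdict
from itertools import combinations
# Constructed transaction log entries: (user, table, operation) attributes.
LOG = [
    ("alice", "orders", "SELECT"), ("alice", "orders", "INSERT"),
    ("bob", "orders", "SELECT"), ("bob", "orders", "INSERT"),
    ("carol", "payroll", "SELECT"), ("dave", "payroll", "SELECT"), ("dave", "payroll", "UPDATE"),
    ("alice", "orders", "SELECT"),  # repeated entry: same connection, not a new role
]

def initial_roles(log):
    """One initial role per unique connection (table, op): the users who exercised it."""
    roles = defaultdict(set)
    for user, table, op in log:
        roles[frozenset({(table, op)})].add(user)
    return list(roles.items())

def jaccard(a, b):
    return len(a & b) / len(a | b)

def cluster_roles(roles, threshold=1.0):
    """Agglomerative roll-up: merge the pair of roles whose user sets are most alike
    until no pair reaches the threshold. threshold=1.0 merges only identical user
    sets (no user gains an unexercised permission); lower values yield fewer roles."""
    roles = list(roles)
    while len(roles) > 1:
        scored = [(jaccard(roles[i][1], roles[j][1]), i, j)
                  for i, j in combinations(range(len(roles)), 2)]
        best, i, j = max(scored)
        if best < threshold:
            break
        (pi, ui), (pj, uj) = roles[i], roles[j]
        roles = [r for k, r in enumerate(roles) if k not in (i, j)] + [(pi | pj, ui | uj)]
    return roles

def assign(roles):
    """Map each user to the learned roles (permission sets) containing them."""
    out = defaultdict(list)
    for perms, users in roles:
        for u in users:
            out[u].append(perms)
    return dict(out)

def over_privilege(log, roles):
    """Permissions the learned roles grant a user beyond what the log shows them using."""
    used = defaultdict(set)
    for user, table, op in log:
        used[user].add((table, op))
    granted = {u: frozenset().union(*p) for u, p in assign(roles).items()}
    return {u: g - used[u] for u, g in granted.items() if g - used[u]}
```

Running `over_privilege` after clustering shows the trade-off a lower merge threshold makes: fewer learned roles, but some users receive permissions the log never shows them exercising.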
Probabilistic graphical models, e.g. probabilistic networks · CPC title
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title
Grouping of entities · CPC title
Vulnerability analysis · CPC title
Physics · mapped topic