Systems for network risk assessment including processing of user access rights associated with a network of devices
US-9985983-B2 · May 29, 2018 · US
US10230734B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10230734-B2 |
| Application number | US-201514962211-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 8, 2015 |
| Priority date | Dec 8, 2015 |
| Publication date | Mar 12, 2019 |
| Grant date | Mar 12, 2019 |
Official abstract text for this publication.
Systems and techniques to identify and modify unused (or seldom used) access privileges are described. Group membership data may be correlated with access map data to create a user-resource access map identifying privilege levels associated with individual user accounts to access computing resources in a computing system. User activity event logs generated as a result of user accounts accessing the resources may be correlated with the user-resource access map to identify user accounts that do not use (or seldom use) particular privilege levels to access particular resources. The identified user accounts may be modified to remove the unused (or seldom used) privilege levels.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method, comprising: correlating: group membership data including a plurality of user accounts that includes at least a first user account belonging to a first group and a second group, and a second user account belonging to a third group; and access map data identifying a first privilege level associated with the first group that is used to access a first resource, a second privilege level associated with the second group that is used to access the second resource, and a third privilege level associated with the third group that is used to access the first resource; creating a user-resource access map identifying particular privilege levels corresponding to individual user accounts of the plurality of user accounts to access one or more computer-rooted resources including the first resource and the second resource; determining a set of user activity event logs associated with one or more of the plurality of accounts accessing the one or more computer-rooted resources within a predetermined time period; correlating the set of user activity event logs with the user-resource access map; determining that the first user account did not use the first privilege level to access the first resource above a threshold percentage of time; determining that the first user account used the second privilege level to access the second resource above a threshold percentage of time; determining that removing the first privilege level from the first user account will not modify membership of the first user account in at least the second group; and modifying the first user account to remove the first privilege level based on a determination that removing the first privilege level from the user account will not modify membership of the first user account in at least the second group.

2. The computer-implemented method of claim 1, wherein the one or more computer-rooted resources include at least one of a database, a server, a user workstation, an email system, a directory, or a file.

3. The computer-implemented method of claim 1, wherein the first privilege level comprises write access.

4. The computer-implemented method of claim 1, wherein the second privilege level comprises read access.

5. The computer-implemented method of claim 1, wherein an individual activity event log of the set of user activity event logs identifies: a particular user account of the plurality of user accounts used to perform an activity; a particular resource of the one or more computer-rooted resources that was accessed by the particular user account; a particular privilege level associated with the particular user account that was used to access the particular resource; and a date and a time at which the access to the particular resource occurred.

6. The computer-implemented method of claim 1, wherein modifying the first user account to remove the first privilege level comprises: removing the first user account from the first group.

7. The computer-implemented method of claim 1, wherein modifying the first user account to remove the first privilege level comprises: removing the first privilege level from the first group.

8. One or more non-transitory computer-readable media storing instructions that are executable by one or more processors to perform operations comprising: correlating group membership data including a plurality of user accounts that includes at least a first user account belonging to a first group and a second group, and a second user account belonging to a third group with access map data identifying a first privilege level associated with the first group that is used to access a first resource, a second privilege level associated with the second group that is used to access a second resource, and a third privilege level associated with the third group that is used to access the first resource; creating a user-resource access map identifying particular privilege levels corresponding to individual user accounts of the plurality of user accounts to access one or more computer-rooted resources including the first resource and the second resource; retrieving a set of user activity event logs associated with one or more of the plurality of accounts accessing the one or more computer-rooted resources within a predetermined time period; correlating the set of user activity event logs with the user-resource access map; determining that the first user account did not use the first privilege level to access the first resource above a threshold percentage of time; determining that the first user account used the second privilege level to access the second resource above a threshold percentage of time; determining that removing the first privilege level from the user account will not modify membership of the first user account in at least the second group; and modifying the first user account to remove the first privilege level based on a determination that removing the first privilege level from the user account will not modify membership of the first user account in at least the second group.

9. The one or more non-transitory computer-readable media of claim 8, wherein the first privilege level comprises write access.

10. The one or more non-transitory computer-readable media of claim 8, wherein the second privilege level comprises read access.

11. The one or more non-transitory computer-readable media of claim 8, wherein an individual activity event log of the set of user activity event logs includes: a user account identifier associated with a user account that is used to perform an activity, a resource identifier identifying a resource of the one or more computer-rooted resources that was accessed by the user account, a privilege level identifier identifying a privilege level used to access the resource, and a timestamp indicating a date and a time at which the access to the resource occurred.

12. The one or more non-transitory computer-readable media of claim 8, wherein modifying the first user account to remove the first privilege level comprises: removing the first user account from the first group.

13. The one or more non-transitory computer-readable media of claim 8, wherein modifying the first user account to remove the first privilege level comprises: removing the first privilege level from the first group.

14. A server, comprising: one or more processors; and one or more non-transitory computer-readable media storing instructions that are executable by the one or more processors to: correlating group membership data including a plurality of user accounts that includes at least a first user account belonging to a first group and a second group, and a second user account belonging to a third group with access map data identifying a first privilege level associated with the first group that is used to access a first resource, a second privilege level associated with the second group that is used to access a second resource, and a third privilege level associated with the third group that is used to access the first resource; creating a user-resource access map identifying particular privilege levels corresponding to individual user accounts of the plurality of user accounts to access one or more computer-rooted resources including the first resource and the second resource; retrieving a set of user activity event logs associated with one or more of the plurality of accounts accessing the one or more computer-rooted resources within a predetermined time period; correlating the set of user activity event logs with the user-resource access map; determining that the f
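The procedure in claim 1 (build a user-resource access map from group membership and access map data, correlate it with activity logs from a fixed window, flag privilege levels used at or below a threshold, and remove one only when leaving the granting group does not disturb a group whose privilege the user still uses), as an added worked example that is not code from the patent or its assignee. The sample accounts, groups, resources and log entries are constructed, and "percentage of time" is interpreted here as the share of the user's logged accesses to a resource within the window that used a given privilege level, which is one reading of the claim, not the only one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical; not taken from the patent).
MEMBERSHIP = {"alice": {"db-writers", "db-readers"}, "carol": {"app-ops"}}
ACCESS_MAP = {  # group -> privilege levels it grants on resources
    "db-writers": [("orders-db", "write")],
    "db-readers": [("orders-db", "read")],
    "app-ops": [("app-server", "read"), ("app-server", "write")],
}
T0 = datetime(2024, 1, 1)
WINDOW = (T0, T0 + timedelta(days=30))  # the "predetermined time period"
LOGS = (  # (user, resource, privilege used, timestamp)
    [("alice", "orders-db", "read", T0 + timedelta(days=d)) for d in range(9)]
    + [("alice", "orders-db", "write", T0 + timedelta(days=9))]
    + [("carol", "app-server", "read", T0 + timedelta(days=d)) for d in range(5)]
    + [("alice", "orders-db", "write", T0 - timedelta(days=400))]  # outside window
)

def user_resource_access_map(membership, access_map):
    """user -> {(resource, privilege): set of groups that grant it}"""
    uram = defaultdict(lambda: defaultdict(set))
    for user, groups in membership.items():
        for g in groups:
            for res, priv in access_map[g]:
                uram[user][(res, priv)].add(g)
    return uram

def usage_fraction(logs, user, res, priv, start, end):
    """Share of the user's logged accesses to res within [start, end] that used priv."""
    hits = [e for e in logs if e[0] == user and e[1] == res and start <= e[3] <= end]
    return sum(e[2] == priv for e in hits) / len(hits) if hits else 0.0

def removable_privileges(membership, access_map, logs, start, end, threshold):
    """Privileges used at or below threshold whose removal leaves no still-used group."""
    out = []
    for user, grants in user_resource_access_map(membership, access_map).items():
        frac = {k: usage_fraction(logs, user, k[0], k[1], start, end) for k in grants}
        used_groups = set().union(*(grants[k] for k in grants if frac[k] > threshold))
        for (res, priv), groups in grants.items():
            # carol's unused write shares its group with her used read, so it is kept
            if frac[(res, priv)] <= threshold and not groups & used_groups:
                out.append((user, res, priv, sorted(groups)))
    return out

def apply_removals(membership, findings):
    """New membership map with each flagged user removed from the groups listed."""
    new = {u: set(gs) for u, gs in membership.items()}
    for user, _, _, groups in findings:
        new[user] -= set(groups)
    return new
```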
CPC classification titles: Grouping of entities; Entity profiles.