1. Field
The invention disclosed and claimed herein generally pertains to discovering user access rights in a computer system environment such as a large service hosting environment. More particularly, the invention pertains to using discovered access rights, together with data analytics and crowdsourcing, to design or construct a set of role definitions for controlling user access to the system.
2. Description of the Related Art
In connection with data processing systems used in the past, small teams of administrators typically ran servers locally. As an example, 4 administrators could each be responsible for 100 servers. As a common practice to provide security, each administrator would be granted access privileges by being given a user ID and password on each server or system that she or he administered. Thus, for the above example a total of 4×100 administrator IDs, or four hundred IDs, would be needed.
More recently, data centers have been developed wherein 40 administrators, by way of example, could be responsible for 1000 servers. For this example, 40×1000 administrator IDs, or 40,000, would be needed for security. Moreover, a current development is the significant expansion of IT delivery centers. These activities are exemplified by 400 administrators each being responsible for 10,000 servers, thus requiring 400×10,000 or 4 million administrator IDs.
The above examples demonstrate the multiplicative growth in privileged user ID requirements for access to currently used systems: the number of IDs is the product of the number of administrators and the number of servers, so each hundredfold step in scale multiplies the ID count by ten thousand. However, in arrangements wherein an administrator has a privileged user ID on every system that she or he administers, there is an increased risk of user ID mismanagement, such as IDs that remain active after an administrator's responsibilities change. There also tend to be increased administration costs.
On the other hand, in systems wherein users share privileged IDs, there is a risk of losing accountability, since an action performed under a shared ID cannot be attributed to an individual administrator, and there are also issues with password management and security. Moreover, this arrangement tends to be out of step with present regulatory thinking, which favors individual accountability for privileged access.
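The following is an added illustration of the contrast drawn above, written for this page and not taken from the patent. It starts from a small constructed set of discovered access rights (which administrators can reach which servers), counts the IDs the per-system model requires, then derives candidate role definitions by grouping servers that share exactly the same set of administrators. The administrator names, server names, and the grouping heuristic are assumptions made for the example; the check at the end confirms that the mined roles reproduce the discovered access exactly, with no over- or under-entitlement, while each administrator keeps an individual, accountable identity.

```python
from collections import defaultdict

# Constructed sample of discovered access rights: administrator -> servers
# she or he administers. Names are hypothetical, chosen for the example.
ACCESS = {
    "alice": {"web01", "web02", "web03"},
    "bob":   {"web01", "web02", "web03"},
    "carol": {"db01", "db02"},
    "dave":  {"db01", "db02", "web01", "web02", "web03"},
}


def per_system_ids(access):
    """IDs needed when every administrator gets a local ID on every system
    she or he administers (the admins x servers model from the background)."""
    return sum(len(servers) for servers in access.values())


def mine_roles(access):
    """Derive candidate role definitions from discovered access rights.

    Heuristic (an assumption for this example): servers that are reachable by
    exactly the same set of administrators are treated as one resource group,
    and that administrator set becomes the role's membership.
    """
    admins_by_server = defaultdict(set)
    for admin, servers in access.items():
        for server in servers:
            admins_by_server[server].add(admin)

    servers_by_admins = defaultdict(set)
    for server, admins in admins_by_server.items():
        servers_by_admins[frozenset(admins)].add(server)

    roles = {}
    # Sort by server names so role numbering is deterministic.
    ordered = sorted(servers_by_admins.items(), key=lambda kv: sorted(kv[1]))
    for index, (admins, servers) in enumerate(ordered):
        roles[f"role{index}"] = {"members": set(admins), "servers": set(servers)}
    return roles


def role_assignments(roles):
    """Number of (administrator, role) memberships; each administrator still
    holds one personal ID, so accountability is preserved."""
    return sum(len(role["members"]) for role in roles.values())


def effective_access(roles):
    """Expand role definitions back into administrator -> servers, so the
    result can be compared against the discovered rights."""
    effective = defaultdict(set)
    for role in roles.values():
        for admin in role["members"]:
            effective[admin] |= role["servers"]
    return dict(effective)


def roles_are_exact(access, roles):
    """True when the mined roles grant exactly the discovered access:
    nobody gains a server, nobody loses one."""
    return effective_access(roles) == access


if __name__ == "__main__":
    roles = mine_roles(ACCESS)
    print("per-system IDs:", per_system_ids(ACCESS))
    print("roles:", len(roles), "assignments:", role_assignments(roles))
    print("exact:", roles_are_exact(ACCESS, roles))
```

With the constructed sample the per-system model needs 13 IDs, whereas two roles with 5 memberships cover the same access. In practice the exactness check is the important part: a role set that passes it can replace per-system IDs without silently widening anyone's privileges, and a failing check points at the servers or administrators whose access does not fit the mined roles.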