The present disclosure relates in general to the management of roles that control user access to computer systems. More specifically, the present disclosure relates to systems and methodologies for the automated tuning of such roles, wherein a given individual may be assigned to multiple roles, and wherein a given individual having multiple roles may perform actions that belong to more than one of that individual's assigned roles.
Computer systems utilize access permissions to allow individuals to gain access to and perform prescribed operations or actions within the computer system. In general, a permission grants the holder of the permission authorization to perform an operation on a specific object, such as a computer file.
Role-based access control (RBAC) is an access control technology used in a variety of computer systems to restrict system access to authorized users. Under this technology, a role is defined as a set of permissions. Roles are created for various job functions, and users are assigned to particular roles. Through their assignment to roles, users receive permission to access certain data or to perform specific operations. Once users are assigned to roles, each role can be viewed as a User-Permission-Assignment (UPA) table.
In an ideal arrangement, only those users who have a current business requirement to access a given set of computer resources should possess the respective permissions to access such resources. However, ongoing changes occur in both the information technology (IT) environment and the personnel of an organization. For example, servers can be decommissioned and new servers can be added or introduced. Organization employees come and go. These natural changes are likely to result in UPAs becoming obsolete or non-optimal over time. Inaccurate, obsolete, overly generous or over-provisioned computer access permissions can create significant security risks. In order to account for these changes, roles that are initially defined and deployed in an RBAC system should thereafter be assessed and certified at specified time intervals. It is, however, a challenge to regularly assess and certify permissions, particularly in large and dispersed IT environments having millions of users and permissions.
Role tuning (or adjustment) is the process of analyzing roles to achieve optimal security administration based on the role each individual plays within an organization. Some known role adjustment methodologies include the analysis of logs of actual access events performed by users. However, such known role adjustment methodologies rely on the assumption that either the role information (i.e., information that identifies under which role a user performs the action) is present in the log file or that each user is assigned to a single role. In practice, the information that identifies the role under which a user performs an action may be unavailable, and a given individual may be assigned to multiple roles. An individual having multiple roles will likely perform access events that fall into more than one role. Other anomalous access event patterns can emerge that are not addressed by known role adjustment techniques.
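The following is an added illustration, not code from the disclosure or any method it claims, of the situation the two preceding paragraphs describe: roles modelled as permission sets (the UPA view), users holding several roles, and an access log that records which permission was exercised but not under which role. The role names, users, permission strings and log lines are all constructed sample data. The script attributes each event to the assigned roles that could explain it, flags events that match more than one role (the multi-role ambiguity the text raises) or none at all, and reports role assignments and role permissions that the log never exercised, which are the usual inputs a reviewer wants when certifying roles.

```python
from collections import defaultdict

# Constructed sample data: each role is a set of permissions, i.e. one row
# group of a User-Permission-Assignment (UPA) table. Names are invented.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:read", "payroll:write", "employee:read"},
    "hr_viewer": {"employee:read"},
    "db_admin": {"db:backup", "db:restore", "db:grant"},
}

# Constructed user-to-role assignments; alice and carol hold multiple roles.
USER_ROLES = {
    "alice": {"payroll_clerk", "hr_viewer"},
    "bob": {"db_admin"},
    "carol": {"hr_viewer", "db_admin"},
}

# Constructed access log as (user, permission exercised). There is no role
# column, which is exactly the gap the text describes.
ACCESS_LOG = [
    ("alice", "payroll:read"),
    ("alice", "employee:read"),   # granted by both of alice's roles
    ("alice", "payroll:write"),
    ("bob", "db:backup"),
    ("bob", "db:grant"),
    ("carol", "employee:read"),
    ("carol", "employee:read"),
    ("dave", "payroll:read"),     # dave has no role assignment at all
    ("carol", "payroll:read"),    # not covered by any of carol's roles
]


def roles_for_event(user, permission):
    """Assigned roles of `user` that grant `permission` (may be several or none)."""
    assigned = USER_ROLES.get(user, set())
    return {r for r in assigned if permission in ROLE_PERMISSIONS.get(r, set())}


def analyze_log(log):
    """Attribute each event to candidate roles; collect ambiguous and unexplained events."""
    exercised = defaultdict(set)   # (user, role) -> permissions actually used under it
    unattributed = []              # events no assigned role explains
    ambiguous = []                 # events explained by more than one assigned role
    for user, perm in log:
        candidates = roles_for_event(user, perm)
        if not candidates:
            unattributed.append((user, perm))
            continue
        if len(candidates) > 1:
            ambiguous.append((user, perm, frozenset(candidates)))
        for role in candidates:
            exercised[(user, role)].add(perm)
    return exercised, unattributed, ambiguous


def tuning_report(log):
    """Findings a reviewer would certify against: unused assignments, unused
    permissions within a role, unexplained events, and multi-role events."""
    exercised, unattributed, ambiguous = analyze_log(log)
    unused_assignments = sorted(
        (user, role)
        for user, roles in USER_ROLES.items()
        for role in roles
        if (user, role) not in exercised
    )
    unused_permissions = {}
    for role, perms in ROLE_PERMISSIONS.items():
        used = set()
        for (_, r), ps in exercised.items():
            if r == role:
                used |= ps
        leftover = perms - used
        if leftover:
            unused_permissions[role] = leftover
    return {
        "unused_assignments": unused_assignments,
        "unused_permissions": unused_permissions,
        "unattributed": unattributed,
        "ambiguous": ambiguous,
    }


if __name__ == "__main__":
    for key, value in tuning_report(ACCESS_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this reports carol's never-used `db_admin` assignment, the never-exercised `db:restore` permission inside `db_admin`, two events no assigned role explains (an unassigned user and a permission outside carol's roles), and alice's `employee:read` event that both of her roles could account for. The last category is the point of the text: without a role column, a log alone cannot say which role was in use, so a tuning process that counts such an event toward one role (or toward every candidate role, as this script does) is making an assumption that should be surfaced rather than hidden.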
Accordingly, it is desirable to provide role tuning systems and methodologies that better account for the realities of how roles (or the corresponding UPAs) are actually utilized.