US Patent Application 17826942. OPTIMIZATION FOR ACCESS POLICIES IN COMPUTER SYSTEMS simplified abstract

From WikiPatents

OPTIMIZATION FOR ACCESS POLICIES IN COMPUTER SYSTEMS

Organization Name

International Business Machines Corporation

Inventor(s)

Shawn Patrick Authement of Round Rock TX (US)

Edward Shvartsman of Austin TX (US)

Natalie Isabelle Tagher of Philadelphia PA (US)

Nicholas James Xitco of Austin TX (US)

Dhruv Maniktala of Damascus MD (US)

Aeddon Liu Chipman of Helotes TX (US)

Ben Lopez of Austin TX (US)

OPTIMIZATION FOR ACCESS POLICIES IN COMPUTER SYSTEMS - A simplified explanation of the abstract

This abstract first appeared for US patent application 17826942 titled 'OPTIMIZATION FOR ACCESS POLICIES IN COMPUTER SYSTEMS'.

Simplified Explanation

- The patent application describes systems and methods for analyzing and optimizing access policies.
- The access policy optimization system analyzes access policies to reduce the overall number of policies.
- A metric called access control health is computed to measure the current state of the access policies and determine if optimization is needed.
- The access data, which includes access policies and access groups, is used for analysis.
- A process called policy subgroup mapping is performed to identify subgroups of access policies.
- Subgroups with a large number of entries are converted to access groups, users with those policies are added to the corresponding groups, and individual access policies are deleted.
- Duplicative and redundant policies are identified and removed from the access data.


Original Abstract Submitted

Disclosed embodiments provide systems and methods for analyzing and optimizing access policies. Access policies are analyzed by an access policy optimization system. In cases where large numbers of users have similar access privileges, the number of overall policies can be significantly reduced. An access control health metric is computed on an original set of access data as a measure of the current state of the access policies. It can be used as an indication that optimization of the access policies is warranted. The access data can include access policies and/or access groups. A policy subgroup mapping process is performed to identify subgroups of access policies. Subgroups with a number of entries exceeding a predetermined value are converted to access groups, the users that have those policies are added to the corresponding access groups, and the individual access policies are deleted. Duplicative and/or redundant policies are identified and removed.
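The consolidation steps in the abstract can be sketched as follows. This is an added example, not code from the patent application: the data layout, the function names, the group naming scheme, the threshold of 3, and the reading of a "subgroup" as all individual policies granting the same (resource, action) are assumptions. It also checks that effective access is unchanged by the rewrite, which is the property a reviewer would want verified before deleting individual policies.

```python
from collections import defaultdict

# Constructed sample data: individual policies as (user, resource, action).
POLICIES = [
    ("alice", "bucket-a", "read"),
    ("bob", "bucket-a", "read"),
    ("carol", "bucket-a", "read"),
    ("alice", "bucket-a", "read"),  # exact duplicate
    ("dave", "db-1", "write"),      # redundant: dave is already in db-writers
    ("erin", "bucket-a", "read"),
]
# Constructed sample data: existing access groups.
GROUPS = {"db-writers": {"grant": ("db-1", "write"), "members": {"dave"}}}


def via_groups(groups):
    """Access tuples granted through group membership."""
    return {(m, *g["grant"]) for g in groups.values() for m in g["members"]}


def effective(policies, groups):
    """Every (user, resource, action) granted directly or through a group."""
    return set(policies) | via_groups(groups)


def optimize(policies, groups, threshold=3):
    """Return (remaining_policies, new_groups) without mutating the inputs.
    threshold is a hypothetical stand-in for the 'predetermined value'."""
    groups = {n: {"grant": g["grant"], "members": set(g["members"])}
              for n, g in groups.items()}
    # Remove exact duplicates, then policies already implied by a group.
    unique = list(dict.fromkeys(policies))
    covered = via_groups(groups)
    unique = [p for p in unique if p not in covered]
    # Subgroup mapping: bucket the individual policies by what they grant.
    subgroups = defaultdict(list)
    for user, resource, action in unique:
        subgroups[(resource, action)].append(user)
    remaining = []
    for grant, users in subgroups.items():
        if len(users) > threshold:  # "exceeding" is read as strictly greater
            name = "grp-{}-{}".format(*grant)  # hypothetical naming scheme
            entry = groups.setdefault(name, {"grant": grant, "members": set()})
            entry["members"].update(users)
        else:
            remaining.extend((u, *grant) for u in users)
    # Consolidation must neither widen nor narrow anyone's access.
    assert effective(remaining, groups) == effective(policies, groups)
    return remaining, groups
```
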