Policy scope management
Abstract
The appropriate scoping of an access policy can be determined using the observed access and usage of various resources covered under that policy. Information about access requests received over a period of time can be logged, and actions represented in the log data can be mapped to the permissions of the access policy. A new access policy can be generated that includes grant permissions only for those actions that were received and/or granted during the monitored period of time. The new policy can be processed using policy logic to ensure that changes in permission comply with rules or policies for the target resources. The new policy can be at least partially implemented, or can be provided to an authorized user, who can choose to adopt or deny the new policy, or to accept some of the recommendations for modifying the current policy.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A computer-implemented method comprising:
receiving a first set of permissions relating to a set of resources in a multi-tenant environment; receiving a request to access one or more resources of the set of resources; determining at least one type of access corresponding to the received request; determining that the at least one type of access is associated with the first set of permissions; adjusting at least one scope associated with the first set of permissions based on the at least one type of access; and generating, based at least in part on the adjusted scope, a second set of permissions, the second set of permissions maintaining permissions granted using the first set of permissions.
2 . The computer-implemented method of claim 1 , further comprising:
accessing, based at least in part on at least one scope associated with the second set of permissions, one or more resources of the set of resources.
3 . The computer-implemented method of claim 1 , further comprising:
determining the at least one scope, associated with the first set of permissions, based at least in part on at least one previous request to access at least one of the one or more resources of the set of resources.
4 . The computer-implemented method of claim 1 , wherein the first set of permissions include permissions associated with at least one access request or at least one authentication request, the permissions defining a set of actions associated with at least one of the one or more resources of the set of resources.
5 . The computer-implemented method of claim 1 , further comprising:
analyzing the second set of permissions to ensure that any changes in permissions either result in a narrowing of the at least one scope, associated with the first set of permissions, or do not violate other permissions of the second set of permissions.
6 . A computer-implemented method, comprising:
obtaining a first set of permissions applied to a set of resources in a multi-tenant environment; receiving a request to access one or more resources of the set of resources; determining at least one type of access corresponding to the received request; determining that the at least one type of access corresponds to at least one scope associated with the first set of permissions; adjusting, based at least in part on the at least one type of access, the at least one scope; and generating, based at least in part on the adjusted scope, a second set of permissions, the second set of permissions maintaining permissions granted using the first set of permissions.
7 . The computer-implemented method of claim 6 , further comprising:
accessing, based at least in part on at least one scope associated with the second set of permissions, one or more resources of the set of resources.
8 . The computer-implemented method of claim 6 , further comprising:
obtaining a policy template for the set of electronic resources for use in generating the second set of permissions.
9 . The computer-implemented method of claim 6 , further comprising:
determining, based at least in part on the at least one scope associated with the first set of permissions, that the type of access is a least privileged access; and analyzing the second set of permissions to ensure that at least one scope associated with the second set of permissions is reduced.
10 . The computer-implemented method of claim 6 , further comprising:
determining at least one event executed for at least one resource of the one or more resources of the set of resources, wherein the at least one event is mapped to at least one permission of the first set of permissions to determine the permission under which the at least one event was granted access.
11 . The computer-implemented method of claim 10 , further comprising:
determining at least one scope associated with the second set of permissions, wherein the at least one scope associated with the second set of permissions is narrower than the at least one scope associated with the first set of permissions.
12 . The computer-implemented method of claim 6 , further comprising:
wherein the second set of permissions does not remove denied permissions from the first set of permissions and maintains access that was previously granted in the first set of permissions.
13 . The computer-implemented method of claim 6 , further comprising:
determining that the second set of permissions applies to a specific task, the task performed on behalf of a user; and wherein at least one scope of the second set of permissions is based at least in part on the user.
14 . The computer-implemented method of claim 6 , further comprising:
validating the first set of permissions against permissible actions granted to at least one user associated with a customer account to ensure that the first set of permissions reflect the appropriate permissions.
15 . The computer-implemented method of claim 6 , further comprising:
wherein a scope of the second set of permissions grants only permissions granted in the first set of permissions.
16 . The computer-implemented method of claim 6 , further comprising:
detecting at least one suspicious request; generating an alert for the at least one suspicious request; and providing a recommendation to change at least one permission of the first set of permissions to deny access corresponding to the at least one suspicious request.
17 . A system, comprising:
at least one processor; and memory including instructions that, when executed by the at least one processor, cause the system to:
obtain a first set of permissions applied to a set of resources in a multi-tenant environment;
receive a request to access one or more resources of the set of resources;
determine at least one type of access corresponding to the received request;
determine that the at least one type of access corresponds to at least one scope associated with the first set of permissions;
adjust, based at least in part on the at least one type of access, the at least one scope; and
generate, based at least in part on the adjusted scope, a second set of permissions, the second set of permissions maintaining permissions granted using the first set of permissions.
18 . The system of claim 17 , wherein the instructions when executed further cause the system to:
access, based at least in part on at least one scope associated with the second set of permissions, one or more resources of the set of resources.
19 . The system of claim 17 , wherein the instructions when executed further cause the system to:
generate the second set of permissions to only grant permission for access corresponding to a set of actions performed with respect to the first set of permissions.
20 . The system of claim 17 , wherein the instructions when executed further cause the system to:
analyze the second set of permissions to ensure that any changes in permissions either result in a narrowing of the at least one scope associated with the first set of permissions, or do not violate other permissions of the second set of permissions.Join the waitlist — get patent alerts
Track US2023370473A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.