US20040128537A1 - Retrospective policy safety net - Google Patents


Publication number
US20040128537A1
Authority
US
United States
Prior art keywords
policy
access
step
entries
comparing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/331,742
Inventor
Mary Zurko
George Blakley
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp
Priority to US10/331,742
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BLAKLEY, GEORGE R., III, ZURKO, MARY ELLEN
Publication of US20040128537A1
Application status is Abandoned

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L63/101 Access control lists [ACL]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect

Abstract

These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions.

Description

    BACKGROUND OF THE INVENTION
  • 1. Field of the Invention [0001]
  • This invention generally relates to methods and systems for evaluating access policy changes, and more specifically, to methods and systems for determining how a policy change would have influenced past actions as a predictor for future problems. [0002]
  • 2. Background Art [0003]
  • It is often difficult for computer network administrators to be sure they are doing something both secure and efficient when they change policy information that controls user behavior. Prior art procedures for changing policy information generally focus on controlling access to information but do not apply to all potentially restrictive policy information. [0004]
  • An administrator may discover that some resource, like a discussion database, has its Access Control List (ACL) set to allow anyone to read it. To tighten security, they will remove that entry. Now, they need to be concerned with a surge of help desk calls from the people who were relying on that access to get their job done, who are not explicitly listed in the remaining ACL. [0005]
  • The concept of one active policy and several latent policies is known. Latent policies can be queried against before becoming active, to understand the impact of changes. However, most administrators who change policies do not know what to check, and what to ask about, and do not have the time to think about it. [0006]
  • SUMMARY OF THE INVENTION
  • An object of this invention is to improve methods and systems for evaluating access policy changes. [0007]
  • Another object of the invention is to determine how a policy change would have influenced past actions. [0008]
  • A further object of the present invention is to compare a policy change against some history of past actions and to tell a computer network administrator what happened in the past that could not happen in the future because of this change. [0009]
  • A further object of the invention is to make changes to a policy based on a comparison with a past policy and a prediction about how important that change will be going forward. [0010]
  • These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions. [0011]
  • For example, these predetermined actions may be (i) making the change with a warning, (ii) rejecting the change, (iii) making a different change so that the things that happened in the log are still allowed, but some other things are not allowed (newly disallowed), and (iv) displaying the problem to the administrator and letting them decide what to do. The choice among these actions might be configured in a number of ways. For instance, sites can configure which of those actions are appropriate. Alternatively, which actions the system takes can be based on information in the policies, in the changes, in the users that would be denied or their attributes, or in the actions that would be denied and their attributes. For example, a configuration could say that if the users who would be denied an access are listed in the corporate directory as active employees and the action that they took that would be denied is less than one week old, alter the policy to continue to allow the action and log the warning to an administrator. [0012]
  • Also, the invention may be embodied in a live system. In one embodiment, further steps may include submitting either or both of the second policy or the changes to the first policy that produce that second policy. In addition, in a preferred procedure, the present invention can tell someone changing a policy how that policy change would have influenced past (retrospective) actions. It compares the policy change against some history of past actions, and tells the administrator what happened in the past that could not happen in the future because of this change. The administrator can consider whether that is going to be desirable or not. The preferred procedure includes configuring which of a set of four courses of action to take. [0013]
  • Further benefits and advantages of the invention will become apparent from a consideration of the following detailed description, given with reference to the accompanying drawings, which specify and show preferred embodiments of the invention. [0014]
  • BRIEF DESCRIPTION OF THE DRAWING
  • FIG. 1 is a flow chart illustrating a preferred procedure embodying this invention. [0015]
  • FIG. 2 illustrates the operation of this invention. [0016]
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • This invention, generally, relates to a method and system for evaluating access policy changes. With reference to FIGS. 1 and 2, the method comprises the step 12 of providing an access control mechanism 14 having a first policy 16, and an audit log 20 having entries 22 of accesses made under that first policy. The method comprises the further steps, represented at 24, 26 and 30, respectively, of submitting a second policy 32 to the access control mechanism, comparing at 34 the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions. [0017]
  • For example, these predetermined actions may be (i) making the change with a warning, (ii) rejecting the change, (iii) making a different change so that the things that happened in the log are still allowed, but some other things are not allowed (newly disallowed), and (iv) displaying, as represented at 36, the problem to the administrator and letting them decide what to do. The choice among these actions might be configured in a number of ways. For instance, sites can configure which of those actions are appropriate. Alternatively, which actions the system takes can be based on information in the policies, in the changes, in the users that would be denied or their attributes, or in the actions that would be denied and their attributes. For example, a configuration could say that if the users who would be denied an access are listed in the corporate directory as active employees and the action that they took that would be denied is less than one week old, alter the policy to continue to allow the action and log the warning to an administrator. [0018]
  • The present invention, it may be noted, may be embodied in a live system. In addition, in a preferred procedure, the present invention can tell someone changing a policy how that policy change would have influenced past (retrospective) actions. It compares the policy change against some history of past actions, and tells the administrator what happened in the past that could not happen in the future because of this change. The administrator can consider whether that is going to be desirable or not. The preferred procedure includes configuring which of a set of four courses of action to take. [0019]
  • The most straightforward implementation of this invention involves a simple access control mechanism (say an ACL) and a log or audit history of actions that were controlled by the access control mechanism. For example, take a Domino ACL with the ability to compute a person's current effective access, and an audit log of accesses to a Domino database that includes the identity of the person taking the action and the particular action. The actions that can be taken are directly mapped to permissions in the ACL via a table. For example, the read action is mapped to the reader level. [0020]
  • When a change to the ACL is being made or proposed, with any suitable algorithm, some number of audit entries are compared against the new ACL. The effective access of the person in the audit entry is calculated, and that access is compared to the action in the audit record. If the action in the audit record is no longer allowed, it is displayed for the administrator in some form that allows the administrator to understand what it was and why it would be no longer allowed by the new ACL. [0021]
  • The system of this invention can be configured to take a number of actions, depending on site policy. For instance, the change can be made (and a warning logged) or the change can be rejected (with notification). As another example, the system can modify the change to “fix” it, so that the past event in the audit log would still be allowed, but other events covered by the original change would be newly disallowed. This is possible for policy modifications that target a group of users, a group of actions, a group of objects, or a number of contextual constraints. [0022]
  • For example, if the change to an ACL is to deny an action to a group of users (or to remove a group of users from an ACL such that actions previously allowed would be denied), then a companion “fix up” change would add an entry for the single user in the conflicting audit event to allow that action, such that it would take precedence over the new group disallowed entry, or it would maintain the ability to take the action that removing an entry would disallow. Similar examples are possible for the other types of groupings. [0023]
  • Any suitable hardware may be used to practice the present invention. For example, any suitable computer or computer network may be used to implement the access control mechanism 14, and any suitable monitor or display 36 may be used to display the results of comparing the log entries to the second policy. [0024]
  • While it is apparent that the invention herein disclosed is well calculated to fulfill the objects stated above, it will be appreciated that numerous modifications and embodiments may be devised by those skilled in the art, and it is intended that the appended claims cover all such modifications and embodiments as fall within the true spirit and scope of the present invention. [0025]
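The comparison in paragraphs [0020] and [0021] and the configurable outcomes in [0022] and [0023], including the per-user "fix up" entry, worked through as an added Python example; it is not code from the patent or from Domino. The five-level ordering, the action table rows other than read to reader, the `-Default-` entry name, the mode names and all users, groups and log entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum


class Level(IntEnum):
    """Simplified access levels, ordered weakest to strongest (assumed)."""
    NO_ACCESS = 0
    READER = 1
    AUTHOR = 2
    EDITOR = 3
    MANAGER = 4


# Table mapping each logged action to the ACL level it requires. Only
# read -> reader comes from the patent text; the other rows are assumed.
REQUIRED = {"read": Level.READER, "create": Level.AUTHOR,
            "edit": Level.EDITOR, "change_acl": Level.MANAGER}
DEFAULT = "-Default-"  # assumed name of the "anyone" entry


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    action: str


def effective_access(acl, groups, user):
    """A personal entry takes precedence, then the best group, then default."""
    if user in acl:
        return acl[user]
    via_groups = [lvl for name, lvl in acl.items() if user in groups.get(name, ())]
    return max(via_groups) if via_groups else acl.get(DEFAULT, Level.NO_ACCESS)


def retrospective_conflicts(new_acl, groups, log):
    """Logged accesses that the proposed ACL would no longer allow."""
    out = []
    for entry in log:
        have = effective_access(new_acl, groups, entry.user)
        need = REQUIRED[entry.action]
        if have < need:
            out.append((entry, have, need))
    return out


def evaluate_change(old_acl, new_acl, groups, log, mode, keep=lambda e: True):
    """Return (acl_to_activate, conflicts, outcome) for the configured mode."""
    conflicts = retrospective_conflicts(new_acl, groups, log)
    if not conflicts:
        return new_acl, conflicts, "applied"
    if mode == "warn":
        return new_acl, conflicts, "applied with warning"
    if mode == "reject":
        return old_acl, conflicts, "rejected"
    if mode == "fixup":
        fixed = dict(new_acl)
        for entry, _have, need in conflicts:
            if keep(entry):  # add a personal entry that outranks the change
                fixed[entry.user] = max(fixed.get(entry.user, Level.NO_ACCESS), need)
        return fixed, conflicts, "applied with fix-up entries"
    return old_acl, conflicts, "held for administrator decision"


# Constructed sample data: users, groups, directory and log are invented.
NOW = datetime(2003, 1, 15, 12, 0)
GROUPS = {"Editors": {"bob"}}
ACTIVE_EMPLOYEES = {"alice", "bob", "admin"}  # stand-in for a directory lookup
OLD_ACL = {DEFAULT: Level.READER, "Editors": Level.EDITOR, "admin": Level.MANAGER}
NEW_ACL = {"Editors": Level.EDITOR, "admin": Level.MANAGER}  # "anyone reads" removed
LOG = [
    AuditEntry(NOW - timedelta(days=2), "alice", "read"),
    AuditEntry(NOW - timedelta(days=1), "bob", "edit"),
    AuditEntry(NOW - timedelta(days=30), "carol", "read"),
    AuditEntry(NOW - timedelta(hours=3), "admin", "change_acl"),
]


def recent_active(entry):
    """Site rule from the text: active employee and action under a week old."""
    return entry.user in ACTIVE_EMPLOYEES and NOW - entry.when < timedelta(days=7)


if __name__ == "__main__":
    acl, conflicts, outcome = evaluate_change(
        OLD_ACL, NEW_ACL, GROUPS, LOG, "fixup", keep=recent_active)
    print(outcome)
    for entry, have, need in conflicts:
        print(f"{entry.user} {entry.action}: has {have.name}, needs {need.name}")
    print({name: lvl.name for name, lvl in acl.items()})
```

Any mode other than the three named ones leaves the first policy active and returns the conflicts for display, which corresponds to option (iv).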

Claims (18)

What is claimed is:
1. A method of evaluating an access policy change, comprising the steps of:
providing an access control mechanism having a first policy, and an audit log having entries of accesses made under said first policy;
submitting a second policy to said access control mechanism;
comparing said entries to said second policy; and
based on the results of the comparing step, taking one of a predetermined number of actions.
2. A method according to claim 1, wherein:
each entry in the log identifies a person and an associated action; and
the comparing step includes the step of, for each of a group of the entries, determining whether the person identified in the action has access under the second policy to the associated action.
3. A method according to claim 1, wherein the taking step includes the step of displaying any of said entries which do not have access under said second policy.
4. A method according to claim 1, wherein the taking step includes the step of modifying the second policy, using one of a group of predefined procedures, based on the results of the comparing step.
5. A method according to claim 4, wherein a defined group of users has access to a specified action under the first policy and do not have access to the specified action under the second policy, and wherein the modifying step includes the step of altering the second policy so that said second policy provides a subset of said group of users with access to the specified action.
6. A method according to claim 1, wherein the comparing step includes the step of comparing said entries to the second policy before the second policy becomes active.
7. A system for evaluating an access policy change, comprising:
means providing an access control mechanism having a first policy, and an audit log having entries of accesses made under said first policy, said access control mechanism including
means for receiving a second policy;
means for comparing said entries to said second policy; and
comprises means for taking one of a predetermined number of actions based on the results of the comparing means.
8. A system according to claim 7, wherein:
each entry in the log identifies a person and an associated action; and
the means for comparing includes means for determining, for each of a group of the entries,
action.
9. A system according to claim 7, wherein the means for taking includes means for displaying any of said entries which do not have access under said second policy.
10. A system according to claim 7, wherein the means for taking includes means for modifying the second policy, using one of a group of predefined procedures, based on the results of the comparing means.
11. A system according to claim 9, wherein a defined group of users has access to a specified action under the first policy and do not have access to the specified action under the second policy, and wherein the modifying means includes means for altering the second policy so that said second policy provides a subset of said group of users with access to the specified action.
12. A system according to claim 11, wherein the comparing means compares said entries to the second policy before the second policy becomes active.
13. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for evaluating an access policy change, said method steps comprising:
providing an access control mechanism having a first policy, and an audit log having entries of accesses made under said first policy;
submitting a second policy to said access control mechanism;
comparing said entries to said second policy; and
based on the results of the comparing step, taking one of a predetermined number of actions.
14. A program storage device according to claim 13, wherein:
each entry in the log identifies a person and an associated action; and
the comparing step includes the step of, for each of a group of the entries, determining whether the person identified in the action has access under the second policy to the associated action.
15. A program storage device according to claim 13, wherein the taking step includes the step of displaying any of said entries which do not have access under said second policy.
16. A program storage device according to claim 15, wherein the taking step includes the step of modifying the second policy, using one of a group of predefined procedures, based on the results of the taking step.
17. A program storage device according to claim 16, wherein a defined group of users has access to a specified action under the first policy and do not have access to the specified action under the second policy, and wherein the modifying step includes the step of altering the second policy so that said second policy provides a subset of said group of users with access to the specified action.
18. A method according to claim 13, wherein the comparing step includes the step of comparing said entries to the second policy before the second policy becomes active.
US10/331,742 2002-12-30 2002-12-30 Retrospective policy safety net Abandoned US20040128537A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/331,742 US20040128537A1 (en) 2002-12-30 2002-12-30 Retrospective policy safety net

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US10/331,742 US20040128537A1 (en) 2002-12-30 2002-12-30 Retrospective policy safety net
US12/607,633 US8474006B2 (en) 2002-12-30 2009-10-28 Retrospective policy safety net
US13/838,358 US8904476B2 (en) 2002-12-30 2013-03-15 Retrospective policy safety net
US14/521,989 US9148433B2 (en) 2002-12-30 2014-10-23 Retrospective policy safety net
US14/823,423 US9503458B2 (en) 2002-12-30 2015-08-11 Retrospective policy safety net

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US12/607,633 Continuation US8474006B2 (en) 2002-12-30 2009-10-28 Retrospective policy safety net

Publications (1)

Publication Number Publication Date
US20040128537A1 true US20040128537A1 (en) 2004-07-01

Family

ID=32654815

Family Applications (5)

Application Number Title Priority Date Filing Date
US10/331,742 Abandoned US20040128537A1 (en) 2002-12-30 2002-12-30 Retrospective policy safety net
US12/607,633 Expired - Fee Related US8474006B2 (en) 2002-12-30 2009-10-28 Retrospective policy safety net
US13/838,358 Expired - Fee Related US8904476B2 (en) 2002-12-30 2013-03-15 Retrospective policy safety net
US14/521,989 Active US9148433B2 (en) 2002-12-30 2014-10-23 Retrospective policy safety net
US14/823,423 Active US9503458B2 (en) 2002-12-30 2015-08-11 Retrospective policy safety net

Country Status (1)

Country Link
US (5) US20040128537A1 (en)

Also Published As

Publication number Publication date
US20130205368A1 (en) 2013-08-08
US8474006B2 (en) 2013-06-25
US9148433B2 (en) 2015-09-29
US20100115580A1 (en) 2010-05-06
US20150350216A1 (en) 2015-12-03
US9503458B2 (en) 2016-11-22
US8904476B2 (en) 2014-12-02
US20150046972A1 (en) 2015-02-12

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ZURKO, MARY ELLEN;BLAKLEY, GEORGE R., III;REEL/FRAME:013977/0707;SIGNING DATES FROM 20030124 TO 20030128

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE