Abstract: The present embodiment provides a computer-implemented UAM system and a computer-implemented UAM method that allows the addition or customization on the already existing parameters. The computer-implemented UAM method is based on Attribute Based Access Control (ABAC). The computer-implemented UAM method allows the addition of new attributes and editing or deletion of old attributes while the system is operational. Reference Figure 1
DESC:FIELD OF THE INVENTION
The present embodiment relates to a system and a method for User Access Management (UAM), and more particularly relates to the system and the method for automatic User Access Management (UAM) code generation based on Attribute Based Access Control (ABAC).
BACKGROUND OF THE INVENTION
A User Access Management (UAM) system monitors users' permissions and access rights to files, systems, and services. This helps protect organizations from data loss and security breaches.
Traditionally, UAM software was coded manually to the needs and requirements of the user. A variety of user access controls are available in the market, including the following:
Discretionary Access Control/Mandatory Access Control (DAC/MAC): Restricts access to objects based on the identity of subjects and/or groups to which they belong;
Identity based Access Control List (IBAC/ACLs): Individual privileges of the subject to perform operations (read, write, edit, delete, etc.) are managed on an individual basis by the object owner. Each object needs its own ACL and a set of privileges assigned to each subject;
Role based Access Control (RBAC): Pre-defined roles that carry a specific set of privileges associated with them and to which subjects are assigned;
Attribute Based Access Control (ABAC): Authorization to perform a set of operations is determined by evaluating attributes.
The disadvantage shared by the available systems is that there is no option or means to customize them on parameters beyond those they were originally designed for.
Therefore, there is a need of a UAM system and a UAM method that allows the addition or customization on the already existing parameters.
OBJECTIVES OF THE INVENTION
An objective of the present embodiment is to provide auto-adaptive and evolvable UAM software and thereby save billions of dollars in maintenance and support.
Another objective of the present embodiment is to provide self-aware interoperable UAM software components.
Yet another objective of the present embodiment is to provide more robust and highly flexible UAM software with an order of magnitude higher level of automation.
Yet another objective of the present embodiment is to provide UAM software that can be auto-generated as per user requirements.
SUMMARY OF THE INVENTION
In an aspect, a computer-implemented User Access Management (UAM) method for modifications on pre-existing parameters is provided. The method includes the following steps:
1) Classifying Attribute Based Access Control (ABAC) attributes under identity, environment, resource and operations from a Statement or Scope of Work (SOW) document. The ABAC attributes are classified through an artificially intelligent Natural Language Processing (NLP) system.
2) Categorizing user requirements into a plurality of feature groups. The plurality of feature groups are normalized into domain elements (NDE) or fundamental software constructs (FSC).
3) Generating identity, environment, resources, and operations with their gathered attributes into the class and its variables with default access or method as per Object Oriented Programming (OOP).
4) Auto-generating the code for enforcement as a standard pre-defined configuration module.
The preceding is a simplified summary to provide an understanding of some aspects of embodiments of the present invention. This summary is neither an extensive nor exhaustive overview of the present invention and its various embodiments. The summary presents selected concepts of the embodiments of the present invention in a simplified form as an introduction to the more detailed description presented below. As will be appreciated, other embodiments of the present invention are possible utilizing, alone or in combination, one or more of the features set forth above or described in detail below.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 illustrates a computer-implemented User Access Management (UAM) method (100), according to an embodiment herein.
To facilitate understanding, like reference numerals have been used, where possible, to designate like elements common to the figures.
DETAILED DESCRIPTION
As used throughout this application, the word "may" is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include”, “including”, and “includes” mean including but not limited to.
The phrases “at least one”, “one or more”, and “and/or” are open-ended expressions that are both conjunctive and disjunctive in operation. For example, each of the expressions “at least one of A, B and C”, “at least one of A, B, or C”, “one or more of A, B, and C”, “one or more of A, B, or C” and “A, B, and/or C” means A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B and C together.
The term “a” or “an” entity refers to one or more of that entity. As such, the terms “a” (or “an”), “one or more” and “at least one” can be used interchangeably herein. It is also to be noted that the terms “comprising”, “including”, and “having” can be used interchangeably.
The present embodiment provides the computer-implemented User Access Management (UAM) method that allows the addition or customization on the already existing parameters. The computer-implemented UAM method is based on Attribute Based Access Control (ABAC). The computer-implemented UAM method is based on the user requirements of the UAM. The computer-implemented UAM method allows the addition of new attributes and editing or deletion of old attributes while the system is operational.
In the ABAC method, authorization to perform a set of operations is determined by evaluating attributes. The attributes are associated with a subject, an environment, a resource and operations. Attributes are evaluated against policies, rules and relationships to determine the allowable operations for a given set of attributes.
The computer-implemented UAM method includes the following steps:
At step 102, ABAC attributes are classified/identified under identity, environment, resource and operations. In an embodiment, the client requirements are listed in a Statement or Scope of Work (SOW) document. In an embodiment, the ABAC attributes are classified through an artificially intelligent Natural Language Processing (NLP) system. In an embodiment, policies and privileges are classified/identified from the SOW document. In another embodiment, policies and privileges can be configured after the UAM system is generated.
In an embodiment, other non-UAM requirements are classified/identified from the SOW document. In an embodiment, the non-UAM requirements are categorized into a plurality of feature groups (listed in Table 1). In an embodiment, the non-UAM requirements are classified through an artificially intelligent Natural Language Processing (NLP) system. The features under basic, workflow, optimization, integration and reporting together make up the attributes under resource in ABAC.
| RESOURCES | CREATE/ADD | READ/VIEW | EDIT/UPDATE | DELETE | RUN/EXEC |
|---|---|---|---|---|---|
| Basic Features | Applicable | Applicable | Applicable | Applicable | NA |
| Workflow Features | NA | NA | NA | NA | Applicable |
| Optimization Features | NA | NA | NA | NA | NA |
| Integration/API Features | Applicable | Applicable | Applicable | Applicable | NA |
| Reporting Features | NA | Applicable | NA | NA | Applicable |

Table 1: Feature Resources to Privilege Map
At step 104, the client requirements are categorized into a plurality of feature groups or domain design terms. In an embodiment, the client requirements are categorized through an artificially intelligent Natural Language Processing (NLP) system. The domain design terms are normalized into Normalized Domain Elements (NDE) or Fundamental Software Constructs (FSC). The fundamental elements or software constructs are listed in Table 2.
| RESOURCES | CREATE/ADD | READ/VIEW | EDIT/UPDATE | DELETE | RUN/EXEC |
|---|---|---|---|---|---|
| ENTITY | Applicable | Applicable | Applicable | Applicable | NA |
| ATTRIBUTES | Applicable | Applicable | Applicable | Applicable | NA |
| RELATIONSHIP | Applicable | Applicable | Applicable | Applicable | NA |
| PROCESS | NA | NA | NA | NA | Applicable |
| REPORTS | NA | Applicable | NA | NA | Applicable |

Table 2: Domain Model Resources to Privilege Map
In an embodiment, the Normalized Domain Elements (NDE) and Fundamental Software Constructs (FSC) together define the normalized domain model. In an embodiment, the Normalized Domain Elements (NDE) and Fundamental Software Constructs (FSC) may form the resource for ABAC.
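The ABAC evaluation described above, together with the two privilege maps of Table 1 and Table 2, as an added example that is not part of the patent or of any implementation of it: a small Python policy decision point. Only the two maps are transcribed from the tables; the attribute names, the rules, the deny-overrides combining and the sample subject, environment and resource values are constructed for the example. It also shows the runtime change the description promises, registering a new attribute and a rule that uses it without a restart, and rejecting attributes that have not been registered.

```python
# Added example (not from the patent): an ABAC policy decision point that applies the
# Table 1 / Table 2 privilege maps first, then attribute rules, deny by default.
# Only the two maps come from the page; names, rules and sample values are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

OPERATIONS = {"create", "read", "edit", "delete", "run"}

# Table 1 (feature resources); an operation absent from a set is "NA" in the table.
FEATURE_PRIVILEGE_MAP: Dict[str, Set[str]] = {
    "basic": {"create", "read", "edit", "delete"},
    "workflow": {"run"},
    "optimization": set(),
    "integration": {"create", "read", "edit", "delete"},
    "reporting": {"read", "run"},
}
# Table 2 (normalized domain elements / fundamental software constructs).
DOMAIN_PRIVILEGE_MAP: Dict[str, Set[str]] = {
    "entity": {"create", "read", "edit", "delete"},
    "attributes": {"create", "read", "edit", "delete"},
    "relationship": {"create", "read", "edit", "delete"},
    "process": {"run"},
    "reports": {"read", "run"},
}


@dataclass
class Pdp:
    """Attribute names and rules are registered at runtime, so the model can change while operational."""
    schema: Dict[str, Set[str]] = field(default_factory=lambda: {
        "subject": set(), "environment": set(), "resource": set()})
    rules: Dict[str, Tuple[str, Callable[[dict], bool]]] = field(default_factory=dict)

    def add_attribute(self, category: str, name: str) -> None:
        self.schema[category].add(name)

    def remove_attribute(self, category: str, name: str) -> None:
        self.schema[category].discard(name)

    def add_rule(self, name: str, effect: str, predicate: Callable[[dict], bool]) -> None:
        if effect not in ("permit", "deny"):
            raise ValueError(f"unknown effect {effect!r}")
        self.rules[name] = (effect, predicate)

    def evaluate(self, subject: dict, environment: dict, resource: dict,
                 operation: str) -> Tuple[bool, str]:
        req = {"subject": subject, "environment": environment,
               "resource": resource, "operation": operation}
        # 1. Unregistered attributes are rejected, not ignored: a typo or an unexpected
        #    field must never silently change a decision.
        for category in ("subject", "environment", "resource"):
            unknown = set(req[category]) - self.schema[category]
            if unknown:
                return False, f"unregistered {category} attribute(s) {sorted(unknown)}"
        if operation not in OPERATIONS:
            return False, f"unknown operation {operation!r}"
        # 2. The privilege maps bound what any rule may grant for this resource.
        feature, element = resource.get("feature"), resource.get("element")
        if operation not in FEATURE_PRIVILEGE_MAP.get(feature, set()):
            return False, f"{operation} is NA for feature group {feature!r} (Table 1)"
        if operation not in DOMAIN_PRIVILEGE_MAP.get(element, set()):
            return False, f"{operation} is NA for domain element {element!r} (Table 2)"
        # 3. Deny-overrides combining: a matching deny wins, then a matching permit;
        #    a request that no rule speaks to is denied.
        permits: List[str] = []
        for name, (effect, predicate) in self.rules.items():
            if predicate(req):
                if effect == "deny":
                    return False, f"denied by rule {name!r}"
                permits.append(name)
        return (True, f"permitted by {permits}") if permits else (False, "default deny")


def build_demo_pdp() -> Pdp:
    """Constructed policy: own-department reads on the corporate network in business hours; runs need clearance."""
    pdp = Pdp()
    for category, names in {"subject": ("department", "clearance"),
                            "environment": ("hour", "network"),
                            "resource": ("feature", "element", "owner_department", "sensitivity")}.items():
        for name in names:
            pdp.add_attribute(category, name)
    pdp.add_rule("same_department_read", "permit", lambda r: r["operation"] == "read"
                 and r["subject"]["department"] == r["resource"]["owner_department"])
    pdp.add_rule("clearance_to_run", "permit", lambda r: r["operation"] == "run"
                 and r["subject"]["clearance"] >= r["resource"]["sensitivity"])
    pdp.add_rule("off_corp_network", "deny", lambda r: r["environment"]["network"] != "corp")
    pdp.add_rule("outside_business_hours", "deny",
                 lambda r: not 8 <= r["environment"]["hour"] < 18)
    return pdp


def extend_with_mfa(pdp: Pdp) -> None:
    """Runtime change with no restart: a new subject attribute plus a rule that uses it."""
    pdp.add_attribute("subject", "mfa")
    pdp.add_rule("run_requires_mfa", "deny",
                 lambda r: r["operation"] == "run" and not r["subject"].get("mfa", False))


# Constructed sample request values.
ALICE = {"department": "finance", "clearance": 2}
CORP_DAYTIME = {"hour": 10, "network": "corp"}
REPORT = {"feature": "reporting", "element": "reports", "owner_department": "finance", "sensitivity": 2}
```

The maps act as a ceiling: an operation marked NA in Table 1 or Table 2 is refused before any rule runs, so a later policy edit cannot grant, for example, edit on a reporting feature. Returning the reason string with every decision is what makes the module auditable once it is generated into a system.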
At step 106, identity, environment, resources and operations, with their gathered attributes, can be code-generated into classes and their member variables, with default access methods, as per Object Oriented Programming (OOP). The code for administration may be generated as a standard predefined module. In an embodiment, the code for administration may include policy framing and a method of configuring the policies.
In an embodiment, meta-policies such as the author of the policy, the policy effective date, etc. may be captured from the SOW or set by default. In another embodiment, the meta-policies may be provided for reconfiguration after auto-generation of the software.
In an embodiment, a policy can be auto-generated in the UAM software based on the above attributes. The created policy can be reconfigured, or a new policy can be added, at the policy administration point. The auto-generated policy could also be open for reconfiguration in the future.
In an embodiment, additional meta-attributes such as the attribute authority, the attribute creation date, etc. may be provided through configuration or by default.
At step 108, the code for enforcement of the system may be auto-generated as a standard pre-defined configurable module.
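Steps 106 and 108 above, as an added example that is not part of the patent or of any implementation of it: a Python code generator that turns a classified attribute set into classes with private member variables and default getters, compiled with `exec`, and a policy enforcement point wrapped around resource operations. The attribute specification, the `sample_policy` decision function and every sample value are constructed. One assumption not stated on the page is made explicit: because the class and attribute names come out of an NLP pass over a client document, the generator accepts plain identifiers only, so that document text can never be spliced into generated source.

```python
# Added example (not from the patent): step 106 as a code generator from classified
# attributes to classes with private variables and default accessors, and step 108 as a
# policy enforcement point. Spec, policy and all sample values are constructed.
import functools
import keyword
from typing import Callable, Dict, Sequence


class AccessDenied(PermissionError):
    """Raised by the enforcement point when the decision function says no."""


def safe_name(name: str) -> bool:
    # Names originate from an NLP pass over an untrusted client document, so they are
    # untrusted input to a code generator: accept plain, non-keyword identifiers only.
    return name.isidentifier() and not keyword.iskeyword(name) and not name.startswith("_")


def _checked(name: str) -> str:
    if not safe_name(name):
        raise ValueError(f"refusing to generate code for name {name!r}")
    return name


def generate_class_source(class_name: str, attributes: Sequence[str]) -> str:
    """Emit one class: each attribute becomes a private variable with a getter."""
    cls = _checked(class_name)
    attrs = [_checked(a) for a in attributes]
    lines = [f"class {cls}:",
             "    __slots__ = (" + "".join(f"'_{a}', " for a in attrs) + ")",
             "    def __init__(self, " + ", ".join(f"{a}=None" for a in attrs) + "):"]
    lines += [f"        self._{a} = {a}" for a in attrs] or ["        pass"]
    for a in attrs:
        lines += [f"    def get_{a}(self):", f"        return self._{a}"]
    lines += ["    def attributes(self):",
              "        return {" + ", ".join(f"'{a}': self._{a}" for a in attrs) + "}"]
    return "\n".join(lines) + "\n"


def generate_module(spec: Dict[str, Sequence[str]]) -> Dict[str, type]:
    """Compile the generated source and return the generated classes by name."""
    source = "\n".join(generate_class_source(c, a) for c, a in spec.items())
    namespace: dict = {}
    exec(compile(source, "<generated-uam>", "exec"), namespace)
    return {name: namespace[name] for name in spec}


Decision = Callable[[dict, dict, dict, str], bool]


def enforce(decide: Decision, operation: str):
    """Policy enforcement point: consult decide() before the wrapped operation runs."""
    def wrap(fn):
        @functools.wraps(fn)
        def guarded(identity, environment, resource, *args, **kwargs):
            if not decide(identity.attributes(), environment.attributes(),
                          resource.attributes(), operation):
                raise AccessDenied(f"{operation} denied on {resource.attributes()}")
            return fn(identity, environment, resource, *args, **kwargs)
        return guarded
    return wrap


# Constructed attribute classification, in the shape step 102 would produce.
SPEC = {"Identity": ["user_id", "department"],
        "Environment": ["network"],
        "Resource": ["name", "owner_department"]}


def sample_policy(identity: dict, environment: dict, resource: dict, operation: str) -> bool:
    """Constructed policy: own department only, corporate network only, and no deletes."""
    return (environment["network"] == "corp"
            and identity["department"] == resource["owner_department"]
            and operation != "delete")


def run_demo() -> Dict[str, str]:
    classes = generate_module(SPEC)

    @enforce(sample_policy, "edit")
    def edit_record(identity, environment, resource, new_value):
        return f"{resource.get_name()} edited to {new_value}"

    @enforce(sample_policy, "delete")
    def delete_record(identity, environment, resource):
        return "deleted"

    bob = classes["Identity"](user_id="u42", department="hr")
    corp = classes["Environment"](network="corp")
    payroll = classes["Resource"](name="payroll", owner_department="hr")
    results = {"edit": edit_record(bob, corp, payroll, "v2")}
    try:
        results["delete"] = delete_record(bob, corp, payroll)
    except AccessDenied:
        results["delete"] = "denied"
    return results
```

The enforcement wrapper is the "standard pre-defined configurable module" of step 108 in miniature: it is the same code for every operation, and only the decision function it is configured with changes. Keeping the decision out of the generated classes is what lets policies be reconfigured after generation without regenerating the code.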
The foregoing discussion of the present invention has been presented for purposes of illustration and description. It is not intended to limit the present invention to the form or forms disclosed herein. In the foregoing Detailed Description, for example, various features of the present invention are grouped together in one or more embodiments, configurations, or aspects for the purpose of streamlining the disclosure. The features of the embodiments, configurations, or aspects may be combined in alternate embodiments, configurations, or aspects other than those discussed above. This method of disclosure is not to be interpreted as reflecting an intention the present invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment, configuration, or aspect. Thus, the following claims are hereby incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of the present invention.
Moreover, though the description of the present invention has included description of one or more embodiments, configurations, or aspects and certain variations and modifications, other variations, combinations, and modifications are within the scope of the present invention, e.g., as may be within the skill and knowledge of those in the art, after understanding the present disclosure. It is intended to obtain rights which include alternative embodiments, configurations, or aspects to the extent permitted, including alternate, interchangeable and/or equivalent structures, functions, ranges or steps to those claimed, whether or not such alternate, interchangeable and/or equivalent structures, functions, ranges or steps are disclosed herein, and without intending to publicly dedicate any patentable subject matter.
CLAIMS:WE CLAIM:
1. A computer-implemented User Access Management (UAM) method for modifications on pre-existing parameters, the method includes:
- classifying Attribute Based Access Control (ABAC) attributes under identity, environment, resource and operations from a Statement or scope of Work (SOW) document, wherein the ABAC attributes are classified through artificially intelligent Natural Language Processing (NLP) system;
- categorizing user requirements into a plurality of feature groups, wherein the plurality of feature groups are normalized into domain elements (NDE) or fundamental software constructs (FSC);
- generating identity, environment, resources, and operations with their gathered attributes into the class and its variables with default access or method as per Object Oriented Programming (OOP); and
- auto-generating the code for enforcement as a standard pre-defined configuration module.
2. The computer-implemented method as claimed in claim 1, wherein the non-UAM requirements are categorized into a plurality of feature groups.
3. The computer-implemented method as claimed in claim 1, wherein the plurality of feature groups include basic, workflow, optimization, integration and reporting.
4. The computer-implemented method as claimed in claim 1, wherein the FSC includes entity, attributes, relationship, process and reports.
| # | Name | Date |
|---|---|---|
| 1 | 202241044405-STATEMENT OF UNDERTAKING (FORM 3) [03-08-2022(online)].pdf | 2022-08-03 |
| 2 | 202241044405-PROVISIONAL SPECIFICATION [03-08-2022(online)].pdf | 2022-08-03 |
| 3 | 202241044405-PROOF OF RIGHT [03-08-2022(online)].pdf | 2022-08-03 |
| 4 | 202241044405-POWER OF AUTHORITY [03-08-2022(online)].pdf | 2022-08-03 |
| 5 | 202241044405-FORM FOR SMALL ENTITY(FORM-28) [03-08-2022(online)].pdf | 2022-08-03 |
| 6 | 202241044405-FORM FOR SMALL ENTITY [03-08-2022(online)].pdf | 2022-08-03 |
| 7 | 202241044405-FORM 1 [03-08-2022(online)].pdf | 2022-08-03 |
| 8 | 202241044405-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [03-08-2022(online)].pdf | 2022-08-03 |
| 9 | 202241044405-EVIDENCE FOR REGISTRATION UNDER SSI [03-08-2022(online)].pdf | 2022-08-03 |
| 10 | 202241044405-DRAWINGS [03-08-2022(online)].pdf | 2022-08-03 |
| 11 | 202241044405-DECLARATION OF INVENTORSHIP (FORM 5) [03-08-2022(online)].pdf | 2022-08-03 |
| 12 | 202241044405-PostDating-(02-08-2023)-(E-6-272-2023-CHE).pdf | 2023-08-02 |
| 13 | 202241044405-APPLICATIONFORPOSTDATING [02-08-2023(online)].pdf | 2023-08-02 |
| 14 | 202241044405-DRAWING [03-02-2024(online)].pdf | 2024-02-03 |
| 15 | 202241044405-COMPLETE SPECIFICATION [03-02-2024(online)].pdf | 2024-02-03 |
| 16 | 202241044405-FORM 18 [08-05-2024(online)].pdf | 2024-05-08 |
| 17 | 202241044405-FER.pdf | 2025-06-16 |
| 1 | 202241044405_SearchStrategyNew_E_fer-search-strategyE_13-06-2025.pdf | |