Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.

Abstract: A framework instantiates an application from its disk snapshots. The disk snapshots are taken from a different network environment and migrated to a virtualized environment. Modifications to operating systems and hypervisors are avoided, and no special network isolation support is required. The framework is extensible and plug-in based, allowing product experts to provide knowledge about discovering, updating, starting and stopping of software components. This knowledge base is compiled into a plan that executes various interleaved configuration discovery, updates and start tasks such that a required configuration model can be discovered with minimal start and update task execution. The plan generation automatically stitches together knowledge for the various products, thus significantly simplifying the knowledge specification.

Abstract: A framework instantiates an application from its disk snapshots taken from a different network environment and migrated to a virtualized environment. Modifications to operating systems and hypervisors are avoided, and no special network isolation support is required. The framework is extensible and plug-in based, allowing product experts to provide knowledge about discovering, updating, starting and stopping of software components. This knowledge base is compiled into a plan that executes various interleaved configuration discovery, updates and start tasks such that a required configuration model can be discovered with minimal start and update task execution. The plan generation automatically stitches together knowledge for the various products, thus significantly simplifying the knowledge specification. Once discovery is complete, the framework utilizes the discovered model to update stale network configurations across software stack and customize configurations beyond network settings.

Abstract: The present invention discloses a solution for managing policy artifacts using a configuration management database (CMDB). Policies can be associated with a number of information technology resources, such as servers, businesses applications and the like. The solution permits automatic tagging of the policies (auto-discovery) as they enter the CMDB. For example, when a policy is added, it can be compared against a set of tagging rules. Multiple rules can match a new policy, which results in multiple tags being added for the policy. The policy specific tags can be optionally indexed for faster searching. Once indexed, the CMDB can support policy and policy tag based queries. In one embodiment, policy artifacts can be manipulated within a CMDB tool in a manner consistent with how the CMDB tool handles configuration items (CIs).

Abstract: A method, apparatus, and computer instructions for responding to a threat condition within the network data processing system. A threat condition within the network data processing system is detected. At least one routing device is dynamically reconfigured within the network data processing system to isolate or segregate one or more infected data processing systems within the network data processing system. This dynamic reconfiguration occurs in response to the threat condition being detected.

Abstract: A method of controlling password changes in a system having a plurality of data processing systems having separate password registries. Contents of passwords in the password registries of the data processing systems are controlled using password content policies that are centrally shared between the plurality of data processing systems.

Abstract: The present invention discloses a solution for managing policy artifacts using a configuration management database (CMDB). Policies can be associated with a number of information technology resources, such as servers, businesses applications and the like. The solution permits automatic tagging of the policies (auto-discovery) as they enter the CMDB. For example, when a policy is added, it can be compared against a set of tagging rules. Multiple rules can match a new policy, which results in multiple tags being added for the policy. The policy specific tags can be optionally indexed for faster searching. Once indexed, the CMDB can support policy and policy tag based queries. In one embodiment, policy artifacts can be manipulated within a CMDB tool in a manner consistent with how the CMDB tool handles configuration items (CIs).

Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.

Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.

Abstract: A method, apparatus, and computer instructions for responding to a threat condition within the network data processing system. A threat condition within the network data processing system is detected. At least one routing device is dynamically reconfigured within the network data processing system to isolate or segregate one or more infected data processing systems within the network data processing system. This dynamic reconfiguration occurs in response to the threat condition being detected.

Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.

Abstract: An automated, bottom-up role discovery method for a role based control system includes automatically extracting identities and attributes from data sources and automatically clustering the identities based on the attributes to form recommended roles. The recommended roles may be modified by intervention of an administrator. Additionally, the recommended roles may be aggregated by defining the role definition as an attribute of each constituent identity, and re-clustering the identities to generate refined roles. The recommended, modified, and/or refined roles may then be utilized in a role based control system, such as a role based access control system. Periodically performing the role discovery process provides a means to audit a role based access control system.

Abstract: A role hierarchy is automatically generated by hierarchically ranking roles in a role based control system, each role including a plurality of identities having attributes. Iteratively at each hierarchical level: each non-cohesive role (wherein, in this case, at least one attribute is not possessed by every identity in the role) is replaced, at the same hierarchical level, by a cohesive role formed by grouping identities having at least one common attribute. The remaining identities are clustered into children roles based on attributes other than the common attribute, and the children roles are added to the role hierarchy at a hierarchical level below the cohesive role. If no common attribute exists in the non-cohesive role, the role is clustered into two or more new roles based on all the attributes in the role, and the non-cohesive role is replaced with the new roles at the same hierarchical level.

Abstract: A method of controlling password changes in a system having a plurality of data processing systems having separate password registries. Contents of passwords in the password registries of the data processing systems are controlled using password content policies that are centrally shared between the plurality of data processing systems.