US 12,452,279 B1
Role-based permission by a data platform
Theodore M. Reed, Berkeley Heights, NJ (US); Bao Nguyen, Newcastle, WA (US); Kenneth Beasley, Herndon, VA (US); Joshua L. Vertes, Venice, CA (US); Adin Aoki, Union, KY (US); Brandon Maister, New York, NY (US); Ravi Kiran Kumar, Pleasanton, CA (US); Sowmya A Karmali, Tustin, CA (US); and Yijou Chen, Cupertino, CA (US)
Assigned to Fortinet, Inc., Sunnyvale, CA (US)
Filed by Lacework, Inc., Mountain View, CA (US)
Filed on May 21, 2024, as Appl. No. 18/670,205.
Application 18/670,205 is a continuation of application No. 18/416,350, filed on Jan. 18, 2024, granted, now 12,021,888.
Application 18/416,350 is a continuation in part of application No. 18/517,747, filed on Nov. 22, 2023.
Application 18/517,747 is a continuation of application No. 18/119,045, filed on Mar. 8, 2023, granted, now 11,882,141, issued on Jan. 23, 2024.
Application 18/119,045 is a continuation of application No. 17/510,179, filed on Oct. 25, 2021, granted, now 11,637,849, issued on Apr. 25, 2023.
Application 17/510,179 is a continuation of application No. 16/786,822, filed on Feb. 10, 2020, granted, now 11,157,502, issued on Oct. 26, 2021.
Application 16/786,822 is a continuation of application No. 16/134,806, filed on Sep. 18, 2018, granted, now 10,614,071, issued on Apr. 7, 2020.
Claims priority of provisional application 63/532,955, filed on Aug. 16, 2023.
Claims priority of provisional application 63/440,544, filed on Jan. 23, 2023.
Claims priority of provisional application 62/650,971, filed on Mar. 30, 2018.
Claims priority of provisional application 62/590,986, filed on Nov. 27, 2017.
Int. Cl. H04L 9/40 (2022.01); G06F 9/455 (2018.01); G06F 9/54 (2006.01); G06F 16/2455 (2019.01); G06F 16/901 (2019.01); G06F 16/9038 (2019.01); G06F 16/9535 (2019.01); G06F 16/9537 (2019.01); G06F 21/57 (2013.01); H04L 43/045 (2022.01); H04L 43/06 (2022.01); H04L 67/306 (2022.01); H04L 67/50 (2022.01)
CPC H04L 63/1425 (2013.01) [G06F 9/455 (2013.01); G06F 9/545 (2013.01); G06F 16/9024 (2019.01); G06F 16/9038 (2019.01); G06F 16/9535 (2019.01); G06F 16/9537 (2019.01); G06F 21/57 (2013.01); H04L 43/045 (2013.01); H04L 43/06 (2013.01); H04L 63/10 (2013.01); H04L 67/306 (2013.01); H04L 67/535 (2022.05); G06F 16/2456 (2019.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
accessing, by a data platform configured to monitor a compute environment, data representative of a first role associated with a set of permissions with respect to resources within the compute environment and specifying a group of identities assigned to the first role, wherein the first role is assumable by each identity included in the group of identities to access the resources in accordance with the set of permissions;
determining, by the data platform, that a first subgroup of one or more identities included in the group of identities only uses a first subset of permissions included in the set of permissions to access the resources within the compute environment without using a second subset of permissions included in the set of permissions to access the resources within the compute environment, wherein the determining the first subgroup of one or more identities comprises:
monitoring each identity included in the group of identities and each permission included in the set of permissions over a predetermined time period; and
determining, based on the monitoring, permissions used by each identity included in the group of identities and identities using each permission during the predetermined time period; and
performing, by the data platform based on the determining that the first subgroup of one or more identities only uses the first subset of permissions, an operation to reduce permissions usable by the first subgroup of one or more identities to the first subset of permissions.
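The procedure in claim 1 is a role right-sizing loop: observe every identity assigned to a role and every permission the role grants over a fixed window, derive the permissions each identity actually used and the identities that used each permission, group identities by their used subset, and cut each subgroup's usable permissions down to that subset. The following Python is an added example written for this page, not code from the patent or from Lacework or Fortinet; the role, identity names, permission names and audit events are constructed, and the 90-day window, the handling of idle identities and the treatment of permissions used outside the role's grant are design choices of the example rather than anything the claim specifies.

```python
"""Role right-sizing from observed permission usage (added example; all data constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset   # permissions the role grants
    identities: frozenset    # identities that can assume the role


@dataclass(frozen=True)
class UsageEvent:
    """One observed use of a permission by an identity, as an audit log would record it."""
    when: datetime
    identity: str
    permission: str


@dataclass
class Rightsizing:
    used_by_identity: dict          # identity -> frozenset of role permissions used in window
    identities_by_permission: dict  # permission -> frozenset of identities that used it
    subgroups: dict                 # frozenset(identities) -> frozenset(permissions they used)
    never_used: frozenset           # role permissions no identity used in the window
    idle_identities: frozenset      # assigned identities with no observed use at all


def rightsize_role(role, events, window_end, window):
    """Monitor usage over (window_end - window, window_end] and group identities by used subset.

    Events for identities not assigned to the role, or for permissions the role does not
    grant (the use came through some other grant), are ignored. Identities with no observed
    use are reported separately instead of being silently reduced to an empty set.
    """
    window_start = window_end - window
    used = defaultdict(set)
    users = defaultdict(set)
    for ev in events:
        if not (window_start < ev.when <= window_end):
            continue
        if ev.identity not in role.identities or ev.permission not in role.permissions:
            continue
        used[ev.identity].add(ev.permission)
        users[ev.permission].add(ev.identity)

    by_subset = defaultdict(set)
    for identity, perms in used.items():
        by_subset[frozenset(perms)].add(identity)

    return Rightsizing(
        used_by_identity={i: frozenset(p) for i, p in used.items()},
        identities_by_permission={p: frozenset(i) for p, i in users.items()},
        subgroups={frozenset(ids): perms for perms, ids in by_subset.items()},
        never_used=frozenset(p for p in role.permissions if p not in users),
        idle_identities=frozenset(i for i in role.identities if i not in used),
    )


def reduction_plan(role, result):
    """Per subgroup that used only a strict subset: (identities, permissions kept, permissions dropped)."""
    return [(ids, perms, role.permissions - perms)
            for ids, perms in result.subgroups.items() if perms != role.permissions]


# Constructed sample role and audit events.
ROLE = Role(
    name="data-pipeline",
    permissions=frozenset({"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                           "kms:Decrypt", "iam:PassRole"}),
    identities=frozenset({"svc-etl", "svc-report", "alice", "bob-retired"}),
)
T0 = datetime(2024, 5, 1, tzinfo=timezone.utc)
WINDOW = timedelta(days=90)
EVENTS = [
    UsageEvent(T0 - timedelta(days=1), "svc-etl", "s3:GetObject"),
    UsageEvent(T0 - timedelta(days=2), "svc-etl", "s3:PutObject"),
    UsageEvent(T0 - timedelta(days=3), "svc-etl", "kms:Decrypt"),
    UsageEvent(T0 - timedelta(days=5), "svc-report", "s3:GetObject"),
    UsageEvent(T0 - timedelta(days=9), "svc-report", "kms:Decrypt"),
    UsageEvent(T0 - timedelta(days=12), "alice", "s3:GetObject"),
    UsageEvent(T0 - timedelta(days=20), "alice", "kms:Decrypt"),
    UsageEvent(T0 - timedelta(days=120), "alice", "s3:DeleteObject"),   # outside window
    UsageEvent(T0 - timedelta(days=4), "svc-etl", "ec2:RunInstances"),  # not granted by ROLE
]

if __name__ == "__main__":
    res = rightsize_role(ROLE, EVENTS, T0, WINDOW)
    for ids, keep, drop in reduction_plan(ROLE, res):
        print(sorted(ids), "keep", sorted(keep), "drop", sorted(drop))
    print("never used:", sorted(res.never_used), "idle:", sorted(res.idle_identities))
```

Two caveats a practitioner would apply before acting on the plan: the window has to be at least as long as the longest legitimate usage cycle (a quarterly job that ran 100 days ago looks unused in a 90-day window, exactly as alice's delete does above), and the idle and never-used lists are review queues, not automatic removals.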