US 12,468,639 B2
Privilege level assignments to groups
Naama Kraus, Haifa (IL); Moshe Israel, Ramat-Gan (IL); Tamer Salman, Haifa (IL); Moshe Shalala, Rishon Lezion (IL); Rotem Lurie, Tel Aviv (IL); and Avihai Dvir, Bruchin (IL)
Assigned to MICROSOFT TECHNOLOGY LICENSING, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Jan. 9, 2023, as Appl. No. 18/094,845.
Application 18/094,845 is a continuation of application No. 16/907,026, filed on Jun. 19, 2020, granted, now 11,580,037.
Prior Publication US 2023/0161716 A1, May 25, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 12/00 (2006.01); G06F 9/455 (2018.01); G06F 9/46 (2006.01); G06F 12/14 (2006.01); G06F 13/00 (2006.01); G06F 21/62 (2013.01)
CPC G06F 12/1491 (2013.01) [G06F 9/45533 (2013.01); G06F 9/468 (2013.01); G06F 21/6218 (2013.01); G06F 2221/2141 (2013.01)] 15 Claims
OG exemplary drawing
 
1. An apparatus comprising:
a processor; and
a memory on which is stored machine-readable instructions that, when executed by the processor, cause the processor to:
query an access log stored in a distributed access store to identify a plurality of members that perform a common duty or function;
determine historical usage of a plurality of resources that one or more members of the plurality of members has accessed;
determine a plurality of privilege levels associated with the plurality of members for accessing one or more of the plurality of resources;
determine a plurality of lowest privilege levels of the plurality of privilege levels that a first subset of members of the plurality of members have used to access data on a first resource of the plurality of resources to perform the common duty or function based on historical usage of the first resource;
determine that a majority of the first subset of members comprise a lowest privilege level from the plurality of the lowest privilege levels;
assign the lowest privilege level as an assigned privilege level to the plurality of members, wherein the assigned privilege level comprises a highest access level that each member in the plurality of members is assigned to access the data on the first resource;
determine a count of members in the plurality of members who used one or more privilege levels that are lower than the assigned privilege level over a predefined time period;
iteratively partition the plurality of members into a plurality of sub-groups based on a determination that the count exceeds a predefined threshold value;
assign members of the plurality of members who did not use the one or more privilege levels that are lower than the assigned privilege level to a first sub-group of the plurality of sub-groups;
assign members of the plurality of members who used the one or more privilege levels that are lower than the assigned privilege level to a second sub-group of the plurality of sub-groups; and
modify the assigned privilege level stored in a data store for a second subset of members in the second sub-group to a lower privilege level than the assigned privilege level, thereby restricting access to the first resource by the second subset of members in the second sub-group to the lower privilege level.
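The procedure claimed above (identify members sharing a duty, take each member's lowest privilege level actually used on a resource, assign the level a majority share, then iteratively split off the members who used something lower and re-evaluate them) is shown below as an added worked example in Python. It is not code from the patent or from Microsoft. The access-log schema, the three-level privilege ordering (reader < contributor < owner), the constructed log rows, the choice to apply the observation window only to usage (not to duty membership), and the fallback when no strict majority exists (keep the highest lowest-used level so nobody loses access they demonstrably needed) are all assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass

# Ordered privilege levels, lowest first. Constructed ordering for this example.
PRIVILEGE_ORDER = ["reader", "contributor", "owner"]
RANK = {level: i for i, level in enumerate(PRIVILEGE_ORDER)}


@dataclass(frozen=True)
class AccessEvent:
    """One row of a hypothetical access log (schema assumed for the example)."""
    member: str
    duty: str       # duty or function the member performs
    resource: str
    privilege: str  # privilege level used for this access
    day: int        # day index of the access within the log


def members_with_duty(log, duty):
    """Identify the members that perform a common duty or function."""
    return frozenset(e.member for e in log if e.duty == duty)


def lowest_level_used(log, members, resource):
    """Per member, the lowest privilege level that member used on `resource`."""
    lowest = {}
    for e in log:
        if e.member in members and e.resource == resource:
            if e.member not in lowest or RANK[e.privilege] < RANK[lowest[e.member]]:
                lowest[e.member] = e.privilege
    return lowest


def majority_level(lowest):
    """Level shared by a strict majority of members as their lowest used level.
    Assumption: with no strict majority, fall back to the highest of the
    lowest-used levels so that no member is cut below a level they needed."""
    level, n = Counter(lowest.values()).most_common(1)[0]
    if 2 * n > len(lowest):
        return level
    return max(lowest.values(), key=RANK.get)


def assign_levels(log, members, resource, threshold, ceiling=PRIVILEGE_ORDER[-1]):
    """Assign one level to `members`; when more than `threshold` of them used a
    lower level, partition: the non-lower users keep the assigned level (first
    sub-group) and the lower users (second sub-group) are re-evaluated on their
    own, which lowers their level. Recursion gives the iterative partitioning."""
    lowest = lowest_level_used(log, members, resource)
    if not lowest:                      # no usage observed: keep the inherited level
        return {m: ceiling for m in members}
    assigned = majority_level(lowest)
    lower_users = frozenset(m for m, lvl in lowest.items() if RANK[lvl] < RANK[assigned])
    if len(lower_users) <= threshold:
        return {m: assigned for m in members}
    result = {m: assigned for m in members - lower_users}
    result.update(assign_levels(log, lower_users, resource, threshold, assigned))
    return result


def least_privilege_for_duty(log, duty, resource, window, threshold):
    """Full pipeline: duty membership from the whole log, usage from `window`."""
    start, end = window
    members = members_with_duty(log, duty)
    in_window = [e for e in log if start <= e.day < end]
    return assign_levels(in_window, members, resource, threshold)


# Constructed sample log. "grace" has a different duty; bob's ledger-db row is a
# different resource; alice's day-45 row falls outside the 30-day window.
SAMPLE_LOG = [
    AccessEvent("alice", "billing", "invoices-db", "owner", 1),
    AccessEvent("alice", "billing", "invoices-db", "owner", 2),
    AccessEvent("alice", "billing", "invoices-db", "reader", 45),
    AccessEvent("bob", "billing", "invoices-db", "owner", 3),
    AccessEvent("bob", "billing", "ledger-db", "reader", 13),
    AccessEvent("carol", "billing", "invoices-db", "owner", 5),
    AccessEvent("dave", "billing", "invoices-db", "owner", 6),
    AccessEvent("erin", "billing", "invoices-db", "contributor", 7),
    AccessEvent("erin", "billing", "invoices-db", "owner", 8),
    AccessEvent("frank", "billing", "invoices-db", "contributor", 9),
    AccessEvent("gail", "billing", "invoices-db", "reader", 10),
    AccessEvent("gail", "billing", "invoices-db", "contributor", 11),
    AccessEvent("grace", "payroll", "invoices-db", "reader", 12),
]

if __name__ == "__main__":
    for threshold in (1, 0):
        levels = least_privilege_for_duty(SAMPLE_LOG, "billing", "invoices-db", (0, 30), threshold)
        print(f"threshold={threshold}:", dict(sorted(levels.items())))
```

With threshold 1 the four owners keep owner and erin, frank and gail are lowered to contributor (only one of them used reader, which does not exceed the threshold). With threshold 0 the second sub-group is split again and gail, who never used more than reader in the window, ends at reader. Note that the majority rule can also move a minority member below a level they actually used (erin used owner once but lands at contributor), so in practice the output is a least-privilege recommendation to review against the members' lowest-used levels before it is written back to the access store.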