Microsoft Corporation
LEAST-PRIVILEGE RESOURCE PERMISSION MANAGEMENT

Abstract:

The least-privilege permission needed for an identity, such as a user account, application, user group, or process, to access a resource of a tenant of a cloud service is determined from a predicted future resource usage. The predicted future resource usage is based on the resource usage history of the identity, the resource usage history of similar identities, and the resource usage history of its peers. Similar identities are determined from node embeddings of a graph that represents the assigned permissions of an identity to a resource and the usage activity at a resource. The permissions needed to perform the predicted future resource usage are compared with the current permission assignments to determine the bare minimum permission that an identity needs for its ongoing and future workflow.

Status: Application

Type: Utility

Filing date: 3 Feb 2020

Issue date: 5 Aug 2021