Resource access and group utilization determination

The data management server addresses complex user access rights in large enterprises by providing adaptive security applications for continuous evaluation and risk monitoring, ensuring secure and compliant data access management.

WO2026151583A1PCT designated stage Publication Date: 2026-07-16OLERIA CORP

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
OLERIA CORP
Filing Date
2025-12-17
Publication Date
2026-07-16

AI Technical Summary

Technical Problem

Large enterprises face challenges in comprehensively understanding and managing user access rights due to the dynamic nature of organizational structures and evolving regulatory landscapes, leading to vulnerabilities from unauthorized data access and inadvertent exposure, exacerbated by diverse data sources across heterogeneous IT environments.

Method used

A data management server that provides adaptive security applications, including continuous access evaluation, comprehensive utilization review, and risk monitoring, to streamline data access management and enhance security posture by analyzing access graphs and providing real-time insights for administrators.

Benefits of technology

The solution enables efficient and secure data access management by identifying and mitigating risks, reducing security threats, and enhancing compliance through automated decision-making and proactive measures.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure US2025060052_16072026_PF_FP_ABST
    Figure US2025060052_16072026_PF_FP_ABST
Patent Text Reader

Abstract

A data management system establishes connections with access control systems which are delegated by a domain to control data access and maintain data access history associated with the domain. The system receives heterogeneous sets of metadata related to the data access history and generates graph objects. The graph objects include named entity nodes, account nodes, application nodes, and access event nodes. The named entity node represents a named entity associated with an organization, the account node represents an account granted access to an application, the application node represents the application, and the access event node represents an access event to the application. The system traverses access paths that connect the named entity node and the access event node and identifies one account node that is along the access paths. Based on the account node, the system identifies a type of permission granted to the named entity for accessing the application.
Need to check novelty before this filing date? Find Prior Art

Description

Attorney Docket No.: 40671-65316RESOURCE ACCESS AND GROUP UTILIZATION DETERMINATIONInventors:Adarsh KhareJames AlkoveJagadeesh KundaTECHNICAL FIELD

[0001] The instant disclosure is related to data management of workspace data sources and computer architecture in data management.BACKGROUND

[0002] In contemporary large enterprises, efficient data management stands as a cornerstone of operational success. The proliferation of digital assets, ranging from sensitive corporate information to customer data, requires robust systems to ensure secure access, integrity, and compliance. However, as enterprises expand in scale and complexity, the challenge of comprehensively understanding and managing access rights for individual users can often emerge as a bottleneck.

[0003] The exponential grow th of data within large enterprises introduces a myriad of complexities, such as user access rights. In a typical organizational ecosystem, users span various roles, departments, and hierarchical levels, each with distinct privileges and requirements for accessing data. Traditional methods of managing access rights, such as rolebased access control, often fall short of adequately addressing the nuanced needs of modem enterprises.

[0004] Furthermore, the dynamic nature of organizational structures and evolving regulatory landscapes exacerbate the challenge of maintaining granular control over data access. As employees transition between roles and projects, or leave the organization, ensuring timely adjustments to access permissions becomes a daunting task. This fluidity introduces inherent vulnerabilities, leaving sensitive data susceptible to unauthorized access or inadvertent exposure.

[0005] Compounding this complexity are the diverse data sources and repositories scattered across heterogeneous information technology (IT) environments. From on-premises servers to cloud-based platforms, data may reside in different sources. An organization often needs to reconcile the dynamic interplay between user access rights, data repositories, and evolving organizational structures.Attorney Docket No.: 40671-65316BRIEF DESCRIPTION OF THE DRAWINGS

[0006] FIG. (Figure) 1 is a block diagram of a system environment, in accordance with some embodiments.

[0007] FIG. 2 is a block diagram illustrating an example data pipeline of the data management server, in accordance with some embodiments.

[0008] FIG. 3 is an example of a data schema that may be used by the data management server, in accordance with some embodiments.

[0009] FIG. 4 is a conceptual diagram illustrating an access graph that connects nodes by edges that may take the form of vectors, in accordance with some embodiments.

[0010] FIG. 5 is a conceptual diagram illustrating relationships of events between a source node and a destination node in an example access graph, in accordance with some embodiments.

[0011] FIG. 6 is a conceptual diagram illustrating using an example access graph to determine a type of permission that is granted to a named entity, in accordance with some embodiments.

[0012] FIG. 7 is an example of a graphical user interface provided by the data management server, in accordance with some embodiments.

[0013] FIG. 8 is an example of a graphical user interface showing a contextual access graph for selected events, in accordance with some embodiments.

[0014] FIG. 9 is an example sequence diagram illustrating an example series of interactions to render an access graph, in accordance with some embodiments.

[0015] FIG. 10 is a block diagram illustrating components of an example computing machine, in accordance with some embodiments.

[0016] The figures depict, and the detailed description describes, various non-limiting embodiments for purposes of illustration only.DETAILED DESCRIPTION

[0017] The figures (FIGs.) and the following description relate to preferred embodiments by way of illustration only. One of skill in the art may recognize alternative embodiments of the structures and methods disclosed herein as viable alternatives that may be employed without departing from the principles of what is disclosed.Attorney Docket No.: 40671-65316

[0018] Reference will now be made in detail to several embodiments, examples of which are illustrated in the accompanying figures. It is noted that wherever practicable similar or like reference numbers may be used in the figures and may indicate similar or like functionality. The figures depict embodiments of the disclosed system (or method) for purposes of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein.SYSTEM OVERVIEW

[0019] FIG. (Figure) 1 is a block diagram that illustrates an example of a system environment 100 for managing data access, in accordance with some embodiments. By way of example, the system environment 100 includes an organization 110, workspace data sources 120, a data management server 130, a data store 140, a user device 150, and an identity access management (IAM) service provider 170. The entities and components in the system environment 100 communicate with each other through network 160. In various embodiments, the system environment 100 may include different, fewer, or additional components.

[0020] The components in the execution environment 100 may each correspond to a separate and independent entity or may be controlled by the same entity. For example, in some embodiments, the data management server 130 may control the data store 140. In other embodiments, the data management server 130 and the data store 140 are operated by different entities and the data store 140 provides data storage service to the data management server 130. Likewise, in some embodiments, an organization 110 may control one or more workspace data sources 120, such as in situations where the organization 110 manages part of its own data.

[0021] While each of the components in the system environment 100 is sometimes described in disclosure in a singular form, the system environment 100 may include one or more of each of the components. For example, there can be multiple user devices 150 communicating with the data management server 130 and workspace data sources 120. The data management server 130 may provide data access management services to different unrelated organizations 110, each of which has multiple workspace data sources 120. While a component is described in a singular form in this disclosure, it should be understood that in various embodiments, the component may have multiple instances. Likewise, while some ofAttorney Docket No.: 40671-65316the components are described in a plural form, in some embodiments the component only has a single instance in the system environment 100. For example, in some situations, an organization 110 may use a single workspace data source 120.

[0022] An organization 110 may be any suitable entity such as a government entity, a private business, a profit organization or a non-profit organization. An organization 110 may define an application environment in which a group of individuals, devices, and other agents organize and perform activities and exchange information. The system environment 100 may include multiple organizations 110, which may be customers of the data management server 130 that provide various data management-related services to customers, such as data access management, data policy enforcement, etc. An organization 110 may be referred to as a business, a domain, or an application environment, depending on the situation.

[0023] By way of example, an organization 110 may also be referred to as a domain. In some embodiments, the terms domain and organization may be used interchangeably. A domain refers to an environment for a group of units and individuals to operate and use domain knowledge to organize activities, enforce policies, and operate in a specific way. An example of a domain is an organization, such as a business, an institute, or a subpart thereof, and the data within it. A domain can be associated with a specific domain knowledge ontology, which could include representations, naming, definitions of categories, properties, logics, and relationships among various concepts, data, transactions, and entities that are related to the domain. The boundary of a domain may not completely overlap with the boundary of a business. For example, a domain may be a subsidiary of a company. Various divisions or departments of the organization may have their own definitions, internal procedures, tasks, and entities. In other situations, multiple businesses may share the same domain. In some embodiments, a domain may also be referred to as a workspace. For example, a business may divide its company into multiple workspaces based on geographical regions, for example, North America, Asia Pacific, Europe, the Middle East and North Africa, Australia and New Zealand, etc. Each workspace may be referred to as a domain.

[0024] In some embodiments, an organization 110 may have various types of resources that are under its control. The resources may be directly controlled by the organization 110 within its physical or digital domain or indirectly managed by the organization 110 through one or more w orkspace data sources 120. Examples of resources may include named entities 112 and administrator devices 114. A named entity 112 may each have one or more accounts that are managed and / or controlled by the organization 110. For example, each employee ofAttorney Docket No.: 40671-65316an organization 110 may have one or more organizational accounts that have different access rights to various types of data. Sometimes a group of employees (e.g., the legal team, the sales team, the human resource team, etc.) may also be a named entity that has accounts at the group level. The employees and the organizational accounts are both examples of resources that are controlled by the organization 110. A named entity may also correspond to a nonhuman account (a service account, a machine account, etc.).

[0025] Other examples of resources may be data resources, such as datasets that belong to the organization 110. Data can be related to any aspect of the organization 110. In some situations, the organization 110 may directly control the data resources such as having organization-controlled data servers that store the data resources. In other situations, organization 110 may use one or more third-party software platforms such as software-as-a-service (SaaS) platforms that provide sen ices to the organization 110. Organization data may be stored and generated by those third-party platforms. The organization-controlled data servers and third-party software platforms are examples of workspace data sources 120 that manage the data resources of an organization 110.

[0026] An organization 110 may implement one or more policies specifying access privilege and data requirements related to data resources of the organization 110. For example, the data access rights to a particular data resource (e.g., a dataset) may be assigned based on the roles, positions, hierarchy, and other natures of named entities 112. Each workspace data source 120 may also have its own data access conditions specific to an organization 110. In many situations, data access rights are changed due to circumstances and special requirements. While oftentimes an organization 110 is aware of certain data access rights and restrictions in place, it is usually challenging for the organization 110 to properly document each data access policy and change, whether such documentation is even practical without a data management server 130. For example, an organization 110 may not have a systematic way to implement data access policies among its employees based on the roles of the employees. There can also be multiple administrator devices that grant or revoke access privileges in various situations, some more systematically while others are ad hoc. This makes an organization 110, particularly a larger one, difficult to understand data access situations of various named entities 112 and manage data accordingly. The data management server 130 provides various solutions to improve the data management of organizations 110.

[0027] Named entities 112 associated with an organization 110 may be any suitable entities that are identifiable, such as people, employees, teams, groups, departments,Attorney Docket No.: 40671-65316customers, vendors, contractors, other third parties, subsidiaries, and other sub-organizations. A user in the organization 110 is an example of a named entity 112. A user in this context may refer to a regular employee or an administrator of the named entity who takes the role of managing some resources, such as data resources of the organization 110. An administrator controls an administrator device 114. An organization 110 may maintain a hierarchy of named entities, which contains information about the relationships among the named entities. A hierarchy may take the of an organizational chart and employee hierarchy. Data access policies may be determined based on one or more hierarchies maintained by the organization 110. In some embodiments, an administrator, through an administrator device 114, may review data access information and grant or revoke data access privilege through the service provided by the data management server 130. Each named entity 112 may be associated with various activities and history' of data use of the data resources of the organization 110.

[0028] Workspace data sources 120 are components that maintain and control data for an organization 110. A workplace data source 120 refers to any system, platform, or repository that contains information relevant to an organization’s operations, activities, or employees. Workspace data sources 120 may take different forms. An example of a w orkspace data source 120 may be a data store, such as a data store 140, that stores data of the organization 110. For example, the workspace data source 120 may be a local data server or a Cloud server that stores data directly managed by the organization 110. In another example, a workspace data source 120 may be a software platform that provides service to the organization 110 based on data entered or provided by the organization 110. The softw are platform may be a software-as-a-service (SaaS) platform that runs software using domainspecific data. In some embodiments, the data may be provided by the organization 110 such as through linking the software platform to a data store 140 that stores the data of the organization 110. In some embodiments, the software platform itself may generate data for the organization 110 and store the data at another data store 140 or through the software platform’s servers. In some embodiments, a workspace data source 120 may grant access to data based on access permission.

[0029] Workspace data sources 120 may also be referred to as access control systems. An access control system is delegated by an organization customer to control part of the data access of an organization 110 and maintains a data access history of one or more accounts of the organization 110. For example, a SaaS platform is retained by the organization 110 to generate and manage data associated with the organization 110 and may be an example of anAttorney Docket No.: 40671-65316access control system. The SaaS platform provides data based on the data access permission of individual accounts.

[0030] In various embodiments, examples of workspace data sources 120 may include human resource systems, such as human resources management systems (HRMS) or human capital management (HCM) platforms that store employee data such as personal information, employment history, performance evaluations, and payroll details. Other examples of workspace data sources 120 may include customer relationship management (CRM) systems, including databases that contain information about clients, customers, or business contacts, including interactions, sales history, and customer preferences. Further examples of workspace data sources 120 may include enterprise resource planning (ERP) systems, such as integrated platforms that manage various aspects of business operations, including finance, supply chain, manufacturing, and inventory, generating data on transactions, orders, and inventory levels. Further examples of workspace data sources 120 may include communication and collaboration tools, such as email servers, instant messaging services, and project management tools where workplace communications and collaborations occur, generating data on interactions, discussions, and project progress. Further examples of workspace data sources 120 may include business intelligence (BI) tools and data warehouses that aggregate and analyze data from multiple sources to generate insights and reports for decision-making purposes. Further examples of workspace data sources 120 may include time tracking and attendance systems, including tools used to record employee working hours, absences, and attendance data. Further examples of workspace data sources 120 may include file storage and document management systems, including repositories for storing documents, reports, and other digital assets generated within the organization. In some embodiments, examples of workspace data sources 120 may further include physical devices such as intemet-of-things (IOT) devices that are in the workplace, such as sensors, smart devices, and wearable technology, generating data on environmental conditions, usage patterns, and employee activities.

[0031] A workspace data source 120 may maintain the data access history of an organization 110. Forms of data access history in a workspace data source 120 may include records of who accessed specific files or databases, when they accessed them, and for what purpose. These metadata may be maintained in the form of metadata that captures user authentication details, timestamps, and the actions performed during each access instance. User authentication details may include user accounts, roles, or unique identifiers, whileAttorney Docket No.: 40671-65316timestamps indicate the exact date and time of access. Additionally, the actions performed during access, such as viewing, editing, or deleting files, may be logged to provide records of data interactions. The data access history may also include data permission and authorization history such as when and who grants or revokes data access privilege of a particular named entity 112 to a data resource. Other relevant metadata related to data access may also be stored by the workspace data source 120.

[0032] A workspace data source 120 may provide one or more channels to allow the data and data access history maintained by the workspace data sources 120 to be exported to another entity’. For example, a workspace data source 120 may offer Application Programming Interfaces (APIs), to facilitate the export of both data and data access history- maintained within the workspace to another entity. APIs serve as a structured ways of communication between different software applications, allowing the data management server 130 to receive the data access history upon authorization from an organization 110. APIs may take different forms, such as a Representational State Transfer (REST) API that may take the form of stateless communication method over hypertext transfer protocol (HTTP). Other forms of APIs are also possible, such as GraphQL API with a query language that allow s the data management server 130 to specify the desired fields and relationships in the queries. In some embodiments, APIs may be designed to provide event data to support some entry points to get the events for a given time period. In some implementations, the APIs may provide an events list comprising one or more of ApplicationEndpoint, Resourceinstance and AccessPath. ApplicationEndpoint provides access to all events initiated by the ApplicationEndpoint, the Resourceinstance offers access to all events that interacted with the Resourceinstance, and the AccessPath may offer access to all events in the given access path. In some implementations, the APIs may provide edge attributes such as Event Count, LastEventTime, etc. Event Count may indicate the number of times a specific edge is utilized within an event path, and LastEventTime may denote the most recent timestamp at which the edge was exercised within an event path. If no events exercised the edge during the specified time period, LastEventTime may be marked as null. APIs may also include webhooks, which may’ take the form of HTTP callbacks triggered by’ events in the workspace data source 120, such as data access events. When data access events or data transfer events occur, a workspace data source 120 may send a notification to the data management server 130. The payload of the notification may contain relevant information about the event, including details of the data access history. Other forms of communicationAttorney Docket No.: 40671-65316channels between a workspace data source 120 and the data management server 130 may include a file-based exports that periodically export data access history in a structured file format (e.g., JSON, CSV, XML, YAML, and the like) to a designated location accessible by the data management server 130. In some embodiment, a communication channel may include a database replication or sync to allow the data management server 130 to directly connect to database of the workspace data source 120 for real-time replication or synchronization of data access history. In some embodiments, a communication channel between a workspace data sources 120 and the data management server 130 may take the form of a data stream that allows a continuous flow of data access events or updates from the workspace data source 120. This stream of data typically may include real-time or near-realtime information about various data access activities within the workspace environment, such as user logins, file accesses, modifications, or deletions.

[0033] The data management server 130 provides data management service to one or more organizations 110 to oversee and regulate access to data within an organization 110. The data management server 130 may collect data and related metadata such as data access history of various workspace data sources 120 of an organization 110 and provide analysis to the organization 110 with respect to data access, data policy management and compliance, and centralized data administration and monitoring. Workspace data sources 120 often have a large volume of data traffic and may store metadata related to data access in different nonstandardized formats. In some embodiments, the data management server 130 may transform the metadata according to a standardized data schema and consolidate the data access information from various workspace data sources 120 into a centralized datastore as objects that are arranged according to the standardized data schema. In some embodiments, the data management server 130, using the standardized and consolidated data objects, may provide various applications and analyses related to data management to the organization 110, such as activity -based composite data access and permission graphs, display and illustration of data access permission and restrictions, automatic access policy generation and determination, convenient grant and revocation of data access, and data access risk assessment. The more detailed operations of the data management server 130 and other examples of services and features provided by the data management server 130 are further discussed in this disclosure.

[0034] In some embodiments, the data management server 130 may provide adaptive security application scenarios to help organizations reduce access management and governance complexity. The data management server 130 may help an organization 110 toAttorney Docket No.: 40671-65316reduce the risk level, eliminate the friction in identity management and governance, and enable adaptive security. In some embodiments, the data management server 130 may provide continuous access evaluation. For example, the data management server 130 may provide a dashboard to an organization 110 to provide access and security assessment. The dashboard may take the form of an access utilization dashboard, which can provide a solution that helps organizations 110 to identify and manage inactive user accounts and permissions, thus reducing the risk of security attacks and improving overall security. The dashboard may provide real-time insights and the ability to easily remove or adjust access by an administrator device 114. The dashboard streamlines the process of continuous access evaluation, making it simple for administrators to adhere to compliance and enhance the security posture of an organization 110.

[0035] In some embodiments, the data management server 130 may offer comprehensive utilization review functionalities, encompassing the identification of inactive and dormant accounts, analysis of active accounts and unused permissions, and evaluation of the overall security posture by tracking the percentage of active accounts and the trends over time. The data management server 130 may identify accounts with no user activity or logins within a specified timeframe. Additionally, or alternatively, the data management server 130 may scrutinize active accounts, defined by recent activity within a predetermined period, and examine permissions that remain unused by users over a specified time frame. The access utilization reports may also include trends, such as a sudden increase in data access of a specific account or permission. The data management server 130 may recommend remediation actions to an organization 110 to address dormant accounts and unused permissions, thereby fortifying security measures.

[0036] In some embodiments, the data management server 130 may provide risk monitoring to identify and mitigate potential security and access risks, enhancing overall security posture and compliance through real-time insights and automated decision-making processes. The data management server 130 may provide real-time insights and automated decision-making processes, thereby simplifying the complexify of security and access management. The risk level analysis may take the form of a risk level review that identifies high-risk activities exercised recently. The risk level analysis may also take the form of an overall risk score that may change over a period of time. In remedying the identification of a high-risk activity, the data management server 130 may provide an alert and a suggested action for the organization 110 to address the high-risk activity. In some embodiments, for aAttorney Docket No.: 40671-65316high overall risk score, the data management server 130 may provide suggestions and identify specific activities or data resources that are related to the high-risk score.

[0037] In some embodiments, the data management server 130 may provide access hygiene review capabilities that assess risk levels and monitor risk score trends, prescribing remediation actions for high-risk activities and proactive measures to uplift the risk score. In some embodiments, the data management server 130 may provide access analytics to provide an organization 110 real-time analyses into access governance, risk reduction, and security posture enhancement, allowing for detailed analysis of access activities, resource access, and permission posture through graphical representations.

[0038] In some embodiments, the data management server 130 may provide access analytics that may take various forms to provide real-time analyses for an organization 110 to improve access governance, reduce risks, and enhance security posture. An example of access analytics may be providing detailed access graphs that illustrate access paths and permissions within an organization 110, allowing administrators to access details of various workspace data sources 120 used by the organization 110. The output of the data management server 130 may include analysis of the access graph and event data that identify the risk vulnerabilities and the corresponding severity rankings. In some embodiments, an access graph may include activity analysis based on the access graph query result. Access activities may show the name of the actor, time stamp, risk severity, anomaly versus regular activities, and other suitable indicia. The data management server 130 may provide various access activity analysis features to identify’ accesses that are exercised in an organization 110, such as recent access activities across the organization 110, or certain units in the organization 110. The activity level analysis may be stored and presented in the form of a time series to allow an administrator of the organization 110 to review activities in different timeframes with respect to a specific user, a specific account, and / or a specific data resource. The permission posture may be presented as an access graph to illustrate activities exercised on a permission set.

[0039] By way of example, the data management server 130 may provide a composite data access graph that illustrates connections between accounts and data resources and additionally provides a summary of data access activities of the accounts to the data resources. The data management server 130 may query various sets of metadata received from different workspace data sources 120 and generate graph objects according to a standardized data schema. The graph objects may include nodes that represent accounts, dataAttorney Docket No.: 40671-65316resources, and data access activities. The data management server 130 may also store edges that record connections between two nodes in order to establish a graph. The data management server 130 may use a graph algorithm to generate a graph that illustrates the connections between accounts and data resources. The graph may be generated with respect to a named entity who may have multiple accounts across different workspace data sources 120. The graph may include nodes representing an account and a data resource that is connected to represent the data permission of the named entity to the data resource and a graphical representation of a data access activity level of the account accessing the data resource. The data access activity level may be aggregated from the activity objects representing the instances of the account accessing the data resource. For example, the graphical representation may take the form of a line that connects an account node in the graph and the data node representing the data resource. The thickness of the line may be commensurate with the data access activity level. In some embodiments, the nodes in an access graph are selectable for display of attributes of the selected nodes and for the performance of data access management tasks such as granting or revoking access.

[0040] In some embodiments, the access graphs may be generated in the forms of user access graphs and resource access graphs. In some embodiments, a user access graph may¬ focus on a named entity. For example, a user access graph may illustrate how a specific user gains access to a particular data resource, showing resources accessible to the user along with the access paths, delineating the access permission from identity to role, permission, and finally, the data resource. In some embodiments, a resource access graph may focus on a data resource. For example, the resource access graph may elucidate how access to a particular resource is granted to a specific user, displaying users with access to the resource and their corresponding access paths, illustrating the progression from the resource to permission, role, and identity. These graphical representations offer an understanding of access paths and permissions, facilitating efficient access management and security administration.

[0041] In various embodiments, the data management server 130 may take different suitable forms. For example, while the data management server 130 is described in a singular form, the data management server 130 may include one or more computers that operate independently, cooperatively, and / or distributively. In some embodiments, the data management server 130 may be a server computer that includes one or more processors and memory that stores code instructions that are executed by one or more processors to performAttorney Docket No.: 40671-65316various processes described herein. In some embodiments, the data management server 130 may be a pool of computing devices that may be located at the same geographical location (e.g., a server room) or be distributed geographically (e.g., cloud computing, distributed computing, or in a virtual server network). In some embodiments, the data management server 130 may be a collection of servers that independently, cooperatively, and / or distributively provide various products and services described in this disclosure. The data management server 130 may also include one or more virtualization instances such as a container, a virtual machine, a virtual private server, a virtual kernel, or another suitable virtualization instance. The data management server 130 may provide organizations 110 with various data management services as a form of cloud-based software, such as software as a service (SaaS), through the network 160. In some situations, the data management server 130 may also refer to the entity that operates the data management server 130.

[0042] The system environment 100 may include various data stores 140 that store different types of data for different entities. For example, one or more workspace data sources 120 may each be associated with a data store 140. An organization 110 may also have data stores 140 that store the organization’s data. In this situation, the data store 140 may be an example of one type of workspace data source 120. The data management server 130 may also use one or more data stores 140 to store data related to preference, configurations, and other specific data associated with each organization’s customer. The data access metadata that is standardized by the data management server 130 may also be stored as data objects in one or more data stores 140.

[0043] Each data store 140 includes one or more storage units, such as memory, that take the form of a non-transitory and non-volatile computer storage medium to store various data. The computer-readable storage medium is a medium that does not include a transitory medium, such as a propagating signal or a carrier wave. In one embodiment, the data store 140 communicates with other components by the network 160. This type of data store 140 may be referred to as a cloud storage server. Examples of cloud storage service providers may include AMAZON AWS, DROPBOX, RACKSPACE CLOUD FILES, AZURE, GOOGLE CLOUD STORAGE, etc. In some embodiments, instead of a cloud storage server, a data store 140 may be a storage device that is controlled and connected to the data management server 130. For example, the data store 140 may take the form of memory (e.g., hard drives, flash memory, discs, ROMs, etc.) used by the data management server 130, such as storage devices in a storage server room that is operated by the data management serverAttorney Docket No.: 40671-65316130.

[0044] A user device 150 may also be referred to as a client device. A user device 150 may be controlled by a user who may be the user of the data management server 130, such as an administrator of the organization 110. In such a case, the user device 150 may be an example of the administrator device 114. In some cases, a user device 150 may be controlled by an employee of an organization 110. The user device 150 may be used to gain access to one or more workspace data sources 120, such as to access a software platform provided by one of the workspace data sources 120. The user device 150 may be any computing device. Examples of user devices 150 include personal computers (PC), desktop computers, laptop computers, tablet computers, smartphones, wearable electronic devices such as smartwatches, or any other suitable electronic devices.

[0045] A user device 150 may include a user interface 152 and an application 154. The user interface 152 may be the interface of the application 154 and allow the user to perform various actions associated with application 154. For example, application 154 may be a software application, and the user interface 152 may be the front end. The user interface 152 may take different forms. In one embodiment, the user interface 152 is a software application interface. For example, a business may provide a front-end software application that can be displayed on a user device 150. In one case, the front-end software application is a software application that can be downloaded and installed on a user device 150 via, for example, an application store (App store) of the user device 150. In another case, the front-end software application takes the form of a webpage interface of organization 110 that allows clients to perform actions through web browsers. The front-end software application includes a graphical user interface (GUI) that displays various information and graphical elements. For example, the GUI may be the web interface of a software-as-a-service (SaaS) platform that is rendered by a web browser. In some embodiments, user interface 152 does not include graphical elements but communicates with a server or a node via other suitable ways, such as command windows or application program interfaces (APIs).

[0046] In system environment 100, multiple different types of applications 154 may be operated on a user device 150. Those applications 154 may be published by different entities and be in communication with different components in the system environment 100. For example, in some embodiments, a first application 154 may be a software application that is published as one of the workspace data sources 120 for the employees of the organization 110 to perform work-related tasks. In some embodiments, a second application 154 may be aAttorney Docket No.: 40671-65316data management application published by the data management server 130 for a user to perform data management and view composite data graphs. These are merely examples of various types of applications 154 that may be operated on a user device 150.

[0047] An I AM service provider 170 may refer to a system, server, platform or apparatus for facilitating and managing the authentication, authorization, and governance of user access to resources within a networked environment. An IAM service provider 170 may include one or more computational components configured to establish, enforce, and monitor identity and access policies for users, applications, devices, and services. In some embodiments, an IAM service provider 170 may be used to detect unauthorized access attempts, analyze access behavior to identify patterns, and mitigate security risks. In some embodiments, the IAM service provider 170 operates as a cloud-based service, offering scalable, centralized identify management and access control capabilities. Alternatively, the IAM service provider 170 may be implemented as an on-premise solution or a hybrid deployment, where identity governance is distributed across multiple environments.

[0048] In various embodiments, examples of an IAM service provider 170 may include Amazon Web Services (AWS) IAM, Microsoft Azure Active Directory (Azure AD), Okta, Ping Identity, Google Cloud Identity and Access Management, IBM Security Verify, etc. Some IAM service providers enable secure access control to services and resources through user policies, roles, and permissions. Some IAM service provider may use a cloud-based solution to manage user identities, groups, and / or accesses to resources and applications within the platform ecosystem. Some IAM service providers may offer a comprehensive identify platform that includes single sign-on (SSO), multi-factor authentication (MFA), and lifecycle management, or provide granular role-based permissions to manage access to cloud resources and / or provides adaptive authentication and identify lifecycle management for enterprises. In some implementations, the IAM service provider 170 may include one or more service providers in the system environment 100.

[0049] The communications among an organization 110, a workspace data source 120, the data management server 130, a data store 140, a user device 150, and an IAM service provider 170 may be transmitted via a network 160. The network 160 may be a public network such as the Internet. In one embodiment, the network 160 uses standard communications technologies and / or protocols. Thus, the network 160 can include links using technologies such as Ethernet, 802.11, worldwide interoperability for microwave access (WiMAX), 3G, 4G. LTE. 5G, digital subscriber line (DSL), asynchronous transferAttorney Docket No.: 40671-65316mode (ATM), InfiniBand, PCI Express Advanced Switching, etc. Similarly, the networking protocols used on the network 160 can include multiprotocol label switching (MPLS), the transmission control protocol / Intemet protocol (TCP / IP), the User Datagram Protocol (UDP), the hypertext transport protocol (HTTP), the simple mail transfer protocol (SMTP), the file transfer protocol (FTP), etc. The data exchanged over the network 160 can be represented using technologies and / or formats, including the hypertext markup language (HTML), the extensible markup language (XML), etc. In addition, all or some of the links can be encrypted using conventional encryption technologies such as secure sockets layer (SSL), transport layer security (TLS), virtual private networks (VPNs), Internet Protocol security (IPsec), etc. The network 160 also includes links and packet-switching networks such as the Internet.DATA INGE-THON PlPTLINE ASCHITSGTTn<6

[0050] FIG. 2 is a block diagram illustrating an example data pipeline 200 of the data management server 130, in accordance with some embodiments. FIG. 2 illustrates the data pipeline 200 in which the data management server 130 receives data from various workspace data sources 120, normalizing the data, and rendering the standardized data objects to operational databases (graph and document databases). While the discussion of FIG. 2 is described using one organization 110, the data pipeline 200 may be repeated for multiple organization customers of the data management server 130, with some of the organizations 110 using the same types of workspace data sources 120. The data pipeline 200 includes intermediate storages and separation of data store per organization 110. in accordance with some embodiments.

[0051] The data pipeline 200 may include three main stages which may be referred to as the first stage of data ingression 210, the second stage of data transformation 230, and the third stage operationalization of data 250. The data ingression stage 210 may involve connecting the data management server 130 to various workspace data sources 120 and enabling the data management server 130 to receive data and metadata of an organization 110 from those connected workspace data sources 120. The data transformation stage 230 may involve the data management server 130 standardizing various data formats, generating data objects according to a standardized data schema, and classifying data objects based on attributes defined by the data management server 130. The data transformation stage 230 may also include data enrichment such as performing computations on transformed data andAttorney Docket No.: 40671-65316add data from additional sources (e.g., external sources and open world data) to enrich the normalized data for downstream applications such as risk analysis. The data operationalization stage 250 may involve putting standardized data objects into various downstream applications and storing data in operational databases ready to be rendered for users. In various embodiments, the data pipeline 200 may include additional, fewer, and different stages. The features and functions described in each stage may also be distributed differently from the explicit example discussed in FIG. 2.

[0052] The data ingression stage 210 may include onboarding, channel establishment, some quick conversions of fde formats, and other data ingression steps. The data management server 130 may receive a grant of permission from the organization customer to receive data of the organization customer from a workspace data source 120, such as SaaS platform. In some embodiments, the onboarding may include an initialization of channel establishment that allows the provisioning of the organization customer’s credentials for the organization 110 to authorize the data management server 130 to establish a data connector 212 to pull data from a workspace data source 120. In some embodiments, the data management server 130 may provide an onboarding user interface for the organization 110 to authorize the sharing of organization data with the data management server 130. An instance of a data connector 212 may be created and store a customer-provisioned token for connection with a workspace data source 120.

[0053] Common workspace data sources 120 may include different data connection methods and the data management server 130 may include various data connectors 212 tailored to the workspace data sources 120. Common workspace data sources 120 may include SALESFORCE, SERVICENOW, GOOGLE WORKSPACE, MICROSFOT 365, DROPBOX BUSINESS, SLACK, ASANA, ATLASSIAN, SAP, etc. but examples of workspace data sources 120 are not limited to those explicitly discussed. In some embodiments, the data management server 130 may establish an instance of a data connector 212 per domain (workspace) per data source instance (per software application). For example, an organization 110 may have three domains, North America, Asia Pacific, and Europe Middle East Africa, and all three domains have two workspace data sources 120. In such as case, the data management server 130 may establish size instances of data connectors 212 and establish six data pipelines. In some embodiments, the data pipeline separation may be purely logical. Instances of data connectors 212 and downstream data pipelines may share common computing and processing resources. In some embodiments, each domain may beAttorney Docket No.: 40671-65316treated as a separate organization 110, and data is shared between two domains.

[0054] The data management server 130 may maintain a hierarchy of instances to distinguish various organizations, workspaces, software applications, and data resources that are monitored. For example, a customerlD may be a unique identifier that represents the organization’s customers. The systemWorkspacelD may be a unique identifier that represents a specific workspace within an organization 110. Some organizations 110 might have a single workspace. The applicationlnstancelD may be a unique identifier for a software application instance, such as a SaaS platform that may be an example of workspace data source 120. The applicationName may be the name of the software application.

[0055] In some embodiments, the types of data connectors 212 vary based on the data channels supported by the workspace data sources 120. A workspace data source 120 may provide one or more data channels to allow the data and metadata related to data access history maintained by the workspace data sources 120 to be exported to the data connectors 212. For example, a workspace data source 120 may offer Application Programming Interfaces (APIs). APIs may take different forms, such as a RESTful API, GraphQL API, webhooks, etc. Other forms of data channels between a workspace data source 120 and a data connector 212 may include file-based exports in a structured file format (e.g., JSON or CSV). In some embodiments, a data channel may include a database replication or sync to allow a data connector 212 to directly connect to the database of the workspace data source 120. In some embodiments, a data channel between a workspace data source 120 and a data connector 212 may take the form of a data stream that allows a continuous flow of data and updates from a workspace data source 120.

[0056] In some embodiments, the data ingression stage 210 may involve the storage of raw data and a simple conversion of raw data to a common file format. The file format may be in comma-separated values (CSV), JavaScript Object Notation (JSON), extensible markup language (XML), or another suitable format, such as key-value pairs, tabular, or spreadsheet format. The data management server 130 may store the data in a raw data store 214, such as AMAZON WEB SERVICES (AWS) S3 buckets, AZURE BLOB STORAGE, IBM OBJECT STORAGE, DIGITALOCEAN SPACES, etc. The raw data from different workspace data sources 120 may be converted to a file format such as the CSV format. The raw data files may contain the raw data with identifiers that correspond to source table names in the workspace data sources 120 and columns in CSV files (or another file type) that match the field from the source schema.Attorney Docket No.: 40671-65316

[0057] In some embodiments, the data transformation stage 230 may process and transform the data received from various workspace data sources 120. The data transformation stage 230 may be performed by a data transformer 220, which may include sets of instructions for performing various data transformation operations as discussed below. The data transformer 220 may be a data processing unit to perform data processing tasks. In some embodiments, the data transformer 220 may include memory and one or more processors. The memory stores the instructions. The instructions, when executed, cause one or more processors to perform the data processing tasks.

[0058] The raw data in the raw data store 214 may be treated as the data source in the data transformation stage 230. Data query, normalization, aggregation, and other transformation operations may be performed. The output of the data transformation stage 230 may be created as data objects 240 according to a standardized data schema defined by the data management server 130. The data objects 240 may be structured and standardized and may be stored in a relational database. The data object may be stored in any suitable structured formats, such as comma-separated values (CSV), JavaScript Object Notation (JSON), extensible markup language (XML), or another suitable format, such as key-value pairs, tabular, or spreadsheet format. The created data objects 240 may be stored based on the types of data objects 240 in one or more object tables 236. In some embodiments, formal relational databases may be used. The data management server 130 maintains per-workspace isolation by creating separate database instances for each organization customer and its domains.

[0059] In some embodiments, the data transformation stage 230 may store graph objects according to a data schema 232. The data schema 232 may be defined and standardized by the data management server 130. A graph object includes attributes whose values are generated based on querying the sets of metadata that are stored in the raw data store 214. While the raw data may include different fields and formats based on the workspace data sources 120, the data transformation stage 230 may re-generate the data to create graph objects. The graph objects may include different types such as node objects and edge objects. The node objects may include an account node type. Each account node may represent an account from a workspace data source 120. The node objects may also include a data resource node type. Each data resource node may represent a data source that is stored in a workspace data source 120. The node objects may further include an activity node type. An activity node may represent an instance of data access activity. For example, when anAttorney Docket No.: 40671-65316account accessed a data resource at a workspace data source 120, a data access activity was recorded and the data management server 130 in the data transformation stage 230 captures the activity and creates an activity node. The graph objects may also include an edge type. An edge may identify a connection between any two types of nodes in the data schema 232.

[0060] The data schema 232 implemented within the data management server 130 may define data object formats and attributes for data objects 240 that are commonly various downstream applications of the 130. In some embodiments, the data schema 232 may adopt a network graph model. The data schema 232 may define an integrated representation of a data access graph, where nodes signify elements and edges illustrate the interactions among nodes. The graph data objects 240 created according to the data schema 232 may enable downstream applications to execute various graph theory algorithms, enabling functionalities such as path identification and cluster discovery essential for comprehensive data analysis. The data schema 232 may represent asset classes and individual assets, which permits the mapping of permissions and events for analytical assessment. For instance, within certain SaaS applications, the data schema 232 delineates between broader asset classes (such as “resources”) and granular instances of singular assets (such as “resource instances”). This distinction allows for a nuanced analysis of permissions and events applicable to both the broader asset class and individual instances, thereby enhancing the analytical depth. In some embodiments, the data schema 232 may integrate event or user activities into the accessgraph framework, representing these activities as nodes to establish meaningful relationships between actors and data resources. This integration facilitates the analysis of access path usage, aiding in the identification of underutilized or infrequently accessed pathways within the access-graph structure. The data schema 232 within the data management server 130 provides a framework for data standardization, analysis, and optimization across various downstream applications.

[0061] Without the loss of generality, however, in this disclosure, a data resource may simply refer to a resource or a resource instance unless the two concepts are specifically distinguished. Likewise, a general use of the resource node may refer to either the resource node or a resource instance node.

[0062] While graph objects that are defined according to a data schema 232 are described, the data management server 130 may also create other types of data objects 240. The generation of various data objects 240 may include querying various events from the raw data and selecting the attributes based on a predefined data schema 232. A data objectAttorney Docket No.: 40671-65316created may include the attributes and an identifier signifying the instance of the data obj ect. The data objects 240 of the same type may be stored in a data table that may be queried and sorted structurally based on the attributes of the type of data objects 240.

[0063] The generation of data objects 240 in the data transformation stage 230 may include the data management server 130 querying the raw data based on one or more attributes as defined by the data schema 232. For example, one type of data objects 240 may be account objects that have attributes such as user_name, email, title, accountType, creationDate, lastModifiedDate, etc. The data management server 130 may generate one or more queries to the raw data store 214 for the metadata from various workspace data sources 120 and capture accounts that have one or more of those attributes. In another example, another type of data objects 240 may be activity objects that have attributes such as sourceName, sourceRole, creationDate, lastModifiedDate, activity, etc. The data management server 130 may generate one or more queries to the raw data store 214 for the metadata from various workspace data sources 120 and capture activities that are performed on one or more data objects. In yet another example, the type of data objects 240 may be data resource objects that have attributes such as applicationName, applicationRole, createdDate, lastModifiedDate, userLicenselD, userLicenseStatus, lastActivity, etc. The data management server 130 may generate one or more queries to the raw data store 214 for the metadata from various workspace data sources 120 and capture data resources according to the queries and attributes. In some embodiments, data objects 240 may also include edges that record the connections between two data objects. The data management server 130 may generate one or more queries to identify relationships between various data objects 240. The created data objects may be arranged by types in various one or more object tables 236 and the data objects 240 and corresponding object tables 236 may be stored in the data store 242 as standardized object models. Data objects 240 from different domains or different organizations may be separately stored.

[0064] The data transformation stage 230 may also include data enrichment before data objects 240 are stored. Data enrichment may involve augmenting the existing data with additional information sourced from various external or internal data sources. The additional information may include demographic data, geospatial data, historical trends, or customer behavior patterns. By way of example, the raw data may include internet protocol (IP) addresses. The data management server 130 may connect to an external database to determine the geolocation of an IP address and also any corresponding transmissionAttorney Docket No.: 40671-65316identification information associated with the IP address. The raw data may also include email addresses. The data management server 130 may determine various header information of the email addresses. Other suitable enrichment may include identifying the nature of a data instance and querying any suitable external databases (e.g., public, authority, government, and other available databases) to add one or more attributes to the data that are not originally presented in the raw data. In some embodiments, the data management server 130 may also have heuristics or other algorithms to analyze the data to enrich the raw data to generate one or more attribute values of the output data obj ects 240 in the data transformation stage 230.

[0065] In some embodiments, the data transformation stage 230 may include a risk analysis 238 that may analyze either or both the raw data and the data objects 240. The risk analysis 238 may take the form of a risk level review that identifies high-risk activities, such as usual accesses, exercised recently. The risk level analysis may also take the form of an overall risk score that may change over a period of time. In remedying the identification of a high-risk activity, the data management server 130 may provide an alert and suggest action for the organization 110 to address the high-risk activity. In some embodiments, for a high overall risk score, the data management server 130 may provide suggestions and identify specific activities or data resources that are related to the high-risk score.

[0066] The data objects 240 stored in the data store 242 may serve as standardized object models for the data management server 130 to perform various downstream applications, such as the generation of composite graphs, further risk analysis, data access management, and revocation, data management policy identification and enforcement, and other features of the data management server 130 that are described in this disclosure.

[0067] The third stage in the data management pipeline of the data management server 130 may be the data operationalization stage 250. The data objects 240 may be further organized and transformed into the application-ready stage. This stage may optimize the data so that the data is ready for dow nstream application consumption. Depending on the type of downstream application, the data operationalization stage 250 for each downstream application may be different.

[0068] By w ay of example, one downstream application may be the display and generation of data access composite graphs. In some embodiments, there may be two formats of storage, which are graph database and document database. The data objects 240 in the data store 242 may be converted into graph obj ects that are comparable to a graph databaseAttorney Docket No.: 40671-65316architecture that will serve for graph visualization, graph network queries and implementations of graph network analysis algorithms. The data objects 240 in the data store 242 may also be analyzed by one or more algorithms to generate summary reports that are optimized to provide high-performance access to report pages (such as access utilization, risk summary, etc.) in the document database. In the data operationalization stage 250, the data management server 130 may also store organizational customer data, such as session data, preferences, configurations, etc., and use the customer data to render the graphs and reports. The final results may be rendered in the web application 260, which may be an example of application 154 in FIG. 1. For data access graph rendering, the data management server 130 may use a graph engine 280, such as one or more graph platform API, to render the graphs based on the node and edge objects stored as part of the data objects 240.

[0069] Combining the various stages, the data management server 130 may include the following features in some embodiments. For example, the data management server 130 may provide scalable onboarding with supported applications. Adding new customer instances (a new workspace or a supported application in a workspace) may be configuration-driven. The data management server 130 may perform by updating metadata definition in the ingress stage (connector metadata). Other pipeline stages and processing should be auto-provisioned and triggered automatically.

[0070] The data management server 130 may also provide application features agility. The data management server 130 provides wrapping of external heterogeneous schemas to transform into a standardized object model to decouple applications features development from various external workspace data sources 120. Applications can build features on top of the standardized object model agnostic to underlying SaaS application-specific raw data or changes in risk processing algorithms. When the system introduces new user-facing features in user-facing applications - like new filters, reports, network graph visuals, etc., the sy stem adopts the changes with minimal changes in the final stage only.

[0071] The data management server 130 may also be observability-ready. Each data connector 212 and data ingression pipeline instance may be implemented as per workspace, per application instance in a workspace. This provides observability to track the status and history of each data pipeline instance. This may also provide logging for single pipeline instances run for diagnostics and alerting capability on pipeline failure. The data operationalization stage 250 may provide the following observability features, such as a dashboard to get the status of each pipeline, last execution details (timestamp, success.Attorney Docket No.: 40671-65316failure, data processed statistics), an alert on the failure of any stage on a data pipeline instance, and a way to review the logs of specific data pipeline instances run for diagnostic purposes.

[0072] The data management server 130 may also provide a standardized new SaaS applications onboarding, which follows a standard implementation process for integration. Implementation work may establish a new implementation of a data connector 212 in the data ingression stage 210 and new data processing in risk analysis and data transformation implementation in the data transformation stage 230. The data operationalization stage 250 with application-specific logic (reports, graph analysis) in turn works transparently.EXAMPLE DATA MODEL SCHEMA

[0073] FIG. 3 is an example of a data schema 232 that may be used by the data management server 130, in accordance with some embodiments. In some embodiments, the data schema 232 may be an abstract layer of various schema formats of various applications. Application logic may be built on the data schema 232, which enables the data management server 130 to support a common set of adaptive access features across various downstream applications in the data operationalization stage 250.

[0074] In some embodiments, the common data schema 232 allows the data management server 130 to ingest heterogeneous data models of identity and access management (IAM) schemas, rules, and events from various workspace data sources 120 and transform the data into a common knowledge graph data model that contains objects (nodes) and relationships (edges). In the data transformation stage 230, the data management server 130 may identify the common access graph entities (ApplicationAccount. UserGroup, role, resource, and Resourceinstance).

[0075] In some embodiments, the object model for the data objects 240 according to the data schema 232 may have multiple entities. Examples of the objects include identify, ApplicationAccount. UserGroup, resource, AccessTo, etc. Each object may be a type of node that may be used by the data management server 130 in generating a data access graph. In some embodiments, the various types of objects may have one or more relationships related to other types of objects or the same types of objects (e.g., sub-types). For example, the identity object may be derived from the identity system and represent a named entity. Each identity can have one or more ApplicationAccounts. ApplicationAccount can have membership to one or more UserGroup and / or roles. UserGroup can be nested. UserGroupAttorney Docket No.: 40671-65316can have child UserGroup. A UserGroup can be a member of one or more roles. Roles can be nested. Roles can have child roles. Roles can have permission to one or more data resources. The relationship between an Application Account and a resource may be specified by an AccessTo data object that specifies the role that has access permission to the resource.

[0076] An identity account may represent a unique identity in the data management server 130. An identity account may be a uniquely identifiable identity that represents a named entity within an organization. If a w orkspace data source 120 is an identity system, the data management server 130 may use the identity from the identity system to represent the account. When other workspace data sources 120 (e.g., other SaaS applications) are onboarded before identity system onboarding, the data management server 130 may use employee emails as identifiers of the accounts.

[0077] An ApplicationAccount node (e.g., an account node) may be used to uniquely identify an account in a software application such as a SaaS platform. A named entity identified by an identity account can have multiple ApplicationAccounts in different software applications. For example, an employee can have a first application account in SaaS platform A and a second application account in SaaS platform B.

[0078] A UserGroup node may be a collection of users who can be assigned to a role. A UserGroup allows an organization 110 or a software platform to manage permissions for a specific set of users. Users can be added or removed in a UserGroup nodes. For example, in a data model of an example workspace data source 120. a “profile” may be equivalent to the user group. Other SaaS applications may have a first-class concept of user groups in their object model. The data management server 130 may translate these types of access management data from the w orkspace data source 120 to the object model of the data management server 130 in the data transformation stage 230.

[0079] A role node may be a collection of permissions that can be assigned directly or indirectly to individual users (ApplicationAccount) or a user group. For example, in one SaaS platform, “PermissionSet” and “PermissionSetGroup” may be mapped to the role node in the data management server 130. Roles can be nested where a super role can contain other roles, in that case, the child role permissions may also be applied to parent role permissions.

[0080] A data resource node may be a unique identifier of a data resource that is being protected by permissions in a workspace data source 120, such as an access control system. A data resource can be a database table, an object, a record, a document, an application, a data instance, etc. A data resource is an instance that may require permission to access. InAttorney Docket No.: 40671-65316some embodiments, the data management server 130 may only ingress information (e.g., metadata) that uniquely identifies the data resource but not the actual content or data belonging to the data resource. In some embodiments, the data management server 130 may include an application node that represents a software application such as a SaaS platform.

[0081] In some embodiments, the data management server 130 may also store various edge objects based on the data schema 232. The data management server 130 may include object relationships such as “folder contains files” on the data schema 232 which may be translated to edge objects. Edge objects may include a HasApplicationAccount edge that establishes the relationship between an identity account and an ApplicationAccount node. An identity may be the owner of multiple application accounts.

[0082] Edge objects may also include a MemberOf edge that establishes the relationship between an ApplicationAccount node and a UserGroup node, between a UserGroup node and a role node, and a UserGroup node and another UserGroup node, a role node and another role node, etc. This defines the member relationship among the accounts, groups, and roles in a workspace. In some embodiments, the “MemberOf’ relationships may be provided by IAM service providers 170.

[0083] Edge objects may also include an AccessTo edge that represents permission to a data resource. The AccessTo edge may also include additional boolean attributes to identify the level of permissions enabled by this edge. In some embodiments, edge object may also include EntitledTo and SyncsWith edges that represent various types of permission to an application.

[0084] Each type of data object (node objects or edge objects) may be associated with one or more attributes. Some attributes may be mandatory for the data object type while other attributes may be optional. The attributes shown in FIG. 3 are examples only and each data object type may have additional, fewer, or different attributes. Some of the attribute fields can be a nested field that refers to another object type. For example, the AccessTo object may have a role attribute and a resource attribute to identify which role has access permission to which data resource. Different workspaces may be associated with different prefixes to distinguish the workspace.

[0085] In some embodiments, the nodes or edges may include one or more of the following common attributes in the table below. These attributes are merely examples and the data schema 232 may include other attributes as defined by the data management server 130.Attorney Docket No.: 40671-65316Property Type DescriptioncreatedBy string Identifier of the creator of the nodecreatedDate DateTime Timestamp of the node creationenabled boolean Is this node activelastModifiedBy string Identifier of the last modifier of the node lastModifiedDate DateTime Timestamp of the node's last updatedisplayName string Display string of the object representation in UI nodelD string Internal elementID of the node in a graph database uniquelD string A unique identifier generated during ingestion to uniquely identify a node.

[0086] The data schema 232 may serve to standardize heterogeneous data definitions sourced from different workspace data sources 120, unifying the data into a cohesive representation of access-graph objects, their relationships, events, and associated risks. In some embodiments, the data schema 232 may adopt a network graph model to depict the object structure, where elements are nodes, and the corresponding interactions and connections manifest as edges within a network graph that may be referred to as the access graph.

[0087] The data schema 232 of the access graph, presented in a network graph representation, enables applications to execute various graph theory algorithms. These algorithms encompass path identification, cluster discovery, source-to-destination navigation, etc. This allows the data management server 130 to comprehend the behavior of identity and access configurations, evaluate risk, and assess the impact of changes within the graph structure over time. For example, the access graph data objects may be versioned and time-stamped such that the access graph may be generated as a time series of access graphs. Users reviewing the graph may go back in time to determine the change in access permission, data management, and access activities over time. In some embodiments, the data management server 130 may provide a graph user interface that provides a time scale for users to select the timing in a time series.Attorney Docket No.: 40671-65316

[0088] An example definition of the object model according to a data schema 232 may focus on the representation of data asset classes (resources) and the identification of distinct, granular instances of singular data assets (termed resource instances). This unique representation enables the mapping of permissions and events to both the broader class of data assets (resources) and the specific individual instances (resource instances) for analytical purposes. For instance, in certain workspace data sources 120, users can share tables and individual records within those tables. In the corresponding model according to the data schema 232, the table may be represented as a resource, encompassing all records within the table, while the records themselves are defined as resource instances. Consequently, an edge in the network graph representing permission (AccessTo) can link to the resource when the permission pertains to all records, whereas a permission edge connecting to a resource instance node signifies permissions applicable to an individual record within the table. This versatile model facilitates the representation of diverse asset types and their instances within a unified object model.

[0089] FIG. 4 is a conceptual diagram illustrating an access graph 400 that connects nodes by edges that may take the form of vectors, in accordance with some embodiments. The data model may be a directed graph. Multiple nodes may be connected to form a composite vector. The data store 242 that stores the data objects 240 may take the form of a unified repository of identity, access policies, and events in a graph database. The data store 242 may store data objects 240 as node objects and edge objects.

[0090] The node and edge objects, when connected, may represent an access graph 400 that illustrates the data permission of a named entity to various data resources. For example, the access graph 400 may include an identity account 410, one or more application account nodes 420, one or more user group nodes 430, one or more role nodes 440, and one or more data resource nodes 450. Each type of nodes may include its own set of attributes. For illustration, not all values of the attributes are shown in FIG. 4. The data management server 130 may identify any data permission traversal path that traverses between an identity account 410 (or an application account node 420) and a data resource node 450 to identify data permission between a named entity and a data resource. By way of example, the identity account 410 may have different application accounts for SaaS platform A and SaaS platform B (each may be an example of a workspace data source 120). The application accounts may be represented by the application account nodes 420. For the application account node 420 of the SaaS platform A, the application account may belong to one or more user groups and oneAttorney Docket No.: 40671-65316or more roles, which may be represented by the user group nodes 430 and the role nodes 440. A role may have access permission to one or more data resources that are represented by the one or more data resource nodes 450.

[0091] The data management server 130 may generate node objects and edge objects through queries. The data management server 130 may use structured queries (e.g., structured query language (SQL) queries) to classify data ingested from workspace data sources 120 (e.g., customer’s SaaS platform’s data) into one or more nodes and / or one or more edges based on queries on the attributes (e.g., as reflected in the metadata). For node objects, the data management server 130 may query the raw data store 214 to identify node objects that fit the attributes defined in the data schema 232. The data management server 130 may build queries specific to each workspace data source 120 because each workspace data source 120 has a different metadata format and fields for storing the metadata. For the edge objects, the data management server 130 may query the raw data store 214 and / or attributes in the node objects to identify connections between nodes. Edges may include identify -to-application-account edge, role-member edge, access-to edge, and user-group-member edge, etc., as illustrated in FIG. 3. Each edge may include a unique identifier for the edge, a first node attribute and a second node attribute together serving as an identification of the connection, and one or more other attributes that signify the natures of the edges. For example, access-to edges may have attributes on the type of access. Alternatively, instead of being an edge, the access-to object may also be a node.EXAMPLE EVENT NODES

[0092] In some embodiments, the data objects 240 according to the data schema 232 may include incorporating data events (e.g., user activities such as accessing or modifying the data) as data objects. Those event data objects and the corresponding associations may be incorporated into the access-graph framework. A standard access event may include an actor (e.g., a named entity represented by an identity or an application account) and a subject (a resource or resource Instance) on which the activity occurs. The data management server 130 may represent these activities as nodes within the access graph, establishing relationships between the actor and subject. As the access graph encompasses various connecting pathways between actors and subjects, the 130 may analyze the frequency of access path usage and identify underutilized or infrequently used paths within the access graph structure.

[0093] In some embodiments, event data ingestion may use the same data ingestionAttorney Docket No.: 40671-65316pipeline illustrated in FIG. 2. The data management server 130 may import events as nodes. In some embodiments, the event nodes may be with minimum required attributes and full details of scalar data for events may remain outside of the node objects for memory optimization. The data transformation stage 230 may generate two or more types of event tables. In some embodiments, the first type of event table may be a table for resource access events. The table may contain a list of events with reference to the actor (e.g., an ApplicationAccount node) and acted on node (a resource node) with timestamp and operation performed in the event. The second type of event table may be a table for activity risk detail, which may be a table that contains other attributes related to events. The second type of table allows tabular queries and includes detailed information about the events, such as data that are not stored as part of the event graph objects. An event identifier may be used for both tables to reference an event.

[0094] By modeling the events, the data management server 130 may perform various analyses related to data events and sequences of events. For example, the data management server 130 may identify and build timeseries of events related to specific actor nodes and data resource nodes that have past events. The data management server 130 may also build a time series of overall events and identify7the impacted nodes in the time period. In some embodiments, a resource access event may include the information of the source node (e.g., actor) and the destination node (the data resource or resource instance). In some embodiments, a resource access event may include a list of events with reference to actor (ApplicationEndpoint node) and acted on (Resource / Resourcelnstance) with timestamp and operation performed in the event. The data management server 130 may in turn generate an access graph to allow the detection of possible paths traversing the event. Events can have relationships, such as the sequence of events belonging to a session or generated from specific endpoints. Mapping Event nodes allows the data management server 130 to establish a knowledge base for event relationships.

[0095] FIG. 5 is a conceptual diagram illustrating relationships of events between a source node and a destination node in an example access graph 500, in accordance with some embodiments. The access graph 500 may include a source node, which is an application account node 510. The access graph 500 may also include a destination node, which is a resource instance node 520. In the access graph 500, the application account node 510 and the resource instance node 520 may be connected through one or more access permission traversal paths and access event paths. The connection edges in each path may be referred toAttorney Docket No.: 40671-65316as vectors.

[0096] In some embodiments, an example access permission traversal path may connect the application account node 510 indirectly to a resource instance node 520 by traversing a plurality of intermediate object nodes. For example, the application account node 510 may be a member of a user group node 530 and the user group node 530 is a member of the role node 540. The role represented by the role node 540 may have access permission to the data resource represented by resource instance node 520. The access permission may be represented by the AccessTo edges. As such, the application account node 510 and the resource instance node 520 are indirectly connected through one or more object nodes 530 and 540. In some embodiments, an application account node 510 may have one or more reasons why access permission is granted for the application account to access a data resource. As such, more than one access permission traversal path may be recorded in the access graph. While the access permission traversal path illustrated in this example involves multiple intermediate nodes, in some cases an access permission traversal path may include only the source node and the destination node.

[0097] The activities represented by the access graph 500 may include access events to resources controlled by one or more particular applications and login events to the one or more particular applications. For example, an application account may access an application by simply logging to the application without accessing any resource controlled by the application; alternatively, resource access event is identified as user activity performed on a given resource instance, such as. viewing, updates, creating new resource instance, deletion of existing resource instance and the like. The data management server 130 may store a plurality of event nodes 550a, 550b, and 550c (collective event nodes 550 or individually event node 550) that have direct connections between the application account node 510 and resource instance node 520. Each path traversing the application account node 510, one of the event nodes, and the resource instance node 520 may be an access path. Each event node 550 may include attributes that specify the information related to the access event, such as the AccessType attribute that signifies the event is a deletion of the data resource represented by the resource instance node 520, a modification of the data resource, and a read of the data resource. Each event node 550 may also be timestamped. For example, the event node 550 may be timestamped for individual event or aggregated for a time range (e.g., per hour, day, or week, etc.). In some embodiments, there can be anywhere between zero to many access paths between the application account node 510 and the resource instance node 520. ForAttorney Docket No.: 40671-65316example, if the application account does not have any access event to the application, there can be zero access path even though the application account node 510 and the resource instance node 520 are connected by an access permission traversal path. In some embodiments, the application account may frequently access the data resource. In turn, a large number of event nodes 550 may be stored.

[0098] The data management server 130 may aggregate the number and the type of access events to display the access nature of an application account to an application. In some embodiments, an access graph may be a weighted graph to represent activity level of the access activities. In one instance, an edge contains a property “accessEventCounf that represents the number of times that access path is exercised, e.g., “accessEventCounf ’ with zero value indicates that this path is not exercised at all. For example, if no access event is detected, the data management server 130, in a front-end graphical user interface, may show a dashed line between the application account node 510 and resource instance node 520. Any line, solid or dashed, may signify the presence of a data permission traversal path. The dashed line may signify there is no access event detected. In some embodiments, a solid line may be presented to signify there are access events such as event nodes 550 detected. The thickness of the solid line may be commensurate with application access activity level aggregated by the application account node 510. In some embodiments, the “accessEventCounf’ value may be a dynamic value and associated with a time period of the access graph, and / or activities associated with selected nodes. For example, if an accessgraph is representing the last 30 days of data between a specific user X and resource instance a (Ria) and resource instance b (Rib), then the “accessEventCounf in the access graph will be weights of the activities performed by user X related to resource instances Ria and Rib.

[0099] In some implementations, the data management server 130 may provide an event mapping approach where events are represented as nodes in the graph with edges pointing to the source and destination nodes of the event. In some instances, event node 550 maintains information and attributes graph analysis, such as event timestamp, type of operation performed, actor who initiated the event, and data resource instance impacted by the event. Event attribute may include a pointer attribute to ApplicationAccount and a pointer to AccessEventlnstance, EventTimestamp. and type of operation (create, read, update, delete) of the event. In some embodiments, more attributes may be added. In some embodiments, only required event data attributes for rendering a graph are stored as part of the event nodes and other scalar event attributes may be maintained outside the graph objects.Attorney Docket No.: 40671-65316EXAMPLE EVENT BASED IMPLEMENTATIONS

[0100] FIG. 6 is a conceptual diagram illustrating using an example access graph to determine a type of permission that is granted to a named entity, in accordance with some embodiments. An access graph has node types (such as, named entity, account, applicationAccount, userGroup, role, application) and edges (such as, HasApplicationAccount, Memberof, AccessTo, etc.). Further, permissions and roles also may be assigned. Access permission may be represented as AccessTo edges directed to application nodes. In some embodiments, a type of the access permission may be indicated with the corresponding AccessTo edge.

[0101] As shown in FIG. 6, the access graph 600 may include a source node, which is a named entity node 610. The named entity node 610 (e.g., person) may be connected to one or more entity node representing entities of a person identified by identity providers (IdPs), such as the entity node 620a and 620b. The connections between the named entity node 610 and the entity nodes 620a and 620b indicate that the person represented by named entity node 610 has access to entity nodes 620a and 620b. The access graph 600 may also include one or more destination nodes, such as application node 640a, application node 640b, application node 640c and the like. In some embodiments, the access graph 600 may further include one or more user group nodes, such as user group node 630a (UserGroup id 2), user group node 630b (UserGroup id 23), user group node 630c (UserGroup id 1), user group node 630d (UserGroup id 21), etc. In the access graph 600, the entity node 620a and the application node 640b may be connected through one or more access permission traversal paths and access event paths, e.g., via user group node 630a and user group node 630b.

[0102] In some embodiments, an edge connecting and pointing to an application node may indicating the application node includes at least one access event from the edge, and the application node may be viewed as an access event node. The data management server 130 may traverse one or more access paths that connect the named entity node and the access event node. The data management server 130 may identify at least one account that is along the one or more access paths, and determine, based on the at least one account node, a type of permission granted to the named entity for accessing the application. In one instance, as shown in FIG. 6, one or more access paths that connect the named entity node 610 and application node 640b may be identified based on the access graph 600, which indicate that the person represented by the named entity node 610 is granted with permissions granted to the named entity for accessing the application that is represented by the corresponding accessAttorney Docket No.: 40671-65316event node / application node 640b. For example, the named entity' node 610 is connected to entity node 620a, indicating that the person represented by the named entity node 610 has an application account represented by the entity node 620a. Between the entity node 620a and the application node 640b, at least two access paths are identified. In one path, the entity node 620a is directly connected to the application node 640b, indicating that the entity node 620a is granted with a standard permission to the application node 640b, and the permission type may be determined as a ’'Standard ’ permission. In the other path, the entity node 620a is connected to the application node 640b via the user group node 630a and the user group node 630b. Traversing this access path, the named entity having the entity node 620a is identified as a member of the User Group 2 that is represented by the user group node 630a, and the User Group 2 represented by the user group node 630a is a member of the User Group 23 which is represented by the user group node 630b. The user of the User Group 23 represented by the user group node 630b has an “Admin” permission to the application node 640b. Therefore, traversing this access path, the named entity represented by named entity¬ node 610 having the entity node 620a gains a permission to the application represented by the application node 640b is via membership and the corresponding permission type is an “Admin” permission.

[0103] In some embodiments, identities and entitlements (permission to access) of some applications may be federated to external identity providers (IdPs). An IdP may refer to a trusted entity that creates, maintains, and manages identity information for users and provides authentication services to applications within a federation or distributed network. An IdP may be responsible for validating user credentials and issuing assertions that confirm the user’s identity to other applications and services. An IdP may be a component and / or service provided by an TAM service provider 170. In some implementations, the TAM service provider 170 provides a complete identity and access management solution (e.g., user lifecy cle management, roles and permissions), and the IdP is the part that handles the authentication process and issues identity tokens. In some embodiments, an application may include a software delivery- model in which an application is hosted by a service provider or vendor and made available to customers over the internet. For example, for a software as a service (SaaS) application, instead of purchasing and installing softw are on individual computers or servers, users can access SaaS applications via a yveb browser, often on a subscription basis. In some embodiments, the IdPs may act as central identity management solutions for these applications used by the company, offering services for user and groupAttorney Docket No.: 40671-65316management as well as authentication.

[0104] In some embodiments, the IdPs may support single sign-on (SSO) authentication process, which allows a user to access multiple applications with one set of login credentials. In some embodiments, a system for cross-domain identity management (SCIM) may be used to simplify the process of managing user identities across different systems by enabling standardized provisioning, de-provisioning, and synchronization of user data. An SCIM is an open standard protocol designed to automate the exchange of user identity data between identity domains, systems, and sendee providers. An SCIM may work alongside IdPs to provision and synchronize user identities to other systems and service providers. For example, the IdPs that support SCIM may facilitate access to SaaS applications by providing SSO and organizing user permissions through Groups and Roles. This approach allows for streamlined access management, where users gain access to SaaS applications based on their group or role membership.

[0105] In some implementations, the data management server 130 may integrate with the IdPs to query the resources (Users, Groups, and Group membership) to ingest the IdP entitlement access-graph. When integrating with an IdP, the data management server 130 may obtain details such as the list of user groups, group memberships, and application permissions. In some cases, application may act as both IdPs and application owners, the data management server 130 may determine which groups are associated with specific applications to ensure accurate access management. In some embodiments, an IdP group membership may provide entitlements to one or more applications. Therefore, the data management server 130 may identify which applications are enabled for entitlement based on the IdP-managed group. In scenarios where SCIM-enabled applications are part of a federated environment, groups will be synchronized from the IdP. During the integration’s ingress process, the data management server 130 may label whether a group is “IdP-managed” or “application-managed” to maintain clear ownership and avoid conflicts in group management across the platform.

[0106] In some implementations, the access graph 600 may be referred to as an entitlement graph, which is a representation that outlines the entitlements (permissions) that users or entities (such as users, groups, roles, and service accounts) hold within a system. The access graph 600 may be used to illustrate how access rights are assigned and inherited across the organization. In one instance, the access graph 600 may be built based on the relationship from identity to the application account via email address matching. In someAttorney Docket No.: 40671-65316cases, organizations may use multiple IdPs and authentication services for the same employee’s email address.

[0107] In some implementations, when a user is added into an IdpGroup {id: 1 }, the data management server 130 may entitle the user to access applications permitted by this group membership. ApplicationAccounts for the user may be explicit or implicit depending on the corresponding application. For example, when the account is SSO enabled, the account is enabled access to the application. Some SaaS applications save specific information for the user, so they create an entry in their own user list that relates to the user specific settings like profile, explicit permissions etc. In some embodiments, access paths may be added to show the identify to application relationship. As shown in FIG. 6, the path of named entity node 610 - entity node 620a - user group node 630a - user group node 630b - application node 640a is also labeled as (identity )-[: MemberOf*0..10]->(: UserGroup)-[: EntitledTo]->(: Application), which explicitly illustrates how an identity is entitled to a specific application access. In some embodiments, the data management server 130 may provide an implicit relationship between an identify and an application that may be represented as a virtual relationship form.

[0108] FIG. 7 is an example of a graphical user interface 700 provided by the data management server 130, in accordance with some embodiments. In some embodiments, the graphical user interface 700 may allow users to select one or more nodes and / or edges. Based on the user selection, the data management server 130 retrieves relevant nodes, including both end nodes and / or intermediate nodes, and renders the access graph based on the selection. As shown in FIG. 7, the user has selected a named entity 710, applications / resources (such as documents 740a, site assets 740b, etc.). In some implementations, the data management server 130 may identify and retrieve the intermediate nodes between the selected beginning node and end node, and render relevant access paths and the intermediate nodes, such as the application account 720 and user group nodes (e.g., Sales 730a, Sales Permission 730b, Sales 730c, etc.) that are associated with the named entity John Smith. In some implementations, if the user de-selects one of the application accounts, the corresponding access path will disappear from the access graph. Similarly, if the user selects additional nodes such as an additional application node, the access paths related to the selected additional node will be added to the access graph in the graphical user interface 700.

[0109] The graphical user interface 700 provides a visual representation of how frequently specific access paths are used by users or accounts within an organization. In oneAttorney Docket No.: 40671-65316implementation, the data management server 130 may generate this visualization by vary ing the thickness of the edges based on the frequency with which each path is exercised. Each edge represents a potential access path, and the thickness of the edge may directly correspond to the number of times / frequencies this access path has been used. Thicker edges indicate higher usage, showing well-traveled paths, while thinner or non-existent edges represent paths that exist as permissions but have not been actively used. For example, a first path between the node sales 730c and node " Documents” 740a is much thicker than a second path between the node sales 730c and the node “Converted Forms” 740c, indicating that the first path has a higher activity level (e.g., number of times of being used) than the second path.

[0110] In some embodiments, the graphical user interface 700 may provide an immediate visual understanding of access patterns across the organization, e.g., access patterns at the current time. For example, the data management server 130 may present frequently used paths with thick edges, illustrating critical access paths that are essential for day-to-day activities. In some examples, paths with minimal or no usage (thin edges or broken lines) point to permissions that may be redundant or underutilized, indicating potential security risks or areas where permissions may be optimized. The weighted nature of this graph, where the weight corresponds to level of activities (e.g., usage), dynamically illustrates both actual and potential access activity, giving security teams insights into which permissions are actively exercised and which remain dormant.[OHl] With access events mapped in an access graph, the data management server 130 determines the split of the utilization of permissions per user basis. In the access graph, each user’s access to an application may be represented by edges that connect them to the applications they access through their assigned roles or group memberships. By analyzing these edges, the data management server 130 may calculate the utilization split for each permission type across users, and / or the utilization split among different users that having the same permission type. For example, consider a scenario where three users share access to a particular application through an “AccessTo” permission. Each of these users may use this access at different frequencies, some may access the application regularly, while others may use it sparingly or even not at all. To determine this utilization split, each “AccessTo” edge in the access graph may be associated with an attribute, such as counts of access events. This attribute may be used to record how often each user has exercised a particular access path, providing a count of access events for each user-application interaction. By comparing the values of the counts of access events across users who have access to the same application,Attorney Docket No.: 40671-65316the data management server 130 may calculate a utilization ratio for each user with respect to the same type of access, e.g., “AccessTo” edge. This utilization ratio / split indicates each user’s relative frequency of access, distinguishing between frequent, occasional, and rare users.

[0112] In some embodiments, the data management server 130 may determine a utilization ratio of different groups and / or role membership per user basis. To determine the utilization ratio of different group and role memberships on aper-user basis, the data management server 130 may analyze the access graph to determine how frequently each user exercises their permissions relative to others within the same group or role. This ratio provides insight into the distribution and intensity of access patterns for shared permissions, helping to identify which users are heavy users of specific permissions and which ones rarely use them. This breakdown of access utilization is useful in role and permission management. For instance, identifying users who frequently access certain resources may indicate a strong need for continued or even enhanced access. Conversely, identifying users with minimal or rare access usage could prompt a review' of their permissions, as their needs might not justify the level of access currently granted. In some embodiments, the access graph may be used to optimize group and role structures by tracking the utilization ratio. For example, if a subset of users within a group consistently shows high access activities of certain application, this may indicate a need for a more specialized role that provides access tailored to their frequent tasks. In some examples, groups or roles with widespread but low usage may indicate overly broad permissions that may be refined or reduced.

[0113] In some embodiments, the data management server 130 may use the access graph to identify dormant members in a group. For example, the data management server 130 may analyze the relationships and activity levels associated with each user’s permissions in a group. For instance, each named entity in the access graph is connected to their roles or groups through “Memberof edges, which indicate the roles or groups the users belong to and the permissions they hold. The visual illustration of the “Memberof ’ edges in the access provides a clear view' of the roles or groups associated wdth each named entity, helping determine the permissions the named entities should theoretically be able to exercise. The data management server 130 may use the access events illustrated in the access graph to determine whether these permissions are actively used. Each access event in the access graph represents a specific access action taken by a user (e.g., named entity), tied to the permissions granted through their roles or group memberships. By examining the “Memberof edges forAttorney Docket No.: 40671-65316associated access events, the data management server 130 may determine whether a user has utilized their permissions. In one example, there are no access events linked to a “Memberof’ edge associated with a user (e.g., named entity), the data management server 130 may determine that the user has not exercised this permission, indicating at potential dormancy.

[0114] In some embodiments, the '‘Memberof’ edges may include attributes such as, “AccessEventCount,” which may be used to quantify the activity level of the respective edge that connect a user to applications through their roles or groups. This count may indicate how often the respective access path is used. For each user-role relationship, the data management server 130 may determine whether the access paths have a low or zero “AccessEventCount.” If a user’s access paths through their role or group consistently show low or no usage, it may indicate that their permissions are not being actively exercised. These unexercised “Memberof’ edges may be determined as dormant memberships, e.g., situations where a user has access but is not using it. In some embodiments, the data management server 130 may generate a dormant member report based on the identified dormant memberships. This report may list each dormant user and the specific roles or groups they have not utilized, along with details on access frequency or the lack of it. This information may be used to make informed decisions about whether to revoke unused permissions, reassign users to more fitting roles, or adjust role memberships to better align with actual access needs. In some implementations, the dormant member report may be generated periodically to keep permissions in line with real usage, ensuring security and efficiency by minimizing unneeded access.

[0115] In some embodiments, the data management server 130 may use the access graph to identify source and scope of breaches by investigating access activities. For example, by analyzing the time series of access events around the time of an incident, the data management server 130 can trace access events to determine the actors involved, the access permission paths utilized, and the specific resource instances affected. This analysis assists in incident response efforts and helps mitigate potential damage caused by the breach.

[0116] In some embodiments, the data management server 130 may identify unexpected ghost access events. In one example, the data management server 130 may determine where an actor accesses a resource / application without any existing permission traverse path. Such activity may indicate security or access anomalies, highlighting potential unauthorized access or configuration issues that require further investigation. In some implementations, the dataAttorney Docket No.: 40671-65316management server 130 may use machine learning models and / or statistical models to analyze access pattern to determine access pattern anomalies, such as unusual user behaviors. By analyzing these anomalies, organizations may identify signs of security incidents or compromised accounts. For instance, unusual access patterns may include sudden spikes in activity from specific actors, abnormal attempts to access certain resources, or access occurring during odd hours. Detecting these behavior anomalies helps pinpoint irregular access patterns, enabling timely identification of security breaches and potential threats.

[0117] FIG. 8 is an example of a graphical user interface 800 showing a contextual access graph for selected events, in accordance with some embodiments. In some embodiments, the data management server 130 may capture data events with the timestamp of the event, the type of access performed and the actor of the activity. This allows one or more downstream applications in the data operationalization stage 250 for the use of access-graph knowledge base. In some embodiments, the data management server 130 may provide time series activity analysis by a named entity, a group, a resource instance and / or on an application access instance. This downstream application may include identifying activities performed by specific named entities within a defined time window. The data management server 130 may discover access paths, access events, target data resources, and actors involved in these activities. The data management server 130 may also analyze the time series of events performed on data resources and track the resource usage patterns within the same time window. In some embodiments, the data management server 130 may also display a time series of events per Account, Group, Role, Resource, or edges “MemberOf ’ or “AccessTo.” With events mapped in the access-graph data model, the data management server 130 may determine an access path for each event with a timestamp. This can be used to build the timeseries for individual nodes or edges to determine the time series of all activities performed through that node or edge.

[0118] As shown in FIG. 8, the graphical user interface 800 include user interface elements displaying features while users are reviewing the activities in an access graph. The graphical user interface 800 may start with an access graph (e.g., as shown in FIG. 6 or FIG.7), or a dashboard. The graphical user interface 800 is interactable and allows users to select the specific element they want to investigate: account, group, role, resource, application, or a particular edge type such as “MemberOf’ (indicating group or role membership) or “AccessTo” (indicating access events). In some implementations, the graphical user interface 800 may include a selectable / filtering table / panel that enable users to refine their selection byAttorney Docket No.: 40671-65316specific time ranges, frequency (daily, weekly, monthly), or even specific users or access events. When a user selects one or more activities in the table, the graphical user interface 800 may transform from displaying the access path for those activities to displaying the selected features, e.g., activity frequency chart. In FIG. 8, the graphical user interface 800 displays the activity information for different groups. The graphical user interface 800 may provide an aggregate view that shows overall usage patterns, indicating high and low level of access. For instance, FIG. 8 provides a graphical illustration of number of groups with respect to their respective utilization rates. In some implementations, users may interact with (e.g., click, hover over, etc.) data points to see event details, such as the exact timestamp, the ty pe of the action, and the identity of the user or resource involved, giving a granular view of activity. In some implementations, the graphical user interface 800 may graphically illustrate level of activities, for example, using heatmaps that show high-frequency access periods in darker colors, thus providing a quick visual indicator of busy periods versus times of low activity. In another example, a time series for an “AccessTo” edge linked to an application may show daily or monthly peaks, revealing times of heavy use versus periods of inactivity. For each selected node (e.g., a user account, role, or application) or edge (e.g., " MemberOf ’ or ‘’AccessTo”), the graphical user interface 800 may display a time series graph that plots activity events over the specified time range. By building a time series for each node or edge, the graphical user interface 800 enables users to track activity trends, identify peaks and dips in usage, and gain insights into how permissions are utilized across different time periods. EXAMPLE SEQUENCE DIAGRAMS

[0119] FIG. 9 is an example sequence diagram illustrating an example series 900 of interactions among components of the system environment 100 to render an access graph, in accordance with some embodiments. The series 900 illustrated in FIG. 9 represents sets of instructions that may be stored in one or more computer-readable media, such as the memory7of different servers. The instructions, when executed by one or more processors of the depicted entities, cause one or more processors to perform the described interactions. As depicted in FIG. 9, the series 900 may involve the organization 110, a first workspace data source 120 A, a second workspace data source 120B, and the data management server 130. The data management server 130 may include sub-components that are used to perform the series 900, such as the data connectors 212, the data transformer 220, and the graph engine 280. For simplicity, the data connectors 212 and the data transformer 220 in FIG. 9 may7Attorney Docket No.: 40671-65316include the associated data stores. For example, the data connector 212 may include the raw data store 214 and the data transformer 220 may include the data store 242. Those subcomponents are merely examples that are used to illustrate some functionalities of the data management server 130. In various embodiments, the data management server 130 may not contain the precise components shown in the series 900 and the functionalities may be distributed differently than the example shown in the series 900. Also, while the series 900 is illustrated as a sequence of steps, each step in the series 900 may not follow the precise order as illustrated in FIG. 9. One or more steps may also be added, omitted, changed, or merged in various embodiments.

[0120] The first workspace data source 120 A and the second workspace data source 120B are examples of access control systems that are delegated by a domain (organization 110) to control data access of the organization 110 and maintain data access history associated with the organization 110. For example, the first workspace data source 120A and the second workspace data source 120B are two SaaS platforms that provide services to the organization 110. The data managed by the SaaS platforms are part of the data of the organization 110.

[0121] An organization 110 may grant 905 authorizations to the data management server 130 to receive data of the organization 110 from the first workspace data source 120A and the second workspace data source 120B. The data connectors 212 may receive the grant of permission from the organization 110 to receive data from the organization 110. Each data connector 212 may establish an API channel respectively with the first workspace data source 120A and the second workspace data source 120B.

[0122] For example, a data connector 212 may establish 910 connections with the first workspace data source 120 A. In turn, the first workspace data source 120A transmits a first set of data access metadata to the data connector 212. Likewise, another data connector 212 may establish 910 connections with the second workspace data source 120B. In turn, the second workspace data source 120B transmits a second set of data access metadata to the data connector 212. The two sets of metadata are heterogeneous and may include different data fields and may be in different formats.

[0123] The data connectors 212 receive 920 heterogeneous sets of metadata related to the data access history'. For example, a first data connector 212 may receive a first set of metadata arranged in the first format via a first API channel from the workspace data source 120. A second data connector 212 may receive a second set of metadata arranged in the second format via a second API channel from the workspace data source 120. The dataAttorney Docket No.: 40671-65316connectors 212 may store the first set of metadata and the second set of metadata in a common file format, such as in the CSV format.

[0124] The data transformer 220 may generate 930 graph objects generated from the heterogenous sets of metadata. In some embodiments, the data transformer 220 may query the raw data store associated with the data connectors 212 to generate node objects. The queries may be performed to both sets of metadata to generate standardized data objects according to a data schema. For example, the data transformer 220 may generate one or more queries of a node ty pe. The query may include attributes of the node type. The data transformer 220 may perform the one or more queries on the heterogeneous sets of metadata. The data transformer 220 may create one or more graph objects based on query- results that match the attributes from the heterogeneous sets of metadata. For example, the data transformer 220 may identify named entity nodes, account nodes, application nodes, access event nodes, and other graph objects. The named entity node represents a named entity associated with an organization, the account node represents an account that is granted access to an application that is provided by a third party to the organization, t the application node represents the application and the access event node represents an access event to the application. The data transformer 220 may store the one or more graph objects that are generated from the metadata in a data collection. The data collection may be a table that represents the node type and the table may include the node objects that belong to the same type.

[0125] The data transformer 220 may also query’ event data to generate a plurality of event objects. An event may be related to a data access event and associated with a data resource and an application account. The data transformer 220 may also store a plurality7of event objects representing instances of events associated with the access events. The data transformer 220 may also determine the relationships between nodes and store various edge objects.

[0126] The graph engine 280 may query7the node objects. The graph engine 280 may determine one or more access paths that connect between a source node and a destination node. The graph engine 280 may traverse 940 one or more access paths that connect the named entity node and the access event node. In these one or more access paths, the named entity7node is a preceding node, and the access event node is a succeeding node. In some embodiments, each of the one or more paths may include at least one edge connecting the first application account and the first access event node, and a thickness of the at least oneAttorney Docket No.: 40671-65316edge illustrates the respective application access activity level. The graph engine 280 identifies 950 at least one account node that is along the one or more access paths, and determines 960, based on the at least one account node, a type of permission granted to the named entity for accessing the application. In some implementations, the graph engine 280 may identify an accessibility of the named entity to a first application. For example, the graph engine 280 may traverse a path that connects a first application node representing the first application and the named entity node. The named entity node is a preceding node and the first application node is one of the succeeding nodes in this path. The graph engine 280 identifies a first account node that is along the path. Here, the first account node represents the named entity possessing a first account that is granted access to the first application. The graph engine 280 determines a permission utilization of the named entity to the first application based on an application access activity level. In some implementations, the application access activity level is determined based on a number of access event nodes that are connected between the named entity node and the first application node. In some implementations, the graph engine 280 may identify’ that at least one of the one or more paths connecting the first application account node with the first access event node via a set of additional application account nodes. By traversing the at least one path, the graph engine 280 may determine a relationship between the first application account and each application account represented by the respective additional application account node. In some implementations, the graph engine 280 may select a portion of a path of the one or more paths. The selected portion of the path connects to the first access event node and represents an application access activity level via the portion of the path. The graph engine 280 may render for display, at a graphical user interface, a time series of the portion of the path to illustrate a variation of the represented application access activity level in time.

[0127] In some embodiments, the graph engine 280 may render for display, at a graphical user interface, an access graph that illustrates the data permission traversal path from the source node to the application. The data permission traversal path may include an application account node representing a particular application account of the domain. The data permission traversal path may also include an application node. The data permission traversal path may further include a graphical representation of the data permission traversal path representing the particular application account having permission to access the particular application. The graphical representation in FIG. 7 is an edge that has varying thickness. At least a portion of the graphical representation of the data permission traversal path is renderedAttorney Docket No.: 40671-65316according to the data access activity level of the particular application account accessing the particular application. The data access activity level is aggregated from the event objects representing the events of the particular application account accessing the particular application. For example, the access activity level is aggregated from the number of event paths. The graph engine 280 may transmit the rendered access graph to the organization 110 for display.COMPUTING MACHINE ARCHITECTURE

[0128] FIG. 10 is a block diagram illustrating components of an example computing machine that is capable of reading instructions from a computer-readable medium and executing them in a processor (or controller). A computer described herein may include a single computing machine shown in FIG. 10, a virtual machine, a distributed computing system that includes multiple nodes of computing machines shown in FIG. 10, or any other suitable arrangement of computing devices.

[0129] By way of example, FIG. 10 shows a diagrammatic representation of a computing machine in the example form of a computer system 1000 within which instructions 1024 (e.g., software, source code, program code, expanded code, object code, assembly code, or machine code), which may be stored in a computer-readable medium for causing the machine to perform any one or more of the processes discussed herein may be executed. In some embodiments, the computing machine operates as a standalone device or may be connected (e.g., networked) to other machines. In a networked deployment, the machine may operate in the capacity of a server machine or a client machine in a server-client network environment, or as a peer machine in a peer-to-peer (or distributed) network environment.

[0130] The structure of a computing machine described in FIG. 10 may correspond to any software, hardware, or combined components shown in FIGS. 1 and 2. While FIG. 10 shows various hardware and software elements, each of the components described in FIGS. 1 and 2 may include additional or fewer elements.

[0131] By way of example, a computing machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a cellular telephone, a smartphone, a web appliance, a network router, an internet of things (loT) device, a switch or bridge, or any machine capable of executing instructions 1024 that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the terms “machine” and “computer” may also be taken to include any collection of machines that individually orAttorney Docket No.: 40671-65316jointly execute instructions 1024 to perform any one or more of the methodologies discussed herein.

[0132] The example computer system 1000 includes one or more processors 1002 such as a CPU (central processing unit), a GPU (graphics processing unit), a TPU (tensor processing unit), a DSP (digital signal processor), a system on a chip (SOC). a controller, a state machine, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or any combination of these. Parts of the computing system 1000 may also include a memory 1004 that stores computer code including instructions 1024 that may cause the processors 1002 to perform certain actions when the instructions are executed, directly or indirectly by the processors 1002. Instructions can be any directions, commands, or orders that may be stored in different forms, such as equipment-readable instructions, programming instructions including source code, and other communication signals and orders. Instructions may be used in a general sense and are not limited to machine-readable codes. One or more steps in various processes described may be performed by passing through instructions to one or more multiply-accumulate (MAC) units of the processors.

[0133] One or more methods described herein improve the operation speed of the processor 1002 and reduce the space required for the memory 1004. For example, the database processing techniques described herein reduce the complexity of the computation of the processor 1002 by applying one or more novel techniques that simplify the steps in training, reaching convergence, and generating results of the processors 1002. The algorithms described herein also reduce the size of the models and datasets to reduce the storage space requirement for memory 1004.

[0134] The performance of certain operations may be distributed among more than one processor, not only residing within a single machine, but deployed across a number of machines. In some example embodiments, the one or more processors or processor-implemented modules may be located in a single geographic location (e.g., within a home environment, an office environment, or a server farm). In other example embodiments, one or more processors or processor-implemented modules may be distributed across a number of geographic locations. Even though the specification or the claims may refer to some processes to be performed by a processor, this may be construed to include a joint operation of multiple distributed processors. In some embodiments, a computer-readable medium comprises one or more computer-readable media that, individually, together, or distributively, comprise instructions that, when executed by one or more processors, cause a processorAttorney Docket No.: 40671-65316(including in situation of one or more processors) to perform, individually, together, or distributively, the steps of the instructions stored on the one or more computer-readable media. Similarly, a processor comprises one or more processors or processing units that, individually, together, or distributively, perform the steps of instructions stored on a computer-readable medium. In various embodiments, the discussion of one or more processors that carry out a process with multiple steps does not require any one of the processors to carry out all of the steps. For example, a processor A can carry out step A, a processor B can carry out step B using, for example, the result from the processor A, and a processor C can carry out step C, etc. The processors may work cooperatively in this type of situation such as in multiple processors of a system in a chip, in Cloud computing, or in distributed computing.

[0135] The computer system 1000 may include a main memory 1004, and a static memory 1006, which are configured to communicate with each other via a bus 1008. The computer system 1000 may further include a graphics display unit 1010 (e.g., a plasma display panel (PDP), a liquid crystal display (LCD), a projector, or a cathode ray tube (CRT)). The graphics display unit 1010, controlled by the processor 1002, displays a graphical user interface (GUI) to display one or more results and data generated by the processes described herein. The computer system 1000 may also include an alphanumeric input device 1012 (e.g., a keyboard), a cursor control device 1014 (e.g., a mouse, a trackball, a joystick, a motion sensor, or other pointing instruments), a storage unit 1016 (a hard drive, a solid-state drive, a hybrid drive, a memory disk, etc.), a signal generation device 1018 (e.g., a speaker), and a network interface device 1020, which also are configured to communicate via the bus 1008.

[0136] The storage unit 1016 includes a computer-readable medium 1022 on which is stored instructions 1024 embodying any one or more of the methodologies or functions described herein. The instructions 1024 may also reside, completely or at least partially, within the main memory 1004 or within the processor 1002 (e g., within a processor’s cache memory) during execution thereof by the computer system 1000, the main memory 1004 and the processor 1002 also constituting computer-readable media. The instructions 1024 may be transmitted or received over a network 1026 via the network interface device 1020.

[0137] While computer-readable medium 1022 is shown in an example embodiment to be a single medium, the term “computer-readable medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, or associated cachesAttorney Docket No.: 40671-65316and servers) able to store instructions (e.g., instructions 1024). The computer-readable medium may include any medium that is capable of storing instructions (e.g., instructions 1024) for execution by the processors (e.g., processors 1002) and that cause the processors to perform any one or more of the methodologies disclosed herein. The computer-readable medium may include, but not be limited to, data repositories in the form of solid-state memories, optical media, and magnetic media. The computer-readable medium does not include a transitory medium such as a propagating signal or a carrier wave.ADDITIONAL CONSIDERATIONS

[0138] The foregoing description of the embodiments has been presented for the purpose of illustration; it is not intended to be exhaustive or to limit the patent rights to the precise forms disclosed. Persons skilled in the relevant art can appreciate that many modifications and variations are possible in light of the above disclosure.

[0139] Any feature mentioned in one claim category, e.g. method, can be claimed in another claim category', e.g. computer program product, system, or storage medium, as well. The dependencies or references in the attached claims are chosen for formal reasons only. However, any subject matter resulting from a deliberate reference back to any previous claims (in particular multiple dependencies) can be claimed as well, so that any combination of claims and the features thereof is disclosed and can be claimed regardless of the dependencies chosen in the attached claims. The subject matter may include not only the combinations of features as set out in the disclosed embodiments but also any other combination of features from different embodiments. Various features mentioned in the different embodiments can be combined with explicit mentioning of such combination or arrangement in an example embodiment or without any explicit mentioning. Furthermore, any of the embodiments and features described or depicted herein may be claimed in a separate claim and / or in any combination with any embodiment or feature described or depicted herein or with any of the features.

[0140] Some portions of this description describe the embodiments in terms of algorithms and symbolic representations of operations on information. These operations and algorithmic descriptions, while described functionally, computationally, or logically, are understood to be implemented by computer programs or equivalent electrical circuits, microcodes, or the like. Furthermore, it has also proven convenient at times, to refer to these arrangements of operations as engines, without loss of generality. The described operations and theirAttorney Docket No.: 40671-65316associated engines may be embodied in software, firmware, hardware, or any combinations thereof.

[0141] Any of the steps, operations, or processes described herein may be performed or implemented with one or more hardware or software engines, alone or in combination with other devices. In some embodiments, a software engine is implemented with a computer program product comprising a computer-readable medium containing computer program code, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described. The term “steps'’ does not mandate or imply a particular order. For example, while this disclosure may describe a process that includes multiple steps sequentially with arrows present in a flowchart, the steps in the process do not need to be performed in the specific order claimed or described in the disclosure. Some steps may be performed before others even though the other steps are claimed or described first in this disclosure. Likewise, any use of (i), (ii), (iii), etc., or (a), (b), (c), etc. in the specification or in the claims, unless specified, is used to better enumerate items or steps and also does not mandate a particular order.

[0142] Throughout this specification, plural instances may implement components, operations, or structures described as a single instance. Although individual operations of one or more methods are illustrated and described as separate operations, one or more of the individual operations may be performed concurrently, and nothing requires that the operations be performed in the order illustrated. Structures and functionality7presented as separate components in example configurations may be implemented as a combined structure or component. Similarly, structures and functionality presented as a single component may be implemented as separate components. These and other variations, modifications, additions, and improvements fall within the scope of the subject matter herein. In addition, the term “each” used in the specification and claims does not imply that every or all elements in a group need to fit the description associated with the term “each.” For example, “each member is associated with element A” does not imply that all members are associated with an element A. Instead, the term “each” only implies that a member (of some of the members), in a singular form, is associated with an element A. In claims, the use of a singular form of a noun may imply at least one element even though a plural form is not used.

[0143] Finally, the language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the patent rights. It is therefore intended that the scope of the patent rights beAttorney Docket No.: 40671-65316limited not by this detailed description, but rather by any claims that issue on an application based hereon. Accordingly, the disclosure of the embodiments is intended to be illustrative, but not limiting, of the scope of the patent rights.

Claims

Attorney Docket No.: 40671-65316WHAT IS CLAIMED IS:

1. A computer-implemented method, comprising:establishing connections with a plurality of access control systems, the access control systems delegated by a domain to control data access of the domain and maintain data access history associated with the domain;receiving, from the plurality of access control systems, heterogeneous sets of metadata related to the data access history;generating graph objects from the heterogenous sets of metadata, the graph objects comprising (1) a named entity node, (2) an account node, (3) an application node, (4) an access event node, wherein (1) the named entity node represents a named entity associated with an organization, (2) the account node represents an account that is granted access to an application that is provided by a third party to the organization, (3) the application node represents the application and (4) the access event node represents an access event to the application; traversing one or more access paths that connect the named entity node and the access event node, the named entity node being a preceding node and the access event node being a succeeding node in the one or more access paths; identifying at least one account node that is along the one or more access paths; and determining, based on the at least one account node, a type of permission granted to the named entity for accessing the application.

2. The computer-implemented method of claim 1, further comprising:identify ing an accessibility of the named entity to a first application, wherein identifying the accessibility of the named entity to the first application comprises:traversing a path that connects a first application node representing the first application and the named entity node, the named entity node being a preceding node and the first application node being a succeeding node in the path, andidentifying a first account node that is along the path, wherein the first account node represents the named entity possessing a first account that is granted access to the first application; andAttorney Docket No.: 40671-65316determining a permission utilization of the named entity to the first application based on an application access activity level, wherein the application access activity level is determined based on a number of access event nodes that are connected between the named entity node and the first application node.

3. The computer-implemented method of claim 1, wherein each of the one or more access paths comprises at least one edge connecting a first application account and a first access event node, and a thickness of the at least one edge illustrates a respective application access activity level.

4. The computer-implemented method of claim 3, further comprising:identifying that at least one of the one or more paths connecting the first application account node with the first access event node via a set of additional application account nodes; anddetermining, by traversing the at least one path, a relationship between the first application account and each application account represented by the respective additional application account node.

5. The computer-implemented method of claim 3, further comprising:selecting a portion of an access path of the one or more access paths, the portion of the access path connecting to the first access event node and representing an application access activity level via the portion of the access path; and causing to display a time series of the portion of the access path to illustrate a variation of the represented application access activity level in time.

6. The computer-implemented method of claim 1, wherein the graph objects comprise a plurality of different node types, each being associated with a set of attributes, and a plurality' of different edge types, each edge ty pe describing a different relationship between two nodes.

7. The computer-implemented method of claim 1, wherein the graph objects are standardized across the heterogeneous sets of metadata obtained from the plurality of access control systems.Attorney Docket No.: 40671-653168. A system comprising:one or more processors; anda memory storing code comprising instructions, wherein the instructions when executed by one or more processors cause the one or more processors to: establish connections with a plurality of access control systems, the access control systems delegated by a domain to control data access of the domain and maintain data access history associated with the domain; receive, from the plurality of access control systems, heterogeneous sets of metadata related to the data access history;generate graph objects from the heterogenous sets of metadata, the graph objects comprising (1) a named entity node, (2) an account node, (3) an application node, (4) an access event node, wherein (1) the named entity node represents a named entity associated with an organization, (2) the account node represents an account that is granted access to an application that is provided by a third party to the organization, (3) the application node represents the application and (4) the access event node represents an access event to the application;traverse one or more access paths that connect the named entity7node and the access event node, the named entity node being a preceding node and the access event node being a succeeding node in the one or more access paths;identify at least one account node that is along the one or more access paths;anddetermine, based on the at least one account node, a type of permission granted to the named entity for accessing the application.

9. The system of claim 8, wherein the instructions when executed by the one or more processors further cause the one or more processors to:identify an accessibility7of the named entity to a first application, wherein the instructions to identify the accessibility7of the named entity to the first application further cause the one or more processors to:traverse a path that connects a first application node representing the first application and the named entity node, the named entity node being aAttorney Docket No.: 40671-65316preceding node and the first application node being a succeeding node in the path, andidentify a first account node that is along the path, wherein the first account node represents the named entity possessing a first account that is granted access to the first application; anddetermine a permission utilization of the named entity to the first application based on an application access activity level, wherein the application access activity level is determined based on a number of access event nodes that are connected between the named entity node and the first application node.

10. The system of claim 8, wherein each of the one or more access paths comprises at least one edge connecting a first application account and a first access event node, and a thickness of the at least one edge illustrates a respective application access activity level.

11. The system of claim 10, wherein the instructions when executed by the one or more processors further cause the one or more processors to:identify that at least one of the one or more paths connecting the first application account node with the first access event node via a set of additional application account nodes; anddetermine, by traversing the at least one path, a relationship between the first application account and each application account represented by the respective additional application account node.

12. The system of claim 10, wherein the instructions when executed by the one or more processors further cause the one or more processors to:select a portion of an access path of the one or more access paths, the portion of the access path connecting to the first access event node and representing an application access activity level via the portion of the access path; and cause to display a time series of the portion of the path to illustrate a variation of the represented application access activity level in time.Attorney Docket No.: 40671-6531613. The system of claim 8, wherein the graph objects comprise a plurality of different node types, each being associated with a set of attributes, and a plurality of different edge types, each edge type describing a different relationship between two nodes.

14. The system of claim 8, wherein the graph objects are standardized across the heterogeneous sets of metadata obtained from the plurality' of access control systems.

15. A non-transitory computer readable storage medium comprising stored program code, the program code comprising instructions, the instructions when executed causes a processor system to:establish connections with a plurality of access control systems, the access control systems delegated by a domain to control data access of the domain and maintain data access history associated with the domain;receive, from the plurality of access control systems, heterogeneous sets of metadata related to the data access history;generate graph objects from the heterogenous sets of metadata, the graph objects comprising (1) a named entity node, (2) an account node, (3) an application node, (4) an access event node, wherein (1) the named entity’ node represents a named entity associated with an organization, (2) the account node represents an account that is granted access to an application that is provided by a third party to the organization, (3) the application node represents the application and (4) the access event node represents an access event to the application; traverse one or more access paths that connect the named entity node and the access event node, the named entity node being a preceding node and the access event node being a succeeding node in the one or more access paths; identify at least one account node that is along the one or more access paths; and determine, based on the at least one account node, a type of permission granted to the named entity for accessing the application.

16. The non-transitory computer readable storage medium of claim 15, wherein the instructions when executed further cause the system processor to:identify an accessibility’ of the named entity to a first application, wherein the instructions to identify the accessibility' of the named entity to the first application further cause the system processor to:Attorney Docket No.: 40671-65316traverse a path that connects a first application node representing the first application and the named entity node, the named entity node being a preceding node and the first application node being a succeeding node in the path, andidentify a first account node that is along the path, wherein the first account node represents the named entity possessing a first account that is granted access to the first application; anddetermine a permission utilization of the named entity to the first application based on an application access activity level, wherein the application access activity level is determined based on a number of access event nodes that are connected between the named entity node and the first application node.

17. The non-transitory computer readable storage medium of claim 15, wherein each of the one or more access paths comprises at least one edge connecting a first application account and a first access event node, and a thickness of the at least one edge illustrates a respective application access activity level.

18. The non-transitory computer readable storage medium of claim 17, wherein the instructions when executed further cause the system processor to:identify that at least one of the one or more access paths connecting the first application account node with the first access event node via a set of additional application account nodes; anddetermine, by traversing the at least one access path, a relationship between the first application account and each application account represented by the respective additional application account node.

19. The non-transitory computer readable storage medium of claim 17, wherein the instructions when executed further cause the system processor to:select a portion of an access path of the one or more access paths, the portion of the access path connecting to the first access event node and representing an application access activity level via the portion of the path; and cause to display a time series of the portion of the access path to illustrate a variation of the represented application access activity level in time.Attorney Docket No.: 40671-6531620. The non-transitory computer readable storage medium of claim 15, wherein the graph objects comprise a plurality of different node types, each being associated with a set of attributes, and a plurality of different edge types, each edge type describing a different relationship between two nodes.