A method includes receiving a permission request from a user to perform an operation in a computer environment. Data elements of operations previously performed by a plurality of users are received. A set of operation types are generated by identifying data elements of operations previously performed by other users of the plurality of users having operation types performed by the user. The data elements in the set are mapped into a graph database. Permission messages are generated with a correct response identified from a data attribute from a specific operation type previously performed by the user, and wrong responses identified from the specific operation type previously performed by the other users. An accumulated probability based on the permission respond message is computed using the graph database. The user is tagged based on the accumulated probability as a permissioned user for performing the operation, or a non-permissioned violator user.