Quality assurance checks of access rights in a computing system

US 10,083,312 B2
Filed: 01/06/2017
Issued: 09/25/2018
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of managing identity and access management information comprising:

storing, at a data store of a computing device, access right information indicating a plurality of granted access rights associated with a computing resource of a computing system, wherein each of the plurality of granted access rights grants one of a plurality of users access to the computing resource, wherein the plurality of granted access rights comprises a plurality of entitlements, wherein each entitlement comprises an indication of a permission to access the computing resource, and wherein the permission is provisioned to one of the plurality of users;

receiving, by the computing device, access right utilization information indicating a plurality of utilized access rights, wherein each of the plurality of utilized access rights has been used to access the computing resource;

comparing, by the computing device, each granted access right of the plurality of granted access rights to the plurality of utilized access rights in order to determine whether that granted access right has been used to access the computing resource;

generating, by the computing device, a report based on the comparing, wherein the report indicates which of the plurality of granted access rights have not been used to access the computing resource, wherein the report indicates, for each granted access right of the plurality of granted access rights, whether that granted access right has or has not been used to access the computing resource based on whether that granted access right corresponds to one of the plurality of utilized access rights, and wherein the report indicates which of the plurality of entitlements have not been used to access the computing resource; and

based on determining that a granted access right of the plurality of granted access rights has not been used to access the computing resource, removing the granted access right.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for ensuring the quality of identity and access management information at a computing system are described. Access right information that respectively corresponds to one or more access rights may be stored at a data store. The access right information may be stored in accordance with a data model that defines respective relationships between the access rights and both the users having access to the computing system and the computing resources of the computing system. At least a portion of the access right information may be retrieved, and quality assurance tasks may be performed using the portion of the access right information retrieved.

288 Citations

16 Claims

1. A computer-implemented method of managing identity and access management information comprising:
- storing, at a data store of a computing device, access right information indicating a plurality of granted access rights associated with a computing resource of a computing system, wherein each of the plurality of granted access rights grants one of a plurality of users access to the computing resource, wherein the plurality of granted access rights comprises a plurality of entitlements, wherein each entitlement comprises an indication of a permission to access the computing resource, and wherein the permission is provisioned to one of the plurality of users;
  
  receiving, by the computing device, access right utilization information indicating a plurality of utilized access rights, wherein each of the plurality of utilized access rights has been used to access the computing resource;
  
  comparing, by the computing device, each granted access right of the plurality of granted access rights to the plurality of utilized access rights in order to determine whether that granted access right has been used to access the computing resource;
  
  generating, by the computing device, a report based on the comparing, wherein the report indicates which of the plurality of granted access rights have not been used to access the computing resource, wherein the report indicates, for each granted access right of the plurality of granted access rights, whether that granted access right has or has not been used to access the computing resource based on whether that granted access right corresponds to one of the plurality of utilized access rights, and wherein the report indicates which of the plurality of entitlements have not been used to access the computing resource; and
  
  based on determining that a granted access right of the plurality of granted access rights has not been used to access the computing resource, removing the granted access right.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein:
    - the plurality of granted access rights comprises a plurality of permissions, wherein each permission is provisioned to one of the plurality of users; and
      
      the report identifies which of the plurality of permissions have not been used to access the computing resource.
  - 3. The computer-implemented method of claim 1, wherein:
    - the plurality of granted access rights comprises a plurality of roles, wherein each role is assigned to one of the plurality users; and
      
      the report identifies which of the plurality of roles have not been used to access the computing resource.
  - 4. The computer-implemented method of claim 1, wherein:
    - the granted access right that has not been used to access the computing resource is removed in response to receipt of a request to remove the granted access right.
  - 5. The computer-implemented method of claim 4, wherein:
    - removing the granted access right comprises at least one of;
      
      removing an entitlement associated with one of the plurality of users,removing a role assigned to one of the plurality of users, orremoving a permission provisioned to one of the plurality of users.
  - 6. The computer-implemented method of claim 1, further comprising:
    - presenting the report to an individual responsible for management of the computing resource.
  - 7. The computer-implemented method of claim 1, wherein:
    - the access right utilization information is received from the computing resource itself.
  - 8. The computer-implemented method of claim 1, wherein:
    - wherein the method is performed on-demand.

9. A computing device for managing identity and access management information comprising:
- at least one processor;
  
  a data store storing access right information indicating a plurality of granted access rights associated with a computing resource of a computing system, wherein each of the plurality of access rights grants one of a plurality of users access to the computing resource, wherein the plurality of granted access rights comprises a plurality of entitlements, wherein each entitlement comprises an indication of a permission to access the computing resource, and wherein the permission is provisioned to one of the plurality of users; and
  
  memory storing computer-executable instructions that, when executed by the at least one processor, cause the computing device to;
  
  receive access right utilization information indicating a plurality of utilized access rights, wherein each utilized access right has been used to access the computing resource;
  
  compare each granted access right of the plurality of granted access rights to the plurality of utilized access rights in order to determine whether that granted access right has been used to access the computing resource;
  
  generate a report based on the comparing, wherein the report indicates which of the plurality of granted access rights have not been used to access the computing resource, wherein the report indicates, for each granted access right of the plurality of granted access rights, whether that granted access right has or has not been used to access the computing resource based on whether that granted access right corresponds to one of the plurality of utilized access rights, and wherein the report indicates which of the plurality of entitlements have not been used to access the computing resource; and
  
  based on determining that a granted access right of the plurality of granted access rights has not been used to access the computing resource, remove the granted access right.
- View Dependent Claims (10, 11, 12)
- - 10. The computing device of claim 9, wherein:
    - the plurality of granted access rights further comprises at least one of;
      
      a plurality of permissions, wherein each permission is provisioned to one of the plurality of users;
      
      ora plurality of roles, wherein each role is assigned to one of the plurality users.
  - 11. The computing device of claim 9, wherein:
    - the granted access right that has not been used to access the computing resource is removed in response to receipt of a request to remove the granted access right; and
      
      removing the granted access right comprises at least one of;
      
      removing an entitlement associated with one of the plurality of users,removing a role assigned to one of the plurality of users, orremoving a permission provisioned to one of the plurality of users.
  - 12. The computing device of claim 9, wherein:
    - the access right utilization information is received from the computing resource itself.

13. Non-transitory computer-readable media storing instructions for managing identity and access management information, wherein the instructions, when executed by at least one processor of a computing device, cause the computing device to:
- store, at a data store, access right information indicating a plurality of granted access rights associated with a computing resource of a computing system, wherein each of the plurality of granted access rights grants one of a plurality of users access to the computing resource, wherein the plurality of granted access rights comprises a plurality of entitlements, wherein each entitlement comprises an indication of a permission to access the computing resource, and wherein the permission is provisioned to one of the plurality of users;
  
  receive access right utilization information indicating a plurality of utilized access rights, wherein each utilized access right has been used to access the computing resource;
  
  compare each granted access right of the plurality of granted access rights to the plurality of utilized access rights in order to determine whether that granted access right has been used to access the computing resource;
  
  generate a report based on the comparing, wherein the report indicates which of the plurality of granted access rights have not been used to access the computing resource, wherein the report indicates, for each granted access right of the plurality of granted access rights, whether that granted access right has or has not been used to access the computing resource based on whether that granted access right corresponds to one of the plurality of utilized access rights, and wherein the report indicates which of the plurality of entitlements have not been used to access the computing resource; and
  
  based on determining that a granted access right of the plurality of granted access rights has not been used to access the computing resource, remove the granted access right.
- View Dependent Claims (14, 15, 16)
- - 14. The non-transitory computer-readable media of claim 13, wherein:
    - the plurality of granted access rights further comprises at least one of;
      
      a plurality of permissions, wherein each permission is provisioned to one of the plurality of users;
      
      ora plurality of roles, wherein each role is assigned to one of the plurality users.
  - 15. The non-transitory computer-readable media of claim 13, wherein:
    - the granted access right that has not been used to access the computing resource is removed in response to receipt of a request to remove the granted access right; and
      
      removing the granted access right comprises at least one of;
      
      removing an entitlement associated with one of the plurality of users,removing a role assigned to one of the plurality of users, orremoving a permission provisioned to one of the plurality of users.
  - 16. The non-transitory computer-readable media of claim 13, wherein:
    - the access right utilization information is received from the computing resource itself.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Moloian, Armen, Ritchey, Ronald W.
Primary Examiner(s)
Pham, Tuan A

Application Number

US15/399,831
Publication Number

US 20170116430A1
Time in Patent Office

627 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/215   Improving data quality; Dat...

G06F 16/2365   Ensuring data consistency a...

G06F 21/6209   to a single file or object,...

Quality assurance checks of access rights in a computing system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

288 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Quality assurance checks of access rights in a computing system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

288 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links