Facilitating separation-of-duties when provisioning access rights in a computing system

US 10,341,385 B2
Filed: 04/11/2016
Issued: 07/02/2019
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A system for managing risk management rules comprising:

at least one processor;

a rule configuration interface used to configure a risk management rule based on user input received, from a first user, at the rule configuration interface, wherein the rule configuration interface comprises a first list of access rights available for selection by the first user, and wherein a first plurality of access rights listed in the first list of access rights comprise at least one of (i) one or more roles, (ii) one or more tasks, or (iii) one or more permissions;

a role configuration interface used to configure a role based on user input received, from the first user, at the role configuration interface, wherein the role configuration interface comprises a second list of access rights available for selection by the first user, and wherein a second plurality of access rights listed in the second list of access rights comprise at least one of (i) one or more tasks, or (ii) one or more permissions; and

memory storing instructions that, when executed by the at least one processor, cause the system to;

facilitate configuration of the risk management rule by at least;

displaying the rule configuration interface wherein displaying the rule configuration interface comprises presenting, at a first portion of the rule configuration interface, the first list of access rights;

receiving, at the rule configuration interface, input selecting a first access right from the first list of access rights, the first access right selected corresponding to a base access right for the risk management rule,receiving, at the rule configuration interface, input selecting a second access right from the first list of access rights, the second access right selected corresponding to a conflicting access right for the risk management rule,displaying, in the rule configuration interface and in a list of conflicting access rights for the risk management rule, the conflicting access right;

facilitate configuration of the role by at least;

displaying the role configuration interface wherein displaying the role configuration interface comprises presenting, at a first portion of the role configuration interface, the second list of access rights,receiving, at the role configuration interface, input selecting an access right from the second list of access rights for association with the role,evaluating whether the access right selected for association with the role violates one or more risk management rules, andbased on determining that the access right selected for association with the role violates at least one risk management rule, displaying, in the role configuration interface, an indication that the access right selected violates at least one risk management rule; and

monitor access rights provisioned at a computing system to determine whether both the base access right and the conflicting access right are provisioned to a second user of the computing system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing risk management rules are provided. A risk management rule may be configured at a rule configuration interface are described. The rule configuration interface may include a list of access rights available for selection. Based on input received, one of the access rights may be identified as a base access right and one of the access rights may be identified as a conflicting access right for the risk management rule. The access rights provisioned at the computing system may be monitored to determine whether a user is provisioned with both the base access right and the conflicting access right. If so, a violation review may be created and presented at a violation review interface at which a decision for the violation review is receivable. An exception to the risk management rule may also be configured at an exception configuration interface.

344 Citations

20 Claims

1. A system for managing risk management rules comprising:
- at least one processor;
  
  a rule configuration interface used to configure a risk management rule based on user input received, from a first user, at the rule configuration interface, wherein the rule configuration interface comprises a first list of access rights available for selection by the first user, and wherein a first plurality of access rights listed in the first list of access rights comprise at least one of (i) one or more roles, (ii) one or more tasks, or (iii) one or more permissions;
  
  a role configuration interface used to configure a role based on user input received, from the first user, at the role configuration interface, wherein the role configuration interface comprises a second list of access rights available for selection by the first user, and wherein a second plurality of access rights listed in the second list of access rights comprise at least one of (i) one or more tasks, or (ii) one or more permissions; and
  
  memory storing instructions that, when executed by the at least one processor, cause the system to;
  
  facilitate configuration of the risk management rule by at least;
  
  displaying the rule configuration interface wherein displaying the rule configuration interface comprises presenting, at a first portion of the rule configuration interface, the first list of access rights;
  
  receiving, at the rule configuration interface, input selecting a first access right from the first list of access rights, the first access right selected corresponding to a base access right for the risk management rule,receiving, at the rule configuration interface, input selecting a second access right from the first list of access rights, the second access right selected corresponding to a conflicting access right for the risk management rule,displaying, in the rule configuration interface and in a list of conflicting access rights for the risk management rule, the conflicting access right;
  
  facilitate configuration of the role by at least;
  
  displaying the role configuration interface wherein displaying the role configuration interface comprises presenting, at a first portion of the role configuration interface, the second list of access rights,receiving, at the role configuration interface, input selecting an access right from the second list of access rights for association with the role,evaluating whether the access right selected for association with the role violates one or more risk management rules, andbased on determining that the access right selected for association with the role violates at least one risk management rule, displaying, in the role configuration interface, an indication that the access right selected violates at least one risk management rule; and
  
  monitor access rights provisioned at a computing system to determine whether both the base access right and the conflicting access right are provisioned to a second user of the computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 wherein:
    - the instructions, when executed by the at least one processor, further cause the system to;
      
      create a violation review associated with the risk management rule responsive to determining that the second user has been provisioned with both the base access right and the conflicting access right.
  - 3. The system of claim 2 further comprising:
    - an exception configuration interface used to configure an exception to the risk management rule based on user input received, from the first user, at the exception configuration interface.
  - 4. The system of claim 3 wherein:
    - the exception configuration interface comprises a list of attribute values available for selection by the first user; and
      
      wherein the instructions, when executed by the at least one processor, further cause the system to associate one of the attribute values with the exception based on the user input received.
  - 5. The system of claim 4 wherein:
    - the instructions, when executed by the at least one processor, further cause the system to set an expiration date for the exception based on user input received, from the first user, at the exception configuration interface.
  - 6. The system of claim 3 further comprising:
    - a violation review interface used to receive a review decision for the violation review;
      
      wherein the violation review interface comprises a pending violation review list that indicates the violation review and the risk management rule associated with the violation review; and
      
      wherein the instructions, when executed at the at least one processor, further cause the system to store, at a data store, the review decision received at the violation review interface.
  - 7. The system of claim 6 wherein:
    - the pending violation review list further indicates an exception associated with the risk management rule and whether the exception applies to the risk management rule.
  - 8. The system of claim 6 wherein:
    - the instructions, when executed by the at least one processor, further cause the system to, responsive to determining that the review decision indicates an approval of violation of the risk management rule;
      
      prompt for a justification of the approval of the violation of the risk management rule, andstore the justification at the data store with the review decision.
  - 9. The system of claim 3 wherein:
    - the instructions, when executed, further cause the system to;
      
      determine whether the exception applies to the risk management rule based on a comparison of an attribute value associated with the exception to a corresponding attribute value of a user associated with the violation review.
  - 10. The system of claim 9 wherein:
    - the instructions, when executed, cause the system to determine whether the exception applies to the risk management rule further based on a comparison of a current date to an expiration date set, based on user input received from the first user at the exception configuration interface, for the exception.

11. A computer-implemented method for managing risk management rules comprising:
- providing a rule configuration interface used to configure a risk management rule based on user input received, from a first user, at the rule configuration interface, wherein the rule configuration interface comprises a first list of access rights available for selection by the first user, and wherein a first plurality of access rights listed in the first list of access rights comprise at least one of (i) one or more roles, (ii) one or more tasks, or (iii) one or more permissions;
  
  providing a role configuration interface used to configure a role based on user input received, from the first user, at the role configuration interface, wherein the role configuration interface comprises a second list of access rights available for selection by the first user, and wherein a second plurality of access rights listed in the second list of access rights comprise at least one of (i) one or more tasks, or (ii) one or more permissions;
  
  facilitating configuration of the risk management rule by at least;
  
  displaying the rule configuration interface wherein displaying the rule configuration interface comprises presenting, at a first portion of the rule configuration interface, the first list of access rights;
  
  receiving, at the rule configuration interface, input selecting a first access right from the first list of access rights, the first access right selected corresponding to a base access right for the risk management rule;
  
  receiving, at the configuration interface, input selecting a second access right from the first list of access rights, the second access right selected corresponding to a conflicting access right for the risk management rule;
  
  displaying, in the rule configuration interface and in a list of conflicting access rights for the risk management rule, the conflicting access right;
  
  facilitating configuration of the role by at least;
  
  displaying the role configuration interface wherein displaying the role configuration interface comprises presenting, at a first portion of the role configuration interface, the second list of access rights;
  
  receiving, at the role configuration interface, input selecting an access right from the second list of access rights for association with the role;
  
  evaluating whether the access right selected for association with the role violates one or more risk management rules; and
  
  based on determining that the access right selected for association with the role violates at least one risk management rule, displaying, in the role configuration interface, an indication that the access right selected violates at least one risk management rule; and
  
  monitoring access rights provisioned at a computing system to determine whether both the base access right and the conflicting access right are provisioned to a second user of the computing system.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computer-implemented method of claim 11 further comprising:
    - creating a violation review associated with the risk management rule responsive to determining that the second user has been provisioned with both the base access right and the conflicting access right.
  - 13. The computer-implemented method of claim 12 further comprising:
    - providing an exception configuration interface used to configure an exception to the risk management rule based on user input received, from the first user, at the exception configuration interface, wherein the exception configuration interface comprises a list of attribute values available for selection by the first user; and
      
      associating one of the attribute values with the exception based on the user input received at the exception configuration interface; and
      
      setting an expiration date for the exception based on user input received, from the first user, at the exception configuration interface.
  - 14. The computer-implemented method of claim 13 further comprising:
    - determining whether the exception applies to the risk management rule based on;
      
      (i) a comparison of the attribute value associated with the exception to a corresponding attribute value of a user associated with the violation review, and(ii) a comparison of the expiration date set for the exception to a current date.
  - 15. The computer-implemented method of claim 12 further comprising:
    - providing a violation review interface used to receive a review decision for the violation review, wherein the violation review interface comprises a pending violation review list that indicates the violation review and the risk management rule associated with the violation review; and
      
      storing the review decision received at the violation review interface at a data store.
  - 16. The computer-implemented method of claim 15 wherein:
    - the pending violation review list further indicates an exception associated with the risk management rule and whether the exception applies to the risk management rule.
  - 17. The computer-implemented method of claim 15 wherein the review decision indicates an approval of violation of the risk management rule, the method further comprising:
    - responsive to determining that the review decision indicates the approval of violation of the risk management rule;
      
      prompting for a justification of the approval of the violation of the risk management rule, andstoring the justification at the data store with the review decision.

18. Non-transitory computer-readable media storing computer-executable instructions that, when executed, cause a computing device to manage risk management rules and roles for a computing system by at least:
- providing a rule configuration interface used to configure a risk management rule based on user input received, from a first user, at the rule configuration interface, wherein the rule configuration interface comprises a first list of access rights available for selection by the first user, and wherein a first plurality of access rights listed in the first list of access rights comprise at least one of (i) one or more roles, (ii) one or more tasks, or (iii) one or more permissions;
  
  providing a role configuration interface used to configure a role based on user input received, from the first user, at the role configuration interface, wherein the role configuration interface comprises a second list of access rights available for selection by the first user, and wherein a second plurality of access rights listed in the second list of access rights comprise at least one of (i) one or more tasks, or (ii) one or more permissions;
  
  facilitating configuration of the risk management rule by at least;
  
  displaying the rule configuration interface wherein displaying the rule configuration interface comprises presenting, at a first portion of the rule configuration interface, the first list of access rights;
  
  selecting, from the first list of access rights and based on user input received at the rule configuration interface from the first user, a first access right as a base access right for the risk management rule;
  
  selecting, from the first list of access rights and based on user input received at the rule configuration interface from the first user, a second access right as a conflicting access right for the risk management rule;
  
  displaying, in the rule configuration interface and in a list of conflicting access rights for the risk management rule, the conflicting access right;
  
  facilitating configuration of the role by at least;
  
  displaying the role configuration interface wherein displaying the role configuration interface comprises presenting, at a first portion of the role configuration interface, the second list of access rights;
  
  selecting, from the second list of access rights and based on user input received at the role configuration interface from the first user, an access right from the second list of access rights for association with the role;
  
  evaluating whether the access right selected for association with the role violates one or more risk management rules; and
  
  based on determining that the access right selected for association with the role violates at least one risk management rule, displaying, in the role configuration interface, an indication that the access right selected violates at least one risk management rule; and
  
  monitoring access rights provisioned at a computing system to determine whether both the base access right and the conflicting access right are provisioned to a second user of the computing system.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable media of claim 18, wherein the instructions, when executed, cause the computing device to manage the risk management rule further by:
    - providing an exception configuration interface used to configure an exception to the risk management rule based on user input received, from the first user, at the exception configuration interface.
  - 20. The non-transitory computer-readable media of claim 18, wherein the instructions, when executed, cause the computing device to manage the risk management rule further by:
    - creating a violation review associated with the risk management rule responsive to determining that the second user has been provisioned with both the base access right and the conflicting access right; and
      
      providing a violation review interface used to receive a review decision for the violation review, wherein the violation review interface comprises a pending violation review list that indicates the violation review and the risk management rule associated with the violation review.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Moloian, Armen, Ritchey, Ronald W.
Primary Examiner(s)
Cao, Phuong Thao

Application Number

US15/095,588
Publication Number

US 20160226919A1
Time in Patent Office

1,177 Days
Field of Search

707600
US Class Current
CPC Class Codes

G06F 16/283   Multi-dimensional databases...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Facilitating separation-of-duties when provisioning access rights in a computing system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

344 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating separation-of-duties when provisioning access rights in a computing system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

344 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links