Access requests at IAM system implementing IAM data model
Abstract
Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification.
20 Claims
1. A computer-implemented method for managing computing access rights, the method comprising:
storing, at a data store of a computing device, access right information that indicates (i) for each user of a plurality of users, a set of access rights, wherein each access right of the set of access rights is associated with one of a plurality of computing resources of a computing system, and (ii) for each user of a plurality of users, one of a plurality of business units the user is associated with;
storing, at the data store of a computing device, business unit information that indicates (i) a plurality of business units and (ii) a business unit hierarchy, wherein individual business units of the plurality of business units are related to at least one other business unit of the plurality of business units and positioned either above or below the at least one other business unit in the business unit hierarchy;
receiving, by the computing device, a request to modify one or more access rights associated with the computing system, the request specifying (i) the one or more access rights to be modified, (ii) a business unit of the plurality of business units, that is associated with one or more users, of the plurality of users, that are associated with the one or more access rights to be modified, and (iii) a direction of the business unit hierarchy;
modifying, by the computing device, the one or more access rights specified in the request for at least one of the one or more users that are associated with the business unit specified in the request;
determining, by the computing device, a related business unit that is related to the business unit specified in the request based on the business unit hierarchy and the direction of the business unit hierarchy; and
modifying, by the computing device, the one or more access rights specified in the request for at least one of the plurality of users that is associated with the related business unit.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A computing device for managing computing access rights, the computing device comprising:
at least one processor;
a data store storing:
access right information that indicates (i) for each user of a plurality of users, a set of access rights, wherein each access right of the set of access rights is associated with one of a plurality of computing resources of a computing system, and (ii) for each user of a plurality of users, one of a plurality of business units the user is associated with; and
business unit information that indicates (i) a plurality of business units and (ii) a business unit hierarchy, wherein individual business units of the plurality of business units are related to at least one other business unit of the plurality of business units and positioned either above or below the at least one other business unit in the business unit hierarchy;
memory storing computer-executable instructions that, when executed by the at least one processor, cause the computing device to:
receive a request to modify one or more access rights associated with the computing system, the request specifying (i) the one or more access rights to be modified, (ii) a business unit of the plurality of business units, that is associated with one or more users, of the plurality of users, that are associated with the one or more access rights to be modified, and (iii) a direction of the business unit hierarchy;
modify the one or more access rights specified in the request for at least one of the one or more users that are associated with the business unit specified in the request;
determine a related business unit that is related to the business unit specified in the request based on the business unit hierarchy and the direction of the business unit hierarchy; and
modify the one or more access rights specified in the request for at least one of the plurality of users that is associated with the related business unit.
Dependent claims: 10, 11, 12, 13, 14

15. Non-transitory computer-readable media storing computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
store, at a data store of a computing device, access right information that indicates (i) for each user of a plurality of users, a set of access rights, wherein each access right of the set of access rights is associated with one of a plurality of computing resources of a computing system, and (ii) for each user of a plurality of users, one of a plurality of business units the user is associated with;
store, at the data store of a computing device, business unit information that indicates (i) a plurality of business units and (ii) a business unit hierarchy, wherein individual business units of the plurality of business units are related to at least one other business unit of the plurality of business units and positioned either above or below the at least one other business unit in the business unit hierarchy;
receive a request to modify one or more access rights associated with the computing system, the request specifying (i) the one or more access rights to be modified, (ii) a business unit of the plurality of business units, that is associated with one or more users, of the plurality of users, that are associated with the one or more access rights to be modified, and (iii) a direction of the business unit hierarchy;
modify the one or more access rights specified in the request for at least one of the one or more users that are associated with the business unit specified in the request;
determine a related business unit that is related to the business unit specified in the request based on the business unit hierarchy and the direction of the business unit hierarchy; and
modify the one or more access rights specified in the request for at least one of the plurality of users that is associated with the related business unit.
Dependent claims: 16, 17, 18, 19, 20
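
The hierarchy-directed modification recited in claim 1, as an added Python sketch that is not part of the patent. The unit names, users, rights and request layout are constructed assumptions, and the traversal follows every unit in the requested direction, which goes beyond the single related business unit the claim requires; the returned audit trail records exactly which users a request reached.

```python
# Constructed sample data (not from the patent): child unit -> parent unit.
PARENT = {"retail": "bank", "wealth": "bank", "cards": "retail", "loans": "retail"}
USER_UNIT = {"ana": "bank", "bo": "retail", "cy": "cards", "di": "loans", "ed": "wealth"}


def related_units(unit, direction, parent=PARENT):
    """Return units above ('up') or below ('down') `unit`, nearest first."""
    if unit not in parent and unit not in parent.values():
        raise ValueError(f"unknown business unit: {unit!r}")
    if direction not in ("up", "down"):
        raise ValueError(f"unknown direction: {direction!r}")
    children = {}
    for child, par in parent.items():
        children.setdefault(par, []).append(child)
    found, seen, queue = [], {unit}, [unit]
    while queue:
        current = queue.pop(0)
        if direction == "up":
            nxt = [parent[current]] if current in parent else []
        else:
            nxt = sorted(children.get(current, []))
        for rel in nxt:
            if rel in seen:  # a cycle would otherwise loop forever
                raise ValueError(f"cycle in hierarchy at {rel!r}")
            seen.add(rel)
            found.append(rel)
            queue.append(rel)
    return found


def apply_request(rights, request, user_unit=USER_UNIT, parent=PARENT):
    """Modify rights for the named unit and its related units; return an audit trail."""
    if request["action"] not in ("grant", "revoke"):
        raise ValueError(f"unknown action: {request['action']!r}")
    scope = [request["unit"]] + related_units(request["unit"], request["direction"], parent)
    audit = []
    for user in sorted(user_unit):
        if user_unit[user] not in scope:
            continue
        before = set(rights.get(user, ()))
        if request["action"] == "grant":
            after = before | request["rights"]
        else:
            after = before - request["rights"]
        if after != before:  # log only real changes
            rights[user] = after
            audit.append((user, user_unit[user], request["action"], sorted(before ^ after)))
    return audit
```

A "down" grant issued at a high-level unit reaches every user beneath it, so the audit trail is the place to review the scope of a request before or after it is applied.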
Specification