Vertically integrated access control system for managing user entitlements to computing resources

US 10,659,469 B2
Filed: 02/13/2018
Issued: 05/19/2020
Est. Priority Date: 02/13/2018
Status: Active Grant

First Claim

Patent Images

1. A computerized vertically integrated access control system for creating user entitlements to computing resources, comprising:

a computer processor;

a memory;

a network communication device; and

an access control module stored in the memory, executable by the computer processor, and configured to perform the steps of;

collecting information regarding a plurality of entity capabilities of an entity;

storing, in a database, a plurality of entity capability data records, each entity capability data record corresponding to an entity capability of the plurality of entity capabilities;

collecting information regarding a plurality of flagged combinations of entity capabilities;

storing, in the database, a plurality of flagged combination data records, each flagged combination data record corresponding to a flagged combination of entity capabilities;

collecting information regarding interfaces of an information system of the entity;

collecting information regarding access control rules of the information system;

collecting information regarding computing resources of the information system;

storing, in the database, a plurality of data records corresponding to the interfaces, access control rules, and computing resources of the information system;

for each entity capability, linking in the database such entity capability to each interface that implements such entity capability;

for each interface, linking in the database such interface to each access control rule for accessing such interface;

for each computing resource, linking in the database such computing resource to each access control rule for accessing such computing resource;

for each interface, linking in the database such interface to each computing resource accessed by such interface;

creating a vertically integrated access unit by;

identifying a logical work role, the logical work role comprising one or more first entity capabilities of the plurality of entity capabilities;

identifying, from the database, one or more first interfaces that implement the one or more first entity capabilities;

identifying, from the database, one or more first interface access control rules for accessing the one or more first interfaces;

identifying, from the database, one or more first computing resources accessed by the one or more first interfaces;

identifying, from the database, one or more first computing resource access control rules for accessing the one or more first computing resources; and

storing, in the database, a data record for the vertically integrated access unit that links, in the database, data records for the (i) one or more first entity capabilities, (ii) one or more first interfaces, (iii) or more first interface access control rules, (iv) one or more first computing resources, and (v) one or more first computing resource access control rules;

creating a user group by;

assigning the logical work role to the user group; and

based on the logical work role, storing, in the database, a data record for the user group that is linked to the data record for the vertically integrated access unit;

provisioning an entitlement by;

assigning the logical work role to a first user; and

based on assigning the logical work role to the first user, linking the first user to the user group;

determining that a proposed configuration of the vertically integrated access unit, a proposed configuration of the user group, a proposed configuration of the first user, or a proposed entitlement would result in a first flagged combination of entity capabilities; and

in response to determining that the proposed configuration of the vertically integrated access unit, the proposed configuration of the user group, the proposed configuration of the first user, or the proposed entitlement would result in the first flagged combination of entity capabilities, performing an action to prevent the first flagged combination of entity capabilities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A vertically integrated access control system may store in a database data records corresponding to the interfaces, access control rules, and computing resources of an information system, as well as data records for entity capabilities. Data records for related interfaces, access control rules, computing resources, and entity capabilities may be linked. Using the database, the system may determine the entity capabilities that can be performed based on an existing user entitlement. If the entity capabilities include a flagged combination of entity capabilities, the system may perform an information security action to remediate the flagged combination. The system may use the database to form vertically integrated access units. The vertically integrated access units may be used to form user entitlements. The system may continuously monitor whether any proposed configurations would create a flagged combination of entity capabilities, and if so take an action to prevent such flagged combination.

50 Citations

View as Search Results

20 Claims

1. A computerized vertically integrated access control system for creating user entitlements to computing resources, comprising:
- a computer processor;
  
  a memory;
  
  a network communication device; and
  
  an access control module stored in the memory, executable by the computer processor, and configured to perform the steps of;
  
  collecting information regarding a plurality of entity capabilities of an entity;
  
  storing, in a database, a plurality of entity capability data records, each entity capability data record corresponding to an entity capability of the plurality of entity capabilities;
  
  collecting information regarding a plurality of flagged combinations of entity capabilities;
  
  storing, in the database, a plurality of flagged combination data records, each flagged combination data record corresponding to a flagged combination of entity capabilities;
  
  collecting information regarding interfaces of an information system of the entity;
  
  collecting information regarding access control rules of the information system;
  
  collecting information regarding computing resources of the information system;
  
  storing, in the database, a plurality of data records corresponding to the interfaces, access control rules, and computing resources of the information system;
  
  for each entity capability, linking in the database such entity capability to each interface that implements such entity capability;
  
  for each interface, linking in the database such interface to each access control rule for accessing such interface;
  
  for each computing resource, linking in the database such computing resource to each access control rule for accessing such computing resource;
  
  for each interface, linking in the database such interface to each computing resource accessed by such interface;
  
  creating a vertically integrated access unit by;
  
  identifying a logical work role, the logical work role comprising one or more first entity capabilities of the plurality of entity capabilities;
  
  identifying, from the database, one or more first interfaces that implement the one or more first entity capabilities;
  
  identifying, from the database, one or more first interface access control rules for accessing the one or more first interfaces;
  
  identifying, from the database, one or more first computing resources accessed by the one or more first interfaces;
  
  identifying, from the database, one or more first computing resource access control rules for accessing the one or more first computing resources; and
  
  storing, in the database, a data record for the vertically integrated access unit that links, in the database, data records for the (i) one or more first entity capabilities, (ii) one or more first interfaces, (iii) or more first interface access control rules, (iv) one or more first computing resources, and (v) one or more first computing resource access control rules;
  
  creating a user group by;
  
  assigning the logical work role to the user group; and
  
  based on the logical work role, storing, in the database, a data record for the user group that is linked to the data record for the vertically integrated access unit;
  
  provisioning an entitlement by;
  
  assigning the logical work role to a first user; and
  
  based on assigning the logical work role to the first user, linking the first user to the user group;
  
  determining that a proposed configuration of the vertically integrated access unit, a proposed configuration of the user group, a proposed configuration of the first user, or a proposed entitlement would result in a first flagged combination of entity capabilities; and
  
  in response to determining that the proposed configuration of the vertically integrated access unit, the proposed configuration of the user group, the proposed configuration of the first user, or the proposed entitlement would result in the first flagged combination of entity capabilities, performing an action to prevent the first flagged combination of entity capabilities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computerized system according to claim 1, wherein the step of creating the vertically integrated access unit comprises storing, in the database, a data record corresponding to the logical work role.
  - 3. The computerized system according to claim 2, wherein the step of creating the user group comprises linking in the database the data record for the user group to the data record corresponding to the logical work role.
  - 4. The computerized system according to claim 3, wherein the access control module is configured to perform the steps of:
    - collecting information regarding users of the information system, the users of the information system comprising the first user; and
      
      storing, in the database, a plurality of data records corresponding to the users of the information system, the plurality of data records corresponding to the users of the information system comprising a data record corresponding to the first user;
      
      wherein the step of provisioning the entitlement comprises;
      
      (i) linking in the database the data record corresponding to the first user to the data record corresponding to the logical work role and (ii) linking in the database the data record corresponding to the first user to the data record for the user group.
  - 5. The computerized system according to claim 1, wherein the step of determining that the proposed configuration of the vertically integrated access unit, the proposed configuration of the user group, the proposed configuration of the first user, or the proposed entitlement would result in the first flagged combination of entity capabilities is performed during the steps of (i) creating the vertically integrated access unit, (ii) creating the user group, and/or (iii) provisioning the entitlement.
  - 6. The computerized system according to claim 1, whereinthe computing resources of the information system comprise application component methods of the information system;
    - andthe one or more first computing resources accessed by the one or more first interfaces comprises one or more first application component methods accessed by the one or more first interfaces.
  - 7. The computerized system according to claim 1, wherein the action to prevent the first flagged combination of entity capabilities comprises blocking implementation of the proposed configuration of the vertically integrated access unit, the proposed configuration of the user group, the proposed configuration of the first user, or the proposed entitlement.
  - 8. The computerized system according to claim 1, wherein the action to prevent the first flagged combination of entity capabilities comprises (i) identifying a proposed change that would eliminate the first flagged combination of entity capabilities and (ii) implementing the proposed configuration and the proposed change.

9. A computer program product for creating user entitlements to computing resources, the computer program product comprising a non-transitory computer-readable storage medium having computer-executable instructions for causing a computer processor to perform the steps of:
- collecting information regarding a plurality of entity capabilities of an entity;
  
  storing, in a database, a plurality of entity capability data records, each entity capability data record corresponding to an entity capability of the plurality of entity capabilities;
  
  collecting information regarding a plurality of flagged combinations of entity capabilities;
  
  storing, in the database, a plurality of flagged combination data records, each flagged combination data record corresponding to a flagged combination of entity capabilities;
  
  collecting information regarding interfaces of an information system of the entity;
  
  collecting information regarding access control rules of the information system;
  
  collecting information regarding computing resources of the information system;
  
  storing, in the database, a plurality of data records corresponding to the interfaces, access control rules, and computing resources of the information system;
  
  for each entity capability, linking in the database such entity capability to each interface that implements such entity capability;
  
  for each interface, linking in the database such interface to each access control rule for accessing such interface;
  
  for each computing resource, linking in the database such computing resource to each access control rule for accessing such computing resource;
  
  for each interface, linking in the database such interface to each computing resource accessed by such interface;
  
  creating a vertically integrated access unit by;
  
  identifying a logical work role, the logical work role comprising one or more first entity capabilities of the plurality of entity capabilities;
  
  identifying, from the database, one or more first interfaces that implement the one or more first entity capabilities;
  
  identifying, from the database, one or more first interface access control rules for accessing the one or more first interfaces;
  
  identifying, from the database, one or more first computing resources accessed by the one or more first interfaces;
  
  identifying, from the database, one or more first computing resource access control rules for accessing the one or more first computing resources; and
  
  storing, in the database, a data record for the vertically integrated access unit that links, in the database, data records for the (i) one or more first entity capabilities, (ii) one or more first interfaces, (iii) or more first interface access control rules, (iv) one or more first computing resources, and (v) one or more first computing resource access control rules;
  
  creating a user group by;
  
  assigning the logical work role to the user group; and
  
  based on the logical work role, storing, in the database, a data record for the user group that is linked to the data record for the vertically integrated access unit;
  
  provisioning an entitlement by;
  
  assigning the logical work role to a first user; and
  
  based on assigning the logical work role to the first user, linking the first user to the user group;
  
  determining that a proposed configuration of the vertically integrated access unit, a proposed configuration of the user group, a proposed configuration of the first user, or a proposed entitlement would result in a first flagged combination of entity capabilities; and
  
  in response to determining that the proposed configuration of the vertically integrated access unit, the proposed configuration of the user group, the proposed configuration of the first user, or the proposed entitlement would result in the first flagged combination of entity capabilities, performing an action to prevent the first flagged combination of entity capabilities.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product according to claim 9, wherein the step of creating the vertically integrated access unit comprises storing, in the database, a data record corresponding to the logical work role.
  - 11. The computer program product according to claim 10, wherein the step of creating the user group comprises linking in the database the data record for the user group to the data record corresponding to the logical work role.
  - 12. The computer program product according to claim 11, wherein the non-transitory computer-readable storage medium has computer-executable instructions for causing the computer processor to perform the steps:
    - collecting information regarding users of the information system, the users of the information system comprising the first user; and
      
      storing, in the database, a plurality of data records corresponding to the users of the information system, the plurality of data records corresponding to the users of the information system comprising a data record corresponding to the first user;
      
      wherein the step of provisioning the entitlement comprises;
      
      (i) linking in the database the data record corresponding to the first user to the data record corresponding to the logical work role and (ii) linking in the database the data record corresponding to the first user to the data record for the user group.
  - 13. The computer program product according to claim 9, wherein the step of determining that the proposed configuration of the vertically integrated access unit, the proposed configuration of the user group, the proposed configuration of the first user, or the proposed entitlement would result in the first flagged combination of entity capabilities is performed during the steps of (i) creating the vertically integrated access unit, (ii) creating the user group, and/or (iii) provisioning the entitlement.
  - 14. The computer program product according to claim 9, whereinthe computing resources of the information system comprise application component methods of the information system;
    - andthe one or more first computing resources accessed by the one or more first interfaces comprises one or more first application component methods accessed by the one or more first interfaces.
  - 15. The computer program product according to claim 9, wherein the action to prevent the first flagged combination of entity capabilities comprises blocking implementation of the proposed configuration of the vertically integrated access unit, the proposed configuration of the user group, the proposed configuration of the first user, or the proposed entitlement.
  - 16. The computer program product according to claim 9, wherein the action to prevent the first flagged combination of entity capabilities comprises (i) identifying a proposed change that would eliminate the first flagged combination of entity capabilities and (ii) implementing the proposed configuration and the proposed change.

17. A computerized method for creating user entitlements to computing resources, the method comprising the steps of:
- collecting, via a computer processor, information regarding a plurality of entity capabilities of an entity;
  
  storing, via a computer processor, in a database, a plurality of entity capability data records, each entity capability data record corresponding to an entity capability of the plurality of entity capabilities;
  
  collecting, via a computer processor, information regarding a plurality of flagged combinations of entity capabilities;
  
  storing, via a computer processor, in the database, a plurality of flagged combination data records, each flagged combination data record corresponding to a flagged combination of entity capabilities;
  
  collecting, via a computer processor, information regarding interfaces of an information system of the entity;
  
  collecting, via a computer processor, information regarding access control rules of the information system;
  
  collecting, via a computer processor, information regarding computing resources of the information system;
  
  storing, via a computer processor, in the database, a plurality of data records corresponding to the interfaces, access control rules, and computing resources of the information system;
  
  for each entity capability, linking, via a computer processor, in the database such entity capability to each interface that implements such entity capability;
  
  for each interface, linking, via a computer processor, in the database such interface to each access control rule for accessing such interface;
  
  for each computing resource, linking, via a computer processor, in the database such computing resource to each access control rule for accessing such computing resource;
  
  for each interface, linking, via a computer processor, in the database such interface to each computing resource accessed by such interface;
  
  creating, via a computer processor, a vertically integrated access unit by;
  
  identifying a logical work role, the logical work role comprising one or more first entity capabilities of the plurality of entity capabilities;
  
  identifying, from the database, one or more first interfaces that implement the one or more first entity capabilities;
  
  identifying, from the database, one or more first interface access control rules for accessing the one or more first interfaces;
  
  identifying, from the database, one or more first computing resources accessed by the one or more first interfaces;
  
  identifying, from the database, one or more first computing resource access control rules for accessing the one or more first computing resources; and
  
  storing, in the database, a data record for the vertically integrated access unit that links, in the database, data records for the (i) one or more first entity capabilities, (ii) one or more first interfaces, (iii) or more first interface access control rules, (iv) one or more first computing resources, and (v) one or more first computing resource access control rules;
  
  creating, via a computer processor, a user group by;
  
  assigning the logical work role to the user group; and
  
  based on the logical work role, storing, in the database, a data record for the user group that is linked to the data record for the vertically integrated access unit;
  
  provisioning, via a computer processor, an entitlement by;
  
  assigning the logical work role to a first user; and
  
  based on assigning the logical work role to the first user, linking the first user to the user group;
  
  determining, via a computer processor, that a proposed configuration of the vertically integrated access unit, a proposed configuration of the user group, a proposed configuration of the first user, or a proposed entitlement would result in a first flagged combination of entity capabilities; and
  
  in response to determining that the proposed configuration of the vertically integrated access unit, the proposed configuration of the user group, the proposed configuration of the first user, or the proposed entitlement would result in the first flagged combination of entity capabilities, performing, via a computer processor, an action to prevent the first flagged combination of entity capabilities.
- View Dependent Claims (18, 19, 20)
- - 18. The computerized method according to claim 17, wherein the step of creating the vertically integrated access unit comprises storing, in the database, a data record corresponding to the logical work role.
  - 19. The computerized method according to claim 17, wherein the action to prevent the first flagged combination of entity capabilities comprises blocking implementation of the proposed configuration of the vertically integrated access unit, the proposed configuration of the user group, the proposed configuration of the first user, or the proposed entitlement.
  - 20. The computerized method according to claim 17, wherein the action to prevent the first flagged combination of entity capabilities comprises (i) identifying a proposed change that would eliminate the first flagged combination of entity capabilities and (ii) implementing the proposed configuration and the proposed change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kling, John Howard, Sloane, Brandon, Cadavid, Regina Yee, Bierner, Rachel Yun Kim, Kuhlmeier, Ronald James
Primary Examiner(s)
Shanmugasundaram, Kannan

Application Number

US15/895,763
Publication Number

US 20190253427A1
Time in Patent Office

826 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 3/0622   in relation to access

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

Vertically integrated access control system for managing user entitlements to computing resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Vertically integrated access control system for managing user entitlements to computing resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links