MANAGING USER ACCESS ENTITLEMENTS TO INFORMATION TECHNOLOGY RESOURCES

US 20090150981A1
Filed: 12/06/2007
Published: 06/11/2009
Est. Priority Date: 12/06/2007
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for provisioning user access to a business application within a framework of an identity management system, the computer implemented method comprising:

providing an interface layer to map respective attributes, permissions, and resource accounts in a data repository needed to represent access to business applications via a managed service in the identity management system;

defining user entitlements on a user account associated with the managed service; and

provisioning user access to the business applications via the managed service in the identity management system upon user request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method, data processing system, and computer program product for logical management and provisioning of business applications within the framework of an identity management system. The illustrative embodiments providing an interface layer to map respective attributes, permissions, and resource accounts in a data repository needed to represent access to business applications via a managed service in the identity management system. The illustrative embodiments define user entitlements on a user account associated with the managed service. The illustrative embodiments provision user access to the business applications via the managed service in the identity management system upon user request.

191 Citations

20 Claims

1. A computer implemented method for provisioning user access to a business application within a framework of an identity management system, the computer implemented method comprising:
- providing an interface layer to map respective attributes, permissions, and resource accounts in a data repository needed to represent access to business applications via a managed service in the identity management system;
  
  defining user entitlements on a user account associated with the managed service; and
  
  provisioning user access to the business applications via the managed service in the identity management system upon user request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computer implemented method of claim 1, wherein types of business applications include operating systems, J2EE applications, database systems, and web services.
  - 3. The computer implemented method of claim 1, wherein provisioning user access to the business applications via the managed service is performed via a role based model.
  - 4. The computer implemented method of claim 1, wherein the role based model includes inheritance relationships, allow relationships, relationship constraints, and attribute constraints.
  - 5. The computer implemented method of claim 1, wherein the attributes, permissions, and resource accounts in the data repository are managed on a lifecycle basis.
  - 6. The computer implemented method of claim 1, wherein a provisioning workflow is used to track lifecycle events.
  - 7. The computer implemented method of claim 1, wherein the lifecycle events include access requests, access approval, access activation, access deactivation, access recertification, and access de-provisioning.
  - 8. The computer implemented method of claim 1, wherein the identity management system comprises audit and reporting functions for auditing user access entitlements to the managed service.
  - 9. The computer implemented method of claim 1, wherein providing an interface layer to map respective attributes, permissions, and resource accounts includes creating a service profile for the managed service.
  - 10. The computer implemented method of claim 9, wherein the service profile comprises system profile values, protocol property values, and service definition values for the managed service.
  - 11. The computer implemented method of claim 1, wherein providing an interface layer to map respective attributes, permissions, and resource accounts includes creating an access profile and a user access profile for a business application, wherein attributes specific to access entitlement is defined in the access profile, and wherein user attributes specific to access entitlement to the business application is defined in the user access profile.
  - 12. The computer implemented method of claim 1, wherein the business application comprises a web service.
  - 13. The computer implemented method of claim 1, wherein defining user entitlements on a user account associated with the managed service is performed upon receiving a request from the user to access the managed service.
  - 14. The computer implemented method of claim 1, wherein defining user entitlements on a user account associated with the managed service is performed upon assignment to a business role.
  - 15. The computer implemented method of claim 1, wherein a definition of user entitlements on a user account associated with the managed service is represented as an account within the identity management system.
  - 16. The computer implemented method of claim 1, wherein defining user entitlements on a user account associated with the managed service is managed by business policies set with access entitlement business workflows.

17. A data processing system for provisioning user access to a business application within a framework of an identity management system, the data processing system comprising:
- a bus;
  
  a storage device connected to the bus, wherein the storage device contains computer usable code;
  
  at least one managed device connected to the bus;
  
  a communications unit connected to the bus; and
  
  a processing unit connected to the bus, wherein the processing unit executes the computer usable code to provide an interface layer to map respective attributes, permissions, and resource accounts in a data repository needed to represent access to business applications via a managed service in the identity management system;
  
  define user entitlements on a user account associated with the managed service; and
  
  provision user access to the business applications via the managed service in the identity management system upon user request.

18. A computer program product for provisioning user access to a business application within a framework of an identity management system, the computer program product comprising:
- a computer usable medium having computer usable program code tangibly embodied thereon, the computer usable program code comprising;
  
  computer usable program code for providing an interface layer to map respective attributes, permissions, and resource accounts in a data repository needed to represent access to business applications via a managed service in the identity management system;
  
  computer usable program code for defining user entitlements on a user account associated with the managed service; and
  
  computer usable program code for provisioning user access to the business applications via the managed service in the identity management system upon user request.
- View Dependent Claims (19, 20)
- - 19. The computer program product of claim 18 wherein the computer usable program code is stored in a computer readable storage medium in a data processing system, and wherein the computer usable program code is downloaded over a network from a remote data processing system.
  - 20. The computer program product of claim 18, wherein the computer usable program code is stored in a computer readable storage medium in a server data processing system, and wherein the computer usable program code is downloaded over a network from a remote data processing system for use in a computer readable storage medium with the remote system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Bauserman, Christopher Michael, Chen, Leanne L., Amies, Alexander Phillip, Muppidi, Sridhar R., Bajekal, Sadanand Rajaram

Granted Patent

US 8,132,231 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/102 Entity profiles

H04L 67/02 based on web technology, e....

MANAGING USER ACCESS ENTITLEMENTS TO INFORMATION TECHNOLOGY RESOURCES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

191 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MANAGING USER ACCESS ENTITLEMENTS TO INFORMATION TECHNOLOGY RESOURCES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

191 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links