SEPARATION OF DUTIES CHECKS FROM ENTITLEMENT SETS
First Claim
1. A computer-implemented access check system having computer readable media that store executable instructions executed by a processor, comprising:
- a synchronization component that receives and normalizes entitlements of users obtained from resources having associated security enforcement points; and
- an access management component that creates sets of user objects for the users of the entitlements based on the normalized entitlements, the access management component performs set operations on the sets of user objects to check for an anomalous entitlement.
Abstract
A data model in which a set provides an abstraction that isolates the computation of membership from the details of how an enforcement point determines access (e.g., based on claims, based on security group membership, etc.). Set operations (e.g., intersection, union, inverse) can then be used across the sets. The architecture applies workflow to set transitions, so that when an object such as a user enters the scope of one of these sets, a notification can be raised and inadvertent changes that lead to separation-of-duties violations can be detected quickly. The sets can also be used to define entitlements for enforcement of claims-based access control in a cross-organization deployment (e.g., to a cloud-hosted application).
20 Claims
1. A computer-implemented access check system having computer readable media that store executable instructions executed by a processor, comprising:
- a synchronization component that receives and normalizes entitlements of users obtained from resources having associated security enforcement points; and
- an access management component that creates sets of user objects for the users of the entitlements based on the normalized entitlements, the access management component performs set operations on the sets of user objects to check for an anomalous entitlement.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)
9. A computer-implemented access check method executed by a processor, comprising:
- obtaining entitlements defined in enforcement policies associated with multiple enforcement points;
- for each entitlement, creating a set of user objects related to users that currently have the entitlement;
- obtaining role definitions that specify users for each role;
- applying set operations on the set and role definitions related to user objects of the set to obtain differences sets of allowed entitlements of the role and non-allowed entitlements for the role; and
- processing the differences sets to obtain an anomalous entitlement of a user object.
(Dependent claims: 10, 11, 12, 13, 14, 15)
16. A computer-implemented access check method executed by a processor, comprising:
- creating a set of user objects for each in-place entitlement associated with enforcement policies of multiple resources, the sets of user objects related to users that have corresponding in-place entitlements;
- obtaining role definitions that specify users for each associated role;
- applying set operations on the set and role definitions related to user objects of the set to obtain a conflict set that describes an entitlement anomaly; and
- performing one or more workflow processes for users associated with the entitlement anomaly.
(Dependent claims: 17, 18, 19, 20)
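The set-based check of claims 9 and 16, together with the separation-of-duties detection described in the abstract, as an added example in Python that is not part of the patent: entitlement holders from several enforcement points are normalized into sets of user objects, role definitions supply the members permitted to hold each entitlement, and set difference and intersection yield the anomalous entitlements and the conflict set. The enforcement points, users, roles, normalization rule and toxic pair are all constructed for illustration.

```python
# Set-based entitlement and separation-of-duties check (added example, not the patent's code).
# Each enforcement point is {principal: entitlements}; principals are normalized to one user id.

def normalize(principal):
    """Map a resource-local principal name to a canonical user id (constructed rule)."""
    return principal.split("@")[0].lower()

def entitlement_sets(points):
    """Return {entitlement: set of user ids}, i.e. one set of user objects per entitlement."""
    sets = {}
    for grants in points.values():
        for principal, ents in grants.items():
            for e in ents:
                sets.setdefault(e, set()).add(normalize(principal))
    return sets

def unauthorized(ent_sets, roles):
    """(user, entitlement) pairs no role justifies:
    holders(e) minus the union of members of every role whose definition allows e."""
    anomalies = set()
    for e, holders in ent_sets.items():
        permitted = set().union(*(r["members"] for r in roles.values() if e in r["allowed"]))
        anomalies |= {(u, e) for u in holders - permitted}
    return anomalies

def sod_conflicts(ent_sets, toxic_pairs):
    """Conflict set per toxic pair: the intersection of the two entitlement sets."""
    return {p: ent_sets.get(p[0], set()) & ent_sets.get(p[1], set()) for p in toxic_pairs}

def entered_scope(previous, current):
    """Users who newly entered a conflict set since the last run (what a workflow would act on)."""
    return current - previous

# Constructed sample data: two enforcement points that spell principal names differently.
ENFORCEMENT_POINTS = {
    "erp": {"ALICE": {"approve_payment"}, "BOB": {"create_vendor", "approve_payment"},
            "CAROL": {"create_vendor"}},
    "hr": {"alice@corp.example": {"view_salaries"}, "dave@corp.example": {"view_salaries"}},
}
ROLES = {
    "ap_clerk": {"members": {"bob", "carol"}, "allowed": {"create_vendor"}},
    "ap_manager": {"members": {"alice"}, "allowed": {"approve_payment", "view_salaries"}},
    "hr_analyst": {"members": {"dave"}, "allowed": {"view_salaries"}},
}
TOXIC_PAIRS = [("create_vendor", "approve_payment")]

if __name__ == "__main__":
    es = entitlement_sets(ENFORCEMENT_POINTS)
    print(unauthorized(es, ROLES), sod_conflicts(es, TOXIC_PAIRS))
```

Running the block reports bob holding approve_payment without a role that allows it, and bob as the sole member of the create_vendor/approve_payment conflict set.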