Role Engineering Scoping and Management

US 20130198639A1
Filed: 03/14/2013
Published: 08/01/2013
Est. Priority Date: 10/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method, in a data processing system, for performing a role engineering project for applying security roles to access operations targeting resources, comprising:

receiving, by the data processing system, a plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system;

receiving, by the data processing system, one or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during the role engineering project, wherein the one or more filter criteria specify a scope of the role engineering project;

applying, by the data processing system, the one or more filter criteria to generate the subset of data objects;

performing, in the data processing system, role engineering project operations on the subset of data objects to generate one or more security roles; and

deploying, by the data processing system, the one or more security roles to the organization computing system to control access operations targeting resources of the organization computing system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms are provided for performing a role engineering project for applying security roles to access operations targeting resources. A plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system are received. One or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during the role engineering project are received. The one or more filter criteria specify a scope of the role engineering project. The one or more filter criteria are applied to generate the subset of data objects. Role engineering project operations are performed on the subset of data objects to generate one or more security roles. The one or more security roles are deployed to the organization computing system to control access operations targeting resources of the organization computing system.

26 Citations

View as Search Results

10 Claims

1. A method, in a data processing system, for performing a role engineering project for applying security roles to access operations targeting resources, comprising:
- receiving, by the data processing system, a plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system;
  
  receiving, by the data processing system, one or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during the role engineering project, wherein the one or more filter criteria specify a scope of the role engineering project;
  
  applying, by the data processing system, the one or more filter criteria to generate the subset of data objects;
  
  performing, in the data processing system, role engineering project operations on the subset of data objects to generate one or more security roles; and
  
  deploying, by the data processing system, the one or more security roles to the organization computing system to control access operations targeting resources of the organization computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein receiving one or more filter criteria comprises:
    - outputting a user interface to a user for selecting the one or more filter criteria; and
      
      receiving user input via the user interface identifying the one or more filter criteria to be used to select data objects for inclusion in the role engineering project.
  - 3. The method of claim 2, wherein the one or more filter criteria comprise one or more attributes of the data objects.
  - 4. The method of claim 3, wherein the one or more attributes of the data objects comprises different attributes for different data object types, wherein the different data object types comprise data objects for user identities, data objects for permissions, and data objects for resources.
  - 5. The method of claim 3, wherein the one or more attributes of the data objects comprises at least one of attributes specifying a business function of a data object, attributes associated with a business policy characteristic of the data object, or attributes associated with an information technology characteristic of the data object.
  - 6. The method of claim 2, wherein:
    - the user interface outputs a representation of the plurality of data objects,provides a user input mechanism for selecting at least one attribute of the plurality of data objects for filtering the representation of the plurality of data objects, andprovides a portion of the user interface where a representation of the subset of data objects selected based on the selected at least one attribute of the plurality of data objects is output.
  - 7. The method of claim 1, wherein performing role engineering project operations to generate one or more security roles comprises receiving user selections of at least one user identity data object, at least one resource data object, and at least one permission data object to correlate with one another in a defined security role.
  - 8. The method of claim 1, further comprising:
    - receiving, in the data processing system, user input to modify the scope of the role engineering project, wherein the user input to modify the scope comprises at least one of a selection of a new filter criteria to include in the one or more filter criteria or removal of a filter criteria from the one or more filter criteria specifying the scope of the role engineering project.
  - 9. The method of claim 1, further comprising at least one of:
    - merging at least one of the one or more filter criteria, the subset of data objects, or the one or more security roles of the role engineering project with at least one of filter criteria, data objects, or security roles of another role engineering project;
      
      orsplitting the at least one of the one or more filter criteria, the subset of data objects, or the one or more security roles of the role engineering project into two or more sub-projects of the role engineering project.

10-25. -25. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Casco-Arias Sanchez, Luis B., Jordan, Todd D., Kuehr-McLaren, David G., Love, Oriana J., Palmieri, David W., Plachco, Chrystian L., Rajamani, Magesh, Robke, Jeffrey T.

Granted Patent

US 8,918,426 B2
Time in Patent Office

Days
Field of Search
US Class Current

715/736
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06Q 10/06   Resources, workflows, human...

H04L 63/20   for managing network securi...

Role Engineering Scoping and Management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Role Engineering Scoping and Management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links