Access Reviews at IAM System Implementing IAM Data Model

US 20140181912A1
Filed: 07/18/2013
Published: 06/26/2014
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for conducting access reviews of access rights to logical computing resources comprising:

receiving, at an access reviewer, a selection that indicates a user having access to one or more logical computing resources of a computer system;

identifying, by the access reviewer, a set of current logical computing resources the user has access to;

identifying, by the access reviewer, a set of current logical entitlements associated with the user; and

generating an access review summary based on a comparison of one or more of the current logical computing resources to one or more of the current logical entitlements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of conducting access reviews of access rights to logical computing resources are provided. An access reviewer may receive a selection indicating a user having access to one or more logical computing resources of a computer system. The access reviewer may identify a set of current logical computing resources that the user has access to and a set of current logical entitlements associated with the user. The access reviewer may generate an access review summary based on a comparison of the current logical computing resources to one or more of the current logical entitlements.

9 Citations

View as Search Results

20 Claims

1. A computer-implemented method for conducting access reviews of access rights to logical computing resources comprising:
- receiving, at an access reviewer, a selection that indicates a user having access to one or more logical computing resources of a computer system;
  
  identifying, by the access reviewer, a set of current logical computing resources the user has access to;
  
  identifying, by the access reviewer, a set of current logical entitlements associated with the user; and
  
  generating an access review summary based on a comparison of one or more of the current logical computing resources to one or more of the current logical entitlements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein generating the access review summary includes:
    - determining whether one of the current logical computing resources is indicated in at least one of the current logical entitlements;
      
      responsive to a determination that the current logical computing resource is indicated in at least one of the current logical entitlements, indicating in the access review summary that the current logical computing resource is traceable to an access request; and
      
      responsive to a determination that the current logical computing resource is not indicated in any of the current logical entitlements, indicating in the access review summary that the current logical computing resource is not traceable to an access request.
  - 3. The method of claim 2 further comprising:
    - responsive to the determination that the current logical computing resource is traceable to the access request, including in the access review summary access request information associated with the access request.
  - 4. The method of claim 3 wherein the access request information includes:
    - a date the access request was submitted;
      
      a requestor that submitted the access request;
      
      a date the access request was approved; and
      
      an approver of the access request.
  - 5. The method of claim 1 further comprising:
    - determining whether one of the current logical entitlements indicates a requested logical computing resource that is not included in the set of current logical computing resources;
      
      responsive to a determination that the requested logical computing resource is not included in the set of current logical computing resources, submitting an access request to an access request handler that initiates provisioning of access to the requested logical computing resource for the user based on the access request.
  - 6. The method of claim 5 further comprising:
    - responsive to the determination that the requested logical computing resource is not included in the set of current logical computing resources,identifying a set of physical computing resources associated with the requested logical computing resource, andprovisioning the user with new access rights to each physical computing resource in the set of physical computing resources based on the access request.
  - 7. The method of claim 1 further comprising:
    - determining whether one of the current logical computing resources is indicated in at least one of the current logical entitlements; and
      
      responsive to a determination that the current logical computing resource is not indicated in any of the current logical entitlements, submitting an access request to an access request handler that initiates revocation of access to the current logical computing resource such that the user cannot subsequently access the current logical computing resource.
  - 8. The method of claim 7 further comprising:
    - responsive to the determination that the current logical computing resource is not indicated in any of the current logical entitlements,identifying a set of physical computing resources associated with the current logical computing resource, andrevoking existing access rights for the user from each physical computing resource in the set of physical computing resources.

9. A system for conducting access reviews of access rights to logical computing resources comprising:
- a processor;
  
  an access request handler that, in operation,receives an access request,derives a set of logical entitlements for a user based at least in part on the access request, andinitiates provisioning of access to a logical computing resource specified in the access request; and
  
  an access reviewer that, in operation,identifies a set of current logical computing resources the user has access to,identifies a set of current logical entitlements associated with the user, andgenerates an access review summary based on a comparison of the set of current logical computing resources to the set of current logical entitlements.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9 further comprising:
    - a data store that implements an identity access management (IAM) data model that stores, in accordance with the IAM data model,a set of access request records corresponding to one or more access requests received at the access request handler,a set of logical entitlement records corresponding to one or more logical entitlements derived by the access request handler, anda set of logical computing resource records corresponding to one or more logical computing resources of a computer system.
  - 11. The system of claim 9 wherein the access reviewer further, in operation,determines whether one of the current logical computing resources is indicated in at least one of the current logical entitlements,indicates in the access review summary that the current logical computing resource is traceable to an access request responsive to a determination that the current logical computing resource is indicated in at least one of the current logical entitlements, andindicates in the access review summary that the current logical computing resource is not traceable to an access request responsive to a determination that the current logical computing resources is not indicated in any of the current logical entitlements.
  - 12. The system of claim 11 wherein the access reviewer further, in operation, includes in the access review summary access request information associated with the access request responsive to the determination that the current logical computing resource is traceable to an access request.
  - 13. The system of claim 9 wherein the access reviewer further, in operation,determines whether one of the current logical entitlements indicates a requested logical computing resource that is not included in the set of current logical computing resources, andresponsive to a determination that the requested logical computing resource is not included in the set of current logical computing resources, submits an access request to an access request handler that initiates provisioning of access to the requested logical computing resource based on the access request.
  - 14. The system of claim 9 wherein the access reviewer further, in operation,determines whether one of the current logical computing resources is indicated in at least one of the current logical entitlements, andresponsive to a determination that the current logical computing resource is not indicated in any of the current logical entitlements, submits an access request to an access request handler that initiates revocation of access to the current logical computing resource such that the user cannot subsequently access the current logical computing resource.

15. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to perform steps for conducting access reviews of access rights to logical computing resources, the steps comprising:
- receiving, at an access reviewer, a selection that indicates a user having access to one or more logical computing resources of a computer system;
  
  obtaining, by the access reviewer, a set of current logical computing resources the user has access to and a set of current logical entitlements associated with the user;
  
  presenting the set of current logical computing resources and the set of current logical entitlements at a display device for comparison.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15 wherein the instructions, when executed by the processor, cause the processor to perform steps further comprising:
    - implementing an identity and access management (IAM) data model at a data store;
      
      storing at the data store, in accordance with the IAM data model,a set of access request records corresponding to one or more access requests received at an access request handler,a set of logical entitlement records corresponding to one or more logical entitlements derived by the access handler, anda set of logical computing resource records corresponding to a one or more logical computing resources of the computer system;
      
      wherein individual access request records are respectively associated with individual logical entitlement records based on the IAM data model; and
      
      wherein individual logical entitlement records are associated with individual logical computing resource records based on the IAM data model.
  - 17. The computer-readable medium of claim 15 wherein the instructions, when executed by the processor, cause the processor to perform steps further comprising:
    - receiving a new access request that specifies a requested logical computing resource that is not accessible to the user;
      
      provisioning the user with access to the requested logical computing resource; and
      
      wherein at least one of the current logical entitlements indicates the requested logical computing resource and the set of current logical computing resources does not include the requested logical computing resource.
  - 18. The computer-readable medium of claim 17 wherein provisioning the user with access to the new logical computing resource includes:
    - identifying a set of physical computing resources associated with the requested logical computing resource; and
      
      provisioning the user with new access rights to each physical computing resource in the set of physical computing resources based on the access request.
  - 19. The computer-readable medium of claim 15 wherein the instructions, when executed by the processor, cause the processor to perform steps further comprising:
    - receiving a new access request that specifies one of the current logical computing resources in the set of current logical computing resources;
      
      revoking access to the current logical computing resource such that the user cannot subsequently access the current logical computing resource; and
      
      wherein none of the current logical entitlements indicate the current logical computing resource;
  - 20. The computer-readable medium of claim 19 wherein revoking access to the current logical computing resource includes:
    - identifying a set of physical computing resources associated with the current logical computing resource; and
      
      revoking existing access rights for the user from each physical computing resource in the set of physical computing resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kling, John, Thompson, Bryan, Green, Ward

Granted Patent

US 9,495,380 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 16/176   Support for shared access t...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1425   Traffic logging, e.g. anoma...

Access Reviews at IAM System Implementing IAM Data Model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access Reviews at IAM System Implementing IAM Data Model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links