QUALITY ASSURANCE CHECKS OF ACCESS RIGHTS IN A COMPUTING SYSTEM

US 20140289207A1
Filed: 05/01/2014
Published: 09/25/2014
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A system for ensuring the quality of identity and access management information at a computing system comprising:

at least one processor; and

a data store that stores access right information respectively corresponding to one or more access rights of a computing system wherein the access right information is stored in accordance with a data model that defines respective relationships between the one or more access rights and i) users having access to the computing system, and ii) computing resources of the computing system;

memory storing instructions that, when executed by the at least one processor, cause the system toretrieve at least a portion of the access right information respectively corresponding to the one or more access rights of the computing system, andperform one or more quality assurance tasks using the portion of the access right information retrieved.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for ensuring the quality of identity and access management information at a computing system are described. Access right information that respectively corresponds to one or more access rights may be stored at a data store. The access right information may be stored in accordance with a data model that defines respective relationships between the access rights and both the users having access to the computing system and the computing resources of the computing system. At least a portion of the access right information may be retrieved, and quality assurance tasks may be performed using the portion of the access right information retrieved.

20 Citations

View as Search Results

20 Claims

1. A system for ensuring the quality of identity and access management information at a computing system comprising:
- at least one processor; and
  
  a data store that stores access right information respectively corresponding to one or more access rights of a computing system wherein the access right information is stored in accordance with a data model that defines respective relationships between the one or more access rights and i) users having access to the computing system, and ii) computing resources of the computing system;
  
  memory storing instructions that, when executed by the at least one processor, cause the system toretrieve at least a portion of the access right information respectively corresponding to the one or more access rights of the computing system, andperform one or more quality assurance tasks using the portion of the access right information retrieved.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1 wherein:
    - the one or more quality assurance tasks include a quality assurance task associated with instructions stored at the memory that, when executed by the at least one processor, cause the system toreceive an access grant request that specifies a set of requested access rights that are requested to be provisioned for a user at the computing system,obtain one or more sets of access rights respectively associated with one or more roles defined at the computing system;
      
      compare the set of requested access rights to the one or more sets of access rights; and
      
      provide the access grant request for fulfillment or deny the access grant request based on whether the set of requested access rights matches at least one of the sets of access rights respectively associated with one of the roles.
  - 3. The system of claim 2 wherein:
    - denying the access right includes instructing a requestor that submitted the access grant request to submit a new access grant request that specifies the role associated with the set of access rights that matches the set of requested access rights.
  - 4. The system of claim 2 wherein:
    - the set of requested access rights matches one of the set of access rights associated with one of the roles when the set of requested access rights includes all of the access rights in the set of access rights associated with the role.
  - 5. The system of claim 1 wherein:
    - the one or more quality assurance tasks include a quality assurance task associated with instructions stored at the memory that, when executed by the at least one processor, cause the system toreceive an access request that specifies a user and a requested access right to either provision or revoke for the user,obtain a set of provisioned access rights associated with the user, andprovide the access request for fulfillment or deny the access request based on a comparison between the requested access right and the set of provisioned access rights.
  - 6. The system of claim 5 wherein:
    - the access request indicates that the requested access right is requested to be provisioned to the user;
      
      the access request is provided for fulfillment responsive to determining that the requested access right does not correspond to any of the provisioned access rights; and
      
      the access request is denied responsive to determining that the requested access right corresponds to one of the provisioned access rights.
  - 7. The system of claim 5 wherein:
    - the access request indicates that the requested access right is requested to be revoked from the user;
      
      the access request is provided for fulfillment responsive to determining that the requested access right corresponds to one of the provisioned access rights; and
      
      the access request is denied responsive to determining that the requested access right does not correspond to any of the provisioned access rights.
  - 8. The system of claim 5 wherein:
    - the access request is submitted to an access request system used to fulfill the access request; and
      
      receiving the access request includes intercepting the access request submitted to the access request system before the access request system receives the access request.
  - 9. The system of claim 1 wherein:
    - the one or more quality assurance tasks include a quality assurance task associated with instructions stored at the memory that, when executed by the at least one processor, cause the system toreceive an access report that identifies a set of reported access rights used to access a computing resource of the computing system,obtain an access rights list that identifies a set of provisioned access rights associated with the computing resource, andgenerate a quality assurance report based on a comparison between the access report and the access rights list.
  - 10. The system of claim 9 wherein:
    - generating the quality assurance report includes identifying one of the provisioned access rights as either a used access right or an unused access right in the quality assurance report based on whether that provisioned access right corresponds to one of the reported access rights.
  - 11. The system of claim 1 wherein:
    - the one or more quality assurance tasks include a quality assurance task associated with instructions stored at the memory that, when executed by the at least one processor, cause the system toobtain an incomplete action item list that identifies a set of incomplete action items wherein individual incomplete action items are respectively associated with one of the access rights of the computing system,calculate a duration that one of the incomplete action items has remained incomplete, anddetermine whether to identify the incomplete action item as an unactionable action item in an quality assurance report based on a comparison of the duration to a duration threshold.
  - 12. The system of claim 11 wherein:
    - the set of incomplete action items is a set of unfulfilled access requests; and
      
      the duration is based on a date on which one of the unfulfilled access requests was submitted.
  - 13. The system of claim 11 wherein:
    - the set of incomplete action items is a set of incomplete access reviews; and
      
      the duration is based on a due date set for one of the access reviews.

14. A computer-implemented method of ensuring the quality of identity and access management information at a computing system comprising:
- storing, at a data store, access right information respectively corresponding to one or more access rights of a computing system wherein the access right information is stored in accordance with a data model that defines respective relationships between the one or more access rights and i) users having access to the computing system, and ii) computing resources of the computing system;
  
  retrieve at least a portion of the access right information respectively corresponding to the one or more access rights of the computing system; and
  
  performing one or more quality assurance tasks using the portion of the access right information retrieved.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer-implemented method of claim 14 wherein the one or more quality assurance tasks include a quality assurance task comprising:
    - receiving an access grant request that specifies a set of requested access rights that are requested to be provisioned for a user at the computing system;
      
      obtaining one or more sets of access rights respectively associated with one or more roles defined at the computing system;
      
      comparing the set of requested access rights to the one or more sets of access rights;
      
      providing the access grant request for fulfillment or denying the access grant request based on whether the set of requested access rights matches one of the sets of access rights associated with one of the roles; and
      
      wherein denying the access grant request includes instructing a requestor that submitted the access grant request to submit a new access grant request that specifies the role associated with the set of access rights that matches the set of requested access rights.
  - 16. The computer-implemented method of claim 14 wherein the one or more quality assurance tasks include a quality assurance task comprising:
    - receiving an access request that specifies a user and a requested access right to provision for the user;
      
      obtaining a set of provisioned access rights associated with the user;
      
      providing the access request for fulfillment or denying the access request based on a comparison between the requested access right and the set of provisioned access rights;
      
      wherein the access request is provided for fulfillment responsive to determining that the requested access right does not correspond to any of the provisioned access rights; and
      
      wherein the access request is denied responsive to determining that the requested access right corresponds to one of the provisioned access rights.
  - 17. The computer-implemented method of claim 14 wherein the one or more quality assurance tasks include a quality assurance task comprising:
    - receiving an access request that specifies a user and a requested access right to revoke from the user;
      
      obtaining a set of provisioned access rights associated with the user;
      
      providing the access request for fulfillment or denying the access request based on a comparison between the requested access right and the set of provisioned access rights;
      
      wherein the access request is provided for fulfillment responsive to determining that the requested access right corresponds to one of the provisioned access rights; and
      
      wherein the access request is denied responsive to determining that the requested access right does not correspond to any of the provisioned access rights.
  - 18. The computer-implemented method of claim 14 wherein the one or more quality assurance tasks include a quality assurance task comprising:
    - receiving an access report that identifies a set of reported access rights used to access a computing resource of the computing system;
      
      obtaining an access rights list that identifies a set of provisioned access rights associated with the computing resource; and
      
      identifying one of the provisioned access rights as either a used access right or an unused access right in a quality assurance report based on whether that provisioned access right corresponds to one of the reported access rights.
  - 19. The computer-implemented method of claim 14 wherein the one or more quality assurance tasks include a quality assurance task comprising:
    - obtaining an incomplete action item list that identifies a set of incomplete action items wherein individual incomplete action items are respectively associated with one of the access rights of the computing system;
      
      calculating a duration that one of the incomplete action items has remained incomplete;
      
      determine whether to identify the incomplete action item as an unactionable action item in an quality assurance report based on a comparison of the duration to a duration threshold; and
      
      wherein the set of incomplete action items includes at least one of i) a set of unfulfilled access requests, and ii) a set of incomplete access reviews.

20. Non-transitory computer-readable media having instructions, that when executed by a processor of a computing device, cause the computing device to:
- retrieve access right information respectively corresponding to one or more access rights of a computing system;
  
  perform one or more quality assurance tasks using the access right information; and
  
  wherein the one or more quality assurance tasks includea first quality assurance task comprising determining whether a set of access rights associated with a role defined at the computing system matches a set of requested access rights specified in an access grant request,a second quality assurance task comprising determining whether to provide an access change request to an access request system or deny the access change request based on whether a requested change specified in the access change request has already occurred,a third quality assurance task comprising determining whether a provisioned access right of the computing system corresponds to an access right reported as having been used to access a computing resource of the computing system, anda fourth quality assurance task comprising determining whether an incomplete action item associated with an access right of the computing system has been incomplete for longer than a duration threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Ritchey, Ronald W., Moloian, Armen

Granted Patent

US 9,542,433 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/687
CPC Class Codes

G06F 16/215   Improving data quality; Dat...

G06F 16/2365   Ensuring data consistency a...

G06F 21/6209   to a single file or object,...

QUALITY ASSURANCE CHECKS OF ACCESS RIGHTS IN A COMPUTING SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

QUALITY ASSURANCE CHECKS OF ACCESS RIGHTS IN A COMPUTING SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others