ACCESS POLICY HARVESTING

US 20150200943A1
Filed: 01/12/2015
Published: 07/16/2015
Est. Priority Date: 01/13/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by a computer system, an account associated with an identity of a user, wherein the account is associated with an entitlement involving a resource of a target system;

determining, by the computer system, that the account is not associated with an access policy;

identifying, by the computer system, a role associated with the identity;

determining, by the computer system, a set of access policies that grant access to the resource of the target system;

determining, by the computer system, from the set of access policies, a first access policy that indicates access to the resource by the identified role; and

associating, by the computer system, the account with the first access policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates generally to techniques for automatically associating one or more access policies with an account. Specifically, these techniques enable one or more access policies to retroactively be associated with an account that is not associated with at least one access policy. By associating an access policy with an account, managing access to one or more resources provided by the account may be automated based on the associated access policy. An identity management system (IDM) system may manage access policies for determining access to resources of target systems. Accounts that are not associated with an access policies may be associated with the access policies governing access to resources identified by those accounts. Access to the resource(s) associated with those accounts may be updated based on the access granted by the access policies which are associated with those accounts.

50 Citations

View as Search Results

20 Claims

1. A method comprising:
- identifying, by a computer system, an account associated with an identity of a user, wherein the account is associated with an entitlement involving a resource of a target system;
  
  determining, by the computer system, that the account is not associated with an access policy;
  
  identifying, by the computer system, a role associated with the identity;
  
  determining, by the computer system, a set of access policies that grant access to the resource of the target system;
  
  determining, by the computer system, from the set of access policies, a first access policy that indicates access to the resource by the identified role; and
  
  associating, by the computer system, the account with the first access policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - receiving, from the target system, account data identifying the account, wherein the account is created by the target system.
  - 3. The method of claim 1, wherein each access policy of the set of access policies indicates an entitlement to access the resource of the target system by one or more roles.
  - 4. The method of claim 1, wherein the account is created before the first access policy is created.
  - 5. The method of claim 1, wherein the account is created after the first access policy is created.
  - 6. The method of claim 1, wherein each access policy of the set of access policies is associated with an identifier, and wherein associating the account with the first access policy includes storing the identifier corresponding to the first access policy in association with account data corresponding to the account.
  - 7. The method of claim 1, further comprising:
    - determining a value of an attribute in access policy data corresponding to the first access policy, wherein the attribute indicates whether the first access policy can be associated with accounts created for accessing the resource of the target system.
  - 8. The method of claim 1, wherein the resource of the target system corresponds to an application provided by the target system.
  - 9. The method of claim 1, wherein the resource of the target system corresponds to a computing system accessible from the target system.
  - 10. The method of claim 1, wherein determining that the account is not associated with an access policy includes:
    - determining policy profile data corresponding to a policy profile associated with the identity; and
      
      determining whether the policy profile data indicates an association between the first access policy and an identifier corresponding to the target system; and
      
      wherein the account is not associated with the access policy when the policy profile data does not indicate an association between the first access policy and the identifier corresponding to the target system.
  - 11. The method of claim 10, wherein the identifier corresponding to the target system is based on information identifying the resource of the target system and an account identifier corresponding to the account associated with the identity.

12. A computer system of an identity management system, the computer system comprising:
- one or more processors; and
  
  a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  identify account data corresponding to an account associated with an identity of a user, wherein the account data is associated with an entitlement involving a resource of a target system;
  
  identify policy profile data corresponding to a policy profile associated with the identity;
  
  determine whether the policy profile data indicates an association between an identifier corresponding to the target system and an access policy that grants access to the resource of the target system by a role associated with the identity;
  
  determine that the account is not associated with an access policy when the policy profile data does not indicate an association between the identifier and the access policy that grants access to the resource of the target system;
  
  determine a set of access policies that grant access to the resource;
  
  identify from the set of access policies, a first access policy that indicates access to the resource by the identified role; and
  
  associate the account with an identifier of the first access policy.
- View Dependent Claims (13, 14, 15)
- - 13. The computer system of claim 12, wherein the identifier corresponding to the target system is based on information identifying the resource of the target system and an account identifier corresponding to the account associated with the identity.
  - 14. The computer system of claim 12, wherein the account is a bulk-loaded account or a reconciled account.
  - 15. The computer system of claim 14, wherein the instructions, when executed by the one or more processors, further cause the one or more processors to:
    - receive, from the target system, data indicating a plurality of accounts created by the target system, wherein the data includes the account data corresponding to the account.

16. A non-transitory computer-readable memory storing a set of instructions that are executable by one or more processors to:
- identify an account associated with an identity of a user, wherein the account is associated with an entitlement involving a resource of a target system;
  
  determine that the account is not associated with an access policy;
  
  identify a role associated with the identity;
  
  determine a set of access policies that grant access to the resource of the target system;
  
  determine, from the set of access policies, a first access policy that indicates access to the resource by the identified role; and
  
  associate the account with the first access policy.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable memory of claim 16, wherein determining that the account is not associated with an access policy includes:
    - determining policy profile data corresponding to a policy profile associated with the identity; and
      
      determining whether the policy profile data indicates an association between the first access policy and an identifier corresponding to the target system;
      
      wherein the account is not associated with the access policy when the policy profile data does not indicate an association between the first access policy and the identifier corresponding to the target system; and
      
      wherein the identifier corresponding to the target system is based on information identifying the resource of the target system and an account identifier corresponding to the account associated with the identity.
  - 18. The non-transitory computer-readable memory of claim 16, wherein the set of instructions are further executable by one or more processors to:
    - receive, from the target system, account data corresponding to a plurality of accounts, wherein each account is a bulk-loaded account or a reconciled account created by one of a plurality of target systems, wherein the plurality of accounts includes the account.
  - 19. The non-transitory computer-readable memory of claim 18, wherein the account is created before the first access policy is created.
  - 20. The non-transitory computer-readable memory of claim 18, wherein the set of instructions are further executable by one or more processors to:
    - determine a value of an attribute in the access policy data corresponding to the first access policy, wherein the attribute indicates whether the first access policy can be associated with accounts created for accessing the resource of the target system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Pitre, Ashutosh

Granted Patent

US 9,602,545 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/45   Structures or tools for the...

G06F 21/604   Tools and structures for ma...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

ACCESS POLICY HARVESTING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS POLICY HARVESTING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links