ACCESS POLICY HARVESTING
First Claim
1. A method comprising:
identifying, by a computer system, an account associated with an identity of a user, wherein the account is associated with an entitlement involving a resource of a target system;
determining, by the computer system, that the account is not associated with an access policy;
identifying, by the computer system, a role associated with the identity;
determining, by the computer system, a set of access policies that grant access to the resource of the target system;
determining, by the computer system, from the set of access policies, a first access policy that indicates access to the resource by the identified role; and
associating, by the computer system, the account with the first access policy.
1 Assignment
0 Petitions
Abstract
The present disclosure relates generally to techniques for automatically associating one or more access policies with an account. Specifically, these techniques enable one or more access policies to be retroactively associated with an account that is not associated with at least one access policy. By associating an access policy with an account, managing access to one or more resources provided by the account may be automated based on the associated access policy. An identity management (IDM) system may manage access policies for determining access to resources of target systems. Accounts that are not associated with an access policy may be associated with the access policies governing access to the resources identified by those accounts. Access to the resource(s) associated with those accounts may then be updated based on the access granted by the access policies associated with them.
20 Claims
1. A method comprising:
identifying, by a computer system, an account associated with an identity of a user, wherein the account is associated with an entitlement involving a resource of a target system;
determining, by the computer system, that the account is not associated with an access policy;
identifying, by the computer system, a role associated with the identity;
determining, by the computer system, a set of access policies that grant access to the resource of the target system;
determining, by the computer system, from the set of access policies, a first access policy that indicates access to the resource by the identified role; and
associating, by the computer system, the account with the first access policy.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
12. A computer system of an identity management system, the computer system comprising:
one or more processors; and
a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to:
identify account data corresponding to an account associated with an identity of a user, wherein the account data is associated with an entitlement involving a resource of a target system;
identify policy profile data corresponding to a policy profile associated with the identity;
determine whether the policy profile data indicates an association between an identifier corresponding to the target system and an access policy that grants access to the resource of the target system by a role associated with the identity;
determine that the account is not associated with an access policy when the policy profile data does not indicate an association between the identifier and the access policy that grants access to the resource of the target system;
determine a set of access policies that grant access to the resource;
identify, from the set of access policies, a first access policy that indicates access to the resource by the identified role; and
associate the account with an identifier of the first access policy.
View Dependent Claims (13, 14, 15)
16. A non-transitory computer-readable memory storing a set of instructions that are executable by one or more processors to:
identify an account associated with an identity of a user, wherein the account is associated with an entitlement involving a resource of a target system;
determine that the account is not associated with an access policy;
identify a role associated with the identity;
determine a set of access policies that grant access to the resource of the target system;
determine, from the set of access policies, a first access policy that indicates access to the resource by the identified role; and
associate the account with the first access policy.
View Dependent Claims (17, 18, 19, 20)
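The following is an added illustration of the harvesting method recited in independent claims 1, 12 and 16, written for this page and not taken from the patent or from any IDM product. It models the claimed steps with constructed sample data: an account carrying an entitlement to a resource of a target system, a policy profile per identity (claim 12's check for an existing target-system-to-policy association), the set of policies granting access to that resource, and selection of the first policy that names the identity's role. All names (account, identity and policy identifiers, target systems, roles) are assumptions chosen for the example; an account whose role matches no candidate policy is reported as unresolved rather than silently granted a policy.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class AccessPolicy:
    """An access policy managed by the IDM system (assumed shape)."""
    policy_id: str
    target_system: str
    resource: str
    roles: frozenset  # roles the policy grants access to the resource


@dataclass
class Account:
    """An account on a target system, tied to an identity via an entitlement."""
    account_id: str
    identity_id: str
    target_system: str
    entitlement: str  # the resource the entitlement involves
    policy_id: Optional[str] = None  # None: not yet associated with a policy


@dataclass
class Identity:
    identity_id: str
    role: str
    # Policy profile (claim 12): target system identifier -> access policy id.
    policy_profile: dict = field(default_factory=dict)


def has_policy(account: Account, identity: Identity) -> bool:
    """Claim 12 test: the account counts as associated only if the identity's
    policy profile already maps the account's target system to a policy
    (or the account itself records one)."""
    return (account.policy_id is not None
            or account.target_system in identity.policy_profile)


def policies_for_resource(policies, target_system, resource):
    """Set of access policies that grant access to the resource of the target
    system (claim 1, fourth step). Order of the input list is preserved so that
    'first access policy' is deterministic."""
    return [p for p in policies
            if p.target_system == target_system and p.resource == resource]


def harvest(accounts, identities, policies):
    """Associate every unassociated account with the first policy that grants
    the identity's role access to the entitled resource.
    Returns (associated: {account_id: policy_id}, unresolved: [account_id])."""
    associated = {}
    unresolved = []
    for acct in accounts:
        identity = identities[acct.identity_id]
        if has_policy(acct, identity):
            continue  # already governed by a policy; nothing to harvest
        candidates = policies_for_resource(policies, acct.target_system, acct.entitlement)
        match = next((p for p in candidates if identity.role in p.roles), None)
        if match is None:
            # No policy grants this role access to the resource: flag for review
            # instead of inventing an association.
            unresolved.append(acct.account_id)
            continue
        acct.policy_id = match.policy_id
        identity.policy_profile[acct.target_system] = match.policy_id
        associated[acct.account_id] = match.policy_id
    return associated, unresolved


def run_sample():
    """Constructed sample data (not from the patent) exercising all branches."""
    policies = [
        AccessPolicy("P-DB-ADMIN", "db", "customer_db", frozenset({"dba"})),
        AccessPolicy("P-DB-READ", "db", "customer_db", frozenset({"analyst", "dba"})),
        AccessPolicy("P-CRM-EDIT", "crm", "opportunities", frozenset({"sales"})),
    ]
    identities = {
        "alice": Identity("alice", "analyst"),
        "bob": Identity("bob", "sales", {"crm": "P-CRM-EDIT"}),  # already in profile
        "carol": Identity("carol", "contractor"),
    }
    accounts = [
        Account("A1", "alice", "db", "customer_db"),       # harvested -> P-DB-READ
        Account("A2", "bob", "crm", "opportunities"),      # skipped: profile covers it
        Account("A3", "carol", "db", "customer_db"),       # unresolved: no policy for role
    ]
    return harvest(accounts, identities, policies)


if __name__ == "__main__":
    print(run_sample())  # ({'A1': 'P-DB-READ'}, ['A3'])
```

Note that A1 skips P-DB-ADMIN even though it is listed first for the same resource, because "first access policy" in the claim is the first one that indicates access by the identified role; the DBA-only policy is not a match for an analyst. Auditing the unresolved list is where a reviewer would catch entitlements that exist on the target system without any policy backing them.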
Specification