Entitlement security and control

US 7,403,925 B2
Filed: 03/17/2003
Issued: 07/22/2008
Est. Priority Date: 03/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an entitlement request from a user via a client seeking an entitlement permission;

generating an entitlement profile corresponding to the user, the entitlement profile is based on the entitlement request;

generating an entitlement criteria based on entitlement rules, wherein the entitlement rules are placed at a metadata repository;

associating first metadata with the entitlement criteria to describe the entitlement criteria, and placing the entitlement criteria and the first metadata at the metadata repository;

associating second metadata with the entitlement profile to describe the entitlement profile, and placing the entitlement profile and the second metadata at the metadata repository;

retrieving the entitlement criteria, the first metadata, the entitlement profile, and the second metadata from the metadata repository;

matching the entitlement profile and the second metadata with the entitlement criteria and the first metadata to determine whether the entitlement request is satisfied;

granting the entitlement permission upon satisfaction of the entitlement rules by the entitlement request;

generating an audit trail of entitlement events by tracking the entitlement events relating to the granting of the entitlement permission, the audit trail having entitlement-related information, the entitlement-related information having information relating to one or more of first users requesting the entitlement permission, second users receiving the entitlement permission, and third users receiving the entitlement permission and not receiving an access permission, the first users including the user, wherein the tracking of the entitlement events includes tracking one or more of trusted data sources, reviewing entitlement requests, entitlement permission upon changes in one or more of the entitlement rules, entitlement regulations, and user characteristics; and

validating the granting of the entitlement permission by accessing the audit trail.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, and method are provided for entitlement security and control. According to one embodiment, an entitlement request is received from a user seeking entitlement permission, the entitlement request is matched against entitlement rules and roles that are retrieved from a metadata repository, and the entitlement permission is granted if the entitlement request satisfies the entitlement rules and roles.

103 Citations

View as Search Results

13 Claims

1. A method comprising:
- receiving an entitlement request from a user via a client seeking an entitlement permission;
  
  generating an entitlement profile corresponding to the user, the entitlement profile is based on the entitlement request;
  
  generating an entitlement criteria based on entitlement rules, wherein the entitlement rules are placed at a metadata repository;
  
  associating first metadata with the entitlement criteria to describe the entitlement criteria, and placing the entitlement criteria and the first metadata at the metadata repository;
  
  associating second metadata with the entitlement profile to describe the entitlement profile, and placing the entitlement profile and the second metadata at the metadata repository;
  
  retrieving the entitlement criteria, the first metadata, the entitlement profile, and the second metadata from the metadata repository;
  
  matching the entitlement profile and the second metadata with the entitlement criteria and the first metadata to determine whether the entitlement request is satisfied;
  
  granting the entitlement permission upon satisfaction of the entitlement rules by the entitlement request;
  
  generating an audit trail of entitlement events by tracking the entitlement events relating to the granting of the entitlement permission, the audit trail having entitlement-related information, the entitlement-related information having information relating to one or more of first users requesting the entitlement permission, second users receiving the entitlement permission, and third users receiving the entitlement permission and not receiving an access permission, the first users including the user, wherein the tracking of the entitlement events includes tracking one or more of trusted data sources, reviewing entitlement requests, entitlement permission upon changes in one or more of the entitlement rules, entitlement regulations, and user characteristics; and
  
  validating the granting of the entitlement permission by accessing the audit trail.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - rejecting the entitlement permission upon dissatisfaction of the entitlement rules by the entitlement request; and
      
      granting an exception to the client when the entitlement request is not satisfied, the exception comprises an option for the client to submit a second entitlement request to seek the entitlement permission.
  - 3. The method of claim 1, wherein the entitlement rules comprise security classified entitlement rules.
  - 4. The method of claim 3, wherein the security classified rules comprise one or more of laws, regulations, policies, plans, roles, and considerations.
  - 5. The method of claim 1, wherein the entitlement permission comprises authorizing the client to access one or more of a system, an application, and a database.

6. A system comprising:
- a client to send an entitlement request to a server to seek an entitlement permission for a user;
  
  a server coupled to the client, the server having an entitlement unit includinga metadata repository having entitlement rules,an entitlement processing unit coupled with the metadata repository, the entitlement processing unit toreceive the entitlement request from a user seeking an entitlement permission,generate an entitlement profile corresponding to the user, the entitlement profile is based on the entitlement request,generate an entitlement criteria based on the entitlement rules,associate first metadata with the entitlement criteria to describe the entitlement criteria, and placing the entitlement criteria and the first metadata at a metadata repository;
  
  associate second metadata with the entitlement profile to describe the entitlement profile, and placing the entitlement profile and the second rnetadata at the metadata repository;
  
  retrieve the entitlement criteria, the first metadata, the entitlement profile, and the second metadata from the metadata repository;
  
  match the entitlement profile and the second metadata with the entitlement criteria and the first metadata to determine whether the entitlement request is satisfied,grant the entitlement permission upon satisfaction of the entitlement mles by the entitlement request,generate an audit trail of entitlement events by tracking the entitlement events relating to the granting of the entitlement permission, the audit trail having entitlement-related information, the entitlement-related information having information relating to one or more of first users requesting the entitlement permission, second users receiving the entitlement permission, and third users receiving the entitlement permission and not receiving an access permission, the first users including the user, wherein the tracking of the entitlement events includes tracking one or more of trusted data sources, reviewing entitlement requests, entitlement permission upon changes in one or more of the entitlement rules, entitlement regulations, and user characteristics, andvalidate the granting of the entitlement permission by accessing the audit trail; and
  
  an access control unit coupled with the entitlement unit.
- View Dependent Claims (7, 8)
- - 7. The system of claim 6, wherein the entitlement processing unit is further to:
    - reject the entitlement permission upon dissatisfaction of the entitlement rules by the entitlement request; and
      
      grant an exception to the client when the entitlement request is not satisfied, the exception comprises an option for the client to submit a second entitlement request to seek the entitlement pennission.
  - 8. The system of claim 6, wherein the entitlement rules comprise security classified entitlement rules.

9. A tangible machine-readable storage medium having instructions which, when executed, cause a machine to:
- receive an entitlement request from a user via a client seeking an entitlement permission;
  
  generate an entitlement profile corresponding to the user, the entitlement profile is based on the entitlement request;
  
  generate an entitlement criteria based on entitlement rules, wherein the entitlement rules are placed at a metadata repository;
  
  associate first metadata with the entitlement criteria to describe the entitlement criteria, and placing the entitlement criteria and the first metadata at the metadata repository;
  
  associate second metadata with the entitlement profile to describe the entitlement profile, and placing the entitlement profile and the second metadata at the metadata repository;
  
  retrieve the entitlement criteria, the first metadata, the entitlement profile, and the second metadata from the metadata repository;
  
  match the entitlement profile and the second metadata with the entitlement rules and the first metadata to determine whether the entitlement request is satisfied;
  
  grant the entitlement permission upon satisfaction of the entitlement rules by the entitlement request;
  
  generate an audit trail of entitlement events by tracking the entitlement events relating to the granting of the entitlement permission, the audit trail having entitlement-related information, the entitlement-related information having information relating to one or more of first users requesting the entitlement permission, second users receiving the entitlement permission, and third users receiving the entitlement permission and not receiving an access permission, the first users including the user, wherein the tracking of the entitlement events includes tracking one or more of trusted data sources, reviewing entitlement requests, entitlement permission upon changes in one or more of the entitlement rules, entitlement regulations, and user characteristics; and
  
  validate the granting of the entitlement permission by accessing the audit trail.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The tangible machine-readable storage medium of claim 9, wherein the instructions when executed, further cause the machine to:
    - reject the entitlement permission upon dissatisfaction of the the entitlement request is not satisfied; and
      
      grant an exception to the user if the entitlement request is not satisfied, the exception comprises an option for the user to submit a second entitlement request to seek the entitlement permission.
  - 11. The tangible machine-readable storage medium of claim 9, wherein the entitlement rules comprise security classified entitlement rules.
  - 12. The tangible machine-readable storage medium of claim 11, wherein the security classified rules comprise one or more of laws, regulations, policies, plans, roles, and considerations.
  - 13. The tangible machine-readable storage medium of claim 9, wherein the entitlement permission comprises authorizing the user to access one or more of a system, an application, and a database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Thangarathinam, Thiru, Waite, Timothy, Schlesinger, David
Primary Examiner(s)
Elisca; Pierre E.

Application Number

US10/390,470
Publication Number

US 20040186809A1
Time in Patent Office

1,954 Days
Field of Search

705/64, 705/50, 705/67
US Class Current

705/64
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

Entitlement security and control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Entitlement security and control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links