Managing user access entitlements to information technology resources

US 8,132,231 B2
Filed: 12/06/2007
Issued: 03/06/2012
Est. Priority Date: 12/06/2007
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for provisioning user access to a business application within a framework of an identity management system, the computer implemented method comprising:

generating a service profile for the business application comprising information used to access the business application to form a managed service in the identity management system;

defining entitlements for the managed service comprising a set of conditions for accessing the managed service and permissions to be assigned to a user when the set of conditions is met;

responsive to receiving a request to access the business application from the user, determining whether the set of conditions for accessing the managed service is met by the user; and

responsive to a determination that the set of conditions for accessing the managed service is met by the user, provisioning the user access to the business application such that the user accesses the managed service using the information in the service profile.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method, data processing system, and computer program product for logical management and provisioning of business applications within the framework of an identity management system. The illustrative embodiments providing an interface layer to map respective attributes, permissions, and resource accounts in a data repository needed to represent access to business applications via a managed service in the identity management system. The illustrative embodiments define user entitlements on a user account associated with the managed service. The illustrative embodiments provision user access to the business applications via the managed service in the identity management system upon user request.

Citations

18 Claims

1. A computer implemented method for provisioning user access to a business application within a framework of an identity management system, the computer implemented method comprising:
- generating a service profile for the business application comprising information used to access the business application to form a managed service in the identity management system;
  
  defining entitlements for the managed service comprising a set of conditions for accessing the managed service and permissions to be assigned to a user when the set of conditions is met;
  
  responsive to receiving a request to access the business application from the user, determining whether the set of conditions for accessing the managed service is met by the user; and
  
  responsive to a determination that the set of conditions for accessing the managed service is met by the user, provisioning the user access to the business application such that the user accesses the managed service using the information in the service profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer implemented method of claim 1, wherein types of business applications include operating systems, J2EE applications, database systems, and web services.
  - 3. The computer implemented method of claim 1, wherein the step of determining whether the set of conditions for accessing the managed service is met by the user comprises determining whether the user is in an organizational role that satisfies the set of conditions.
  - 4. The computer implemented method of claim 1, wherein the user is in a first organizational role, and wherein the set of conditions comprises a relationship constraint in which a condition in the set of conditions is satisfied when the first organizational role of the user is associated with a second organizational role in the identity management system and the set of conditions is satisfied when the user is in the second organizational role.
  - 5. The computer implemented method of claim 1, wherein the entitlements are managed on a lifecycle basis for the user.
  - 6. The computer implemented method of claim 5, wherein a provisioning workflow is used to track lifecycle events for the lifecycle basis.
  - 7. The computer implemented method of claim 6, wherein the lifecycle events include access requests, access approval, access activation, access deactivation, access recertification, and access de-provisioning.
  - 8. The computer implemented method of claim 1, wherein the identity management system comprises audit and reporting functions for auditing the user access entitlements to the managed service.
  - 9. The computer implemented method of claim 1, wherein the request to access the business application comprises an identifier for the managed service in a user interface, wherein the user interface presents a plurality of managed services for which the user may request access.
  - 10. The computer implemented method of claim 1, wherein the user is in a first organizational role, the first organizational role inherits privileges from a second organizational role in a hierarchy of organizational roles in the identity management system, and wherein a condition in the set of conditions is satisfied for the user when the condition is satisfied by the second organizational role.
  - 11. The computer implemented method of claim 1, wherein the business application comprises a web service.
  - 12. The computer implemented method of claim 1, wherein defining the entitlements is performed upon receiving a request from the user to access the managed service.
  - 13. The computer implemented method of claim 1, wherein defining the entitlements is performed upon assignment to a business role.
  - 14. The computer implemented method of claim 1, wherein the information comprises system profile values, protocol property values, and service definition values, and wherein the step of provisioning the user access to the business application such that the user accesses the managed service using the information in the service profile comprises:
    - generating a user account in the identity management system for the user such that the user accesses the managed service using the user account and the information in the service profile.
  - 15. The computer implemented method of claim 1, wherein defining the entitlements is managed by business policies set with access entitlement business workflows.

16. A data processing system for provisioning user access to a business application within a framework of an identity management system, the data processing system comprising:
- a bus;
  
  a storage device connected to the bus, wherein the storage device contains computer usable code;
  
  at least one managed device connected to the bus;
  
  a communications unit connected to the bus; and
  
  a processing unit connected to the bus, wherein the processing unit executes the computer usable code to generate a service profile for the business application comprising information used to access the business application to form a managed service in the identity management system;
  
  define entitlements for the managed service comprising a set of conditions for accessing the managed service and permissions to be assigned to a user when the set of conditions is met;
  
  determine whether the set of conditions for accessing the managed service is met by the user responsive to receiving a request to access the business application from the user; and
  
  provision the user access to the business application such that the user accesses the managed service using the information in the service profile responsive to a determination that the set of conditions for accessing the managed service is met by the user.

17. A computer program product for provisioning user access to a business application within a framework of an identity management system, the computer program product comprising:
- a non-transitory computer readable storage medium having computer readable program code tangibly embodied thereon, the computer readable program code comprising;
  
  computer readable program code for generating a service profile for the business application comprising information used to access the business application to form a managed service in the identity management system;
  
  computer readable program code for defining entitlements for the managed service comprising a set of conditions for accessing the managed service and permissions to be assigned to a user when the set of conditions is met;
  
  computer readable program code for, responsive to receiving a request to access the business application from the user, determining whether the set of conditions for accessing the managed service is met by the user; and
  
  computer readable program code for, responsive to a determination that the set of conditions for accessing the managed service is met by the user, provisioning the user access to the business application such that the user accesses the managed service using the information in the service profile.
- View Dependent Claims (18)
- - 18. The computer program product of claim 17 wherein the computer readable program code is stored in a non-transitory computer readable storage medium in a data processing system, and wherein the computer readable program code is downloaded over a network from a remote data processing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Amies, Alexander Phillip, Bajekal, Sadanand Rajaram, Bauserman, Christopher Michael, Chen, Leanne L., Muppidi, Sridhar R.
Primary Examiner(s)
EL HADY, NABIL M

Application Number

US11/951,980
Publication Number

US 20090150981A1
Time in Patent Office

1,552 Days
Field of Search

726 2- 6, 726/1
US Class Current

726/2
CPC Class Codes

H04L 63/102 Entity profiles

H04L 67/02 based on web technology, e....

Managing user access entitlements to information technology resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Managing user access entitlements to information technology resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links