System and method for flexible security access management in an enterprise
Abstract
Some embodiments provide a method and system for flexibly managing access to enterprise resources. To flexibly manage security, some embodiments secure the enterprise resources and provide a security access manager (SAM) to control access to the secured resources. The SAM controls access to the enterprise and the secure resources through one or more configurable management modules of the SAM. Each management module of the SAM is configurable to facilitate control over different security services of an enterprise security hierarchy (e.g., authentication, authorization, role mapping, etc.). Specifically, each management module is configurable to leverage security services that are provided by different security systems. In some embodiments, the management module is configured to interface with one or more adapters in order to establish the interfaces, logic, and protocols necessary to leverage the security functionality of such security systems.
24 Claims
1. For a security access manager of a data management system of an enterprise, a method of authenticating and authorizing a user of a client application to access secure data resources, said method comprising:
providing a first security module for (i) receiving, from the client application which authenticates an identity of the user against an external user directory that operates outside of the data management system, a request comprising the identity of the user, (ii) accessing the external user directory, and (iii) verifying the identity against the external user directory;
providing a second security module for performing a first level authorization upon verification of the identity by (i) accessing an external role repository that operates outside of the data management system, (ii) retrieving an enterprise role associated with the identity from the external role repository, and (iii) associating the enterprise role with an internal role that provides access to a set of secured data resources; and
providing a third security module for performing a second level authorization upon performing the first level authorization by (i) retrieving a set of internal policy definitions and (ii) restricting access to a subset of the set of secured resources using the set of internal policy definitions, wherein said first, second, and third security modules are modules of the security access manager.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. For a security access manager of a data management system of an enterprise, a method of authenticating and authorizing a user of a client application to access secure data resources of the enterprise, said method comprising:
receiving a request from the client application that authenticates an identity of the user against an external user directory;
verifying an external authentication against the external user directory;
performing a first level authorization upon verifying the external authentication by (i) accessing an external role repository that operates outside of the data management system, (ii) retrieving an enterprise role associated with the identity from the external role repository, and (iii) associating the enterprise role with an internal role that provides access to a set of secured resources; and
performing a second level authorization upon performing the first level authorization by (i) retrieving a set of internal policy definitions and (ii) restricting access to a subset of the set of secured resources using the set of internal policy definitions, wherein the receiving, verifying, and performing the first and second level authorizations are operations of the security access manager.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A non-transitory computer readable storage medium storing a computer program for authenticating and authorizing a user of a client application to access data resources of an enterprise, the computer program executable by at least one processing unit, the computer program comprising sets of instructions for:
receiving, from the client application, a request comprising authentication information with an identity of the user;
performing a first level authentication of the identity by accessing a first user directory using the authentication information;
performing a second level authentication of the identity upon failure of the first level authentication by accessing a second user directory using the authentication information;
performing a first level authorization upon authenticating the identity by assigning a role that provides access to a set of secured resources; and
performing a second level authorization by restricting access to a subset of the set of resources according to a set of internal policy definitions.
Dependent claims: 22.
23. For a security access manager of a data management system of an enterprise, a method of authenticating and authorizing a user of a client application to access secure data resources, said method comprising:
providing a first security module to (i) receive, from the client application, a request comprising authentication information with an identity of the user and (ii) perform a first level authentication of the identity by accessing a first user directory using the authentication information;
providing a second security module to perform a second level authentication of the identity upon failure of the first level authentication by accessing a second user directory using the authentication information;
providing a third security module to perform a first level authorization upon authenticating the identity by assigning a role that provides access to a set of secured resources; and
providing a fourth security module to perform a second level authorization operation upon performing the first level role authorization by restricting access to a subset of the set of secured resources according to a set of internal policy definitions, wherein said first, second, third, and fourth security modules are modules of the security access manager.
Dependent claims: 24.
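The sequence the claims describe (authenticate against a first user directory and fall back to a second only on failure; map the enterprise role held in an external role repository to an internal role that grants a resource set; then apply internal policy definitions to narrow that set) is modelled below as an added Python example. It is not code from the patent or from any product implementing it. The directory, role-repository, role-mapping and policy data are constructed for the example, the policy format (`deny` glob plus optional `unless_attributes`) is an assumption about how "internal policy definitions" might be expressed, and the two directories are plain dictionaries standing in for the adapters the abstract mentions.

```python
"""Model of a security access manager (SAM) with two-level authentication and
two-level authorization. Added example; all data below is constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional


def _hash(password: str, salt: str) -> str:
    # PBKDF2-SHA256 so the constructed directories hold no plaintext secrets.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()


class UserDirectory:
    """Adapter over one external user directory (constructed stand-in)."""

    def __init__(self, name: str, records: dict[str, tuple[str, str]]):
        self.name = name
        self._records = records  # identity -> (salt, password hash)

    def verify(self, identity: str, password: str) -> bool:
        rec = self._records.get(identity)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(_hash(password, salt), stored)


@dataclass
class AccessDecision:
    identity: str
    authenticated_by: Optional[str] = None
    enterprise_roles: list[str] = field(default_factory=list)
    internal_role: Optional[str] = None
    allowed_resources: set[str] = field(default_factory=set)
    denied_reason: Optional[str] = None

    @property
    def granted(self) -> bool:
        return self.denied_reason is None and bool(self.allowed_resources)


class SecurityAccessManager:
    def __init__(self, directories, role_repository, role_mapping, role_resources, policies):
        self.directories = directories          # ordered: first directory, then fallback
        self.role_repository = role_repository  # external: identity -> enterprise roles
        self.role_mapping = role_mapping        # enterprise role -> internal role
        self.role_resources = role_resources    # internal role -> secured resources
        self.policies = policies                # internal policy definitions (assumed format)

    def authenticate(self, identity: str, password: str) -> Optional[str]:
        # First level: first directory; second level only on failure of the first.
        for directory in self.directories:
            if directory.verify(identity, password):
                return directory.name
        return None

    def first_level_authorization(self, identity: str):
        # Retrieve enterprise roles externally and map the first one that has an
        # internal counterpart; an unmapped role grants nothing (fail closed).
        roles = self.role_repository.get(identity, [])
        for role in roles:
            internal = self.role_mapping.get(role)
            if internal is not None:
                return roles, internal
        return roles, None

    def second_level_authorization(self, internal_role: str, attributes: dict) -> set[str]:
        # Start from the role's resource set and remove what policies deny.
        resources = set(self.role_resources.get(internal_role, ()))
        for policy in self.policies:
            if policy["role"] not in (internal_role, "*"):
                continue
            required = policy.get("unless_attributes", {})
            if required and all(attributes.get(k) == v for k, v in required.items()):
                continue  # exemption condition satisfied, policy does not apply
            resources = {r for r in resources if not fnmatch(r, policy["deny"])}
        return resources

    def access(self, identity: str, password: str, attributes: dict | None = None) -> AccessDecision:
        attributes = attributes or {}
        decision = AccessDecision(identity=identity)
        decision.authenticated_by = self.authenticate(identity, password)
        if decision.authenticated_by is None:
            decision.denied_reason = "authentication failed in all directories"
            return decision
        decision.enterprise_roles, decision.internal_role = self.first_level_authorization(identity)
        if decision.internal_role is None:
            decision.denied_reason = "no enterprise role maps to an internal role"
            return decision
        decision.allowed_resources = self.second_level_authorization(decision.internal_role, attributes)
        return decision


# Constructed sample data (fixed salt only to keep the example deterministic).
_SALT = "constructed-salt"
CORPORATE_DIRECTORY = UserDirectory("corporate-ldap", {
    "alice": (_SALT, _hash("alice-pw", _SALT)),
    "carol": (_SALT, _hash("carol-pw", _SALT)),
})
PARTNER_DIRECTORY = UserDirectory("partner-idp", {"bob": (_SALT, _hash("bob-pw", _SALT))})
ROLE_REPOSITORY = {"alice": ["Finance-Analyst"], "bob": ["Partner-Auditor"], "carol": ["Contractor"]}
ROLE_MAPPING = {"Finance-Analyst": "analyst", "Partner-Auditor": "auditor"}  # Contractor unmapped
ROLE_RESOURCES = {
    "analyst": {"reports/quarterly", "reports/annual", "finance/ledger", "hr/payroll"},
    "auditor": {"reports/annual", "finance/ledger"},
}
POLICIES = [
    {"role": "*", "deny": "hr/*"},  # HR data never exposed through this SAM
    {"role": "auditor", "deny": "finance/*", "unless_attributes": {"mfa": "true"}},
]
SAM = SecurityAccessManager([CORPORATE_DIRECTORY, PARTNER_DIRECTORY],
                            ROLE_REPOSITORY, ROLE_MAPPING, ROLE_RESOURCES, POLICIES)

if __name__ == "__main__":
    for who, pw, attrs in [("alice", "alice-pw", {}), ("bob", "bob-pw", {}), ("carol", "carol-pw", {})]:
        print(SAM.access(who, pw, attrs))
```

Two details matter for a defender reviewing such a design: the role mapping must fail closed (an enterprise role with no internal counterpart yields a denial, never a default role), and the policy layer can only subtract from what the role grants, so a misconfigured policy cannot widen access beyond the role's resource set.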