System and method for flexible security access management in an enterprise

US 8,224,873 B1
Filed: 08/19/2008
Issued: 07/17/2012
Est. Priority Date: 05/22/2008
Status: Active Grant

First Claim

Patent Images

1. For a security access manager of a data management system of an enterprise, a method of authenticating and authorizing a user of a client application to access secure data resources, said method comprising:

providing a first security module for (i) receiving, from the client application which authenticates an identity of the user against an external user directory that operates outside of the data management system, a request comprising the identity of the user, (ii) accessing the external user directory, and (iii) verifying the identity against the external user directory;

providing a second security module for performing a first level authorization upon verification of the identity by (i) accessing an external role repository that operates outside of the data management system, (ii) retrieving an enterprise role associated with the identity from the external role repository, and (iii) associating the enterprise role with an internal role that provides access to a set of secured data resources; and

providing a third security module for performing a second level authorization upon performing the first level authorization by (i) retrieving a set of internal policy definitions and (ii) restricting access to a subset of the set of secured resources using the set of internal policy definitions,wherein said first, second, and third security modules are modules of the security access manager.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a method and system for flexibly managing access to enterprise resources. To flexibly manage security, some embodiments secure the enterprise resources and provide a security access manager (SAM) to control access to the secured resources. The SAM controls access to the enterprise and the secure resources through one or more configurable management modules of the SAM. Each management module of the SAM is configurable to facilitate control over different security services of an enterprise security hierarchy (e.g., authentication, authorization, role mapping, etc.). Specifically, each management module is configurable to leverage security services that are provided by different security systems. In some embodiments, the management module is configured to interface with one or more adapters in order to establish the interfaces, logic, and protocols necessary to leverage the security functionality of such security systems.

Citations

24 Claims

1. For a security access manager of a data management system of an enterprise, a method of authenticating and authorizing a user of a client application to access secure data resources, said method comprising:
- providing a first security module for (i) receiving, from the client application which authenticates an identity of the user against an external user directory that operates outside of the data management system, a request comprising the identity of the user, (ii) accessing the external user directory, and (iii) verifying the identity against the external user directory;
  
  providing a second security module for performing a first level authorization upon verification of the identity by (i) accessing an external role repository that operates outside of the data management system, (ii) retrieving an enterprise role associated with the identity from the external role repository, and (iii) associating the enterprise role with an internal role that provides access to a set of secured data resources; and
  
  providing a third security module for performing a second level authorization upon performing the first level authorization by (i) retrieving a set of internal policy definitions and (ii) restricting access to a subset of the set of secured resources using the set of internal policy definitions,wherein said first, second, and third security modules are modules of the security access manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein a security hierarchy comprises a plurality of different levels of security operations that includes authentication services at one level and authorization services at another level.
  - 3. The method of claim 1, wherein the first security module comprises an adapter module that translates a messaging format of the security access manager to a messaging format of the external user directory.
  - 4. The method of claim 1, wherein the identity is part of authentication information that is included in the request, wherein the first module verifies the authentication information by accessing the external user directory.
  - 5. The method of claim 1, wherein the first security module performs a first level authentication, the method further comprising providing a fourth security module for performing a second level authentication by accessing an internal user directory using the identity.
  - 6. The method of claim 5, wherein the fourth security module performs the second level authentication when the first security module fails to verify the identity against the external user directory.
  - 7. The method of claim 1, wherein the data management system comprises a user data store, wherein the second security module is further for accessing the user data store and retrieving the internal role from the user data store in order to associate the enterprise role with the internal role.
  - 8. The method of claim 1, wherein the data management system comprises an internal policy store, wherein the third security module is further for accessing the internal policy store to retrieve the set of internal policy definitions.
  - 9. The method of claim 1, wherein the external user directory is part of a security system developed by a third party developer independent of the data management system.
  - 10. The method of claim 1, wherein the external user directory is part of a security system that does not pre-exist within the enterprise and is integrated into the security access manager to provide security services in addition to services deployed by the security access manager.

11. For a security access manager of a data management system of an enterprise, a method of authenticating and authorizing a user of a client application to access secure data resources of the enterprise, said method comprising:
- receiving a request from the client application that authenticates an identity of the user against an external user directory;
  
  verifying an external authentication against the external user directory;
  
  performing a first level authorization upon verifying the external authentication by (i) accessing an external role repository that operates outside of the data management system, (ii) retrieving an enterprise role associated with the identity from the external role repository, and (iii) associating the enterprise role with an internal role that provides access a set of secured resources; and
  
  performing a second level authorization upon performing the first level authorization by (i) retrieving a set of internal policy definitions and (ii) restricting access to a subset of the set of secured resources using the set of internal policy definitions,wherein the receiving, verifying, and performing the first and second level authorizations are operations of the security access manager.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 further comprising accessing the external user directory using the identity of the user in order to verify the external authentication.
  - 13. The method of claim 11, wherein the security access manager is a part of data management system that manages data resources.
  - 14. The method of claim 11, wherein the external user directory is not a part of the data management system.
  - 15. The method of claim 11, wherein the security access manager is a first security system, the method further comprising directing a different second security system to process a first subset of security operations when the first security system successfully processes a second subset of the security operations.
  - 16. The method of claim 15, wherein the first subset of security operations comprises authentication, and wherein the second subset of the security operations comprises authorization.
  - 17. The method of claim 11, wherein the set of secured resources is a first set of data resources, wherein the internal role restricts access to a second set of data resources.
  - 18. The method of claim 11, wherein the set of secured resources is a first set of data resources, wherein the set of internal policy definitions restricts access to a second set of data resources.
  - 19. The method of claim 13, wherein the data management system comprises a Customer Relationship Management (CRM) system of the enterprise, and said security access manager manages access to data resources of said CRM system.
  - 20. The method of claim 13, wherein the data management system comprises an Enterprise Resource Planning (ERP) system of the enterprise, and said security access manager manages access to data resources of said ERP system.

21. A non-transitory computer readable storage medium storing a computer program for authenticating and authorizing a user of a client application to access data resources of an enterprise, the computer program executable by at least one processing unit, the computer program comprising sets of instructions for:
- receiving, from the client application, a request comprising authentication information with an identity of the user;
  
  performing a first level authentication of the identity by accessing a first user directory using the authentication information;
  
  performing a second level authentication of the identity upon failure of the first level authentication by accessing a second user directory using the authentication information;
  
  performing a first level authorization upon authenticating the identity by assigning a role that provides access to a set of secured resources; and
  
  performing a second level authorization by restricting access to a subset of the set of resources according to a set of internal policy definitions.
- View Dependent Claims (22)
- - 22. The non-transitory computer readable storage medium of claim 21, wherein the set of instructions for performing the first level authorization comprises a set of instructions for accessing a role repository to assign the role.

23. For a security access manager of a data management system of an enterprise, a method of authenticating and authorizing a user of a client application to access secure data resources, said method comprising:
- providing a first security module to (i) receive, from the client application, a request comprising authentication information with an identity of the user and (ii) perform a first level authentication of the identity by accessing a first user directory using the authentication information;
  
  providing a second security module to perform a second level authentication of the identity upon failure of the first level authentication by accessing a second user directory using the authentication information;
  
  providing a third security module to perform a first level authorization upon authenticating the identity by assigning a role that provides access to a set of secured resources; and
  
  providing a fourth security module to perform a second level authorization operation upon performing the first level role authorization by restricting access to a subset of the set of secured resources according to a set of internal policy definitions,wherein said first, second, third, and fourth security modules are modules of the security access manager.
- View Dependent Claims (24)
- - 24. The method of claim 23, wherein the role is an internal role defined within the data management system, wherein the third security module performs the first level authorization by mapping a role definition of an enterprise security system to the internal role.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Informatica Corporation
Original Assignee
Informatica Corporation
Inventors
Korablev, Dmitri, Danforth, Gregory
Primary Examiner(s)
VO, TRUONG V

Application Number

US12/194,421
Time in Patent Office

1,428 Days
Field of Search

707/809, 707/797
US Class Current

707/809
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

System and method for flexible security access management in an enterprise

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for flexible security access management in an enterprise

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links