Employing wrapper profiles

US 8,375,113 B2
Filed: 12/20/2002
Issued: 02/12/2013
Est. Priority Date: 07/11/2002
Status: Active Grant

First Claim

Patent Images

1. A method of controlling profile access, comprising the steps of:

identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;

identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;

configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;

creating a wrapper profile for the first profile, wherein;

said wrapper profile is stored as a profile in the directory server separately from said first profile,said wrapper profile controls access to said first profile,said wrapper profile comprises the attribute sets which further include a locking status attribute,said locking status attribute identifying the accessibility of said first profile corresponding to said wrapper profile,said wrapper profile is created as part of a first workflow,said first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process and defines multiple users that receive notifications corresponding to actions of the first workflow;

setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;

performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;

enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;

determining said wrapper profile is no longer needed for the first workflow; and

in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technology is disclosed for controlling access to data store information among multiple entities. A corresponding wrapper is created for information that may be subject to simultaneous access attempts. The wrapper includes an attribute that identifies the accessibility of the information—indicating whether the information is locked from further access, shareable among multiple entities, or not restricted at all. Before accessing information in the data store, an entity looks at the wrapper associated with the information to determine the type of access allowed, if any. An Identity, Access, or integrated Identity/Access System may maintain the wrappers as objects in the data store, with each wrapper object controlling another object containing information. Wrappers can be utilized when multiple provisioning applications are employed to provision resources. Each user and their corresponding resources are represented as objects with corresponding wrappers. Each provisioning application employs the wrappers to ensure that it has exclusive ownership of selected user and resource objects when provisioning resources to the selected user.

Citations

82 Claims

1. A method of controlling profile access, comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  creating a wrapper profile for the first profile, wherein;
  
  said wrapper profile is stored as a profile in the directory server separately from said first profile,said wrapper profile controls access to said first profile,said wrapper profile comprises the attribute sets which further include a locking status attribute,said locking status attribute identifying the accessibility of said first profile corresponding to said wrapper profile,said wrapper profile is created as part of a first workflow,said first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process and defines multiple users that receive notifications corresponding to actions of the first workflow;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein said setting step causes said first profile to be not locked and accessible by another entity.
  - 3. The method according to claim 1, wherein said setting step causes said first profile to be shared and accessible by a plurality of entities.
  - 4. The method according to claim 1, wherein said setting step causes said first profile to be locked and not accessible by another entity.
  - 5. The method according to claim 1, wherein said method further comprises the step of:
    - setting said locking state of said locking status attribute of said wrapper profile to unlock said first profile.
  - 6. The method according to claim 1, wherein said task is servicing a provisioning request.
  - 7. The method according to claim 1, wherein said setting step comprises the steps of:
    - setting a current time stamp in said wrapper profile;
      
      setting a locking status of said locking status attribute in said wrapper profile; and
      
      setting a component identifier in said wrapper profile.
  - 8. The method according to claim 1, wherein said first profile is a user profile.
  - 9. The method according to claim 1, wherein said first profile is a resource profile.
  - 10. The method according to claim 1, wherein said method is performed as part of an Identity System.
  - 11. The method according to claim 1, wherein said method is performed as part of an Access System.
  - 12. The method according to claim 1, wherein said method is performed as part of an integrated Identity/Access System.

13. One or more processor readable storage devices having processor readable code embodied on said one or more processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  creating a wrapper profile for the first profile, wherein;
  
  said wrapper profile is stored as a profile in the directory server separately from said first profile,said wrapper profile controls access to said first profile,said wrapper profile comprises the attribute sets which further include a locking status attribute,said locking status attribute identifying the accessibility of said first profile corresponding to said wrapper profile,a first workflow defines an approval process for performing one or more tasks to said first profile;
  
  said first workflow defines multiple actions of the approval process of the first workflow;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or the second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for said first workflow, deleting said wrapper profile.
- View Dependent Claims (14, 15, 16, 17)
- - 14. One or more processor readable storage devices according to claim 13, wherein said setting step causes said first profile to be locked and not accessible by another entity.
  - 15. One or more processor readable storage devices according to claim 13, wherein said method further comprises the step of:
    - setting said locking state of said wrapper profile to unlock said first profile.
  - 16. One or more processor readable storage devices according to claim 13, wherein said method is performed as part of an Identity System.
  - 17. One or more processor readable storage devices according to claim 13, wherein said method is performed as part of an Access System.

18. An apparatus, comprising:
- one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices, said one or more processors to perform a method comprising the steps of;
  
  identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  creating a wrapper profile for the first profile wherein;
  
  said wrapper profile is stored as a profile in the directory server separately from said first profile,said wrapper profile controls access to said first profile,said wrapper profile comprises the attribute sets which further include a locking status attribute, said locking status attribute identifying the accessibility of said first profile corresponding to said wrapper profile,said wrapper profile is created as part of a first workflow;
  
  said first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  performing a task related to said first profile after said setting step is performed;
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.

19. One or more processor readable storage devices having processor readable code embodied on said one or more processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  creating the first profile and a wrapper profile corresponding to said first profile, wherein;
  
  said wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute,said locking status attribute identifying the accessibility of said first profile corresponding to said wrapper profile,said wrapper profile is created as part of a first workflow,said first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process of the first workflow;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  locking said first profile;
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (20, 21, 22, 23)
- - 20. One or more processor readable storage devices according to claim 19, wherein said locking step comprises the step of:
    - setting a locking state of a wrapper profile corresponding to said first profile.
  - 21. One or more processor readable storage devices according to claim 19, wherein said method further comprises the steps of:
    - performing a task related to said first profile after said locking step is performed; and
      
      unlocking said first profile.
  - 22. One or more processor readable storage devices according to claim 19, wherein said method is performed as part of an Identity System.
  - 23. One or more processor readable storage devices according to claim 19, wherein said method is performed as part of an Access System.

24. A method of controlling profile access, comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  selecting a task request corresponding to the first profile;
  
  accessing a wrapper profile corresponding to said first profile to determine if said first profile is locked, wherein;
  
  said wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute,said locking status attribute identifies the accessibility of said first profile corresponding to said wrapper profile,said wrapper profile is created as part of a first workflow,said first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process of the first workflow;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by a second entity; and
  
  setting a locking state of said locking status attribute of said wrapper profile to lock said first profile by a first entity, if it is determined in said accessing step that said wrapper profile is not locked, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or said second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity; and
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 25. The method according to claim 24, wherein said method further comprises the step of:
    - determining whether an error occurred, if it is determined in said accessing step that said wrapper profile is locked.
  - 26. The method according to claim 25, wherein said determining step comprises the step of:
    - determining whether said first profile has been locked for at least a threshold period of time.
  - 27. The method according to claim 26, wherein said determining step comprises the step of:
    - determining whether said wrapper profile was last set to have a locking state of locked at least said threshold period of time before said determining step is performed.
  - 28. The method according to 27, further comprising the step of:
    - setting said locking state of said wrapper profile to locked, if it is determined in said determining step that said error occurred.
  - 29. The method according to claim 28, wherein said error is said first profile being locked for at least said threshold period of time and said setting step comprises the steps of:
    - setting a current time stamp of said wrapper profile;
      
      setting a locking status of said wrapper profile to locked; and
      
      setting a component identifier of said wrapper profile.
  - 30. The method according to claim 24, wherein at least one profile corresponds to said first profile and said method further comprises the steps of:
    - receiving information from said wrapper profile, wherein said information corresponds to said first profile;
      
      identifying a wrapper profile for each unlocked profile in said at least one profile; and
      
      setting a locking state for each wrapper profile identified in said identifying step.
  - 31. The method according to claim 30, wherein said locking state causes said each unlocked profile in said at least one profile to be locked.
  - 32. The method according to claim 30, wherein said method further comprises the step of:
    - unlocking said first profile after at least one task related to said first profile has been performed.
  - 33. The method according to claim 32, wherein said unlocking step includes the step of deleting said wrapper profile.
  - 34. The method according to claim 32, wherein:
    - said first profile is a user profile,said each unlocked profile in said at least one profile includes at least one resource profile, andsaid at least one task includes provisioning at least one resource.
  - 35. The method according to claim 24, wherein said method is performed as part of an Identity System.
  - 36. The method according to claim 24, wherein said method is performed as part of an Access System.

37. One or more processor readable storage devices having processor readable code embodied on said one or more processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  selecting a task request corresponding to the first profile;
  
  accessing a wrapper profile corresponding to said first profile to determine if said first profile is locked, wherein;
  
  said wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute,said locking status attribute identifying the accessibility of said first profile corresponding to said wrapper profile,said wrapper profile is created as part of a first workflow,said first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process and defines multiple users that receive notifications corresponding to actions of the first workflow;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by a second entity; and
  
  setting a locking state of said locking status attribute of said wrapper profile to lock said first profile by a first entity, if it is determined in said accessing step that said wrapper profile is not locked, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or said second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (38, 39, 40, 41, 42, 43)
- - 38. One or more processor readable storage devices according to claim 37, wherein said method further comprises the step of:
    - determining whether an error occurred, if it is determined in said accessing step that said wrapper profile is locked.
  - 39. One or more processor readable storage devices according to claim 38, wherein said determining step comprises the steps of:
    - determining whether said first profile has been locked for at least a threshold period of time.
  - 40. One or more processor readable storage devices according to claim 39, wherein said determining step comprises the step of:
    - determining whether said wrapper profile was last set to have a locking state of locked at least said threshold period of time before said determining step is performed.
  - 41. One or more processor readable storage devices according to claim 37, wherein at least one profile corresponds to said first profile and said method further comprises the steps of:
    - receiving information from said wrapper profile, wherein said information corresponds to said first profile;
      
      identifying a wrapper profile for each unlocked profile in said at least one profile; and
      
      setting a locking state for each wrapper profile identified in said identifying step.
  - 42. One or more processor readable storage devices according to claim 41, wherein said method further comprises the step of:
    - unlocking said first profile after at least one task related to said first profile has been performed.
  - 43. One or more processor readable storage devices according to claim 37 wherein said method is performed as part of an Identity System.

44. A method of controlling profile access, comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  identifying at least one wrapper profile satisfying criteria, wherein;
  
  said criteria calls for said at least one wrapper profile to have a locking status of locked and said locking status to have been in place for at least a threshold period of time,said at least one wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute,said wrapper profile is created as part of a first workflow, andsaid first workflow defines an approval process for performing one or more tasks to said first profile;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  for each wrapper profile identified in said identifying step, setting a current time stamp;
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (45, 46, 47, 48)
- - 45. The method according to claim 44, wherein said method further comprises the step of:
    - for each wrapper profile identified in said identifying step, setting a component identifier.
  - 46. The method according to claim 45, wherein said component identifier is changed to a different value in said setting step.
  - 47. The method according to claim 44, wherein said method is performed as part of an Identity System.
  - 48. The method according to claim 44, wherein said method is performed as part of an Access System.

49. One or more processor readable storage devices having processor readable code embodied on said one or more processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  identifying at least one wrapper profile satisfying criteria, wherein;
  
  said criteria calls for said at least one wrapper profile to have a locking status of locked and said locking status to have been in place for at least a threshold period of time,said at least one wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute,a workflow defines an approval process for performing one or more tasks to said first profile, andsaid workflow defines multiple actions of the approval process of the first workflow;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  for each wrapper profile identified in said identifying step, setting a current time stamp; and
  
  determining said wrapper profile is no longer needed for the workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (50, 51)
- - 50. One or more processor readable storage devices according to claim 49, wherein said method further comprises the step of:
    - for each wrapper profile identified in said identifying step, setting a component identifier.
  - 51. One or more processor readable storage devices according to claim 49, wherein said method is performed as part of an Identity System.

52. A method of controlling profile access, comprising the step of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  identifying at least one wrapper profile corresponding to a criteria, wherein;
  
  said at least one wrapper profile corresponds to at least one profile and said criteria calls for said at least one wrapper profile to have a locking status corresponding to a profile being accessible,said at least one wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute;
  
  a workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process and defines multiple users that receive notifications corresponding to actions of the first workflow;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  for each wrapper profile identified in said identifying step that has a locking status of not locked, setting a locking state;
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (53, 54, 55, 56, 57)
- - 53. The method according to claim 52, wherein said locking status has a value in a set consisting of shared and not locked.
  - 54. The method according to claim 52, wherein said method further comprises the steps of:
    - identifying any wrapper profile in said at least one wrapper profile identified in said identifying step that includes a wrapper profile with a shared locking status; and
      
      setting a locking status for any wrapper profile identified in said identifying step.
  - 55. The method according to claim 52, further comprising the step of:
    - performing at least one action related to said at least one profile.
  - 56. The method according to claim 52, wherein said method is performed as part of an Identity System.
  - 57. The method according to claim 52, wherein said method is performed as part of an Access System.

58. One or more processor readable storage devices having processor readable code embodied on said one or more processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  identifying at least one wrapper profile corresponding to a criteria, wherein;
  
  said at least one wrapper profile corresponds to at least one profile and said criteria calls for said at least one wrapper profile to have a locking status corresponding to a profile being accessible,said at least one wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute,a first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process of the first workflow;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  for each wrapper profile identified in said identifying step that has a locking status of not locked, setting a locking state; and
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (59, 60)
- - 59. One or more processor readable storage devices according to claim 58, wherein said method further comprises the steps of:
    - identifying any wrapper profile in said at least one wrapper profile identified in said identifying step that comprises a wrapper profile with a shared locking status; and
      
      setting a locking status for any wrapper profile identified in said identifying step.
  - 60. One or more processor readable storage devices according to claim 58, wherein said method is performed as part of an Identity System.

61. A method of controlling profile access, comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  identifying at least one wrapper profile corresponding to a criteria, wherein;
  
  said at least one wrapper profile corresponds to at least one profile and said criteria calls for said at least one wrapper profile to have a locking status of not locked,said at least one wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute,a workflow defines an approval process for performing one or more tasks to said first profile, andsaid workflow defines multiple actions of the approval process of the first workflow;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  for each wrapper profile identified in said identifying step, setting a locking status of said locking status attribute;
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (62, 63, 64)
- - 62. The method according to claim 61, wherein said locking status set in said setting step is locked.
  - 63. The method according to claim 61, wherein said method is performed as part of an Identity System.
  - 64. The method according to claim 61, wherein said method is performed as, part of an Access System.

65. One or more processor readable storage devices having processor readable code embodied on said one or more processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  identifying at least one wrapper profile corresponding to a criteria, wherein;
  
  said at least one wrapper profile corresponds to at least one profile and said criteria calls for said at least one wrapper profile to have a locking status of not locked,said at least one wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute,a first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process and defines multiple users that receive notifications corresponding to actions of the first workflow;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  for each wrapper profile identified in said identifying step, setting a locking status of said locking status attribute; and
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (66)
- - 66. One or more processor readable storage devices according to claim 65, wherein said method is performed as part of an Identity System.

67. A method of controlling profile access, comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  creating a user profile;
  
  creating a first wrapper profile for said user profile, whereinsaid wrapper profile is created as part of a first workflow,said first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process of the first workflow;
  
  creating at least one resource profile corresponding to said user profile;
  
  creating a wrapper profile for each resource profile in said at least one resource profile, wherein said wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute; and
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  determining the wrapper profile is no longer needed for the first workflow; and
  
  in response to determining the wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (68, 69, 70, 71, 72, 73, 74, 75)
- - 68. The method according to claim 67, wherein said method further comprises the step of:
    - submitting a provisioning request.
  - 69. The method according to claim 68, wherein said method further comprises the steps of:
    - selecting said provisioning request; and
      
      accessing said first wrapper profile to determine if said user profile is locked; and
      
      setting a locking state of said first wrapper profile to lock said user profile, if it is determined in said accessing step that said user profile is not locked.
  - 70. The method according to claim 69, wherein said method further comprises the step of:
    - determining whether an error occurred, if it is determined in said accessing step that said first wrapper profile is locked.
  - 71. The method according to claim 69, wherein said method further comprises the steps of:
    - identifying a wrapper profile for each not locked profile in said at least one resource profile; and
      
      setting a locking state for each wrapper profile identified in said identifying step.
  - 72. The method according to claim 71, wherein said locking state causes said each not locked profile in said at least one resource profile to become locked.
  - 73. The method according to claim 71, wherein said method further comprises the step of:
    - unlocking said user profile after at least one task called for by said provisioning request is completed.
  - 74. The method according to claim 67, wherein said method is performed as part of an Identity System.
  - 75. The method according to claim 67, wherein said method is performed as part of an Access System.

76. One or more processor readable storage devices having processor readable code embodied on said one or more processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  creating a user profile;
  
  creating a first wrapper profile for said user profile, whereinsaid first wrapper profile is created as part of a first workflow,said first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process and defines multiple users that receive notifications corresponding to actions of the first workflow;
  
  creating at least one resource profile corresponding to said user profile;
  
  creating a wrapper profile for each resource profile in said at least one resource profile, wherein said wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute; and
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity;
  
  determining the first wrapper profile is no longer needed for the first workflow; and
  
  in response to determining the first wrapper profile is no longer needed for the first workflow, deleting said first wrapper profile.
- View Dependent Claims (77, 78, 79, 80)
- - 77. One or more processor readable storage devices according to claim 76, wherein said method further comprises the step of:
    - submitting a provisioning request.
  - 78. One or more processor readable storage devices according to claim 77, wherein said method further comprises the steps of:
    - selecting said provisioning request; and
      
      accessing said first wrapper profile to determine if said user profile is locked; and
      
      setting a locking state of said first wrapper profile to lock said user profile, if it is determined in said accessing step that said user profile is not locked.
  - 79. One or more processor readable storage devices according to claim 77, wherein said method further comprises the steps of:
    - identifying a wrapper profile for each not locked profile in said at least one resource profile;
      
      setting a locking state for each wrapper profile identified in said identifying step; and
      
      unlocking said user profile after at least one task called for by said provisioning request is completed.
  - 80. One or more processor readable storage devices according to claim 76, wherein said method is performed as part of an Identity System.

81. An apparatus, comprising:
- one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices, said one or more processors perform a method comprising the steps of;
  
  identifying a first and second profile each including multiple objects and attribute sets, the first and second profiles each configured to identify an entity in a directory server, wherein each of the attribute sets describing at least one trait of each entity, and wherein each attribute set is included in each of the multiple objects;
  
  identifying a template for each attribute set including configuration information other than schema information for at least one attribute in each attribute set;
  
  configuring the first and second profiles by configuring each attribute set, based at least in part on the configuration information, wherein each attribute set includes at least a first attribute of a first type and a second attribute of a second type, and wherein the first attribute of the first profile is set to a first value and the first attribute of the second profile is set to a second value;
  
  creating a user profile;
  
  creating a first wrapper profile for said user profile, wherein;
  
  said first wrapper profile is stored as a profile in the directory server separately from said first profile and the attribute sets which further include a locking status attribute,said wrapper profile is created as part of a first workflow,said first workflow defines an approval process for performing one or more tasks to said first profile, andsaid first workflow defines multiple actions of the approval process of the first workflow;
  
  creating at least one resource profile corresponding to said user profile;
  
  creating a wrapper profile for each resource profile in said at least one resource profile;
  
  submitting a provisioning request;
  
  selecting said provisioning request;
  
  accessing said first wrapper profile to determine if said user profile is locked;
  
  enabling provisioning of said first profile using a provisioning system, said provisioning system receiving a request from a provisioning bridge server to grant or remove access to an external resource, and said provisioning bridge server being coupled to said directory server;
  
  setting a locking state of said locking status attribute of said wrapper profile for said first profile by a first entity, wherein when said locking status attribute of said wrapper profile is locked, said first profile is locked and not accessible by another entity for writing or modifying, and wherein when said locking status attribute of said wrapper profile is locked, said first profile is accessible for viewing by the first entity or a second entity;
  
  performing a task related to said first profile after said setting step is performed, which setting step causes said first profile to be not locked and accessible by another entity, shared and accessible by a plurality of entities, or locked and not accessible by another entity;
  
  setting a locking state of said locking status attribute of said first wrapper profile to lock said user profile, if it is determined in said accessing step that said user profile is not locked, wherein said provisioning bridge server uses said wrapper profile to ensure that said first profile is not being locked by said second entity; and
  
  determining said wrapper profile is no longer needed for the first workflow; and
  
  in response to determining said wrapper profile is no longer needed for the first workflow, deleting said wrapper profile.
- View Dependent Claims (82)
- - 82. The apparatus according to claim 81, wherein said method further comprises the steps of:
    - identifying a wrapper profile for each not locked profile in said at least one resource profile;
      
      setting a locking state for each wrapper profile identified in said identifying step; and
      
      unlocking said user profile after at least one task called for by said provisioning request is completed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sinn, Richard, Yuen, Stan, Lee, Chi-Cheng
Primary Examiner(s)
Salad, Abdullahi
Assistant Examiner(s)
Ma, Wing

Application Number

US10/325,438
Publication Number

US 20040010591A1
Time in Patent Office

3,707 Days
Field of Search

709/217, 709/218, 709/223, 709/224, 709/225, 709/203, 709/227, 709/229, 707/9, 707/781, 707/783, 707/784, 710/200, 726/3, 726/4, 726/27, 726/30
US Class Current

709/223
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/105   Multiple levels of security

Employing wrapper profiles

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

82 Claims

Specification

Solutions

Use Cases

Quick Links

Employing wrapper profiles

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

82 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links