System and method for flexible security access management in an enterprise
First Claim
1. For a security access manager for use in a data management system that manages access to data resources of an enterprise, a method for securing access to the data resources, said method comprising:
- providing a first security module for authenticating an identity of a user of a client application by (i) accessing an external user directory that is a part of an existing security system of the enterprise which operates outside of the data management system and (ii) verifying the identity of the user against the external user directory;
- providing a second security module for alternatively authenticating the identity of the user of the client application by (i) accessing an internal user directory that is a part of the data management system and (ii) verifying the identity of the user against the internal user directory;
- providing a third security module for authorizing the user to access a set of secured data resources by accessing a first policy data store that is a part of the data management system upon verification of the identity of the user with the first or second security module; and
- providing a fourth security module for alternatively authorizing the user to access the set of secured data resources by accessing a second policy data store that is a part of the existing enterprise security system, wherein said first, second, third, and fourth modules are modules of the security access manager.
Abstract
Some embodiments provide a method and system for flexibly managing access to enterprise resources. To flexibly manage security, some embodiments secure the enterprise resources and provide a security access manager (SAM) to control access to the secured resources. The SAM controls access to the enterprise and the secure resources through one or more configurable management modules of the SAM. Each management module of the SAM is configurable to facilitate control over different security services of an enterprise security hierarchy (e.g., authentication, authorization, role mapping, etc.). Specifically, each management module is configurable to leverage security services that are provided by different security systems. In some embodiments, the management module is configured to interface with one or more adapters in order to establish the interfaces, logic, and protocols necessary to leverage the security functionality of such security systems.
18 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A non-transitory computer readable storage medium storing a data management system having a security access manager for securing access to data resources of an enterprise, the security access manager comprising:
- a first security module for authenticating an identity of a user of a client application by (i) accessing an external user directory that is a part of an existing security system of the enterprise which operates outside of the data management system and (ii) verifying the identity of the user against the external user directory;
- a second security module for alternatively authenticating the identity of the user of the client application by (i) accessing an internal user directory that is a part of the data management system and (ii) verifying the identity of the user against the internal user directory;
- a third security module for authorizing the user to access a set of secured data resources by accessing a first policy data store that is a part of the data management system upon verification of the identity of the user with the first or second security module; and
- a fourth security module for alternatively authorizing the user to access the set of secured data resources by accessing a second policy data store that is a part of the existing security system, wherein said first, second, third, and fourth modules are modules of the security access manager.

Dependent claims: 11, 12, 13, 17, 18.
14. The non-transitory computer readable storage medium of claim 10, further comprising a management module for distributing requests to the first and second security modules, wherein each request comprises an identity of a user to be authenticated.

15. The non-transitory computer readable storage medium of claim 14, wherein the management module is further for managing responses received from the first and second security modules.

16. The non-transitory computer readable storage medium of claim 10, wherein the third and fourth security modules are for performing a first subset of authorization services to authorize the user to access the set of secured data resources, wherein the security access manager further comprises a fifth security module for performing a second subset of authorization services to authorize the user to access the set of secured data resources.
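The claims above describe an architecture rather than code. The following is an added example, written for this page and not taken from the patent or any product that implements it, showing how the four modules and the management module of claims 14 and 15 fit together: two user directories (the enterprise's external one and the data management system's internal one) behind one interface, two policy data stores behind another, and a security access manager that routes an authentication request to the directories and then consults the configured policy store. The class names, the sample users, the credential hashing and the rule that the first directory which knows a user is authoritative are all assumptions of this example; the patent specifies none of them.

```python
"""Added example: a pluggable security access manager (SAM) in the shape the
claims describe. Not the patent's or any vendor's code; all names and sample
data are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so directories never hold plaintext credentials."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass(frozen=True)
class Principal:
    """Verified identity passed from the authentication to the authorization step."""
    user: str
    roles: frozenset[str]


class UserDirectory:
    """One user directory (user -> salt, derived key, roles).

    The external enterprise directory (first security module) and the internal
    directory of the data management system (second module) are both instances
    of this adapter; only the records they hold differ.
    """

    def __init__(self, source: str) -> None:
        self.source = source
        self._records: dict[str, tuple[bytes, bytes, frozenset[str]]] = {}

    def add_user(self, user: str, secret: str, roles: set[str]) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _derive(secret, salt), frozenset(roles))

    def knows(self, user: str) -> bool:
        return user in self._records

    def authenticate(self, user: str, secret: str) -> Principal | None:
        rec = self._records.get(user)
        if rec is None:
            return None
        salt, key, roles = rec
        if not hmac.compare_digest(key, _derive(secret, salt)):
            return None
        return Principal(user, roles)


class PolicyStore:
    """One policy data store ((role, resource) -> allowed actions).

    The internal store (third security module) and the enterprise store
    (fourth module) share this adapter; the SAM is configured with one of them.
    """

    def __init__(self, source: str) -> None:
        self.source = source
        self._grants: dict[tuple[str, str], frozenset[str]] = {}

    def grant(self, role: str, resource: str, actions: set[str]) -> None:
        self._grants[(role, resource)] = frozenset(actions)

    def is_allowed(self, principal: Principal, resource: str, action: str) -> bool:
        return any(action in self._grants.get((role, resource), ())
                   for role in principal.roles)


class SecurityAccessManager:
    """Management module: distributes each request to the configured directories
    in order, collects the response, then applies the configured policy store."""

    def __init__(self, directories: list[UserDirectory], policy: PolicyStore) -> None:
        self._directories = directories
        self._policy = policy

    def authenticate(self, user: str, secret: str) -> Principal | None:
        # Assumed rule: the first directory that knows the user is authoritative.
        # A failed credential there must not fall through to a later directory,
        # otherwise a weaker internal account could stand in for an enterprise one.
        for directory in self._directories:
            if directory.knows(user):
                return directory.authenticate(user, secret)
        return None  # unknown everywhere

    def check_access(self, user: str, secret: str, resource: str, action: str) -> bool:
        principal = self.authenticate(user, secret)
        if principal is None:
            return False  # fail closed: no identity, no access
        return self._policy.is_allowed(principal, resource, action)


def build_demo() -> tuple[SecurityAccessManager, SecurityAccessManager]:
    """Constructed sample setup: same directory chain, two alternative policy stores."""
    external_dir = UserDirectory("enterprise-ldap")      # first module's directory
    external_dir.add_user("alice", "alice-pw", {"analyst"})
    internal_dir = UserDirectory("dms-internal")          # second module's directory
    internal_dir.add_user("svc_report", "s3cret", {"reporter"})
    internal_dir.add_user("alice", "shadow-pw", {"admin"})  # decoy: must never win
    internal_policy = PolicyStore("dms-policy")           # third module's store
    internal_policy.grant("analyst", "sales_db", {"read"})
    enterprise_policy = PolicyStore("enterprise-policy")  # fourth module's store
    enterprise_policy.grant("reporter", "report_store", {"read"})
    chain = [external_dir, internal_dir]
    return (SecurityAccessManager(chain, internal_policy),
            SecurityAccessManager(chain, enterprise_policy))


if __name__ == "__main__":
    sam_internal, sam_external = build_demo()
    print(sam_internal.check_access("alice", "alice-pw", "sales_db", "read"))
    print(sam_external.check_access("svc_report", "s3cret", "report_store", "read"))
```

The decoy `alice` record in the internal directory is the case a reviewer should look for in any multi-directory deployment: with the "first directory that knows the user decides" rule, a wrong enterprise password yields a denial rather than a fallback login as the internal admin account.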