Role engineering scoping and management

US 8,918,425 B2
Filed: 10/21/2011
Issued: 12/23/2014
Est. Priority Date: 10/21/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a data processing system, causes the data processing system to:

receive a plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system;

receive one or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during a role engineering project, wherein the one or more filter criteria specify a scope of the role engineering project, and wherein the role engineering project comprises generating one or more security roles that do not previously exist in an organization computing system;

apply the one or more filter criteria to generate the subset of data objects;

perform role engineering project operations on the subset of data objects to generate the one or more security roles;

deploy the one or more security roles to the organization computing system to control access operations targeting resources of the organization computing system; and

at least one of;

merge at least one of the one or more filter criteria, the subset of data objects, or the one or more security roles of the role engineering project with at least one of filter criteria, data objects, or security roles of another role engineering project;

orsplit the at least one of the one or more filter criteria, the subset of data objects, or the one or more security roles of the role engineering project into two or more sub-projects of the role engineering project.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms are provided for performing a role engineering project for applying security roles to access operations targeting resources. A plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system are received. One or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during the role engineering project are received. The one or more filter criteria specify a scope of the role engineering project. The one or more filter criteria are applied to generate the subset of data objects. Role engineering project operations are performed on the subset of data objects to generate one or more security roles. The one or more security roles are deployed to the organization computing system to control access operations targeting resources of the organization computing system.

15 Citations

View as Search Results

16 Claims

1. A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a data processing system, causes the data processing system to:
- receive a plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system;
  
  receive one or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during a role engineering project, wherein the one or more filter criteria specify a scope of the role engineering project, and wherein the role engineering project comprises generating one or more security roles that do not previously exist in an organization computing system;
  
  apply the one or more filter criteria to generate the subset of data objects;
  
  perform role engineering project operations on the subset of data objects to generate the one or more security roles;
  
  deploy the one or more security roles to the organization computing system to control access operations targeting resources of the organization computing system; and
  
  at least one of;
  
  merge at least one of the one or more filter criteria, the subset of data objects, or the one or more security roles of the role engineering project with at least one of filter criteria, data objects, or security roles of another role engineering project;
  
  orsplit the at least one of the one or more filter criteria, the subset of data objects, or the one or more security roles of the role engineering project into two or more sub-projects of the role engineering project.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer program product of claim 1, wherein the computer readable program causes the data processing system to receive one or more filter criteria by:
    - outputting a user interface to a user for selecting the one or more filter criteria; and
      
      receiving user input via the user interface identifying the one or more filter criteria to be used to select data objects for inclusion in the role engineering project.
  - 3. The computer program product of claim 2, wherein the one or more filter criteria comprise one or more attributes of the data objects.
  - 4. The computer program product of claim 3, wherein the one or more attributes of the data objects comprises different attributes for different data object types, wherein the different data object types comprise data objects for user identities, data objects for permissions, and data objects for resources.
  - 5. The computer program product of claim 3, wherein the one or more attributes of the data objects comprises at least one of attributes specifying a business function of a data object, attributes associated with a business policy characteristic of the data object, or attributes associated with an information technology characteristic of the data object.
  - 6. The computer program product of claim 2, wherein:
    - the user interface outputs a representation of the plurality of data objects,provides a user input mechanism for selecting at least one attribute of the plurality of data objects for filtering the representation of the plurality of data objects, andprovides a portion of the user interface where a representation of the subset of data objects selected based on the selected at least one attribute of the plurality of data objects is output.
  - 7. The computer program product of claim 1, wherein the computer readable program causes the data processing system to perform role engineering project operations to generate one or more security roles by receiving user selections of at least one user identity data object, at least one resource data object, and at least one permission data object to correlate with one another in a defined security role.
  - 8. The computer program product of claim 1, wherein the computer readable program further causes the data processing system to:
    - receive user input to modify the scope of the role engineering project, wherein the user input to modify the scope comprises at least one of a selection of a new filter criteria to include in the one or more filter criteria or removal of a filter criteria from the one or more filter criteria specifying the scope of the role engineering project.

9. An apparatus, comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory comprises instructions which, when executed by the processor, cause the processor to;
  
  receive a plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system;
  
  receive one or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during a role engineering project, wherein the one or more filter criteria specify a scope of the role engineering project, and wherein the role engineering project comprises generating one or more security roles that do not previously exist in an organization computing system;
  
  apply the one or more filter criteria to generate the subset of data objects;
  
  perform role engineering project operations on the subset of data objects to generate the one or more security roles; and
  
  deploy the one or more security roles to the organization computing system to control access operations targeting resources of the organization computing system; and
  
  at least one of;
  
  merge at least one of the one or more filter criteria, the subset of data objects, or the one or more security roles of the role engineering project with at least one of filter criteria, data objects, or security roles of another role engineering project;
  
  orsplit the at least one of the one or more filter criteria, the subset of data objects, or the one or more security roles of the role engineering project into two or more sub-projects of the role engineering project.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein the instructions cause the processor to receive one or more filter criteria by:
    - outputting a user interface to a user for selecting the one or more filter criteria; and
      
      receiving user input via the user interface identifying the one or more filter criteria to be used to select data objects for inclusion in the role engineering project.
  - 11. The apparatus of claim 10, wherein the one or more filter criteria comprise one or more attributes of the data objects.
  - 12. The apparatus of claim 11, wherein the one or more attributes of the data objects comprises different attributes for different data object types, wherein the different data object types comprise data objects for user identities, data objects for permissions, and data objects for resources.
  - 13. The apparatus of claim 11, wherein the one or more attributes of the data objects comprises at least one of attributes specifying a business function of a data object, attributes associated with a business policy characteristic of the data object, or attributes associated with an information technology characteristic of the data object.
  - 14. The apparatus of claim 10, wherein:
    - the user interface outputs a representation of the plurality of data objects,provides a user input mechanism for selecting at least one attribute of the plurality of data objects for filtering the representation of the plurality of data objects, andprovides a portion of the user interface where a representation of the subset of data objects selected based on the selected at least one attribute of the plurality of data objects is output.
  - 15. The apparatus of claim 9, wherein the instructions cause the processor to perform role engineering project operations to generate one or more security roles by receiving user selections of at least one user identity data object, at least one resource data object, and at least one permission data object to correlate with one another in a defined security role.
  - 16. The apparatus of claim 9, wherein the instructions further cause the processor to:
    - receive user input to modify the scope of the role engineering project, wherein the user input to modify the scope comprises at least one of a selection of a new filter criteria to include in the one or more filter criteria or removal of a filter criteria from the one or more filter criteria specifying the scope of the role engineering project.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Casco-Arias Sanchez, Luis B., Jordan, Todd D., Kuehr-McLaren, David G., Love, Oriana J., Palmieri, David W., Plachco, Chrystian L., Rajamani, Magesh, Robke, Jeffrey T.
Primary Examiner(s)
Perveen, Rehana
Assistant Examiner(s)
Tran, Loc

Application Number

US13/278,441
Publication Number

US 20130104046A1
Time in Patent Office

1,159 Days
Field of Search

707/783, 707/784, 707/787
US Class Current

707/784
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06Q 10/06   Resources, workflows, human...

H04L 63/20   for managing network securi...

Role engineering scoping and management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Role engineering scoping and management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others