Recommendation engine for unified identity management across internal and shared computing applications

US 8,978,114 B1
Filed: 03/11/2013
Issued: 03/10/2015
Est. Priority Date: 07/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising,providing a data store including an identity management access database, wherein the providing a data store comprisesrecording a listing of identities,for each identity of the listing of identities, recording a set of peer and supervisory relationships between the identity and other identities of the listing of identities, andfor each identity of the listing of identities, recording previously requested access entitlement operations;

generating suggested access entitlement operations for potential identities of the listing of identities on which to perform access entitlement operations, whereinthe generating suggested access entitlement operations further comprisesanalyzing a requesting user and one or more identities with connection to the requesting user to identify the potential identities of the listing of identities on which to perform access entitlement operations,analyzing the one or more identities with connection to the requesting user to identify patterns of access entitlement in the identity management access database,based at least in part on the patterns of access entitlement in the identity management access database, selecting the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations andsuggesting an access entitlement operation based at least in part on a hybrid prediction approach combining collaborative filtering and content based filtering, whereinthe selecting the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations further comprises calculating a ratio of a number of identities with connection to the requesting user to a number of identities with connection to the requesting user having a particular access entitlement; and

offering through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations, whereinone or more of the access entitlement operations creates or manages one or more accounts on a customer internal application via an on-premise proxy, andanother of the access entitlement operations creates or manages one of the one or more accounts on a shared computing system application via a multi-customer gateway on a shared computing system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A recommendation engine for identity management is disclosed. A data store including an identity management access database is provided. Suggested access entitlement operations for potential identities of a listing of identities on which to perform access entitlement operations are generated. Suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations are offered through a user interface. In some embodiments, the generating suggested access entitlement operations includes analyzing a requesting user and one or more identities with connection to the requesting user to identify the potential identities of the listing of identities on which to perform access entitlement operations, and based at least in part on the patterns of access entitlement in the identity management access database, selecting the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations.

86 Citations

View as Search Results

18 Claims

1. A method, comprising,providing a data store including an identity management access database, wherein the providing a data store comprisesrecording a listing of identities,for each identity of the listing of identities, recording a set of peer and supervisory relationships between the identity and other identities of the listing of identities, andfor each identity of the listing of identities, recording previously requested access entitlement operations;
- generating suggested access entitlement operations for potential identities of the listing of identities on which to perform access entitlement operations, whereinthe generating suggested access entitlement operations further comprisesanalyzing a requesting user and one or more identities with connection to the requesting user to identify the potential identities of the listing of identities on which to perform access entitlement operations,analyzing the one or more identities with connection to the requesting user to identify patterns of access entitlement in the identity management access database,based at least in part on the patterns of access entitlement in the identity management access database, selecting the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations andsuggesting an access entitlement operation based at least in part on a hybrid prediction approach combining collaborative filtering and content based filtering, whereinthe selecting the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations further comprises calculating a ratio of a number of identities with connection to the requesting user to a number of identities with connection to the requesting user having a particular access entitlement; and
  
  offering through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations, whereinone or more of the access entitlement operations creates or manages one or more accounts on a customer internal application via an on-premise proxy, andanother of the access entitlement operations creates or manages one of the one or more accounts on a shared computing system application via a multi-customer gateway on a shared computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 8)
- - 2. The method of claim 1, wherein the offering through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations further comprises:
    - calculating for each of the one or more identities with connection to the requesting user a likelihood of access entitlement operation request;
      
      ranking the one or more identities with connection to the requesting user according to the respective likelihood of access entitlement operation request; and
      
      providing a listing of the one or more identities with connection to the requesting user in order of the ranking.
  - 3. The method of claim 1, wherein the offering through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations further comprises:
    - calculating for each of the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations a likelihood of access entitlement operation request;
      
      ranking the one or more identities with connection to the requesting user according to the respective likelihood of access entitlement operation request; and
      
      providing a listing of the one or more identities with connection to the requesting user in order of the ranking.
  - 4. The method of claim 1, wherein the offering through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations further comprises:
    - calculating for each of the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations a likelihood of access entitlement operation request;
      
      ranking the one or more identities with connection to the requesting user according to the respective likelihood of access entitlement operation request; and
      
      providing a listing of the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations in order of the ranking.
  - 5. The method of claim 1, wherein the generating suggested access entitlement operations further comprises suggesting access entitlement operations for performance on peers of the requesting user based on recent changes to access entitlements held by other peers of the requesting user, and wherein said peers of the requesting user have similar manager and title as the requesting user.
  - 6. The method of claim 1, wherein the generating suggested access entitlement operations further comprises suggesting access entitlement operations for performance on peers of the requesting user based on access entitlements held by other peers of the requesting user.
  - 8. The system of claim 3, wherein the program instructions executable by the at least one processor to offer through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations further comprise:
    - program instructions executable by the at least one processor to calculate for each of the one or more identities with connection to the requesting user a likelihood of access entitlement operation request;
      
      program instructions executable by the at least one processor to rank the one or more identities with connection to the requesting user according to the respective likelihood of access entitlement operation request; and
      
      program instructions executable by the at least one processor to provide a listing of the one or more identities with connection to the requesting user in order of the ranking.

7. A system, comprising:
- at least one processor; and
  
  a memory comprising program instructions, wherein the program instructions are executable by the at least one processor to;
  
  generate suggested access entitlement operations for potential identities of the listing of identities on which to perform access entitlement operations, whereinthe program instructions executable by the at least one processor to generate suggested access entitlement operations further compriseprogram instructions executable by the at least one processor to analyze a requesting user and one or more identities with connection to the requesting user to identify the potential identities of a listing of identities on which to perform access entitlement operations,program instructions executable by the at least one processor to analyze the one or more identities with connection to the requesting user to identify patterns of access entitlement in the identity management access database,program instructions executable by the at least one processor to, based on the patterns of access entitlement in the identity management access database, select the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations,the program instructions executable by the at least one processor to select the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations further comprise program instructions executable by the at least one processor to calculate a ratio of a number of identities with connection to the requesting user to a number of identities with connection to the requesting user having a particular access entitlement, andprogram instructions are executable by the at least one processor to suggest an access entitlement operation based at least in part on a hybrid prediction approach combining collaborative filtering and content based filtering; and
  
  offer through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations, whereinone or more of the access entitlement operations creates or manages one or more accounts on a customer internal application via an on-premise proxy, andanother of the access entitlement operations creates or manages one of the one or more accounts on a shared computing system application via a multi-customer gateway on a shared computing system.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 7, wherein the program instructions executable by the at least one processor to offer through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations further comprises:
    - program instructions executable by the at least one processor to calculate for each of the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations a likelihood of access entitlement operation request;
      
      program instructions executable by the at least one processor to rank the one or more identities with connection to the requesting user according to the respective likelihood of access entitlement operation request; and
      
      program instructions executable by the at least one processor to provide a listing of the one or more identities with connection to the requesting user in order of the ranking.
  - 10. The system of claim 7, wherein the program instructions executable by the at least one processor to offer through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations further comprise:
    - program instructions executable by the at least one processor to calculate for each of the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations a likelihood of access entitlement operation request;
      
      program instructions executable by the at least one processor to rank the one or more identities with connection to the requesting user according to the respective likelihood of access entitlement operation request; and
      
      program instructions executable by the at least one processor to provide a listing of the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations in order of the ranking.
  - 11. The system of claim 7, wherein the program instructions executable by the at least one processor to generate suggested access entitlement operations further comprise program instructions executable by the at least one processor to suggest access entitlement operations for performance on peers of the requesting user based on recent changes to access entitlements held by other peers of the requesting user, and wherein said peers of the requesting user have similar manager and title as the requesting user.
  - 12. The system of claim 7, wherein the program instructions executable by the at least one processor to generate suggested access entitlement operations further comprise program instructions executable by the at least one processor to suggesting access entitlement operations for performance on peers of the requesting user based on access entitlements held by other peers of the requesting user.

13. A non-transitory computer-readable storage medium storing program instructions, wherein the program instructions are computer-executable to implement:
- providing a data store including an identity management access database, wherein the providing a data store comprisesrecording a listing of identities a listing of identities,for each identity of the listing of identities, recording a set of peer and supervisory relationships between the identity and other identities of the listing of identities, andfor each identity of the listing of identities, recording previously requestedaccess entitlement operations;
  
  generating suggested access entitlement operations for potential identities of the listing of identities on which to perform access entitlement operations, whereinthe generating suggested access entitlement operations further comprisesbased on the patterns of access entitlement in the identity management access database, selecting the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations,the program instructions computer-executable to implement the selecting the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations further comprise program instructions computer-executable to implement calculating a ratio of a number of identities with connection to the requesting user to a number of identities with connection to the requesting user having a particular access entitlement, andsuggesting an access entitlement operation based at least in part on a hybrid prediction approach combining collaborative filtering and content based filtering; and
  
  offering through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations, whereinone or more of the access entitlement operations creates or manages one or more accounts on a customer internal application via an on-premise proxy, andanother of the access entitlement operations creates or manages one of the one or more accounts on a shared computing system application via a multi-customer gateway on a shared computing system.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the program instructions computer-executable to implement offering through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations further comprise:
    - program instructions computer-executable to implement calculating for each of the one or more identities with connection to the requesting user a likelihood of access entitlement operation request;
      
      program instructions computer-executable to implement ranking the one or more identities with connection to the requesting user according to the respective likelihood of access entitlement operation request; and
      
      program instructions computer-executable to implement providing a listing of the one or more identities with connection to the requesting user in order of the ranking.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the program instructions computer-executable to implement offering through auser interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations further comprise:
    - program instructions computer-executable to implement calculating for each of the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations a likelihood of access entitlement operation request;
      
      program instructions computer-executable to implement ranking the one or more identities with connection to the requesting user according to the respective likelihood of access entitlement operation request; and
      
      program instructions computer-executable to implement providing a listing of the one or more identities with connection to the requesting user in order of the ranking.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the program instructions computer-executable to implement offering through a user interface the suggested access entitlement operations for the potential identities of the listing of identities on which to perform access entitlement operations further comprise:
    - program instructions computer-executable to implement calculating for each of the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations a likelihood of access entitlement operation request;
      
      program instructions computer-executable to implement ranking the one or more identities with connection to the requesting user according to the respective likelihood of access entitlement operation request; and
      
      program instructions computer-executable to implement providing a listing of the suggested access entitlement operations for each of the potential identities of the listing of identities on which to perform access entitlement operations in order of the ranking.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the program instructions computer-executable to implement generating suggested access entitlement operations further comprise program instructions computer-executable to implement suggesting access entitlement operations for performance on peers of the requesting user based on recent changes to access entitlements held by other peers of the requesting user, and wherein said peers of the requesting user have similar manager and title as the requesting user.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the program instructions computer-executable to implement generating suggested access entitlement operations further comprise program instructions computer-executable to implement suggesting access entitlement operations for performance on peers of the requesting user based on access entitlements held by other peers of the requesting user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Scuid LLC
Original Assignee
Identropy Corporation
Inventors
Kaushik, Nishant, Crumb, Matthew David
Primary Examiner(s)
Lagor, Alexander

Application Number

US13/793,941
Time in Patent Office

729 Days
Field of Search

None
US Class Current

726/5
CPC Class Codes

G06F 16/24578   using ranking

G06F 21/41   where a single sign-on prov...

G06F 21/45   Structures or tools for the...

G06F 21/6218   to a system of files or obj...

G06N 3/08   Learning methods

Recommendation engine for unified identity management across internal and shared computing applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Recommendation engine for unified identity management across internal and shared computing applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links