Access requests at IAM system implementing IAM data model
First Claim
1. A computer-implemented method of provisioning access rights to physical computing resources comprising:
receiving, at an access request handler, an access request that specifies a business role;
identifying, at the access request handler, a set of logical permissions based, at least in part, on the access request, wherein identifying the set of logical permissions comprises obtaining a set of business activities associated with the business role, obtaining a set of business tasks respectively associated with individual business activities in the set of business activities, and identifying as the set of logical permissions one or more logical permissions respectively associated with individual business tasks in the set of business tasks;
deriving, at the access request handler, a set of logical entitlements based, at least in part, on the set of logical permissions;
translating, at an entitlement translator, the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications respectively associated with the set of logical permissions; and
provisioning, using an access control manager, access rights to at least one physical computing resource indicated in the physical entitlement specification.
Abstract
Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification.
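The chain that the First Claim and the Abstract describe (business role -> business activities -> business tasks -> logical permissions -> logical entitlements -> physical entitlement specification -> provisioning), as an added example written for this page. It is not the patent's implementation and not any vendor's code. The IAM data model contents (roles, activities, tasks, permission names, the two target resources "erp-db" and "fileshare"), the connector interface and the subject "alice" are all constructed for illustration. Two choices the claims do not dictate are marked in the code: logical permissions reached through more than one task are deduplicated, and a logical permission with no physical permission specification fails closed rather than being silently dropped.

```python
from collections import OrderedDict

# --- Constructed IAM data model (hypothetical; not the patent's data) --------
# Business role -> business activities
ROLE_ACTIVITIES = {
    "accounts-payable-clerk": ["process-invoices", "run-vendor-reports"],
}
# Business activity -> business tasks
ACTIVITY_TASKS = {
    "process-invoices": ["read-invoice", "approve-invoice"],
    "run-vendor-reports": ["read-vendor-master", "export-report"],
}
# Business task -> logical permissions (note invoice:read is reached twice)
TASK_LOGICAL_PERMISSIONS = {
    "read-invoice": ["invoice:read"],
    "approve-invoice": ["invoice:read", "invoice:approve"],
    "read-vendor-master": ["vendor:read"],
    "export-report": ["report:export"],
}
# Physical permission specifications: each logical permission maps to one or
# more concrete grants on a physical resource, as (resource, grant type, value).
PHYSICAL_PERMISSION_SPECS = {
    "invoice:read":    [("erp-db", "privilege", "SELECT ON ap.invoices")],
    "invoice:approve": [("erp-db", "privilege", "UPDATE ON ap.invoices"),
                        ("erp-db", "role", "ap_approver")],
    "vendor:read":     [("erp-db", "privilege", "SELECT ON ap.vendors")],
    "report:export":   [("fileshare", "acl", "ap-reports:write")],
}


class UnmappedLogicalPermission(Exception):
    """A logical permission has no physical specification; fail closed (our choice)."""


def identify_logical_permissions(business_role):
    """Access request handler: role -> activities -> tasks -> logical permissions."""
    activities = ROLE_ACTIVITIES[business_role]            # unknown role raises KeyError
    tasks = [t for a in activities for t in ACTIVITY_TASKS[a]]
    perms = [p for t in tasks for p in TASK_LOGICAL_PERMISSIONS[t]]
    return sorted(set(perms))                              # dedupe shared permissions


def derive_logical_entitlements(subject, logical_permissions):
    """Bind the permission set to the requesting subject: one entitlement per permission."""
    return [(subject, p) for p in logical_permissions]


def translate_entitlements(logical_entitlements):
    """Entitlement translator: logical entitlements -> physical entitlement specification,
    shaped as {resource: [(subject, grant_type, value), ...]}."""
    spec = OrderedDict()
    for subject, perm in logical_entitlements:
        if perm not in PHYSICAL_PERMISSION_SPECS:
            raise UnmappedLogicalPermission(perm)
        for resource, grant_type, value in PHYSICAL_PERMISSION_SPECS[perm]:
            entry = (subject, grant_type, value)
            grants = spec.setdefault(resource, [])
            if entry not in grants:                        # never emit the same grant twice
                grants.append(entry)
    return spec


def provision(physical_spec, connectors):
    """Access control manager: hand each resource's grants to that resource's connector.
    Connectors are callables (subject, grant_type, value) -> None; the return value
    lists what was handed over so a caller can audit or dry-run it."""
    applied = []
    for resource, grants in physical_spec.items():
        for subject, grant_type, value in grants:
            connectors[resource](subject, grant_type, value)
            applied.append((resource, subject, grant_type, value))
    return applied


def handle_access_request(subject, business_role, connectors):
    """End-to-end: the four claimed steps in order."""
    perms = identify_logical_permissions(business_role)
    entitlements = derive_logical_entitlements(subject, perms)
    spec = translate_entitlements(entitlements)
    return provision(spec, connectors)


if __name__ == "__main__":
    # Dry-run connectors that only record what they would apply.
    log = []
    connectors = {
        "erp-db": lambda s, g, v: log.append(("erp-db", s, g, v)),
        "fileshare": lambda s, g, v: log.append(("fileshare", s, g, v)),
    }
    for row in handle_access_request("alice", "accounts-payable-clerk", connectors):
        print(row)
```

Running the block with the constructed model yields five grants for "alice": four on erp-db and one on fileshare, with "SELECT ON ap.invoices" appearing once although two tasks imply invoice:read. Raising on an unmapped logical permission is deliberate: a translator that drops unknown permissions would under-provision silently, and one that passes them through unchanged would let an unreviewed logical name reach a physical system.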
11 Claims
1. A computer-implemented method of provisioning access rights to physical computing resources comprising the steps set out under First Claim above.
Dependent claims: 2
3. A system for provisioning access rights to physical computing resources comprising:
a processor;
a data store that implements an identity access management (IAM) data model and associates logical computing resource records at the data store with one or more physical computing resource records at the data store;
an access request handler configured to receive an access request that specifies a business role, to identify a set of logical permissions using the IAM data model and based, at least in part, on the access request by i) obtaining a set of business activities associated with the business role, ii) obtaining a set of business tasks respectively associated with individual business activities in the set of business activities, and iii) identifying as the set of logical permissions one or more logical permissions respectively associated with individual business tasks in the set of business tasks, and to derive a set of logical entitlements using the IAM data model and based, at least in part, on the set of logical permissions;
an entitlement translator that, in operation, translates the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications respectively associated with the set of logical permissions; and
an access control manager configured to initiate provisioning of access rights to at least one physical computing resource indicated in the physical entitlement specification.
Dependent claims: 4, 5, 6
7. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to perform steps for provisioning access rights to physical computing resources, the steps comprising:
receiving, at an access request handler, an access request that specifies a business role;
identifying, at the access request handler, a set of logical permissions based, at least in part, on the access request, wherein identifying the set of logical permissions comprises obtaining a set of business activities associated with the business role, obtaining a set of business tasks respectively associated with individual business activities in the set of business activities, and identifying as the set of logical permissions one or more logical permissions respectively associated with individual business tasks in the set of business tasks;
generating, at the access request handler, a set of logical entitlements based, at least in part, on the set of logical permissions;
translating, at an entitlement translator, the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications respectively associated with the set of logical permissions; and
provisioning, using an access control manager, access rights to at least one physical computing resource indicated in the physical entitlement specification.
Dependent claims: 8, 9, 10, 11