Access requests at IAM system implementing IAM data model

US 9,189,644 B2
Filed: 07/18/2013
Issued: 11/17/2015
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of provisioning access rights to physical computing resources comprising:

receiving, at an access request handler, an access request that specifies a business role;

identifying, at the access request handler, a set of logical permissions based, at least in part, on the access request wherein identifying the set of logical permissions comprisesobtaining a set of business activities associated with the business role,obtaining a set of business tasks respectively associated with individual business activities in the set of business activities, andidentifying as the set of logical permissions one or more logical permissions respectively associated with individual business tasks in the set of business tasks;

deriving, at the access request handler, a set of logical entitlements based, at least in part, on the set of logical permissions;

translating, at an entitlement translator, the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications respectively associated with the set of logical permissions; and

provisioning, using an access control manager, access rights to at least one physical computing resource indicated in the physical entitlement specification.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification.

37 Citations

View as Search Results

11 Claims

1. A computer-implemented method of provisioning access rights to physical computing resources comprising:
- receiving, at an access request handler, an access request that specifies a business role;
  
  identifying, at the access request handler, a set of logical permissions based, at least in part, on the access request wherein identifying the set of logical permissions comprisesobtaining a set of business activities associated with the business role,obtaining a set of business tasks respectively associated with individual business activities in the set of business activities, andidentifying as the set of logical permissions one or more logical permissions respectively associated with individual business tasks in the set of business tasks;
  
  deriving, at the access request handler, a set of logical entitlements based, at least in part, on the set of logical permissions;
  
  translating, at an entitlement translator, the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications respectively associated with the set of logical permissions; and
  
  provisioning, using an access control manager, access rights to at least one physical computing resource indicated in the physical entitlement specification.
- View Dependent Claims (2)
- - 2. The computer-implemented method of claim 1 further comprising:
    - receiving a second access request at the access request handler wherein the second access request specifies a physical permission specification; and
      
      provisioning, using the access control manager, access rights to each physical computing resource identified in the physical permission specification.

3. A system for provisioning access rights to physical computing resources comprising:
- a processor;
  
  a data store that implements an identity access management (IAM) data model and associates logical computing resource records at the data store with one or more physical computing resource records at the data store;
  
  an access request handler configured to receive an access request that specifies a business role, to identify a set of logical permissions using the IAM data model and based, at least in part, on the access request by i) obtaining a set of business activities associated with the business role, ii) obtaining a set of business tasks respectively associated with individual business activities in the set of business activities, and iii) identifying as the set of logical permissions one or more logical permissions respectively associated with individual business tasks in the set of business tasks, and to derive a set of logical entitlements using the IAM data model and based, at least in part, on the set of logical permissions;
  
  an entitlement translator that, in operation, translates the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications respectively associated with the set of logical permissions; and
  
  an access control manager configured to initiate provisioning of access rights to at least one physical computing resource indicated in the physical entitlement specification.
- View Dependent Claims (4, 5, 6)
- - 4. The system of claim 3 further comprising a resource mapper configured tomap a logical computing resource to one or more physical computing resources, andmap a logical permission associated with the logical computing resource to one or more physical permissions respectively associated with the one or more physical computing resources in order to generate a physical permission specification for the logical computing resource.
  - 5. The system of claim 3 further comprising:
    - a resource assigner configured to assign one or more logical computing resources to a business task.
  - 6. The system of claim 3 wherein:
    - the access request handler is configured to further receive a second access request that specifies a physical permission specification; and
      
      the access control manager is configured to further initiate provisioning of access rights to each physical computing resource identified in the physical permission specification.

7. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to perform steps for provisioning access rights to physical computing resources, the steps comprising:
- receiving, at an access request handler, an access request that specifies a business role;
  
  identifying, at the access request handler, a set of logical permissions based, at least in part, on the access request wherein identifying the set of logical permissions comprisesobtaining a set of business activities associated with the business role,obtaining a set of business tasks respectively associated with individual business activities in the set of business activities, andidentifying as the set of logical permissions one or more logical permissions respectively associated with individual business tasks in the set of business tasks;
  
  generating, at the access request handler, a set of logical entitlements based, at least in part, on the set of logical permissions;
  
  translating, at an entitlement translator, the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications respectively associated with the set of logical permissions; and
  
  provisioning, using an access control manager, access rights to at least one physical computing resource indicated in the physical entitlement specification.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The computer-readable medium of claim 7 wherein the instructions, when executed by the processor, cause the processor to perform steps further comprising:
    - implementing an identity access management (IAM) data model at a data store;
      
      storing at the data store a set of logical computing resource records corresponding to one or more logical computing resources;
      
      storing at the data store with a set of physical computing resource records corresponding to one or more physical computing resources; and
      
      wherein individual logical computing resource records are respectively associated with one or more of the physical computing resource records.
  - 9. The computer-readable medium of claim 7 wherein the instructions, when executed by the processor, cause the processor to further perform steps comprising:
    - generating, at a resource mapper, a physical permission specification for a logical computing resource; and
      
      wherein the physical permission specification is generated by mapping the logical computing resource to one or more physical computing resources and mapping a logical permission associated with the logical computing resource to one or more physical permissions respectively associated with the one or more physical computing resources.
  - 10. The computer-readable medium of claim 7 wherein the instructions, when executed by the processor, cause the processor to further perform steps comprising:
    - assigning, at a resource assigner, one or more logical computing resources to a business task.
  - 11. The computer-readable medium of claim 7 wherein the access request is associated with a plurality of users and the instructions, when executed by the processor, cause the processor to perform steps further comprising:
    - provisioning, using the access control manager, access rights to the at least one physical computing resource for each user associated with the access request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kling, John, Thompson, Bryan, Green, Ward
Primary Examiner(s)
LE, THU NGUYET T

Application Number

US13/945,638
Publication Number

US 20140181965A1
Time in Patent Office

852 Days
Field of Search

707/781, 707/783
US Class Current

1/1
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06Q 10/10   Office automation; Time man...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Access requests at IAM system implementing IAM data model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Access requests at IAM system implementing IAM data model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links