Reconciliation of access rights in a computing system

US 9,477,838 B2
Filed: 05/01/2014
Issued: 10/25/2016
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A system for reconciling access rights of a computing system comprising:

at least one processor; and

memory storing instructions that, when executed by the at least one processor, cause the system toobtain access right information respectively corresponding to one or more access rights of the computing system;

perform one or more reconciliation tasks using the access right information; and

generate a reconciliation report during performance of one of the one or more reconciliation tasks;

wherein the reconciliation report indicates that one or more of the one or more access rights should either be provisioned or revoked at the computing system; and

wherein the one or more reconciliation tasks include a first reconciliation task associated with instructions stored at the memory that, when executed by the at least one processor, cause the system to;

obtain a first access rights history that identifies a set of historical access rights associated with a user,obtain an access right revocation list that identifies a set of fulfilled access revocation requests associated with the user, andgenerate the reconciliation report based on a comparison between at least one of the historical access rights of the set of historical access rights and at least one of the fulfilled access revocation requests of the set of fulfilled access revocation requests.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provide for reconciling access rights of a computing system are described. Access right information that respectively corresponds to access rights of a computing system may be obtained and evaluated. Reconciliation tasks may be performed using the access right information, and a reconciliation report may be generated during performance of at least one of the reconciliation tasks. The reconciliation report may indicate that one or more of the access rights should either be provisioned or revoked at the computing system.

Citations

18 Claims

1. A system for reconciling access rights of a computing system comprising:
- at least one processor; and
  
  memory storing instructions that, when executed by the at least one processor, cause the system toobtain access right information respectively corresponding to one or more access rights of the computing system;
  
  perform one or more reconciliation tasks using the access right information; and
  
  generate a reconciliation report during performance of one of the one or more reconciliation tasks;
  
  wherein the reconciliation report indicates that one or more of the one or more access rights should either be provisioned or revoked at the computing system; and
  
  wherein the one or more reconciliation tasks include a first reconciliation task associated with instructions stored at the memory that, when executed by the at least one processor, cause the system to;
  
  obtain a first access rights history that identifies a set of historical access rights associated with a user,obtain an access right revocation list that identifies a set of fulfilled access revocation requests associated with the user, andgenerate the reconciliation report based on a comparison between at least one of the historical access rights of the set of historical access rights and at least one of the fulfilled access revocation requests of the set of fulfilled access revocation requests.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein:
    - the one or more reconciliation tasks include a second reconciliation task associated with instructions stored at the memory that, when executed by the at least one processor, cause the system toobtain an access report that identifies a set of reported access rights that were used to access a computing resource of the computing system,obtain an access request list that identifies a set of requested access rights, andgenerate the reconciliation report based on a comparison between at least one reported access right of the set of reported access rights and at least one requested access right of the set of requested access rights.
  - 3. The system of claim 2 wherein:
    - generating the reconciliation report includes identifying one of the reported access rights of the set of reported access rights as either an expected access right or an unexpected access right in the reconciliation report based on whether that reported access right corresponds to one of the requested access rights of the set of requested access rights.
  - 4. The system of claim 2 wherein:
    - generating the reconciliation report includes identifying one of the requested access rights of the set of requested access rights as either a provisioned access right or a non-provisioned access right in the reconciliation report based on whether that requested access right corresponds to one of the reported access rights of the set of reported access rights.
  - 5. The system of claim 1 wherein:
    - generating the reconciliation report includes identifying one of the historical access rights of the set of historical access rights as either a successfully revoked access right or an unsuccessfully revoked access right in the reconciliation report based on whether that historical access right corresponds to one of the fulfilled access revocation requests of the set of fulfilled access revocation requests.
  - 6. The system of claim 1 wherein:
    - the one or more reconciliation tasks include a second reconciliation task associated with instructions stored at the memory that, when executed by the at least one processor, cause the system toobtain a second access rights history that identifies a set of provisioned access rights associated with a user,obtain an access right grant list that identifies a set of approved access grant requests associated with the user, andgenerate the reconciliation report based on a comparison between at least one provisioned access right of the set of provisioned access rights and at least one approved access grant request of the set of approved access grant requests.
  - 7. The system of claim 6 wherein:
    - generating the reconciliation report includes identifying one of the provisioned access rights of the set of provisioned access rights either as an approved access right or an unapproved access right in the reconciliation report based on whether that provisioned access right corresponds to one of the approved access grant request of the set of approved access grant requests.
  - 8. The system of claim 1 wherein:
    - the one or more reconciliation tasks include a second reconciliation task associated with instructions stored at the memory that, when executed by the at least one processor, cause the system toobtain an access report that identifies a plurality of users that are each associated with one of the access rights,obtain attribute information corresponding to one or more attributes of the plurality of users,select one of the users of the plurality of users,generate the reconciliation report based on a comparison between attribute information associated with the selected user and attribute information respectively associated with one or more other users of the plurality of users.
  - 9. The system of claim 8 wherein:
    - generating the reconciliation report includescalculating an attribute deviation score based on the comparison between the attribute information associated with the selected user and the attribute information respectively associated with one or more other users,determining whether to identify the selected user as an outlier in the reconciliation report based on a comparison of the attribute deviation score to a predetermined attribute deviation threshold.

10. A computer-implemented method of reconciling access rights of a computing system comprising:
- obtaining, by a computing device, access right information respectively corresponding to one or more access rights of a computing system;
  
  performing, by the computing device, one or more reconciliation tasks using the access right information; and
  
  generating, by the computing device, a reconciliation report during performance of one of the one or more reconciliation tasks wherein the reconciliation report indicates that one or more of the one or more access rights should either be provisioned or revoked at the computing system;
  
  wherein the one or more reconciliation tasks include a first reconciliation task that comprises;
  
  obtaining, by the computing device, a first access rights history that identifies a set of historical access rights associated with a user;
  
  obtaining, by the computing device, an access right revocation list that identifies a set of fulfilled access revocation requests associated with the user;
  
  comparing, by the computing device, at least one of the historical access rights of the set of historical access rights to at least one of the fulfilled access revocation requests of the set of fulfilled access revocation requests; and
  
  identifying, by the computing device, one of the historical access rights of the set of historical access rights as either a successfully revoked access right or an unsuccessfully revoked access right in the reconciliation report based on whether that historical access right corresponds to one of the fulfilled access revocation requests of the set of fulfilled access revocation requests.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer-implemented method of claim 10 wherein the one or more reconciliation tasks include a second reconciliation task comprising the steps of:
    - obtaining, by the computing device, an access report that identifies a set of reported access rights that were used to access a computing resource of the computing system;
      
      obtaining, by the computing device, an access request list that identifies a set of requested access rights of the computing system; and
      
      comparing, by the computing device, at least one of the reported access rights of the set of reported access rights to at least one of the requested access rights of the set of requested access rights.
  - 12. The computer-implemented method of claim 11 wherein the second reconciliation task further comprises:
    - identifying, by the computing device, one of the reported access rights of the set of reported access rights as either an expected access right or an unexpected access right in the reconciliation report based on whether that reported access right corresponds to one of the requested access rights of the set of requested access rights.
  - 13. The computer-implemented method of claim 11 wherein the second reconciliation task further comprises:
    - identifying, by the computing device, one of the requested access rights of the set of requested access rights as either a provisioned access right or a non-provisioned access right in the reconciliation report based on whether that requested access right corresponds to one of the reported access rights of the set of reported access rights.
  - 14. The computer-implemented method of claim 10 wherein the one or more reconciliation tasks include a second reconciliation task comprising the steps of:
    - obtaining, by the computing device, second access rights history that identifies a set of provisioned access rights associated with a user;
      
      obtaining, by the computing device, an access right grant list that identifies a set of approved access grant requests associated with the user;
      
      comparing, by the computing device, at least one of the provisioned access rights of the set of provisioned access rights to at least one of the approved access grant requests of the set of approved access grant requests; and
      
      identifying, by the computing device, one of the provisioned access rights of the set of provisioned access rights as either an approved access right or an unapproved access right in the reconciliation report based on whether that provisioned access right corresponds to one of the approved access grant requests of the set of approved access grant requests.
  - 15. The computer-implemented method of claim 10 wherein the one or more reconciliation tasks include a second reconciliation task comprising the steps of:
    - obtaining, by the computing device, an access report that identifies a plurality of users that are each associated with one of the access rights;
      
      obtaining, by the computing device, attribute information corresponding to one or more attributes of the plurality of users;
      
      selecting, by the computing device, one of the users of the plurality of users;
      
      comparing, by the computing device, attribute information associated with the selected user to attribute information respectively associated with one or more other users of the plurality of users;
      
      calculating, by the computing device, an attribute deviation score based on the comparison between the attribute information associated with the selected user and the attribute information respectively associated with one or more other users; and
      
      determining, by the computing device, whether to identify the selected user as an outlier in the reconciliation report based on a comparison of the attribute deviation score to a predetermined attribute deviation threshold.

16. Non-transitory computer-readable media having instructions, that when executed by a processor of a computing device, cause the computing device to:
- obtain access right information respectively corresponding to one or more access rights of a computing system;
  
  perform one or more reconciliation tasks using the access right information; and
  
  generate a reconciliation report during performance of one of the one or more reconciliation tasks wherein the reconciliation report indicates that one or more of the one or more access rights should either be provisioned or revoked at the computing system;
  
  wherein the one or more reconciliation tasks include a first reconciliation task that comprises;
  
  obtaining a first access rights history that identifies a set of historical access rights associated with a user,obtaining an access right revocation list that identifies a set of fulfilled access revocation requests associated with the user, andgenerating the reconciliation report based on a comparison between at least one of the historical access rights of the set of historical access rights and at least one of the fulfilled access revocation requests of the set of fulfilled access revocation requests.
- View Dependent Claims (17, 18)
- - 17. The non-transitory computer-readable media of claim 16 wherein:
    - the one or more reconciliation tasks further includea second reconciliation task that comprises at least one of i) determining whether an access right reported as having been used by a user corresponds to an access right requested to be provisioned for that user and ii) determining whether an access right requested to be provisioned for a user corresponds to an access right reported as having been used by that user,a third reconciliation task that comprises determining whether an access right provisioned for a user corresponds to an approved request to provision that access right for that user, anda fourth reconciliation task that comprises determining whether a user associated with an access right has one or more attributes that deviate from corresponding attributes of one or more other users that are also associated with that access right based on a deviation score that quantifies a difference between the one or more attributes associated with the user and the corresponding attributes associated with the one or more other users.
  - 18. The non-transitory computer-readable media of claim 17 wherein:
    - the reconciliation report includes a plurality of report sections; and
      
      individual report sections of the reconciliation report respectively correspond to one of the one or more reconciliation tasks performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Moloian, Armen, Ritchey, Ronald W.
Primary Examiner(s)
Cao, Phuong Thao

Application Number

US14/267,578
Publication Number

US 20140289796A1
Time in Patent Office

908 Days
Field of Search

707/600
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/57   Certifying or maintaining t...

G06F 2221/2141   Access rights, e.g. capabil...

G06Q 10/08   Logistics, e.g. warehousing...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

Reconciliation of access rights in a computing system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Reconciliation of access rights in a computing system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links