Reconciling access rights at IAM system implementing IAM data model
First Claim
1. A computer-implemented method for reconciling access rights provisioned for physical computing resources of a computer system, the method comprising:
- providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a physical entitlement specification entity and defining a second relationship between the physical entitlement specification entity and a physical computing resource entity;
- storing, at the database, (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more physical computing resources, (b) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of the computing resources, and (c) a set of physical entitlement specification records associated with the user record, each physical entitlement specification record conforming to the physical entitlement specification entity and identifying the user record, one of the physical computing resource records, and a permission to access one of the computing resources that corresponds to the physical computing resource record;
- receiving a request to reconcile access rights provisioned for the user;
- responsive to receipt of the request, initiating a reconciliation process, the reconciliation process comprising:
  - identifying a set of physical computing resources for which access rights have previously been provisioned for the user,
  - querying the database for the set of physical entitlement specification records associated with the user record that corresponds to the user,
  - for each physical computing resource in the set of physical computing resources, determining whether the user is authorized to access the physical computing resource by determining whether one of the physical entitlement specification records identifies a physical computing resource record that corresponds to the physical computing resource,
  - for each physical entitlement specification record in the set of physical entitlement specification records, determining whether the user has been provisioned with access to the physical computing resource that corresponds to the physical computing resource record identified in the physical entitlement specification record by determining whether the physical computing resource record corresponds to one of the physical computing resources in the set of physical computing resources,
  - determining to adjust access rights for the user responsive to determining that either the user is not authorized to access one of the physical computing resources in the set of physical computing resources, or the user has not been provisioned with access rights to one of the physical computing resources corresponding to the physical computing resource record identified in one of the physical entitlement specification records, and
  - automatically adjusting access rights for the user to at least one of the physical computing resources, the adjusting comprising at least one of (i) provisioning access rights to one of the physical computing resources or (ii) revoking access rights provisioned for the user to one of the physical computing resources.
Abstract
Systems and methods for reconciling access rights provisioned for physical computing resources of a computer system are provided. A reconciler may identify current physical computing resources accessible to a user account of the computer system and a physical entitlement specification associated with the user account. The reconciler may determine whether adjustment of access rights is needed based on a comparison of the current physical computing resources to the physical entitlement specification. Access rights to at least one physical computing resource may be adjusted in response to a determination that adjustment of access rights is needed.
211 Citations
16 Claims
- 1. A computer-implemented method for reconciling access rights provisioned for physical computing resources of a computer system (independent claim; full text given under "First Claim" above). Dependent claims: 2, 3, 4, 5.
- 6. A system for reconciling access rights provisioned for physical computing resources of a computer system comprising:
  - one or more processors;
  - a database implementing an identity and access management (IAM) data model and storing a set of records in accordance with the IAM data model, wherein:
    - the IAM data model defines a first relationship between a user entity and a physical entitlement specification entity and defines a second relationship between the physical entitlement specification entity and a physical computing resource entity, and
    - the set of records comprises (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more physical computing resources, (b) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of the computing resources, and (c) a set of physical entitlement specification records associated with the user record, each physical entitlement specification record conforming to the physical entitlement specification entity and identifying the user record, one of the physical computing resource records, and a permission to access one of the computing resources that corresponds to the physical computing resource record; and
  - memory storing instructions that, when executed by one of the processors, cause the system to:
    - receive a request to reconcile access rights provisioned for the user, and
    - responsive to receipt of the request, initiate a reconciliation process, the reconciliation process comprising:
      - identifying a set of physical computing resources for which access rights have previously been provisioned to the user,
      - querying the database for the set of physical entitlement specification records associated with the user record that corresponds to the user,
      - for each physical computing resource in the set of physical computing resources, determining whether the user is authorized to access the physical computing resource by determining whether one of the physical entitlement specification records identifies a physical computing resource record that corresponds to the physical computing resource,
      - for each physical entitlement specification record in the set of physical entitlement specification records, determining whether the user has been provisioned with access to the physical computing resource that corresponds to the physical computing resource record identified in the physical entitlement specification record by determining whether the physical computing resource record corresponds to one of the physical computing resources in the set of physical computing resources,
      - determining to adjust access rights for the user responsive to determining that either the user is not authorized to access one of the physical computing resources in the set of physical computing resources, or the user has not been provisioned with access rights to one of the physical computing resources corresponding to the physical computing resource record identified in one of the physical entitlement specification records, and
      - automatically adjusting access rights for the user to at least one of the physical computing resources, the adjusting comprising at least one of (i) provisioning access rights to one of the physical computing resources or (ii) revoking access rights provisioned for the user to one of the physical computing resources.
  Dependent claims: 7, 8, 9, 10, 11.
- 12. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to perform steps for reconciling access rights for physical computing resources of a computer system, the steps comprising:
  - providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a physical entitlement specification entity and defining a second relationship between the physical entitlement specification entity and a physical computing resource entity;
  - storing, at the database, (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more physical computing resources, (b) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of the computing resources, and (c) a set of physical entitlement specification records associated with the user record, each physical entitlement specification record conforming to the physical entitlement specification entity and identifying the user record, one of the physical computing resource records, and a permission to access one of the computing resources that corresponds to the physical computing resource record;
  - receiving a request to reconcile access rights provisioned for the user;
  - responsive to receipt of the request, initiating a reconciliation process, the reconciliation process comprising:
    - identifying a set of physical computing resources for which access rights have previously been provisioned for the user,
    - querying the database for the set of physical entitlement specification records associated with the user record that corresponds to the user,
    - for each physical computing resource in the set of physical computing resources, determining whether the user is authorized to access the physical computing resource by determining whether one of the physical entitlement specification records identifies a physical computing resource record that corresponds to the physical computing resource,
    - for each physical entitlement specification record in the set of physical entitlement specification records, determining whether the user has been provisioned with access to the physical computing resource that corresponds to the physical computing resource record identified in the physical entitlement specification record by determining whether the physical computing resource record corresponds to one of the physical computing resources in the set of physical computing resources,
    - determining to adjust access rights for the user responsive to determining that either the user is not authorized to access one of the physical computing resources in the set of physical computing resources, or the user has not been provisioned with access rights to one of the physical computing resources corresponding to the physical computing resource record identified in one of the physical entitlement specification records, and
    - automatically adjusting access rights for the user to at least one of the physical computing resources, the adjusting comprising at least one of (i) provisioning access rights to one of the physical computing resources or (ii) revoking access rights provisioned for the user to one of the physical computing resources.
  Dependent claims: 13, 14, 15, 16.
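The reconciliation process that independent claims 1, 6 and 12 describe, worked through as an added Python example (illustrative code written for this page, not the patent's or any assignee's implementation). The physical entitlement specification records are the authoritative side, the provisioning system's current grants are the observed side, and the two set comparisons of the claims yield a revoke list (granted but not entitled) and a provision list (entitled but not granted). The `IamDatabase` and `ProvisioningSystem` classes, the user `alice`, the resource identifiers and the grants are all constructed for this example. Two details go slightly beyond the claim text and are assumptions of the example: a right is matched on the (resource, permission) pair rather than on the resource alone, and an entitlement record that references a resource record no longer present in the database is reported as dangling instead of being provisioned.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# A provisioned right is identified by (resource_id, permission).  (Assumption of the example.)
Right = Tuple[str, str]


@dataclass(frozen=True)
class EntitlementSpec:
    """Physical entitlement specification record: links a user record to a
    physical computing resource record together with a permission."""
    user_id: str
    resource_id: str
    permission: str


@dataclass
class ReconcileResult:
    to_provision: Set[Right] = field(default_factory=set)  # entitled but not granted
    to_revoke: Set[Right] = field(default_factory=set)     # granted but not entitled
    dangling: Set[str] = field(default_factory=set)        # entitlement names an unknown resource record

    @property
    def needs_adjustment(self) -> bool:
        return bool(self.to_provision or self.to_revoke)


class IamDatabase:
    """Minimal stand-in for the database implementing the IAM data model (hypothetical)."""

    def __init__(self, resources: Dict[str, str], entitlements: Iterable[EntitlementSpec]):
        self.resources = dict(resources)        # physical computing resource records
        self.entitlements = list(entitlements)  # physical entitlement specification records

    def entitlements_for(self, user_id: str) -> List[EntitlementSpec]:
        return [e for e in self.entitlements if e.user_id == user_id]


class ProvisioningSystem:
    """Stand-in for the access-control layer that actually holds the grants (hypothetical)."""

    def __init__(self, grants: Dict[str, Set[Right]]):
        self.grants = {u: set(g) for u, g in grants.items()}
        self.log: List[str] = []  # audit trail of every automatic adjustment

    def provisioned_for(self, user_id: str) -> Set[Right]:
        return set(self.grants.get(user_id, set()))

    def provision(self, user_id: str, right: Right) -> None:
        self.grants.setdefault(user_id, set()).add(right)
        self.log.append(f"provision {user_id} {right[0]} {right[1]}")

    def revoke(self, user_id: str, right: Right) -> None:
        self.grants.get(user_id, set()).discard(right)
        self.log.append(f"revoke {user_id} {right[0]} {right[1]}")


def plan_reconciliation(db: IamDatabase, prov: ProvisioningSystem, user_id: str) -> ReconcileResult:
    """The two comparisons of the claims, without applying anything."""
    result = ReconcileResult()
    provisioned = prov.provisioned_for(user_id)   # identified: resources currently provisioned
    authorized: Set[Right] = set()
    for spec in db.entitlements_for(user_id):     # queried: entitlement records for the user
        if spec.resource_id not in db.resources:
            result.dangling.add(spec.resource_id)  # no resource record to provision against
            continue
        authorized.add((spec.resource_id, spec.permission))
    # Each current grant must be backed by an entitlement record; otherwise revoke it.
    result.to_revoke = {g for g in provisioned if g not in authorized}
    # Each entitlement record must be reflected in a current grant; otherwise provision it.
    result.to_provision = {r for r in authorized if r not in provisioned}
    return result


def reconcile(db: IamDatabase, prov: ProvisioningSystem, user_id: str) -> ReconcileResult:
    """Plan, then automatically adjust: revocations first, then provisioning."""
    result = plan_reconciliation(db, prov, user_id)
    if result.needs_adjustment:
        for right in sorted(result.to_revoke):
            prov.revoke(user_id, right)
        for right in sorted(result.to_provision):
            prov.provision(user_id, right)
    return result


# Constructed sample records (not from the patent).
RESOURCES = {"srv-db-01": "database server", "srv-app-02": "application server", "nas-03": "file share"}
ENTITLEMENTS = [
    EntitlementSpec("alice", "srv-db-01", "read"),
    EntitlementSpec("alice", "srv-app-02", "admin"),
    EntitlementSpec("alice", "srv-retired-09", "read"),  # resource record no longer exists
]
GRANTS: Dict[str, Set[Right]] = {"alice": {("srv-db-01", "read"), ("nas-03", "write")}}


def demo() -> Tuple[ReconcileResult, ProvisioningSystem]:
    db = IamDatabase(RESOURCES, ENTITLEMENTS)
    prov = ProvisioningSystem(GRANTS)
    return reconcile(db, prov, "alice"), prov


if __name__ == "__main__":
    res, system = demo()
    print("revoke:", sorted(res.to_revoke), "provision:", sorted(res.to_provision),
          "dangling:", sorted(res.dangling))
    print("grants now:", sorted(system.provisioned_for("alice")))
```

Running `demo()` revokes the `nas-03` write grant that no entitlement record backs, provisions the `srv-app-02` admin right that was entitled but never granted, and leaves `srv-db-01` untouched; a second `reconcile` call on the same state plans no adjustment, which is the property a scheduled reconciler needs. A user who has grants but no entitlement records at all ends up with everything revoked, exactly as the claims' first comparison prescribes.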
Specification