Reconciling access rights at IAM system implementing IAM data model

US 9,489,390 B2
Filed: 07/18/2013
Issued: 11/08/2016
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for reconciling access rights provisioned for physical computing resources of a computer system, the method comprising:

providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a physical entitlement specification entity and defining a second relationship between the physical entitlement specification entity and a physical computing resource entity;

storing, at the database, (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more physical computing resources, (b) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of the computing resources, and (c) a set of physical entitlement specification records associated with the user record, each physical entitlement specification record conforming to the physical entitlement specification entity and identifying the user record, one of the physical computing resource records, and a permission to access one of the computing resources that corresponds to the physical computing resource record;

receiving a request to reconcile access rights provisioned for the user;

responsive to receipt of the request, initiating a reconciliation process, the reconciliation process comprising;

identifying a set of physical computing resources for which access rights have previously been provisioned for the user,querying the database for the set of physical entitlement specification records associated with the user record that corresponds to the user,for each physical computing resource in the set of physical computing resources, determining whether the user is authorized to access the physical computing resource by determining whether one of the physical entitlement specification records identifies a physical computing resource record that corresponds to the physical computing resource,for each physical entitlement specification record in the set of physical entitlement specification records, determining whether the user has been provisioned with access to the physical computing resource that corresponds to the physical computing resource record identified in the physical entitlement specification record by determining whether the physical computing resource record corresponds to one of the physical computing resources in the set of physical computing resources,determining to adjust access rights for the user responsive to determining that either the user is not authorized to access one of the physical computing resources in the set of physical computing resources, or the user has not been provisioned with access rights to one of the physical computing resources corresponding to the physical computing resource record identified in one of the physical entitlement specification records, andautomatically adjusting access rights for the user to at least one of the physical computing resources, the adjusting comprising at least one of (i) provisioning access rights to one of the physical computing resources or (ii) revoking access rights provisioned for the user to one of the physical computing resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for reconciling access rights provisioned for physical computing resources of a computer system are provided. A reconciler may identify current physical computing resources accessible to a user account of the computer system and a physical entitlement specification associated with the user account. The reconciler may determine whether adjustment of access rights is needed based on a comparison of the current physical computing resources to the physical entitlement specification. Access rights to at least one physical computing resource may be adjusted in response to a determination that adjustment of access rights is needed.

211 Citations

16 Claims

1. A computer-implemented method for reconciling access rights provisioned for physical computing resources of a computer system, the method comprising:
- providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a physical entitlement specification entity and defining a second relationship between the physical entitlement specification entity and a physical computing resource entity;
  
  storing, at the database, (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more physical computing resources, (b) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of the computing resources, and (c) a set of physical entitlement specification records associated with the user record, each physical entitlement specification record conforming to the physical entitlement specification entity and identifying the user record, one of the physical computing resource records, and a permission to access one of the computing resources that corresponds to the physical computing resource record;
  
  receiving a request to reconcile access rights provisioned for the user;
  
  responsive to receipt of the request, initiating a reconciliation process, the reconciliation process comprising;
  
  identifying a set of physical computing resources for which access rights have previously been provisioned for the user,querying the database for the set of physical entitlement specification records associated with the user record that corresponds to the user,for each physical computing resource in the set of physical computing resources, determining whether the user is authorized to access the physical computing resource by determining whether one of the physical entitlement specification records identifies a physical computing resource record that corresponds to the physical computing resource,for each physical entitlement specification record in the set of physical entitlement specification records, determining whether the user has been provisioned with access to the physical computing resource that corresponds to the physical computing resource record identified in the physical entitlement specification record by determining whether the physical computing resource record corresponds to one of the physical computing resources in the set of physical computing resources,determining to adjust access rights for the user responsive to determining that either the user is not authorized to access one of the physical computing resources in the set of physical computing resources, or the user has not been provisioned with access rights to one of the physical computing resources corresponding to the physical computing resource record identified in one of the physical entitlement specification records, andautomatically adjusting access rights for the user to at least one of the physical computing resources, the adjusting comprising at least one of (i) provisioning access rights to one of the physical computing resources or (ii) revoking access rights provisioned for the user to one of the physical computing resources.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the adjusting comprises (i), and the adjusting includes submitting a request to provision new access rights for the user, the request indicating the user, the new access rights, and the physical computing resource, and the request being submitted to an access request handler that automatically initiates provisioning the new access rights based on the request.
  - 3. The method of claim 1 further comprising:
    - generating a reconciliation exception that indicates the user and one of the physical computing resources corresponding to one of the physical computing resource records identified in the physical entitlement specification record that the user has not been provisioned with access rights to; and
      
      providing notification of the reconciliation exception.
  - 4. The method of claim 1 wherein the adjusting comprises (ii), and the adjusting includes submitting a request to revoke existing access rights provisioned for the user, the request indicating the user, the existing access rights, and the physical computing resource, and the request being submitted to an access request handler that automatically initiates revocation of the existing access rights based on the request.
  - 5. The method of claim 1 further comprising:
    - generating a reconciliation exception that indicates the user and one of the physical computing resources corresponding to one of the physical computing resource records for which access rights have previously been provisioned for the user but does not correspond to at least one physical computing resource record identified in any of the physical entitlement specification records; and
      
      providing notification of the reconciliation exception.

6. A system for reconciling access rights provisioned for physical computing resources of a computer system comprising:
- one or more processors;
  
  a database implementing an identity and access management (IAM) data model and storing a set of records in accordance with the IAM data model wherein;
  
  the IAM data model defines a first relationship between a user entity and a physical entitlement specification entity and defines a second relationship between the physical entitlement specification entity and a physical computing resource entity, andthe set of records comprises (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more physical computing resources, (b) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of the computing resources, and (c) a set of physical entitlement specification records associated with the user record, each physical entitlement specification record conforming to the physical entitlement specification entity and identifying the user record, one of the physical computing resource records, and a permission to access one of the computing resources that corresponds to the physical computing resource record; and
  
  memory storing instructions that, when executed by one of the processors, cause the system to;
  
  receive a request to reconcile access rights provisioned for the user, andresponsive to receipt of the request, initiating a reconciliation process, the reconciliation process comprising;
  
  identifying a set of physical computing resources for which access rights have previously been provisioned to the user,querying the database for the set of physical entitlement specification records associated with the user record that corresponds to the user,for each physical computing resource in the set of physical computing resources, determining whether the user is authorized to access the physical computing resource by determining whether one of the physical entitlement specification records identifies a physical computing resource record that corresponds to the physical computing resource,for each physical entitlement specification record in the set of physical entitlement specification records, determining whether the user has been provisioned with access to the physical computing resource that corresponds to the physical computing resource record identified in the physical entitlement specification record by determining whether the physical computing resource record corresponds to one of the physical computing resources in the set of physical computing resources,determining to adjust access rights for the user responsive to determining that either the user is not authorized to access one of the physical computing resources in the set of physical computing resources, or the user has not been provisioned with access rights to one of the physical computing resources corresponding to the physical computing resource record identified in one of the physical entitlement specification records, andautomatically adjusting access rights for the user to at least one of the physical computing resources, the adjusting comprising at least one of (i) provisioning access rights to one of the physical computing resources or (ii) revoking access rights provisioned for the user to one of the physical computing resources.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The system of claim 6 wherein:
    - the IAM data model further defines a third relationship between a logical computing resource entity and a logical entitlement entity, defines a fourth relationship between the logical computing resource entity and the physical computing resource entity, and defines a fifth relationship between a provisioning entity and the physical computing resource entity; and
      
      the set of records further comprises;
      
      (d) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity, corresponding to a logical computing resource of the computing system, and identifying one of the physical computing resource records that correspond to one of the physical computing resources the logical computing resource is associated with,(e) a set of logical entitlement records, each logical entitlement record conforming to the logical entitlement entity and corresponding to a logical entitlement associated with the user and one of the logical computing resources, and(f) a set of provisioning records, each provisioning record conforming to the provisioning entity and identifying one of the physical computing resource records corresponding to one of the physical computing resources for which access rights have been provisioned for the user.
  - 8. The system of claim 7 wherein the adjusting comprises (i), and the adjusting includes submitting a request to provision new access rights for the user, the request indicating the user, the new access rights, and the physical computing resource, and the request being submitted to an access request handler that automatically initiates provisioning of the new access rights based on the request.
  - 9. The system of claim 7 wherein the instructions, when executed by one of the processors, further cause the system to:
    - generate a reconciliation exception that indicates the user and one of the physical computing resources corresponding to one of the physical computing resource records identified in the physical entitlement specification record that the user has not been provisioned with access rights to, andprovide notification of the reconciliation exception.
  - 10. The system of claim 7 wherein the adjusting comprises (ii), and the adjusting includes submitting a request to revoke existing access rights provisioned for the user, the request indicating the user, the existing access rights, and the physical computing resource, and the request being submitted to an access request handler automatically initiates revocation of the existing access rights based on the request.
  - 11. The system of claim 7 wherein the instructions, when executed by one of the processors, further cause the system to:
    - generate a reconciliation exception that indicates the user and one of the physical computing resources corresponding to one of the physical computing resource records for which access rights have previously been provisioned for the user but does not correspond to at least one physical computing resource record identified in any of the physical entitlement specification records; and
      
      provide notification of the reconciliation exception.

12. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to perform steps for reconciling access rights for physical computing resources of a computer system, the steps comprising:
- providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a physical entitlement specification entity and defining a second relationship between the physical entitlement specification entity and a physical computing resource entity;
  
  storing, at the database, (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more physical computing resources, (b) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of the computing resources, and (c) a set of physical entitlement specification records associated with the user record, each physical entitlement specification record conforming to the physical entitlement specification entity and identifying the user record, one of the physical computing resource records, and a permission to access one of the computing resources that corresponds to the physical computing resource record;
  
  receiving a request to reconcile access rights provisioned for the user;
  
  responsive to receipt of the request, initiating a reconciliation process, the reconciliation process comprising;
  
  identifying a set of physical computing resources for which access rights have previously been provisioned for the user,querying the database for the set of a physical entitlement specification records associated with the user record that corresponds to the user,for each physical computing resource in the set of physical computing resources, determining whether the user is authorized to access the physical computing resource by determining whether one of the physical entitlement specification records identifies a physical computing resource record that corresponds to the physical computing resource,for each physical entitlement specification record in the set of physical entitlement specification records, determining whether the user has been provisioned with access to the physical computing resource that corresponds to the physical computing resource record identified in the physical entitlement specification record by determining whether the physical computing resource record corresponds to one of the physical computing resources in the set of physical computing resources,determining to adjust access rights for the user responsive to determining that either the user is not authorized to access one of the physical computing resources in the set of physical computing resources, or the user has not been provisioned with access rights to one of the physical computing resources corresponding to the physical computing resource record identified in one of the physical entitlement specification records, andautomatically adjusting, access rights for the user to at least one of the physical computing resources, the adjusting comprising at least one of (i) provisioning access rights to one of the physical computing resources or (ii) revoking access rights provisioned for the user to one of the physical computing resources.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The non-transitory computer-readable medium of claim 12 whereinthe IAM data model further defines a third relationship between a logical computing resource entity and a logical entitlement entity, defines a fourth relationship between the logical computing resource entity and the physical computing resource entity, and defines a fifth relationship between a provisioning entity and the physical computing resource entity;
    - andthe set of records further comprises;
      
      (d) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity, corresponding to a logical computing resource of the computing system, and identifying one of the physical computing resource records that correspond to one of the physical computing resources the logical computing resource is associated with,(e) a set of logical entitlement records, each logical entitlement record conforming to the logical entitlement entity and corresponding to a logical entitlement associated with the user and one of the logical computing resources, and(f) a set of provisioning records, each provisioning record conforming to the provisioning entity and identifying one of the physical computing resource records corresponding to one of the physical computing resources for which access rights have been provisioned for the user.
  - 14. The non-transitory computer-readable medium of claim 12 wherein:
    - the adjusting comprises (i), and the adjusting includes;
      
      creating a request to provision new access rights for the user, the request indicating the user, the new access rights, and the physical computing resource, andsubmitting the request to an access request handler that automatically initiates provisioning of the new access rights based on the request.
  - 15. The non-transitory computer-readable medium of claim 12 wherein:
    - the adjusting comprises (ii), and the adjusting includes;
      
      creating a request to revoke existing access rights from the user, the request indicating the user, the existing access rights, and the physical computing resource, andsubmitting the request to an access request handler that automatically initiates revocation of the existing access rights based on the request.
  - 16. The non-transitory computer-readable medium of claim 12 wherein the instructions, when executed by one of the processors, cause the system to perform steps further comprising:
    - generating a reconciliation exception that indicates the user and indicates at least one of;
      
      a first one of the physical computing resources corresponding to one of the physical computing resource records identified in the physical entitlement specification record that the user has not been provisioned with access rights to, ora second one of the physical computing resources corresponding to one of the physical computing resource records for which access rights have previously been provisioned for the user but does not correspond to at least one physical computing resource record identified in any of the physical entitlement specification records; and
      
      providing notification of the reconciliation exception.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kling, John, Thompson, Bryan, Green, Ward
Primary Examiner(s)
LE, THU NGUYET T

Application Number

US13/945,679
Publication Number

US 20140181914A1
Time in Patent Office

1,209 Days
Field of Search

707/781, 707/783, 726/4
US Class Current

1/1
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 21/62   Protecting access to data v...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

Reconciling access rights at IAM system implementing IAM data model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

211 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Reconciling access rights at IAM system implementing IAM data model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

211 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others