Access reviews at IAM system implementing IAM data model
Abstract
Systems and methods of conducting access reviews of access rights to logical computing resources are provided. An access reviewer may receive a selection indicating a user having access to one or more logical computing resources of a computer system. The access reviewer may identify a set of current logical computing resources that the user has access to and a set of current logical entitlements associated with the user. The access reviewer may generate an access review summary based on a comparison of the current logical computing resources to one or more of the current logical entitlements.
20 Claims
1. A computer-implemented method for conducting access reviews of access rights to logical computing resources comprising:
providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and an entitlement entity and defining a second relationship between the entitlement entity and a logical computing resource entity;
storing, at the database, (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more computing resources, (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and corresponding to one of the computing resources, and (c) one or more entitlement records, each entitlement record conforming to the entitlement entity and indicating the user record and one of the logical computing resource records;
receiving a request to generate an access review summary for the user;
responsive to receipt of the request, generating the access review summary by:
identifying for which of the one or more computing resources of the computing system access rights have been provisioned for the user;
for each computing resource for which access rights have been provisioned for the user, (i) querying the database for a logical computing resource record corresponding to the computing resource, (ii) querying the database to determine whether the logical computing resource record is associated with an entitlement record being associated with the user record, and (iii) configuring the access review summary to indicate a logical computing resource corresponding to the computing resource and whether the user is authorized to access the logical computing resource, the access review summary indicating either:
that the user is authorized to access the logical computing resource responsive to determining the logical computing resource record is associated with the entitlement record being associated with the user record, or that the user is not authorized to access the logical computing resource responsive to determining the logical computing resource record is not associated with the entitlement record being associated with the user record; and
outputting, at a display device, the access review summary.
Dependent claims 2, 3, 4, 5, 6, 7 and 8 are not reproduced on this page.
9. A system for conducting access reviews of access rights to logical computing resources comprising:
one or more processors;
a display device;
a database that implements an identity and access management (IAM) data model and storing a set of records conforming to the IAM data model, wherein: the IAM data model defines a first relationship between a user entity and an entitlement entity and defines a second relationship between the entitlement entity and a logical computing resource entity, and the set of records comprises (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more computing resources, (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and corresponding to one of the computing resources, and (c) one or more entitlement records, each entitlement record conforming to the entitlement entity and indicating the user record and one of the logical computing resource records; and
memory storing instructions that, when executed by one of the processors, cause the system to:
receive a request to generate an access review summary for the user;
responsive to receipt of the request, generate the access review summary by:
identifying for which of the one or more computing resources of the computing system access rights have been provisioned for the user;
for each computing resource for which access rights have been provisioned for the user, (i) querying the database for a logical computing resource record corresponding to the computing resource, (ii) querying the database to determine whether the logical computing resource record is associated with an entitlement record being associated with the user record, and (iii) configuring the access review summary to indicate a logical computing resource corresponding to the computing resource and whether the user is authorized to access the logical computing resource, the access review summary indicating either:
that the user is authorized to access the logical computing resource responsive to determining the logical computing resource record is associated with the entitlement record being associated with the user record, or that the user is not authorized to access the logical computing resource responsive to determining the logical computing resource record is not associated with the entitlement record being associated with the user record; and
output, at the display device, the access review summary.
Dependent claims 10, 11, 12, 13 and 14 are not reproduced on this page.
15. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor of a computing device, cause the computing device to perform steps for conducting access reviews of access rights to logical computing resources, the steps comprising:
providing a database that implements an identity and access management (IAM) data model and storing a set of records conforming to the IAM data model, wherein: the IAM data model defines a first relationship between a user entity and an entitlement entity and defines a second relationship between the entitlement entity and a logical computing resource entity, and the set of records comprises (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more computing resources, (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and corresponding to one of the computing resources, and (c) one or more entitlement records, each entitlement record conforming to the entitlement entity and indicating the user record and one of the logical computing resource records;
receiving a request to generate an access review summary for the user;
responsive to receipt of the request, generating the access review summary by:
identifying for which of the one or more computing resources of the computing system access rights have been provisioned for the user;
for each computing resource for which access rights have been provisioned for the user, (i) querying the database for a logical computing resource record corresponding to the computing resource, (ii) querying the database to determine whether the logical computing resource record is associated with an entitlement record being associated with the user record, and (iii) configuring the access review summary to indicate a logical computing resource corresponding to the computing resource and whether the user is authorized to access the logical computing resource, the access review summary indicating either:
that the user is authorized to access the logical computing resource responsive to determining the logical computing resource record is associated with the entitlement record being associated with the user record, or that the user is not authorized to access the logical computing resource responsive to determining the logical computing resource record is not associated with the entitlement record being associated with the user record; and
outputting, at a display device, the access review summary.
Dependent claims 16, 17, 18, 19 and 20 are not reproduced on this page.
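The procedure recited in claims 1, 9 and 15 is, in practice, an orphaned-access check: what the target systems report as provisioned for a user is compared against the entitlement records that are supposed to justify it, and anything provisioned without a matching entitlement is flagged. The following is an added illustration, not code from the patent or from any product implementing it. It assumes a SQLite schema with tables iam_user, logical_resource and entitlement that carry the two relationships of the data model (user to entitlement, entitlement to logical resource), and the provisioned-access list PROVISIONED stands in for whatever connectors or exports would report for the "identifying" step; all sample data is constructed. The case of provisioned access for which no logical resource record exists at all is not addressed by the claims and is handled here as an addition (reported as not authorized).

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Added example (not the patent's code). Table and column names are assumptions.
SCHEMA = """
CREATE TABLE iam_user (
    user_id TEXT PRIMARY KEY,
    name    TEXT NOT NULL
);
-- Logical resource records: one row per computing resource, keyed by the
-- target system and the identifier that system uses for the resource.
CREATE TABLE logical_resource (
    resource_id TEXT PRIMARY KEY,
    system_name TEXT NOT NULL,
    native_id   TEXT NOT NULL,
    UNIQUE (system_name, native_id)
);
-- Entitlement records carry both relationships of the data model:
-- user -> entitlement (first) and entitlement -> logical resource (second).
CREATE TABLE entitlement (
    entitlement_id INTEGER PRIMARY KEY,
    user_id     TEXT NOT NULL REFERENCES iam_user(user_id),
    resource_id TEXT NOT NULL REFERENCES logical_resource(resource_id),
    UNIQUE (user_id, resource_id)
);
"""


@dataclass(frozen=True)
class ReviewLine:
    system_name: str
    native_id: str
    resource_id: Optional[str]  # None if the database has no logical record
    authorized: bool


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one user, three logical resources, two entitlements."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO iam_user VALUES (?, ?)", ("u1001", "Alice Example"))
    conn.executemany("INSERT INTO logical_resource VALUES (?, ?, ?)", [
        ("res-payroll-db", "postgres-prod", "payroll"),
        ("res-hr-share", "fileserver", "hr-share"),
        ("res-ci-admins", "gitlab", "admins"),
    ])
    conn.executemany(
        "INSERT INTO entitlement (user_id, resource_id) VALUES (?, ?)",
        [("u1001", "res-payroll-db"), ("u1001", "res-hr-share")])
    conn.commit()
    return conn


# Constructed: access the target systems actually report as provisioned for
# the user (the "identifying" step, normally fed by connectors or exports).
# gitlab/admins is provisioned but has no entitlement; legacy-ftp//export
# has no logical resource record in the IAM database at all.
PROVISIONED = {
    "u1001": [
        ("postgres-prod", "payroll"),
        ("gitlab", "admins"),
        ("legacy-ftp", "/export"),
    ],
}


def access_review_summary(conn, user_id, provisioned):
    """Steps (i) to (iii) of claim 1 for every provisioned resource of one user."""
    lines = []
    for system_name, native_id in provisioned.get(user_id, []):
        # (i) look up the logical computing resource record
        row = conn.execute(
            "SELECT resource_id FROM logical_resource "
            "WHERE system_name = ? AND native_id = ?",
            (system_name, native_id)).fetchone()
        if row is None:
            # Added edge case, not in the claim: provisioned access the IAM
            # database does not model. Nothing can vouch for it, so it is
            # reported as not authorized.
            lines.append(ReviewLine(system_name, native_id, None, False))
            continue
        resource_id = row[0]
        # (ii) is there an entitlement linking this user record to the resource?
        hit = conn.execute(
            "SELECT 1 FROM entitlement WHERE user_id = ? AND resource_id = ?",
            (user_id, resource_id)).fetchone()
        # (iii) record the logical resource and the authorized / not authorized verdict
        lines.append(ReviewLine(system_name, native_id, resource_id, hit is not None))
    return lines


def unauthorized_access(lines):
    """What a reviewer acts on: provisioned access with no entitlement behind it."""
    return [(ln.system_name, ln.native_id) for ln in lines if not ln.authorized]


def render(user_id, lines) -> str:
    """Text form of the summary for the 'outputting at a display device' step."""
    out = [f"Access review for {user_id}"]
    for ln in lines:
        verdict = "AUTHORIZED" if ln.authorized else "NOT AUTHORIZED"
        res = ln.resource_id or "(no logical resource record)"
        out.append(f"  {ln.system_name}:{ln.native_id} -> {res}: {verdict}")
    return "\n".join(out)


if __name__ == "__main__":
    db = build_db()
    print(render("u1001", access_review_summary(db, "u1001", PROVISIONED)))
```

Two design points worth noting. The review is driven by what is provisioned on the target systems, not by the entitlement table, which is why the check catches access that was granted out of band and never recorded; iterating the other way (entitlements first) would only find missing provisioning. And the UNIQUE constraint on (system_name, native_id) is what makes step (i) unambiguous: without it the same native identifier could map to two logical records and the verdict would depend on which one the query happened to return.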
Specification