System and method for reviewing role definitions

  • US 9,495,393 B2
  • Filed: 12/12/2011
  • Issued: 11/15/2016
  • Est. Priority Date: 07/27/2011
  • Status: Active Grant
First Claim

1. A system for reviewing role definitions, comprising:

  • a first database storing a plurality of roles, each of the plurality of roles having an identifier and at least one associated entitlement, each of the plurality of roles representing an object that associates some number of people or identities with a common set of access rights or entitlements;

    a second database storing a review definition, the review definition defining a role review process for at least one of the plurality of roles, the role review process ensuring that role definitions are accurate and meaningful over a period of time and enabling changes to be made to a role structure where inaccuracies are found; and

    a processor in communication with the first and second databases, the processor executing instructions to execute the role review process defined by the review definition;

    wherein a meaningful role definition of a role within an organization is one in which the role definition aligns with actual business roles of people within an organization;

    wherein the review definition stored in the second database includes:

    i) a schedule defining when a review process for a role is to be run,
    ii) a review duration defining how long the review process runs,
    iii) an identifier of a review owner identifying a person authorized by the system to select at least one reviewer to perform the role review process, and
    iv) an indicator indicating whether the review process is to be coarse-grained or fine-grained, a coarse-grained review being a review of a role at a high level either by maintaining or revoking the role, a fine-grained review being a review of details of the role including membership and entitlements; and

    wherein the processor, prior to storing the review definition, further executes instructions to receive, at the direction of the review owner, by a graphical user interface (GUI) generated by the processor and displayed on a display device coupled to the processor, a selection of at least one reviewer to perform a role review specified by the role review process,

    wherein the processor further executes instructions to present the user with controls for receiving from the user a reviewer delegation indication indicating whether the at least one reviewer may delegate performing the role review process to another person, wherein the controls include a checkbox configured to provide the processor with (i) a first value in response to the user clicking the checkbox to indicate that the at least one reviewer is allowed to delegate performing the role review process to another person and (ii) a second value in response to the user clicking the checkbox to indicate that the at least one reviewer is not allowed to delegate performing the role review process to another person,

    wherein the processor further executes instructions to store the reviewer delegation indication and to allow the at least one reviewer to delegate, or prevent the at least one reviewer from delegating, performing of the role review process to another person based on whether the checkbox respectively provides the processor with the first value or the second value,

    wherein a reviewer has a role within the organization defined by a role definition associating a group of people with access rights to resources,

    wherein the processor further executes instructions to present the user with controls for receiving a self-review prevention indicator indicating whether to prevent the at least one reviewer from performing a self review of access rights to the resources, wherein the controls include another checkbox configured to provide the processor with (i) a first self-review value in response to the user clicking the other checkbox to indicate that the at least one reviewer is allowed to perform a self review of access rights to the resources and (ii) a second self-review value in response to the user clicking the other checkbox to indicate that the at least one reviewer is not allowed to perform a self review of access rights to the resources,

    wherein the processor further executes instructions to store the self-review prevention indicator and to allow the at least one reviewer to perform, or prevent the at least one reviewer from performing, a self review of access rights to the resources based on whether the other checkbox respectively provides the processor with the first self-review value or second self-review value.
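As an added illustration (not from the patent or any assignee's product), a small Python model of the claimed review definition and the controls it describes: owner-gated reviewer selection, the delegation checkbox, the self-review prevention checkbox, the review window, and coarse versus fine-grained decisions. The role names, people and entitlements are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed sample data, not from the patent: roles with members and entitlements.
ROLES = {
    "payroll-admin": {"members": {"alice", "bob"}, "entitlements": {"hr.payroll.write"}},
    "auditor": {"members": {"carol"}, "entitlements": {"hr.payroll.read"}},
}
@dataclass
class ReviewDefinition:
    """The claim's review definition: schedule, duration, owner, granularity, checkboxes."""
    role_id: str
    start: str                        # schedule (ISO date) for when the review runs
    duration_days: int                # review duration
    review_owner: str                 # the only person who may select reviewers
    fine_grained: bool                # False = coarse (maintain/revoke the whole role)
    reviewers: set = field(default_factory=set)
    may_delegate: bool = False        # delegation checkbox value
    prevent_self_review: bool = True  # self-review prevention checkbox value

def select_reviewer(rd: ReviewDefinition, actor: str, reviewer: str) -> None:
    """Only the review owner may assign reviewers."""
    if actor != rd.review_owner:
        raise PermissionError(f"{actor} is not the review owner")
    rd.reviewers.add(reviewer)

def delegate(rd: ReviewDefinition, reviewer: str, delegate_to: str) -> None:
    """Delegation is honoured only when the delegation checkbox was set."""
    if reviewer not in rd.reviewers or not rd.may_delegate:
        raise PermissionError(f"{reviewer} may not delegate this review")
    rd.reviewers.add(delegate_to)

def can_review(rd: ReviewDefinition, reviewer: str, today: str) -> bool:
    """Assigned reviewer, inside the review window, and not reviewing a role they hold."""
    start, day = date.fromisoformat(rd.start), date.fromisoformat(today)
    window_open = start <= day < start + timedelta(days=rd.duration_days)
    self_review = reviewer in ROLES[rd.role_id]["members"]
    return reviewer in rd.reviewers and window_open and not (rd.prevent_self_review and self_review)

def apply_decision(rd: ReviewDefinition, reviewer: str, today: str, decision: dict) -> dict:
    """Coarse: {"action": "maintain"|"revoke"}; fine: {"remove_members": set, "remove_entitlements": set}."""
    if not can_review(rd, reviewer, today):
        raise PermissionError(f"{reviewer} may not review {rd.role_id} on {today}")
    role = ROLES[rd.role_id]
    if not rd.fine_grained:
        if decision.get("action") == "revoke":
            role.update(members=set(), entitlements=set())
        return role
    role["members"] -= decision.get("remove_members", set())
    role["entitlements"] -= decision.get("remove_entitlements", set())
    return role
```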
