System and method for reviewing role definitions
Abstract
A system for reviewing role definitions includes a database that stores a plurality of roles. Each of the plurality of roles associates an identifier with at least one entitlement. The system also includes a second database that stores role review definitions. The review definitions define role review processes for the plurality of roles. The system further includes a processor that is in communication with the role database and the review definition database. The processor executes the role review processes defined by the review definitions at the appropriate times.
26 Claims
1. A system for reviewing role definitions, comprising:
a first database storing a plurality of roles, each of the plurality of roles having an identifier and at least one associated entitlement, each of the plurality of roles representing an object that associates some number of people or identities with a common set of access rights or entitlements;
a second database storing a review definition, the review definition defining a role review process for at least one of the plurality of roles, the role review process ensuring that role definitions are accurate and meaningful over a period of time and enabling changes to be made to a role structure where inaccuracies are found; and
a processor in communication with the first and second databases, the processor executing instructions to execute the role review process defined by the review definition;
wherein a meaningful role definition of a role within an organization is one in which the role definition aligns with actual business roles of people within an organization;
wherein the review definition stored in the second database includes:
i) a schedule defining when a review process for a role is to be run,
ii) a review duration defining how long the review process runs,
iii) an identifier of a review owner identifying a person authorized by the system to select at least one reviewer to perform the role review process, and
iv) an indicator indicating whether the review process is to be coarse-grained or fine-grained, a coarse-grained review being a review of a role at a high level either by maintaining or revoking the role, a fine-grained review being a review of details of the role including membership and entitlements; and
wherein the processor, prior to storing the review definition, further executes instructions to receive, at the direction of the review owner, by a graphical user interface (GUI) generated by the processor and displayed on a display device coupled to the processor, a selection of at least one reviewer to perform a role review specified by the role review process,
wherein the processor further executes instructions to present the user with controls for receiving from the user a reviewer delegation indication indicating whether the at least one reviewer may delegate performing the role review process to another person, wherein the controls include a checkbox configured to provide the processor with (i) a first value in response to the user clicking the checkbox to indicate that the at least one reviewer is allowed to delegate performing the role review process to another person and (ii) a second value in response to the user clicking the checkbox to indicate that the at least one reviewer is not allowed to delegate performing the role review process to another person,
wherein the processor further executes instructions to store the reviewer delegation indication and to allow the at least one reviewer to delegate, or prevent the at least one reviewer from delegating, performing of the role review process to another person based on whether the checkbox respectively provides the processor with the first value or the second value,
wherein a reviewer has a role within the organization defined by a role definition associating a group of people with access rights to resources,
wherein the processor further executes instructions to present the user with controls for receiving a self-review prevention indicator indicating whether to prevent the at least one reviewer from performing a self review of access rights to the resources, wherein the controls include another checkbox configured to provide the processor with (i) a first self-review value in response to the user clicking the other checkbox to indicate that the at least one reviewer is allowed to perform a self review of access rights to the resources and (ii) a second self-review value in response to the user clicking the other checkbox to indicate that the at least one reviewer is not allowed to perform a self review of access rights to the resources,
wherein the processor further executes instructions to store the self-review prevention indicator and to allow the at least one reviewer to perform, or prevent the at least one reviewer from performing, a self review of access rights to the resources based on whether the other checkbox respectively provides the processor with the first self-review value or second self-review value.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method for reviewing role definitions in a role review system, comprising the steps of:
storing a plurality of roles in a first database, each of the plurality of roles having an identifier and at least one associated entitlement, each of the plurality of roles representing an object that associates some number of people or identities with a common set of access rights or entitlements; and
storing a review definition in a second database, the review definition defining a role review process for at least one of the plurality of roles, the role review process specifying role reviews arranged to verify that role definitions are accurate and meaningful over a period of time and enabling changes to be made to a role structure where inaccuracies are found;
wherein a meaningful role definition of a role within an organization is one in which the role definition aligns with actual business roles of people within an organization;
wherein storing the review definition in the second database includes storing
i) a schedule defining when a review process for a role is to be run,
ii) a review duration defining how long the review process runs,
iii) an identifier of a review owner identifying a person authorized by the system to select at least one reviewer to perform the role review process, and
iv) an indicator indicating whether the review process is to be coarse-grained or fine-grained, a coarse-grained review being a review of a role at a high level either by maintaining or revoking the role, a fine-grained review being a review of details of the role including membership and entitlements,
wherein the method further comprises, prior to storing the review definition, receiving, at the direction of the review owner, by a graphical user interface (GUI) generated by a processor of the role review system and displayed on a display device coupled to the processor, a selection of at least one reviewer to perform a role review specified by the role review process,
wherein generating the GUI includes presenting the user with controls for receiving from the user a reviewer delegation indication indicating whether the at least one reviewer may delegate performing the role review process to another person, wherein the controls include a checkbox configured to provide the processor with (i) a first value in response to the user clicking the checkbox to indicate that the at least one reviewer is allowed to delegate performing the role review process to another person and (ii) a second value in response to the user clicking the checkbox to indicate that the at least one reviewer is not allowed to delegate performing the role review process to another person,
wherein storing the review definition in the set of databases further includes storing the reviewer delegation indication, and
wherein the method further comprises executing the role review process, wherein executing includes allowing the at least one reviewer to delegate, or preventing the at least one reviewer from delegating, performing of the role review process to another person based on whether the checkbox respectively provides the processor with the first value or the second value,
wherein a reviewer has a role within the organization defined by a role definition associating a group of people with access rights to resources,
wherein generating the GUI further includes presenting the user with controls for receiving a self-review prevention indicator indicating whether to prevent the at least one reviewer from performing a self review of access rights to the resources, wherein the controls include another checkbox configured to provide the processor with (i) a first self-review value in response to the user clicking the other checkbox to indicate that the at least one reviewer is allowed to perform a self review of access rights to the resources and (ii) a second self-review value in response to the user clicking the other checkbox to indicate that the at least one reviewer is not allowed to perform a self review of access rights to the resources,
wherein storing the review definition in the set of databases includes storing the self-review prevention indicator, and
wherein executing the role review process defined by the inputs further includes allowing the at least one reviewer to perform, or preventing the at least one reviewer from performing, a self review of access rights to the resources based on whether the other checkbox respectively provides the processor with the first self-review value or the second self-review value.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26.
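As an added illustration, not the patent's own implementation or any product's code, the review definition of claims 1 and 11 modelled as data, with the schedule window, the delegation checkbox and the self-review prevention indicator enforced in code; all names and sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed model of the claimed review definition (hypothetical names, not the
# patent's or any product's schema). A Role ties identities to a common set of
# entitlements; a ReviewDefinition holds items i)-iv) and the two checkbox values.
@dataclass
class Role:
    members: set          # identities holding the role
    entitlements: set     # access rights the role grants

@dataclass
class ReviewDefinition:
    role_id: str
    schedule_start: date          # i) when the review is to be run
    duration_days: int            # ii) how long the review runs
    review_owner: str             # iii) person who selects the reviewers
    fine_grained: bool            # iv) True = fine-grained, False = coarse-grained
    reviewers: set                # selected at the direction of the review owner
    delegation_allowed: bool      # delegation checkbox: True = may delegate
    self_review_prevented: bool   # self-review checkbox: True = no self review

def review_open(defn, today):
    """The review window runs from the scheduled date for the stated duration."""
    return defn.schedule_start <= today < defn.schedule_start + timedelta(days=defn.duration_days)

def delegate(defn, reviewer, delegate_to):
    """Hand the review to another person only if the delegation checkbox allows it."""
    if reviewer not in defn.reviewers or not defn.delegation_allowed:
        return False
    defn.reviewers.discard(reviewer)
    defn.reviewers.add(delegate_to)
    return True

def may_review(defn, role, reviewer):
    """Refuse a self review: a member of the role under review may not certify it when the indicator is set."""
    if reviewer not in defn.reviewers:
        return False
    return not (defn.self_review_prevented and reviewer in role.members)

def apply_decision(defn, role, decision):
    """Coarse-grained: 'maintain'/'revoke' the whole role; fine-grained: remove named members/entitlements."""
    if not defn.fine_grained:
        if decision == "revoke":
            role.members, role.entitlements = set(), set()
        return role
    role.members -= set(decision.get("remove_members", ()))
    role.entitlements -= set(decision.get("remove_entitlements", ()))
    return role
```

The same checks apply whether the review runs coarse-grained or fine-grained; only apply_decision changes shape between the two.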