Common data model for identity access management data
Abstract
A data model for managing identity and access management (IAM) data implemented at an electronic database may include a set of logical resource elements, a set of physical resource elements, and a set of access request elements that respectively model logical resources, physical resources, and access requests received at an access request manager of an enterprise. The physical resource elements may be respectively associated with the logical resource elements such that access rights for the physical resources may be obtained based on a logical resource specified in the access request. A system for managing IAM may include a mapping module configured to transform heterogeneous IAM data provided by a plurality of IAM data sources into homogeneous IAM data formatted according to the common IAM data format. A data store may implement the IAM data model such that the data store is configured to store the homogeneous IAM data.
12 Claims
1. A system for managing identity and access management (IAM) data comprising:

    an IAM data model that models an IAM domain space using a common IAM data format, the IAM data model defining a logical computing resource entity, a physical computing resource entity, and a relationship between the logical computing resource entity and the physical computing resource entity;

    a mapping module implemented at a computing device, wherein the mapping module is configured to transform heterogeneous IAM data provided by a plurality of IAM data sources, based on the IAM data model, into homogeneous IAM data formatted according to the common IAM data format;

    a data store of the computing device that implements the IAM data model such that the data store is configured to store the homogeneous IAM data as a set of database records, the set of database records conforming to the IAM data model, the set of database records comprising (a) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of a plurality of physical computing resources of a computing system, and (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and indicating at least one of the plurality of physical computing resources that implements the logical computing resource at the computing system; and

    an access request manager configured to change access rights for a user account using the IAM data model by:
        i) receiving a request to change access rights for the user account, wherein the request indicates one of a job function, a business activity, or a business unit,
        ii) evaluating the homogeneous IAM data to identify a logical computing resource associated with the job function, the business activity, or the business unit indicated in the request, and to identify a logical permission to change with respect to the logical computing resource identified,
        iii) evaluating the homogeneous IAM data to identify a physical computing resource that implements the logical computing resource identified,
        iv) obtaining, from the homogeneous IAM data, a physical permission specification associated with the physical computing resource identified, the physical permission specification mapping the logical permission to at least one physical permission that implements the logical permission at the physical computing resource, and
        v) initiating a change to the access rights for the user account with respect to the physical computing resource identified based on the at least one physical permission of the physical permission specification, wherein the change to the access rights either provisions the at least one physical permission to the physical computing resource for the user account or revokes the at least one physical permission to the physical computing resource from the user account.

Dependent claims: 2, 3, 4, 5, 6.

7. A computer-implemented method for managing identity and access management (IAM) data comprising:

    implementing, at a data store, an IAM data model that models an IAM domain space using a common IAM data format, the IAM data model defining a logical computing resource entity, a physical computing resource entity, and a relationship between the logical computing resource entity and the physical computing resource entity;

    receiving heterogeneous IAM data from a plurality of IAM data sources;

    mapping the heterogeneous IAM data based on the IAM data model in order to obtain homogeneous IAM data formatted according to the common IAM data format;

    storing the homogeneous IAM data at the data store that implements the IAM data model as a set of database records conforming to the IAM data model, the set of database records comprising (a) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of a plurality of physical computing resources of a computing system, and (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and indicating at least one of the plurality of physical computing resources that implements the logical computing resource at the computing system; and

    changing, by an access request manager, access rights for a user account using the IAM data model by:
        i) receiving a request to change access rights for the user account, wherein the request indicates one of a job function, a business activity, or a business unit,
        ii) evaluating the homogeneous IAM data to identify a logical computing resource associated with the job function, the business activity, or the business unit indicated in the request, and to identify a logical permission to change with respect to the logical computing resource identified,
        iii) evaluating the homogeneous IAM data to identify a physical computing resource that implements the logical computing resource identified,
        iv) obtaining, from the homogeneous IAM data, a physical permission specification associated with the physical computing resource identified, the physical permission specification mapping the logical permission to at least one physical permission that implements the logical permission at the physical computing resource, and
        v) initiating a change to the access rights for the user account with respect to the physical computing resource identified based on the at least one physical permission of the physical permission specification, wherein the change to the access rights either provisions the at least one physical permission to the physical computing resource for the user account or revokes the at least one physical permission to the physical computing resource from the user account.

Dependent claims: 8, 9.

10. A non-transitory computer-readable medium having instructions stored thereon that, when executed, cause a computing device to perform steps comprising:

    implementing, at a data store, a data model for managing identity and access management (IAM) data, the data model defining a logical computing resource entity, a physical computing resource entity, and a relationship between the physical computing resource entity and the logical computing resource entity;

    storing, at the data store, the IAM data as a set of database records, the set of database records conforming to the data model, the set of database records comprising (a) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of a plurality of physical computing resources of a computing system, and (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and indicating at least one of the plurality of physical computing resources that implements the logical computing resource at the computing system; and

    changing access rights for a user account by:
        i) receiving a request to change access rights for the user account, wherein the request indicates one of a job function, a business activity, or a business unit,
        ii) evaluating the IAM data to identify a logical computing resource associated with the job function, the business activity, or the business unit indicated in the request, and to identify a logical permission to change with respect to the logical computing resource identified,
        iii) evaluating the IAM data to identify a physical computing resource that implements the logical computing resource identified,
        iv) obtaining, from the IAM data, a physical permission specification associated with the physical computing resource identified, the physical permission specification mapping the logical permission to at least one physical permission that implements the logical permission at the physical computing resource, and
        v) initiating a change to the access rights for the user account with respect to the physical computing resource identified based on the at least one physical permission of the physical permission specification, wherein the change to the access rights either provisions the at least one physical permission to the physical computing resource for the user account or revokes the at least one physical permission to the physical computing resource from the user account.

Dependent claims: 11, 12.
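The access-request procedure of steps i) to v), as an added Python example that is not part of the patent and covers only the job-function case of step i). The PhysicalResource and LogicalResource records, the JOB_FUNCTIONS and PERMISSION_SPEC tables, and every id and permission string are constructed sample data standing in for the homogeneous IAM data held in the data store.

```python
from dataclasses import dataclass

# Homogeneous IAM data, i.e. records already mapped into the common format.
# All ids, job functions and permission strings below are constructed samples.
@dataclass(frozen=True)
class PhysicalResource:      # conforms to the physical computing resource entity
    id: str
    kind: str

@dataclass(frozen=True)
class LogicalResource:       # conforms to the logical computing resource entity
    id: str
    implemented_by: tuple    # ids of the physical resources implementing it

PHYSICAL = {"pg-hr-01": PhysicalResource("pg-hr-01", "database"),
            "ldap-01": PhysicalResource("ldap-01", "directory")}
LOGICAL = {"hr-payroll-app": LogicalResource("hr-payroll-app", ("pg-hr-01", "ldap-01"))}
# Job function -> (logical resource, logical permission) entitlements (step ii).
JOB_FUNCTIONS = {"payroll-clerk": [("hr-payroll-app", "read")]}
# Physical permission specification: (physical id, logical perm) -> physical perms (step iv).
PERMISSION_SPEC = {("pg-hr-01", "read"): ["GRANT SELECT ON payroll.*"],
                   ("ldap-01", "read"): ["member cn=payroll-readers"]}


def change_access(request, grants):
    """Steps i) to v): resolve the job function to logical resources, each logical
    resource to its physical resources, each logical permission to physical
    permissions, then provision or revoke them.  `grants` holds each account's
    current physical permissions and is updated in place; the list of
    (action, physical id, physical permission) changes is returned."""
    account, action, job = request["account"], request["action"], request["job_function"]
    if action not in ("provision", "revoke"):
        raise ValueError(f"unknown action {action!r}")
    if job not in JOB_FUNCTIONS:                                  # step ii
        raise LookupError(f"no logical resource is associated with {job!r}")
    changes = []
    for logical_id, logical_perm in JOB_FUNCTIONS[job]:
        for phys_id in LOGICAL[logical_id].implemented_by:        # step iii
            phys_perms = PERMISSION_SPEC.get((phys_id, logical_perm))
            if phys_perms is None:  # gap in the specification: fail closed rather than guess
                raise LookupError(f"no physical permission for {logical_perm!r} on {phys_id!r}")
            held = grants.setdefault(account, set())
            for perm in phys_perms:                               # step v
                if action == "provision":
                    held.add((phys_id, perm))
                else:
                    held.discard((phys_id, perm))
                changes.append((action, phys_id, perm))
    return changes
```

Because a request is resolved through the logical resource, the same job-function request fans out to every physical resource that implements it, and a revoke walks the identical path, so no physical grant is left behind when the logical entitlement is withdrawn.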