Common data model for identity access management data

  • US 9,639,594 B2
  • Filed: 03/13/2013
  • Issued: 05/02/2017
  • Est. Priority Date: 12/20/2012
  • Status: Active Grant
First Claim

1. A system for managing identity and access management (IAM) data comprising:

  • an IAM data model that models an IAM domain space using a common IAM data format, the IAM data model defining a logical computing resource entity, a physical computing resource entity, and a relationship between the logical computing resource entity and the physical computing resource entity;
  • a mapping module implemented at a computing device, wherein the mapping module is configured to transform heterogeneous IAM data provided by a plurality of IAM data sources, based on the IAM data model, into homogeneous IAM data formatted according to the common IAM data format;
  • a data store of the computing device that implements the IAM data model such that the data store is configured to store the homogeneous IAM data as a set of database records, the set of database records conforming to the IAM data model, the set of database records comprising (a) a set of physical computing resource records, each physical computing resource record conforming to the physical computing resource entity and corresponding to one of a plurality of physical computing resources of a computing system, and (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and indicating at least one of the plurality of physical computing resources that implements the logical computing resource at the computing system; and
  • an access request manager configured to change access rights for a user account using the IAM data model by:
    i) receiving a request to change access rights for the user account, wherein the request indicates one of a job function, a business activity, or a business unit;
    ii) evaluating the homogeneous IAM data to identify a logical computing resource associated with the job function, the business activity, or the business unit indicated in the request, and to identify a logical permission to change with respect to the logical computing resource identified;
    iii) evaluating the homogeneous IAM data to identify a physical computing resource that implements the logical computing resource identified;
    iv) obtaining, from the homogeneous IAM data, a physical permission specification associated with the physical computing resource identified, the physical permission specification mapping the logical permission to at least one physical permission that implements the logical permission at the physical computing resource; and
    v) initiating a change to the access rights for the user account with respect to the physical computing resource identified based on the at least one physical permission of the physical permission specification, wherein the change to the access rights either provisions the at least one physical permission on the physical computing resource for the user account or revokes the at least one physical permission on the physical computing resource from the user account.
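Steps i) to v) of the access request manager, as an added illustration that is not part of the patent or any product implementing it: the records, resource names and permission strings are constructed sample data laid out per the claim's entities (logical resources, physical resources, the implemented-by relationship and a per-resource physical permission specification). A missing physical permission specification fails closed rather than guessing a permission.

```python
from dataclasses import dataclass

# Constructed sample records with hypothetical names, shaped like the claim's
# logical resource records, physical resource records and permission specs.
LOGICAL_RESOURCES = {
    "payroll-app": {
        "assigned_to": {("job_function", "payroll-clerk"), ("business_unit", "finance")},
        "logical_permissions": ["approve-payroll"],
        "implemented_by": ["hr-db-prod", "payroll-web-01"],   # relationship entity
    },
    "timesheet-app": {
        "assigned_to": {("business_activity", "submit-timesheet")},
        "logical_permissions": ["submit-timesheet"],
        "implemented_by": ["payroll-web-01"],
    },
}
PHYSICAL_RESOURCES = {"hr-db-prod": "database", "payroll-web-01": "web server"}
# Physical permission specification: (physical resource, logical permission)
# -> the physical permissions that implement it on that resource.
PERMISSION_SPECS = {
    ("hr-db-prod", "approve-payroll"): ["role:payroll_approver"],
    ("payroll-web-01", "approve-payroll"): ["group:payroll-approvers"],
    ("payroll-web-01", "submit-timesheet"): ["group:timesheet-users"],
}


@dataclass(frozen=True)
class AccessChange:
    account: str
    physical_resource: str
    physical_permission: str
    action: str  # "provision" or "revoke"


def change_access(account, selector, action):
    """selector is (kind, value) with kind one of job_function,
    business_activity or business_unit; returns the physical changes to apply."""
    if action not in ("provision", "revoke"):
        raise ValueError(f"unknown action {action!r}")
    changes = []
    for lname, lrec in sorted(LOGICAL_RESOURCES.items()):
        if selector not in lrec["assigned_to"]:       # ii) logical resource
            continue
        for lperm in lrec["logical_permissions"]:     # ii) logical permission
            for pname in lrec["implemented_by"]:      # iii) physical resource
                if pname not in PHYSICAL_RESOURCES:
                    raise KeyError(f"{lname}: unknown physical resource {pname}")
                spec = PERMISSION_SPECS.get((pname, lperm))
                if spec is None:                      # iv) no spec: fail closed
                    raise LookupError(f"no permission spec for {lperm} on {pname}")
                for pperm in spec:                    # v) one change per physical permission
                    changes.append(AccessChange(account, pname, pperm, action))
    return changes
```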
