Method and system for providing permissions management

US 9,900,322 B2
Filed: 03/02/2016
Issued: 02/20/2018
Est. Priority Date: 04/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method for managing permissions comprising:

identifying, using a first computing system, one or more roles available to be associated, using a reference architecture pattern, with an individual or entity taking part in the development, and/or deployment, and/or operation of two or more computing system applications;

generating, using the first computing system, role data representing the identified roles;

identifying, using the first computing system, a plurality of reference tiers used to create, and/or deploy, and/or operate a computing system application using the reference architecture pattern, wherein the identified reference tiers include at least a development tier and a production tier;

generating, using the first computing system, reference tier data representing the identified reference tiers;

for each role represented by the role data, associating, using the first computing system, at least one permission with each reference tier represented in the reference tier data;

assigning, to an individual or entity of the first computing system, at least one of the roles represented by the role data;

receiving a task request associated with the individual or entity, the task request including a request to perform a computing task;

determining a risk level associated with a potential performance of the requested computing task, the determined risk level being at least partly based on operating characteristics associated with the requested computing task;

adjusting a baseline permission associated with the requested computing task based on the determined risk level;

determining whether the individual or entity is associated, through a role assigned to the individual or entity, with a permission meeting or exceeding the adjusted baseline permission;

performing, if the individual or entity is associated, through a role assigned to the individual or entity, with the permission meeting or exceeding the adjusted baseline permission, the requested computing task in accordance with the request;

denying the request, if the individual or entity is not associated, through a role assigned to the individual or entity, with the permission meeting or exceeding the adjusted baseline permission.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Reference architecture pattern role data representing reference architecture pattern roles to be associated with entities taking part in the development, and/or deployment, and/or operation of an application is generated. Reference architecture pattern tier data representing reference architecture pattern tiers used to create, and/or deploy, and/or operate an application using the reference architecture pattern is generated. For each reference architecture pattern role at least one access and/or operational permission is associated with each reference architecture pattern tier. An entity is assigned one of the reference architecture pattern roles and for each reference architecture pattern tier, the entity is automatically provided the at least one access and/or operational permission associated with the reference architecture pattern role assigned to the entity. When a computing task is requested, permissions associated with the computing task are adjusted based on a risk level associated with performance of the requested computing task.

249 Citations

40 Claims

1. A method for managing permissions comprising:
- identifying, using a first computing system, one or more roles available to be associated, using a reference architecture pattern, with an individual or entity taking part in the development, and/or deployment, and/or operation of two or more computing system applications;
  
  generating, using the first computing system, role data representing the identified roles;
  
  identifying, using the first computing system, a plurality of reference tiers used to create, and/or deploy, and/or operate a computing system application using the reference architecture pattern, wherein the identified reference tiers include at least a development tier and a production tier;
  
  generating, using the first computing system, reference tier data representing the identified reference tiers;
  
  for each role represented by the role data, associating, using the first computing system, at least one permission with each reference tier represented in the reference tier data;
  
  assigning, to an individual or entity of the first computing system, at least one of the roles represented by the role data;
  
  receiving a task request associated with the individual or entity, the task request including a request to perform a computing task;
  
  determining a risk level associated with a potential performance of the requested computing task, the determined risk level being at least partly based on operating characteristics associated with the requested computing task;
  
  adjusting a baseline permission associated with the requested computing task based on the determined risk level;
  
  determining whether the individual or entity is associated, through a role assigned to the individual or entity, with a permission meeting or exceeding the adjusted baseline permission;
  
  performing, if the individual or entity is associated, through a role assigned to the individual or entity, with the permission meeting or exceeding the adjusted baseline permission, the requested computing task in accordance with the request;
  
  denying the request, if the individual or entity is not associated, through a role assigned to the individual or entity, with the permission meeting or exceeding the adjusted baseline permission.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method for managing permissions of claim 1 wherein determining the risk level associated with the potential performance of the requested computing task, the determined risk level being at least partly based on operating characteristics associated with the requested computing task comprises:
    - establishing a baseline risk value;
      
      establishing one or more baseline value ranges of respective operating characteristics associated with a potential performance of the requested computing task, the baseline value ranges representing value ranges of the operating characteristics considered to be normal;
      
      determining whether one or more of operating values associated with the request are outside the respective baseline range; and
      
      varying, for each operating value that is outside the respective baseline range, the baseline risk value, resulting in the determined risk level.
  - 3. The method for managing permissions of claim 1 wherein adjusting the baseline permission associated with the requested computing task based on the risk level comprisesincreasing a permission level required to perform the requested computing task if the risk level is higher than normal;
    - decreasing the permission level required to perform the requested computing task if the risk level is lower than normal; and
      
      not changing the baseline permission level required to perform the requested computing task if the risk level is unchanged from normal.
  - 4. The method for managing permissions of claim 2 wherein establishing the one or more baseline value ranges of respective operating characteristics associated with the request, the baseline ranges representing value ranges of the operating characteristics considered to be normal comprises:
    - for one or more operating characteristics associated with the request;
      
      analyzing two or more normal values associated with the operating characteristic associated with the request and establishing an upper limit and a lower limit which encompasses a majority of the normal values, the upper and lower limits respectively forming the upper and lower limits of a baseline range.
  - 5. The method for managing permissions of claim 1 wherein the operating characteristics associated with the request include at least one operating characteristic selected from the group of operating characteristics including:
    - an operating characteristic associated with the individual initiating the request;
      
      an operating characteristic associated with a computing system used to originate the request;
      
      a type of computing system used to originate the request;
      
      a configuration of a computing system used to originate the request;
      
      an operating characteristic associated with a computing system used to perform a computing task associated with the request;
      
      an operating characteristic associated with a location of the computing system used to originate the request;
      
      a time of the request;
      
      a day of the request; and
      
      a current computing load associated with a computing system expected to perform the computing task associated with the request.
  - 6. The method for managing permissions of claim 1 wherein the request is a request to access or change data in a database, wherein data in the database relating to the request has been assigned a baseline permission level, and further wherein the baseline permission level of the data in the database is varied according to operating values associated with accessing or changing the data.
  - 7. The method for managing permissions of claim 1 further comprisingfor a first one of the reference tiers associated with a first of the one or more computing system applications and represented in the reference tier data, automatically granting the individual a first permission associated with the role assigned to the individual;
    - andfor a second one of the reference tiers associated with a second of the one or more computing system applications and represented in the reference tier data, automatically granting the individual a second permission associated with the role assigned to the individual, wherein the second permission is different from the first permission.
  - 8. The method for providing permissions management of claim 1 wherein at least part of at least one of the computing system applications is to be deployed in a cloud computing environment.
  - 9. The method for providing permissions management of claim 1 wherein at least one of the roles represented by the role data is selected from the group of roles consisting of:
    - a supervisory administrator (SuperAdmin) role;
      
      an administrator (Admin) role;
      
      a security role;
      
      an operator role;
      
      a developer role;
      
      a third party role;
      
      a user role; and
      
      a read-only role.
  - 10. The method for providing permissions management of claim 1 wherein at least one of the reference tiers represented by the reference tier data is selected from the group of reference tiers consisting of:
    - a development tier;
      
      a pre-production tier;
      
      a production tier;
      
      a web tier;
      
      a staging tier;
      
      an integration tier; and
      
      a security tier.
  - 11. The method for providing permissions management of claim 1 wherein at least one of the reference tiers represented by the reference tier data is an account provided by a cloud infrastructure provider.
  - 12. The method for providing permissions management of claim 11 wherein the account provided by the cloud infrastructure provider is selected from the group of accounts consisting of:
    - a development account;
      
      a performance evaluation account;
      
      a security sandbox account;
      
      a pre-production account;
      
      a production account;
      
      a staging account;
      
      an integration account; and
      
      a security account.
  - 13. The method for providing permissions management of claim 1 wherein at the least one permission associated with each tier represented in the reference tier data is a set of two or more permissions associated with each tier represented in the reference tier data.
  - 14. The method for providing permissions management of claim 13 wherein the set of two or more permissions is selected from the group of sets of two or more permissions consisting of:
    - a super broad permissions set;
      
      a broad permissions set;
      
      a moderate permissions set;
      
      a narrow permissions set;
      
      a forensic permissions set;
      
      a broad forensic permissions set;
      
      a moderate forensic permissions set;
      
      a narrow forensic permissions set;
      
      an administrator permissions set;
      
      a broad administrator permissions set;
      
      a moderate administrator permissions set;
      
      a narrow administrator permissions set;
      
      an integrator permissions set;
      
      a broad integrator permissions set;
      
      a moderate integrator permissions set;
      
      a narrow integrator permissions set;
      
      an end-user permissions set;
      
      a broad end-user permissions set;
      
      a moderate end-user permissions set;
      
      a narrow end-user permissions set;
      
      a read-only permissions set;
      
      a broad read-only permissions set;
      
      a moderate read-only permissions set; and
      
      a narrow read-only permissions set.

15. A method for managing permissions comprising:
- identifying, using a first computing system, one or more roles available to be associated, using a reference architecture pattern, with an individual taking part in the development, and/or deployment, and/or operation of two or more computing system applications;
  
  generating, using the first computing system, role data representing the identified roles;
  
  identifying, using the first computing system, a plurality of reference tiers used to create, and/or deploy, and/or operate a computing system application using the reference architecture pattern, wherein the identified reference tiers include at least a development tier and a production tier;
  
  generating, using the first computing system, reference tier data representing the identified reference tiers;
  
  for each role represented by the role data, associating, using the first computing system, at least one permission with each reference tier represented in the reference tier data;
  
  assigning, to an individual of the first computing system, at least one of the roles represented by the role data;
  
  receiving a task request associated with the individual, the task request including a request to perform a computing task;
  
  determining a risk level associated with a potential performance of the requested computing task, the determined risk level being at least partly based on operating characteristics associated with the requested computing task;
  
  adjusting a permission associated with the individual based on the determined risk level;
  
  determining whether the adjusted permission of the individual meets or exceeds a required permission associated with the requested computing task;
  
  performing, if the adjusted permission of the individual meets or exceeds the required permission associated with the requested computing task, the requested computing task in accordance with the request;
  
  denying the request, if the adjusted permission of the individual fails to meet or exceed the required permission associated with the requested computing task.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The method for managing permissions of claim 15 wherein determining the risk level associated with a potential performance of the requested computing task, the determined risk level being at least partly based on operating characteristics associated with the requested computing task comprises:
    - establishing a baseline risk value;
      
      establishing one or more baseline value ranges of respective operating characteristics associated with a potential performance of the requested computing task, the baseline ranges representing value ranges of the operating characteristics considered to be normal;
      
      determining whether one or more of operating values associated with the request are outside the respective baseline range; and
      
      varying, for each operating value that is outside the respective baseline range, the baseline risk value, resulting in the determined risk level.
  - 17. The method for managing permissions of claim 15 wherein adjusting the permission associated with the individual based on the determined risk level compriseslowering a permission level of the individual if the risk level is higher than normal;
    - increasing the permission level of the individual if the risk level is lower than normal; and
      
      not changing the permission level of the individual if the risk level is unchanged from normal.
  - 18. The method for managing permissions of claim 16 wherein establishing the one or more baseline value ranges of respective operating characteristics associated with the request, the baseline ranges representing value ranges of the operating characteristics considered to be normal comprises:
    - for one or more operating characteristics associated with the request;
      
      analyzing two or more normal values associated with the operating characteristic associated with the request and establishing an upper limit and a lower limit which encompasses a majority of the normal values, the upper and lower limits respectively forming the upper and lower limits of the baseline range.
  - 19. The method for managing permissions of claim 15 wherein the operating characteristics associated with the request include at least one operating characteristic selected from the group of operating characteristics including:
    - an operating characteristic associated with the individual initiating the request;
      
      an operating characteristic associated with a computing system used to originate the request;
      
      a type of computing system used to originate the request;
      
      a configuration of a computing system used to originate the request;
      
      an operating characteristic associated with a computing system used to perform a computing task associated with the request;
      
      an operating characteristic associated with a location of the computing system used to originate the request;
      
      a time of the request;
      
      a day of the request; and
      
      a current computing load associated with a computing system expected to perform the computing task associated with the request.
  - 20. The method for managing permissions of claim 15 further comprisingfor a first one of the reference tiers associated with a first of the one or more computing system applications and represented in the reference tier data, automatically granting the individual a first permission associated with the role assigned to the individual;
    - andfor a second one of the reference tiers associated with a second of the one or more computing system applications and represented in the reference tier data, automatically granting the individual a second permission associated with the role assigned to the individual, wherein the second permission is different from the first permission.
  - 21. The method for providing permissions management of claim 15 wherein at least part of at least one of the computing system applications is to be deployed in a cloud computing environment.
  - 22. The method for providing permissions management of claim 15 wherein at least one of the roles represented by the role data is selected from the group of roles consisting of:
    - a supervisory administrator (SuperAdmin) role;
      
      an administrator (Admin) role;
      
      a security role;
      
      an operator role;
      
      a developer role;
      
      a third party role;
      
      a user role; and
      
      a read-only role.
  - 23. The method for providing permissions management of claim 15 wherein at least one of the reference tiers represented by the reference tier data is selected from the group of reference tiers consisting of:
    - a development tier;
      
      a pre-production tier;
      
      a production tier;
      
      a web tier;
      
      a staging tier;
      
      an integration tier; and
      
      a security tier.
  - 24. The method for providing permissions management of claim 15 wherein at least one of the reference tiers represented by the reference tier data is an account provided by a cloud infrastructure provider.
  - 25. The method for providing permissions management of claim 24 wherein the account provided by the cloud infrastructure provider is selected from the group of accounts consisting of:
    - a development account;
      
      a performance evaluation account;
      
      a security sandbox account;
      
      a pre-production account;
      
      a production account;
      
      a staging account;
      
      an integration account; and
      
      a security account.
  - 26. The method for providing permissions management of claim 15 wherein at the least one permission associated with each tier represented in the reference tier data is a set of two or more permissions associated with each tier represented in the reference tier data.
  - 27. The method for providing permissions management of claim 26 wherein at least one set of two or more permissions associated with each tier represented in the reference tier data is a set of two or more permissions selected from the group of sets of two or more permissions consisting of:
    - a super broad permissions set;
      
      a broad permissions set;
      
      a moderate permissions set;
      
      a narrow permissions set;
      
      a forensic permissions set;
      
      a broad forensic permissions set;
      
      a moderate forensic permissions set;
      
      a narrow forensic permissions set;
      
      an administrator permissions set;
      
      a broad administrator permissions set;
      
      a moderate administrator permissions set;
      
      a narrow administrator permissions set;
      
      an integrator permissions set;
      
      a broad integrator permissions set;
      
      a moderate integrator permissions set;
      
      a narrow integrator permissions set;
      
      an end-user permissions set;
      
      a broad end-user permissions set;
      
      a moderate end-user permissions set;
      
      a narrow end-user permissions set;
      
      a read-only permissions set;
      
      a broad read-only permissions set;
      
      a moderate read-only permissions set; and
      
      a narrow read-only permissions set.

28. A system for providing permissions management comprising:
- an individual access system associated with an individual;
  
  two or more computing system applications to be created, and/or deployed, and/or operated by the individual;
  
  a reference architecture pattern associated with the computing system applications to be created, and/or deployed, and/or operated, the reference architecture pattern including;
  
  role data representing one or more roles to be assigned to individuals taking part in the development, and/or deployment, and/or operation of the computing system applications using the reference architecture pattern;
  
  reference tier data representing reference tiers used to create, and/or deploy, and/or operate the computing system applications using the reference architecture pattern; and
  
  permissions data representing at least one permission assigned to each role represented by the role data for each reference tier represented in the reference tier data;
  
  at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by the at least one processor, perform a process for providing permissions management including;
  
  assigning, using the individual access system, the individual one of the reference architecture pattern roles represented by the role data;
  
  receiving a task request associated with the individual, the task request including a request to perform a computing task;
  
  determining a risk level associated with a potential performance of the requested computing task, the determined risk level being at least partly based on operating characteristics associated with the requested computing task;
  
  adjusting a permission associated with the individual based on the determined risk level;
  
  determining whether the adjusted permission of the individual meets or exceeds a required permission associated with the requested computing task;
  
  performing, if the adjusted permission of the individual meets or exceeds the required permission associated with the requested computing task, the requested computing task in accordance with the request;
  
  denying the request, if the adjusted permission of the individual fails to meet or exceed the required permission associated with the requested computing task.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 29. The method for managing permissions of claim 28 wherein determining the risk level associated with the potential performance of the requested computing task, the determined risk level being at least partly based on operating characteristics associated with the requested computing task comprises:
    - establishing a baseline risk value;
      
      establishing one or more baseline value ranges of respective operating characteristics associated with the potential performance of the requested computing task, the baseline ranges representing value ranges of the operating characteristics considered to be normal;
      
      determining whether one or more of operating values associated with the request are outside the respective baseline range; and
      
      varying, for each operating value that is outside the respective baseline range, the baseline risk value, resulting in the determined risk level.
  - 30. The method for managing permissions of claim 28 wherein adjusting the permission associated with the individual based on the determined risk level compriseslowering a permission level of the individual if the risk level is higher than normal;
    - increasing the permission level of the individual if the risk level is lower than normal; and
      
      not changing the permission level of the individual if the risk level is unchanged from normal.
  - 31. The method for managing permissions of claim 29 wherein establishing the one or more baseline value ranges of respective operating characteristics associated with the request, the baseline ranges representing value ranges of the operating characteristics considered to be normal comprises:
    - for one or more operating characteristics associated with the request;
      
      analyzing two or more normal values associated with the operating characteristic associated with the request and establishing an upper limit and a lower limit which encompasses a majority of the normal values, the upper and lower limits respectively forming the upper and lower limits of a baseline range.
  - 32. The method for managing permissions of claim 28 wherein the operating characteristics associated with the request include at least one operating characteristic selected from the group of operating characteristics including:
    - an operating characteristic associated with the individual initiating the request;
      
      an operating characteristic associated with a computing system used to originate the request;
      
      a type of computing system used to originate the request;
      
      a configuration of a computing system used to originate the request;
      
      an operating characteristic associated with a computing system used to perform a computing task associated with the request;
      
      an operating characteristic associated with a location of the computing system used to originate the request;
      
      a time of the request;
      
      a day of the request; and
      
      a current computing load associated with a computing system expected to perform the computing task associated with the request.
  - 33. The method for managing permissions of claim 28 further comprisingfor a first one of the reference tiers associated with a first of the one or more computing system applications and represented in the reference tier data, automatically granting the individual a first permission associated with the role assigned to the individual;
    - andfor a second one of the reference tiers associated with a second of the one or more computing system applications and represented in the reference tier data, automatically granting the individual a second permission associated with the role assigned to the individual, wherein the second permission is different from the first permission.
  - 34. The method for providing permissions management of claim 28 wherein at least part of at least one of the computing system applications is to be deployed in a cloud computing environment.
  - 35. The method for providing permissions management of claim 28 wherein at least one of the roles represented by the role data is selected from the group of roles consisting of:
    - a supervisory administrator (SuperAdmin) role;
      
      an administrator (Admin) role;
      
      a security role;
      
      an operator role;
      
      a developer role;
      
      a third party role;
      
      a user role; and
      
      a read-only role.
  - 36. The method for providing permissions management of claim 28 wherein at least one of the reference tiers represented by the reference tier data is selected from the group of reference tiers consisting of:
    - a development tier;
      
      a pre-production tier;
      
      a production tier;
      
      a web tier;
      
      a staging tier;
      
      an integration tier; and
      
      a security tier.
  - 37. The method for providing permissions management of claim 28 wherein at least one of the reference tiers represented by the reference tier data is an account provided by a cloud infrastructure provider.
  - 38. The method for providing permissions management of claim 37 wherein the account provided by the cloud infrastructure provider is selected from the group of accounts consisting of:
    - a development account;
      
      a performance evaluation account;
      
      a security sandbox account;
      
      a pre-production account;
      
      a production account;
      
      a staging account;
      
      an integration account; and
      
      a security account.
  - 39. The method for providing permissions management of claim 28 wherein at the least one permission associated with each tier represented in the reference tier data is a set of two or more permissions associated with each tier represented in the reference tier data.
  - 40. The method for providing permissions management of claim 39 wherein at least one set of two or more permissions associated with each tier represented in the reference tier data is a set of two or more permissions selected from the group of sets of two or more permissions consisting of:
    - a super broad permissions set;
      
      a broad permissions set;
      
      a moderate permissions set;
      
      a narrow permissions set;
      
      a forensic permissions set;
      
      a broad forensic permissions set;
      
      a moderate forensic permissions set;
      
      a narrow forensic permissions set;
      
      an administrator permissions set;
      
      a broad administrator permissions set;
      
      a moderate administrator permissions set;
      
      a narrow administrator permissions set;
      
      an integrator permissions set;
      
      a broad integrator permissions set;
      
      a moderate integrator permissions set;
      
      a narrow integrator permissions set;
      
      an end-user permissions set;
      
      a broad end-user permissions set;
      
      a moderate end-user permissions set;
      
      a narrow end-user permissions set;
      
      a read-only permissions set;
      
      a broad read-only permissions set;
      
      a moderate read-only permissions set; and
      
      a narrow read-only permissions set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Lietz, M. Shannon, Cabrera, Luis Felipe, Price, Christian, Nikulshin, Michelle, Godinez, Javier, Philip, Sabu Kuruvila, Rambur, Brad A., Kennedy, Scott Cruickshanks, Naugle, Erik Thomas, Bonney, William Q.
Primary Examiner(s)
Vaughan, Michael R

Application Number

US15/058,521
Publication Number

US 20160182527A1
Time in Patent Office

720 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1433   Vulnerability analysis

H04L 67/00   Network arrangements or pro...

Method and system for providing permissions management

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

249 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing permissions management

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

249 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links