Access requests at IAM system implementing IAM data model

US 10,491,633 B2
Filed: 01/25/2017
Issued: 11/26/2019
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing computing access rights, the method comprising:

storing, at a data store of a computing device, access right information that indicates (i) for each user of a plurality of users, a set of access rights, wherein each access right of the set of access rights is associated with one of a plurality of computing resources of a computing system, and (ii) for each user of a plurality of users, one of a plurality of business units the user is associated with;

storing, at the data store of a computing device, business unit information that indicates (i) a plurality of business units and (ii) a business unit hierarchy, wherein individual business units of the plurality of business units are related to at least one other business unit of the plurality of business units and positioned either above or below the at least one other business unit in the business unit hierarchy;

receiving, by the computing device, a request to modify one or more access rights associated with the computing system, the request specifying (i) the one or more access rights to be modified, (ii) a business unit of the plurality of business units, that is associated with one or more users, of the plurality of users, that are associated with the one or more access rights to be modified, and (iii) a direction of the business unit hierarchy;

modifying, by the computing device, the one or more access rights specified in the request for at least one of the one or more users that are associated with the business unit specified in the request;

determining, by the computing device, a related business unit that is related to the business unit specified in the request based on the business unit hierarchy and the direction of the business unit hierarchy; and

modifying, by the computing device, the one or more access rights specified in the request for at least one of the plurality of users that is associated with the related business unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification.

341 Citations

20 Claims

1. A computer-implemented method for managing computing access rights, the method comprising:
- storing, at a data store of a computing device, access right information that indicates (i) for each user of a plurality of users, a set of access rights, wherein each access right of the set of access rights is associated with one of a plurality of computing resources of a computing system, and (ii) for each user of a plurality of users, one of a plurality of business units the user is associated with;
  
  storing, at the data store of a computing device, business unit information that indicates (i) a plurality of business units and (ii) a business unit hierarchy, wherein individual business units of the plurality of business units are related to at least one other business unit of the plurality of business units and positioned either above or below the at least one other business unit in the business unit hierarchy;
  
  receiving, by the computing device, a request to modify one or more access rights associated with the computing system, the request specifying (i) the one or more access rights to be modified, (ii) a business unit of the plurality of business units, that is associated with one or more users, of the plurality of users, that are associated with the one or more access rights to be modified, and (iii) a direction of the business unit hierarchy;
  
  modifying, by the computing device, the one or more access rights specified in the request for at least one of the one or more users that are associated with the business unit specified in the request;
  
  determining, by the computing device, a related business unit that is related to the business unit specified in the request based on the business unit hierarchy and the direction of the business unit hierarchy; and
  
  modifying, by the computing device, the one or more access rights specified in the request for at least one of the plurality of users that is associated with the related business unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein:
    - modifying the one or more access rights specified in the request for the one or more users that are associated with the business unit specified in the request comprises modifying the one or more access rights specified in the request for all of the one or more users that are associated with the business unit specified in the request.
  - 3. The computer-implemented method of claim 1, further comprising:
    - determining, by the computing device, a second related business unit that is related to the business unit specified in the request based on the business unit hierarchy and the direction of the business unit hierarchy, wherein the direction of the business unit hierarchy is down; and
      
      modifying, by the computing device, the one or more access rights specified in the request for at least one of the plurality of users that is associated with the second related business unit.
  - 4. The computer-implemented method of claim 1, further comprising:
    - determining, by the computing device, a second related business unit that is related to the business unit specified in the request based on the business unit hierarchy, the direction of the business unit hierarchy, and a distance of the business unit hierarchy that is specified in the request; and
      
      modifying, by the computing device, the one or more access rights specified in the request for at least one of the plurality of users that is associated with the second related business unit.
  - 5. The computer-implemented method of claim 1, wherein:
    - modifying the one or more access rights specified in the request comprises, for each access right of the one or more access rights, provisioning access to a computing resource of the plurality of computing resources of the computing system.
  - 6. The computer-implemented method of claim 5, further comprising:
    - creating one or more provisioning records indicating the access provisioned to the computing resource.
  - 7. The computer-implemented method of claim 1, wherein:
    - the one or more access rights specified in the request comprise a logical permission.
  - 8. The computer-implemented method of claim 7, further comprising:
    - obtaining, by the computing device and based the logical permission, a physical entitlement specification for a computing resource of the plurality of computing resources of the computing system, wherein the physical entitlement specification indicates at least one physical entitlement for the computing resource.

9. A computing device for managing computing access rights, the computing device comprising:
- at least one processor;
  
  a data store storing;
  
  access right information that indicates (i) for each user of a plurality of users, a set of access rights, wherein each access right of the set of access rights is associated with one of a plurality of computing resources of a computing system, and (ii) for each user of a plurality of users, one of a plurality of business units the user is associated with; and
  
  business unit information that indicates (i) a plurality of business units and (ii) a business unit hierarchy, wherein individual business units of the plurality of business units are related to at least one other business unit of the plurality of business units and positioned either above or below the at least one other business unit in the business unit hierarchy;
  
  memory storing computer-executable instructions that, when executed by the at least one processor, cause the computing device to;
  
  receive a request to modify one or more access rights associated with the computing system, the request specifying (i) the one or more access rights to be modified, (ii) a business unit of the plurality of business units, that is associated with one or more users, of the plurality of users, that are associated with the one or more access rights to be modified, and (iii) a direction of the business unit hierarchy;
  
  modify the one or more access rights specified in the request for at least one of the one or more users that are associated with the business unit specified in the request;
  
  determine a related business unit that is related to the business unit specified in the request based on the business unit hierarchy and the direction of the business unit hierarchy; and
  
  modify the one or more access rights specified in the request for at least one of the plurality of users that is associated with the related business unit.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computing device of claim 9, wherein:
    - modifying the one or more access rights specified in the request for the one or more users that are associated with the business unit specified in the request comprises modifying the one or more access rights specified in the request for all of the one or more users that are associated with the business unit specified in the request.
  - 11. The computing device of claim 9, wherein:
    - the instructions, when executed, further cause the computing device to;
      
      determine a second related business unit that is related to the business unit specified in the request based on the business unit hierarchy and the direction of the business unit hierarchy, wherein the direction of the business unit hierarchy is down; and
      
      modify the one or more access rights specified in the request for at least one of the plurality of users that is associated with the second related business unit.
  - 12. The computing device of claim 9, wherein:
    - the instructions, when executed, further cause the computing device to;
      
      determine a second related business unit that is related to the business unit specified in the request based on the business unit hierarchy, the direction of the business unit hierarchy, and a distance of the business unit hierarchy that is specified in the request; and
      
      modify the one or more access rights specified in the request for at least one of the plurality of users that is associated with the second related business unit.
  - 13. The computing device of claim 9, wherein:
    - modifying the one or more access rights specified in the request comprises, for each access right of the one or more access rights, provisioning access to a computing resource of the plurality of computing resources of the computing system.
  - 14. The computing device of claim 9, wherein:
    - the one or more access rights specified in the request comprise a logical permission; and
      
      the instructions, when executed, further cause the computing device to obtain, based on the logical permission, a physical entitlement specification for a computing resource of the plurality of computing resources of the computing system, wherein the physical entitlement specification indicates at least one physical entitlement for the computing resource.

15. Non-transitory computer-readable media storing computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- store, at a data store of a computing device, access right information that indicates (i) for each user of a plurality of users, a set of access rights, wherein each access right of the set of access rights is associated with one of a plurality of computing resources of a computing system, and (ii) for each user of a plurality of users, one of a plurality of business units the user is associated with;
  
  store, at the data store of a computing device, business unit information that indicates (i) a plurality of business units and (ii) a business unit hierarchy, wherein individual business units of the plurality of business units are related to at least one other business unit of the plurality of business units and positioned either above or below the at least one other business unit in the business unit hierarchy;
  
  receive a request to modify one or more access rights associated with the computing system, the request specifying (i) the one or more access rights to be modified, (ii) a business unit of the plurality of business units, that is associated with one or more users, of the plurality of users, that are associated with the one or more access rights to be modified, and (iii) a direction of the business unit hierarchy;
  
  modify the one or more access rights specified in the request for at least one of the one or more users that are associated with the business unit specified in the request;
  
  determine a related business unit that is related to the business unit specified in the request based on the business unit hierarchy and the direction of the business unit hierarchy; and
  
  modify the one or more access rights specified in the request for at least one of the plurality of users that is associated with the related business unit.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable media of claim 15, wherein:
    - modifying the one or more access rights specified in the request for the one or more users that are associated with the business unit specified in the request comprises modifying the one or more access rights specified in the request for all of the one or more users that are associated with the business unit specified in the request.
  - 17. The non-transitory computer-readable media of claim 15, wherein the instructions, when executed, further cause the computing device to:
    - determine a second related business unit that is related to the business unit specified in the request based on the business unit hierarchy and the direction of the business unit hierarchy, wherein the direction of the business unit hierarchy is down; and
      
      modify the one or more access rights specified in the request for at least one of the plurality of users that is associated with the second related business unit.
  - 18. The non-transitory computer-readable media of claim 15, wherein the instructions, when executed, further cause the computing device to:
    - determine a second related business unit that is related to the business unit specified in the request based on the business unit hierarchy, the direction of the business unit hierarchy, and a distance of the business unit hierarchy that is specified in the request; and
      
      modify the one or more access rights specified in the request for at least one of the plurality of users that is associated with the second related business unit.
  - 19. The non-transitory computer-readable media of claim 15, wherein:
    - modifying the one or more access rights specified in the request comprises, for each access right of the one or more access rights, provisioning access to a computing resource of the plurality of computing resources of the computing system.
  - 20. The non-transitory computer-readable media of claim 15, wherein:
    - the one or more access rights specified in the request comprise a logical permission; and
      
      the instructions, when executed, further cause the computing device to obtain, based on the logical permission, a physical entitlement specification for a computing resource of the plurality of computing resources of the computing system, wherein the physical entitlement specification indicates at least one physical entitlement for the computing resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kling, John, Thompson, Bryan, Green, Ward
Primary Examiner(s)
Le, Thu Nguyet T

Application Number

US15/414,747
Publication Number

US 20170134435A1
Time in Patent Office

1,035 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06Q 10/10   Office automation; Time man...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Access requests at IAM system implementing IAM data model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

341 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access requests at IAM system implementing IAM data model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

341 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links