Distributed Environment Controlled Access Facility

US 20030204751A1
Filed: 04/24/2003
Published: 10/30/2003
Est. Priority Date: 04/24/2002
Status: Active Grant

First Claim

Patent Images

1. A distributed control access facility which comprises:

an application interface connected to an application for which access is controlled, to which remote networked users can obtain access and from which authorization requests for the user can be issued;

at least one server comprising an access control facility connected to the application server the access control facility comprising;

a master setup which provides information to the control facility relating to the application and entitlements;

a request for access facility which receives the user request through a user interface, compares user information, to the information in the master setup;

to determine whether the request should be approved; and

an access repository which acts on the information from the access facility and returns the appropriate authorization to the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented web based access control facility for a distributed environment, which allows users to request for access, take the request through appropriate approval work flow and finally make it available to the users and applications. This program also performs an automatic task of verifying the health of data, access control data as well as the entitlements, to avoid malicious user access. The system also provides an active interface to setup a backup, to delegate the duty in absence. Thus this system provides a comprehensive facility to grant, re-certify and control the entitlements and users in a distributed environment.

32 Citations

View as Search Results

30 Claims

1. A distributed control access facility which comprises:
- an application interface connected to an application for which access is controlled, to which remote networked users can obtain access and from which authorization requests for the user can be issued;
  
  at least one server comprising an access control facility connected to the application server the access control facility comprising;
  
  a master setup which provides information to the control facility relating to the application and entitlements;
  
  a request for access facility which receives the user request through a user interface, compares user information, to the information in the master setup;
  
  to determine whether the request should be approved; and
  
  an access repository which acts on the information from the access facility and returns the appropriate authorization to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The facility of claim 1 where the application interface is connected to a plurality of applications residing on a plurality of servers.
  - 3. The facility of claim 1 wherein the master setup also comprises an administration interface from which information regarding the application name, application description, entitlements, application levels may be defined.
  - 4. The facility of claim 3 wherein the access repository also has the ability to issue access to an application based on the application level a user is entitled.
  - 5. The facility of claim 1 wherein the entitlement comprises:
    - an entitlement name;
      
      an entitlement description;
      
      level of approvers; and
      
      active dates.
  - 6. The facility of claim 1 wherein the entitlement comprises:
    - a separation of duties check and entitlement types.
  - 7. The facility of claim 1 wherein entitlements are grouped into projects, and a user can receive approval on a project basis.
  - 8. The facility of claim 1 wherein the master setup also comprises a separation of duties matrix which is defined by an actor comprise a grid of applications and entitlements and flags at intersections.
  - 9. The facility of claim 1 where the master setup provides for the definition of approvers by owners of the application.
  - 10. The facility of claim 9 wherein the approvers the master setup also provides for the type of users the approvers will approve.
  - 11. The facility of claim 10 wherein the master setup contains entitlements for both internal and external users.
  - 12. The facility of claim 1 also comprising a user interface that provides for a registration form.
  - 13. The facility of claim 12 wherein the registration form and master setup provides for a userid.
  - 14. The master setup of claim 13 wherein the master setup provides for revoking the userid.
  - 15. The master setup of claim 1 wherein the master setup provides for re-certification of entitlements.

16. A distributed control access facility which comprises:
- a plurality of servers that are networked;
  
  at least one of the servers comprising an application for which access is controlled, to which remote networked users can obtain access and from which authorization requests for the user can be issued;
  
  at least one of the servers comprising an access control facility connected to the application server the access control facility comprising;
  
  a master setup which provides information to the control facility relating to the application and entitlements;
  
  a request for access facility which receives the user request through a user interface, compares user information, to the information in the master setup;
  
  to determine whether the request should be approved; and
  
  an access repository which acts on the information from the access facility and returns the appropriate authorization to the application.

17. A method for controlling access to an application in a distributed computer networked environment, the networked environment comprising an application area and a distributed access control facility, comprising the steps of:
- submitting a user request for access to an application;
  
  issuing through the application the request to the distributed access control facility along with pertinent user information;
  
  performing a separation of duties check based on the application and the user information;
  
  determining the type of user;
  
  seeking separation of duties approval based on type of user; and
  
  providing for an override if the user failed the override.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 wherein the types of users comprise external and internal users.
  - 19. The method of claim 18 also comprising the step of routing the external user request to a point of contact.
  - 20. The method of claim 19 also comprising the step of routing the internal user through an approval process in the internal user failed the separation of duties check.

21. A method for controlling access to an application in a distributed computer networked environment, the networked environment comprising an application area and a distributed access control facility, comprising the steps of:
- attempting through a user to access an application in the application area;
  
  requesting through the application area information regarding the user;
  
  sending through the application area an authorization request;
  
  comparing the information received from the application area and the application to information created in the distributed access control facility in an access repository;
  
  sending the results of such comparison to the application, and having the application grant access to the application based on the results of such comparison.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21 wherein the step of sending the results of such comparison also comprises providing the level of access the user has to such application.
  - 23. The method of claim 21 wherein the information created in the distributed access control facility comprises a user entitlement for the application and the step of comparing determines the user entitlement for the application.
  - 24. The method of claim 23 wherein the information created in the distributed access control facility comprises a separation of duties matrix formed using a plurality of user entitlements and applications.
  - 25. The method of claim 24 also comprising the step of performing a separation of duties check.

26. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for controlling access to an application in a distributed computer networked environment, the networked environment comprising an application area and a distributed access control facility, the method comprising the steps of:
- attempting through a user to access an application in the application area;
  
  requesting through the application area information regarding the user;
  
  sending through the application area an authorization request;
  
  comparing the information received from the application area and the application to information created in the distributed access control facility in an access repository;
  
  sending the results of such comparison to the application, and having the application grant access to the application based on the results of such comparison.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The method of claim 26 wherein the step of sending the results of such comparison also comprises providing the level of access the user has to such application.
  - 28. The method of claim 26 wherein the information created in the distributed access control facility comprises a user entitlement for the application and the step of comparing determines the user entitlement for the application.
  - 29. The method of claim 28 wherein the information created in the distributed access control facility comprises a separation of duties matrix formed using a plurality of user entitlements and applications.
  - 30. The method of claim 29 also comprising the step of performing a separation of duties check.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kanwar, Rinku, Jindani, Rahul, Krishnamurthy, Jay, Kannoth, Vinod, Kanwar, Deepak, Mehta, Sandeep, Ravipati, Ravi K., Peachey-Kountz, Penny J., McKee, Gregory L.

Granted Patent

US 7,464,400 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/102 Entity profiles

Distributed Environment Controlled Access Facility

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed Environment Controlled Access Facility

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links