Rule based data management

US 7,467,142 B2
Filed: 12/20/2002
Issued: 12/16/2008
Est. Priority Date: 07/11/2002
Status: Active Grant

First Claim

Patent Images

1. A method for performing rule-based identity management, comprising:

receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule for a first attribute having one or more dynamic variables for a first attribute;

receiving an attribute value for a second attribute of the identity profile object;

accessing the class for the identity profile object;

reading the rule having one or more dynamic variables from the class;

automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule;

automatically applying the attribute value rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;

identifying additional data based on the filter, wherein identifying the additional data comprises;

using the filter to perform a query against the directory with the first-data to find a set of one or more objects in the directory matching the filter;

receiving an identification of a particular attribute in each of the one or more objects matching the filter;

accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;

displaying, for a user, the list of one or more values; and

receiving a selection of one or more values from the list of values; and

adding the additional data to the identity profile, wherein the step of adding includes adding the selected one or more values to the first attribute in the identity profile.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data is acquired for an Identity System based on a one or more rules. The data can be from the same Identity System Component, another Identity System Component or a component external to the Identity System. The acquired data can be used to populate an Identity Profile, configure a workflow, or provide information to any other object, process, component, etc. of the Identity System. In one embodiment, the present invention combines dynamic identity value substitution and directory filter rules to enable rule based identity management. It enables dynamic population of identity data and real-time routing for identity management workflows. In other embodiments, the present invention can be applied to systems other than Identity Systems.

164 Citations

33 Claims

1. A method for performing rule-based identity management, comprising:
- receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule for a first attribute having one or more dynamic variables for a first attribute;
  
  receiving an attribute value for a second attribute of the identity profile object;
  
  accessing the class for the identity profile object;
  
  reading the rule having one or more dynamic variables from the class;
  
  automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule;
  
  automatically applying the attribute value rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
  
  identifying additional data based on the filter, wherein identifying the additional data comprises;
  
  using the filter to perform a query against the directory with the first-data to find a set of one or more objects in the directory matching the filter;
  
  receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  
  accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  
  displaying, for a user, the list of one or more values; and
  
  receiving a selection of one or more values from the list of values; and
  
  adding the additional data to the identity profile, wherein the step of adding includes adding the selected one or more values to the first attribute in the identity profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10)
- - 2. A method according to claim 1, further comprising:
    - receiving the rule; and
      
      receiving the attribute identification.
  - 3. A method according to claim 1, wherein:
    - the additional data includes one or more job codes.
  - 4. A method according to claim 1, wherein:
    - the additional data includes an identification of a resource external to a system that is performing the steps of accessing, applying, identifying and adding.
  - 5. A method according to claim 1, wherein:
    - the additional data includes an identification of a first resource.
  - 6. A method according to claim 1, wherein:
    - identifying additional data includes using the rule to search for control information about a set of resources.
  - 7. A method according to claim 5, further comprising:
    - sending a request for the first resource in response to the step of adding.
  - 8. A method according to claim 5, further comprising:
    - provisioning a task related to the first resource in response to the additional data.
  - 10. A method according to claim 1, wherein:
    - the method is at least partially performed by an integrated Identity System and Access System.

9. A method for performing rule-based identity management, the method comprising:
- receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables;
  
  accessing the class for the identity profile object;
  
  reading the rule having one or more dynamic variables from the class, wherein the class defines one or more dynamic variables comprising a first dynamic variable that corresponds to a region attribute, a second dynamic variable that corresponds to an organization attribute, and a third dynamic variable that corresponds to a group attribute in the identity profile object for the entity;
  
  receiving a first set of attribute values for the first dynamic variable, the second dynamic variable, and the third dynamic variable of the identity profile object;
  
  storing the first set of attribute values;
  
  automatically accessing the attribute values for the first group of dynamic variables of the identity profile object based on the dynamic variable in the ruleautomatically applying the first set of attribute values to the rule by replacing the first dynamic variable with a value stored for the region attribute, replacing the second dynamic variable with a value stored for the organization attribute and replacing the third dynamic variable with a value stored for the group attribute in the identity profile object to create a filter;
  
  identifying additional data based on the filter, wherein identifying the additional data comprises;
  
  using the filter to perform a query against the directory with the first set of attribute values to find a set of one or more objects in the directory matching filter;
  
  receiving an identification of a particular attribute in each of the one or more objects matching the filter, wherein the particular attribute refers to manager name;
  
  accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  
  displaying, for a user, the list of one or more values; and
  
  receiving a selection of one or more manager names; and
  
  adding the additional data to the identity profile, wherein the step of adding includes adding at least one of the manager names to the identity profile.

11. A method for performing rule-based identity management, the method comprising:
- receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables for a first attribute;
  
  receiving an attribute value for a second attribute of the identity profile object;
  
  accessing the class for the identity profile object;
  
  reading the rule having one or more dynamic variables from the class;
  
  automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule and the identity profile object being accessed as part of a workflow;
  
  automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
  
  identifying additional data based on the filter, wherein identifying the additional data comprises;
  
  using the filter to perform a query against the directory with the first data to find a set of one or more objects in the directory matching the filter;
  
  receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  
  accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  
  displaying, for a user, the list of one or more values; and
  
  receiving a selection of one or more values from the list of one or more values; and
  
  using the additional data to perform the work flow, wherein the additional data comprises the selected one or more values.
- View Dependent Claims (12, 13, 14, 15)
- - 12. A method according to claim 11, wherein:
    - using the additional data includes contracting entities identified with the additional data.
  - 13. A method according to claim 11, wherein:
    - identifying additional data comprises evaluating whether a second identity profile satisfies the rule with the first data.
  - 14. A method according to claim 13, further comprising:
    - starting the workflow; and
      
      adding attribute data to the first identity profile, the attribute data includes the first data, the step of using includes providing for a first entity to perform a step of the workflow.
  - 15. A method according to claim 11, wherein:
    - the method is at least partially performed by an integrated Identity System and Access System.

16. One or more processor readable storage devices having processor readable code embodied on the processor readable storage devices, the processor readable code for programming one or more:
- processors, the processor readable code comprising;
  
  code for receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables for a first attribute;
  
  code for receiving an attribute value for a second attribute of the identity profile object;
  
  code for accessing the class for the identity profile object;
  
  code for reading the rule having one or more dynamic variables from the class;
  
  code for automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule;
  
  code for automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
  
  code for identifying additional data based on the filter, wherein the code for identifying the additional data comprises;
  
  code for using the filter to perform a query against the directory with the first data to find a set of one or more objects in the directory matching the filter;
  
  code for receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  
  code for accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  
  code for displaying, for a user, the list of one or more values; and
  
  code for receiving a selection of one or more values from the list of values; and
  
  code for adding the additional data to the identity profile, wherein the code for adding includes adding s the elected one or more values to the first attribute in the identity profile.
- View Dependent Claims (17, 18)
- - 17. One or more processor readable storage devices according to claim 16, wherein:
    - the additional data includes an identification of a first resource; and
      
      the processor readable code further includes code for provisioning a task related to the first resource in response to the additional data.
  - 18. One ore more processor readable storage devices according to claim 16, wherein:
    - the processor readable code at least partially implements an integrated Identity System and Access System.

19. One or more processor readable storage devices having processor readable code embodied on the processor readable storage devices, the processor readable code for programming one or more:
- processors, the processor readable code comprising;
  
  code for receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables for a first attribute;
  
  code for receiving an attribute value for a second attribute of the identity profile object;
  
  code for accessing the class for the identity profile object;
  
  code for reading the rule having one or more dynamic variables from the class;
  
  code for automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule and the identity profile object being accessed as part of a workflow;
  
  code for automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
  
  code for identifying additional data based on the filter, wherein the code for identifying the additional data comprises;
  
  code for using the filter to perform a query against the directory with the first data to find a set one or more objects in the directory matching filter;
  
  code for receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  
  code for accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  
  code for displaying, for a user, the list of one or more values; and
  
  code for receiving a selection of one or more values from the list of values; and
  
  code for using the additional data to perform the work flow, wherein the additional data comprises the selected one or more values.
- View Dependent Claims (20, 21)
- - 20. One or more processor readable storage devices according to claim 19, wherein the processor readable code further comprises:
    - code for starting the workflow; and
      
      code for adding attribute data to the first identity profile, the attribute data includes the first data, the code for using includes code for providing for a first entity to perform a step of the workflow, the code for identifying additional data comprises code for evaluating whether a second identity profile satisfies the rule with the first data.
  - 21. One or more processor readable storage devices according to claim 19, wherein:
    - the processor readable code at least partially implements an integrated Identity System and Access System.

22. An Identity System, comprising:
- one or more storage devices; and
  
  one or more processor wherein the storage devices comprise processor readable code executable by the processor(s), the processor readable code comprising;
  
  code for receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables for a first attribute;
  
  code for receiving an attribute value for a second attribute of the identity profile object;
  
  code for accessing the class for the identity profile object;
  
  code for reading the rule having one or more dynamic variables from the class;
  
  code for automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule;
  
  code for automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
  
  code for identifying additional data based on the filter, wherein the code for identifying the additional data comprises;
  
  code for using the filter to perform a query against the directory with first data to find a set of one or more objects in the directory matching the filter;
  
  code for receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  
  code for accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  
  code for displaying, for a user, the list of one or more values; and
  
  code for receiving a selection of one or more values from the list of values; and
  
  code for adding the additional data to the identity profile, wherein the code for adding includes code for adding the selected one or more values to the first attribute in the identity profile.
- View Dependent Claims (23, 24)
- - 23. An Identity System according to claim 22, wherein:
    - the additional data includes an identification of a first resource; and
      
      the processor readable code further includes code for provisioning a task related to the first resource in response to the additional data.
  - 24. An Identity System according to claim 23, further comprising:
    - a provisioning bridge, the provisioning bridge includes the code for provisioning a task.

25. An Identity System, comprising:
- one or more storage devices; and
  
  one or more processor wherein the storage devices comprise processor readable code executable by the processor(s), the processor readable code comprising;
  
  code for receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables for a first attribute;
  
  code for receiving an attribute value for a second attribute of the identity profile object;
  
  code for accessing the class for the identity profile object;
  
  code for reading the rule having one or more dynamic variables from the class;
  
  code for automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule and the identity profile object being accessed as part of a workflow;
  
  code for automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
  
  code for identifying additional data based on the filter, wherein the code for identifying the additional data comprises;
  
  code for using the filter to perform a query against the directory with the first data to find a set of one or more objects in the directory matching the filter;
  
  code for receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  
  code for accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  
  code for displaying, for a user, the list of one or more values; and
  
  code for receiving a selection of one or more values from the list of values; and
  
  code for using the additional data to perform the work flow, wherein the additional data comprises the selected one or more values.
- View Dependent Claims (26, 27, 28)
- - 26. An Identity System according to claim 25, wherein the processor readable code further comprises:
    - code for starting the workflow; and
      
      code for adding attribute data to the first identity profile, the attribute data includes the first data, the code for using includes code for providing for a first entity to perform a step of the workflow, the code for identifying additional data comprises code for evaluating whether a second identity profile satisfies the rule with the first data.
  - 27. A method according to claim 25, wherein the directory resides on a directory server.
  - 28. A method according to claim 25, wherein the directory supports lightweight directory access protocol (“
    - LDAP”
      
      ).

29. A method for performing rule based identity management in an identity system, the identity system being configured to provide identity management services for a network, the method comprising:
- receiving, at the identity system, a request to create an identity profile for a user, wherein the identity profile is stored as an object in a directory, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein each attribute being configured to store information about the user, wherein the class defines the rule having one or more dynamic variables for a first attribute;
  
  providing a template that comprises an indication of one or more attributes for which values are to be provided;
  
  receiving an attribute value for a second attribute of the identity profile object;
  
  accessing the class for the identity profile object;
  
  reading the rule having one or more dynamic variables from the classautomatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule;
  
  automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
  
  identifying additional data based on the filter, wherein identifying the additional data comprises;
  
  using the filter to perform a query against the directory with the first data to find a set of one or more objects in a directory matching the filter,receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  
  accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  
  displaying, for a user, the list of one or more values; and
  
  receiving a selection of a first attribute value for the first attribute, from the list of values;
  
  creating the identity profile comprising the first attribute having the first attribute value and the second attribute having the second attribute value; and
  
  saving the identity profile object in the directory.
- View Dependent Claims (30, 31, 32, 33)
- - 30. A method as recited by claim 29, wherein selecting a second attribute value comprises:
    - displaying, for a user, attributes from the plurality of objects; and
      
      allowing a user to select an attribute from the one of the plurality of object.
  - 31. A method as recited by claim 29, wherein selecting a second attribute value comprises selecting a second attribute value without user input.
  - 32. A method as recited by claim 29, wherein the request to add data to the first attribute in the identity profile comprises a request to create a new identity profile.
  - 33. A method as recited by claim 32, wherein creating a new identity profile comprises:
    - accessing an object class information;
      
      providing a template of attributes to the requester, wherein the template provides an indication of the attribute that need to be filled in; and
      
      receiving an initial value for the attribute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Remahl, Thomas B., Sinn, Richard P., Tsang, Andy M.
Primary Examiner(s)
Corrielus; Jean M.
Assistant Examiner(s)
COLAN, GIOVANNA B

Application Number

US10/327,607
Publication Number

US 20040010519A1
Time in Patent Office

2,188 Days
Field of Search

707/3, 707/1, 707/9, 707/10, 707/201, 707/202, 707/205, 705/14, 705/36, 726/13, 709/202, 709/224, 709/225, 709/227
US Class Current

1/1
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06F 21/31   User authentication

G06F 21/62   Protecting access to data v...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2101   Auditing as a secondary aspect

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99952   Coherency, e.g. same view t...

Y10S 707/99953   Recoverability

Rule based data management

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

164 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Rule based data management

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

164 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links