Rule based data management
First Claim
1. A method for performing rule-based identity management, comprising:
- receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule for a first attribute having one or more dynamic variables for a first attribute;
- receiving an attribute value for a second attribute of the identity profile object;
- accessing the class for the identity profile object;
- reading the rule having one or more dynamic variables from the class;
- automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule;
- automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
- identifying additional data based on the filter, wherein identifying the additional data comprises:
  - using the filter to perform a query against the directory with the first data to find a set of one or more objects in the directory matching the filter;
  - receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  - accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  - displaying, for a user, the list of one or more values; and
  - receiving a selection of one or more values from the list of values; and
- adding the additional data to the identity profile, wherein the step of adding includes adding the selected one or more values to the first attribute in the identity profile.
Abstract
Data is acquired for an Identity System based on a one or more rules. The data can be from the same Identity System Component, another Identity System Component or a component external to the Identity System. The acquired data can be used to populate an Identity Profile, configure a workflow, or provide information to any other object, process, component, etc. of the Identity System. In one embodiment, the present invention combines dynamic identity value substitution and directory filter rules to enable rule based identity management. It enables dynamic population of identity data and real-time routing for identity management workflows. In other embodiments, the present invention can be applied to systems other than Identity Systems.
Claims (33 claims; 164 citations)
1. A method for performing rule-based identity management (independent claim; its full text is given above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 10.
9. A method for performing rule-based identity management, the method comprising:
- receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables;
- accessing the class for the identity profile object;
- reading the rule having one or more dynamic variables from the class, wherein the class defines one or more dynamic variables comprising a first dynamic variable that corresponds to a region attribute, a second dynamic variable that corresponds to an organization attribute, and a third dynamic variable that corresponds to a group attribute in the identity profile object for the entity;
- receiving a first set of attribute values for the first dynamic variable, the second dynamic variable, and the third dynamic variable of the identity profile object;
- storing the first set of attribute values;
- automatically accessing the attribute values for the first group of dynamic variables of the identity profile object based on the dynamic variable in the rule;
- automatically applying the first set of attribute values to the rule by replacing the first dynamic variable with a value stored for the region attribute, replacing the second dynamic variable with a value stored for the organization attribute and replacing the third dynamic variable with a value stored for the group attribute in the identity profile object to create a filter;
- identifying additional data based on the filter, wherein identifying the additional data comprises:
  - using the filter to perform a query against the directory with the first set of attribute values to find a set of one or more objects in the directory matching the filter;
  - receiving an identification of a particular attribute in each of the one or more objects matching the filter, wherein the particular attribute refers to manager name;
  - accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  - displaying, for a user, the list of one or more values; and
  - receiving a selection of one or more manager names; and
- adding the additional data to the identity profile, wherein the step of adding includes adding at least one of the manager names to the identity profile.
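The rule mechanism that the abstract and claim 1 describe, instantiated with the region/organization/group rule and the manager-name attribute of claim 9, as an added example: this is not code from the patent or from any product implementing it. It assumes an LDAP-style filter syntax for the rule stored on the class, `$name` as the notation for a dynamic variable, an in-memory list of dicts standing in for the directory, and case-insensitive attribute matching; the directory entries and the profile under creation are constructed. The step a practitioner should look at is the substitution: the profile's attribute value is escaped per RFC 4515 before it replaces the variable, so a value containing `*`, `(` or `)` cannot change the shape of the filter and so cannot widen the query beyond what the rule's author intended.

```python
import re

# Constructed sample directory standing in for the directory server; each dict is
# one object and its keys are the object's attributes.
DIRECTORY = [
    {"cn": "bob", "region": "EMEA", "ou": "Engineering", "group": "Platform", "managerName": "Dana Ortiz"},
    {"cn": "carol", "region": "EMEA", "ou": "Engineering", "group": "Platform", "managerName": "Hank Wu"},
    {"cn": "dave", "region": "EMEA", "ou": "Engineering", "group": "Security", "managerName": "Evan Park"},
    {"cn": "erin", "region": "APAC", "ou": "Engineering", "group": "Platform", "managerName": "Fay Lin"},
    {"cn": "frank", "region": "EMEA", "ou": "Sales", "group": "Platform", "managerName": "Gus Hill"},
    {"cn": "grace", "region": "EMEA", "ou": "Engineering", "group": "Platform"},  # no manager recorded
]

# Rule stored on the profile's class: a filter template whose $variables (assumed
# notation) name attributes of the profile being populated.
MANAGER_RULE = "(&(region=$region)(ou=$organization)(group=$group))"

# Constructed profile under creation; the user has entered these attributes and
# the rule will propose values for the manager attribute.
NEW_PROFILE = {"cn": "newhire", "region": "EMEA", "organization": "Engineering", "group": "Platform"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: filter metacharacters become a backslash plus two hex digits,
    so a substituted value can never open, close or wildcard a filter component."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(rule: str, profile: dict) -> str:
    """Replace each $variable in the rule with the escaped value of that profile attribute."""
    def substitute(match):
        name = match.group(1)
        if name not in profile:
            raise KeyError(f"rule references attribute {name!r} that the profile lacks")
        return escape_filter_value(str(profile[name]))
    return re.sub(r"\$(\w+)", substitute, rule)


def parse_filter(text: str):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', attr, value) nodes.
    Because substituted values are escaped, the first ')' after an attribute name
    always closes that component, which is what keeps this parser small."""
    pos = 0

    def component():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(component())
            pos += 1  # consume the closing ')'
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    tree = component()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def unescape_filter_value(value: str) -> str:
    """Turn \\XX hex escapes back into characters (single-byte escapes only)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def value_matches(pattern: str, actual: str) -> bool:
    """Match an assertion value against an attribute value; an unescaped '*' is a wildcard.
    Splitting on '*' before unescaping keeps an escaped \\2a a literal asterisk."""
    pieces = [re.escape(unescape_filter_value(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual, flags=re.IGNORECASE) is not None


def evaluate(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(child, entry) for child in node[1])
    if kind == "|":
        return any(evaluate(child, entry) for child in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    actual = entry.get(node[1])
    return actual is not None and value_matches(node[2], str(actual))


def candidate_values(rule: str, profile: dict, directory: list, target_attr: str) -> list:
    """The claimed steps in order: substitute profile values into the rule, query the
    directory with the resulting filter, and collect the named attribute from each match.
    Returns the distinct values, in directory order, that would be shown for selection."""
    tree = parse_filter(build_filter(rule, profile))
    values = []
    for entry in directory:
        if evaluate(tree, entry) and target_attr in entry and entry[target_attr] not in values:
            values.append(entry[target_attr])
    return values


if __name__ == "__main__":
    print(build_filter(MANAGER_RULE, NEW_PROFILE))
    print(candidate_values(MANAGER_RULE, NEW_PROFILE, DIRECTORY, "managerName"))
```

For the constructed profile the built filter is `(&(region=EMEA)(ou=Engineering)(group=Platform))` and the list offered to the user is `['Dana Ortiz', 'Hank Wu']`; `grace` matches the filter but has no manager recorded, so she contributes nothing. Wildcards remain available to whoever writes the rule (a rule of `(ou=Eng*)` still matches `Engineering`), but a profile value of `*` is substituted as `\2a` and matches only an attribute whose literal value is an asterisk, which is the property to check for in any implementation of this pattern: the rule defines the query's shape, and user-supplied attribute values can only ever fill in its literals.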
11. A method for performing rule-based identity management, the method comprising:
- receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables for a first attribute;
- receiving an attribute value for a second attribute of the identity profile object;
- accessing the class for the identity profile object;
- reading the rule having one or more dynamic variables from the class;
- automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule and the identity profile object being accessed as part of a workflow;
- automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
- identifying additional data based on the filter, wherein identifying the additional data comprises:
  - using the filter to perform a query against the directory with the first data to find a set of one or more objects in the directory matching the filter;
  - receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  - accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  - displaying, for a user, the list of one or more values; and
  - receiving a selection of one or more values from the list of one or more values; and
- using the additional data to perform the workflow, wherein the additional data comprises the selected one or more values.
Dependent claims: 12, 13, 14, 15.
16. One or more processor readable storage devices having processor readable code embodied on the processor readable storage devices, the processor readable code for programming one or more processors, the processor readable code comprising:
- code for receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables for a first attribute;
- code for receiving an attribute value for a second attribute of the identity profile object;
- code for accessing the class for the identity profile object;
- code for reading the rule having one or more dynamic variables from the class;
- code for automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule;
- code for automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
- code for identifying additional data based on the filter, wherein the code for identifying the additional data comprises:
  - code for using the filter to perform a query against the directory with the first data to find a set of one or more objects in the directory matching the filter;
  - code for receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  - code for accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  - code for displaying, for a user, the list of one or more values; and
  - code for receiving a selection of one or more values from the list of values; and
- code for adding the additional data to the identity profile, wherein the code for adding includes adding the selected one or more values to the first attribute in the identity profile.
Dependent claims: 17, 18.
19. One or more processor readable storage devices having processor readable code embodied on the processor readable storage devices, the processor readable code for programming one or more processors, the processor readable code comprising:
- code for receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables for a first attribute;
- code for receiving an attribute value for a second attribute of the identity profile object;
- code for accessing the class for the identity profile object;
- code for reading the rule having one or more dynamic variables from the class;
- code for automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule and the identity profile object being accessed as part of a workflow;
- code for automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
- code for identifying additional data based on the filter, wherein the code for identifying the additional data comprises:
  - code for using the filter to perform a query against the directory with the first data to find a set of one or more objects in the directory matching the filter;
  - code for receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  - code for accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  - code for displaying, for a user, the list of one or more values; and
  - code for receiving a selection of one or more values from the list of values; and
- code for using the additional data to perform the workflow, wherein the additional data comprises the selected one or more values.
Dependent claims: 20, 21.
22. An Identity System, comprising:
- one or more storage devices; and
- one or more processors, wherein the storage devices comprise processor readable code executable by the processor(s), the processor readable code comprising:
  - code for receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables for a first attribute;
  - code for receiving an attribute value for a second attribute of the identity profile object;
  - code for accessing the class for the identity profile object;
  - code for reading the rule having one or more dynamic variables from the class;
  - code for automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule;
  - code for automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
  - code for identifying additional data based on the filter, wherein the code for identifying the additional data comprises:
    - code for using the filter to perform a query against the directory with the first data to find a set of one or more objects in the directory matching the filter;
    - code for receiving an identification of a particular attribute in each of the one or more objects matching the filter;
    - code for accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
    - code for displaying, for a user, the list of one or more values; and
    - code for receiving a selection of one or more values from the list of values; and
  - code for adding the additional data to the identity profile, wherein the code for adding includes code for adding the selected one or more values to the first attribute in the identity profile.
Dependent claims: 23, 24.
25. An Identity System, comprising:
- one or more storage devices; and
- one or more processors, wherein the storage devices comprise processor readable code executable by the processor(s), the processor readable code comprising:
  - code for receiving, at an identity server, a request to add data to an identity profile for an entity, wherein the identity profile is stored as an object in a directory, wherein the directory comprises a database for storing one or more identity profiles, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein the class defines a rule having one or more dynamic variables for a first attribute;
  - code for receiving an attribute value for a second attribute of the identity profile object;
  - code for accessing the class for the identity profile object;
  - code for reading the rule having one or more dynamic variables from the class;
  - code for automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule and the identity profile object being accessed as part of a workflow;
  - code for automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
  - code for identifying additional data based on the filter, wherein the code for identifying the additional data comprises:
    - code for using the filter to perform a query against the directory with the first data to find a set of one or more objects in the directory matching the filter;
    - code for receiving an identification of a particular attribute in each of the one or more objects matching the filter;
    - code for accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
    - code for displaying, for a user, the list of one or more values; and
    - code for receiving a selection of one or more values from the list of values; and
  - code for using the additional data to perform the workflow, wherein the additional data comprises the selected one or more values.
Dependent claims: 26, 27, 28.
29. A method for performing rule-based identity management in an identity system, the identity system being configured to provide identity management services for a network, the method comprising:
- receiving, at the identity system, a request to create an identity profile for a user, wherein the identity profile is stored as an object in a directory, wherein the identity profile object is based on a class, wherein the class defines one or more attributes for the identity profile object such that the identity profile comprises one or more attributes, wherein each attribute is configured to store information about the user, wherein the class defines the rule having one or more dynamic variables for a first attribute;
- providing a template that comprises an indication of one or more attributes for which values are to be provided;
- receiving an attribute value for a second attribute of the identity profile object;
- accessing the class for the identity profile object;
- reading the rule having one or more dynamic variables from the class;
- automatically accessing the attribute value for the second attribute of the identity profile object based on the dynamic variable in the rule;
- automatically applying the attribute value to the rule by replacing a dynamic variable in the rule with the attribute value of the second attribute to create a filter;
- identifying additional data based on the filter, wherein identifying the additional data comprises:
  - using the filter to perform a query against the directory with the first data to find a set of one or more objects in a directory matching the filter;
  - receiving an identification of a particular attribute in each of the one or more objects matching the filter;
  - accessing, for each of the one or more objects, the particular attribute to generate a list of one or more values, each value corresponding to the particular attribute in one of the one or more objects;
  - displaying, for a user, the list of one or more values; and
  - receiving a selection of a first attribute value for the first attribute, from the list of values;
- creating the identity profile comprising the first attribute having the first attribute value and the second attribute having the second attribute value; and
- saving the identity profile object in the directory.
Dependent claims: 30, 31, 32, 33.
Specification