Hybrid meta-directory

US 7,950,049 B2
Filed: 10/24/2006
Issued: 05/24/2011
Est. Priority Date: 10/24/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing separation of duty detection and compliance, comprising:

displaying, on a display device, a hierarchical list of resources for selection of at least one of a plurality of privileges associated with the resources;

in response to a user selecting, through a user interface at least one of the privileges from the hierarchical list, adding the selected privilege to a request cart to allow the user to initiate a request for the privilege;

for each item added to the request cart, checking a separation of duty privilege list to determine whether any of the privileges in the request cart conflict with any privilege currently granted to the target user or present in the request cart;

in response to detecting a conflict, indicating to the user that the privilege cannot be granted concurrently with the conflicting privilege, thereby facilitating compliance with separation of duties requirements;

allowing the separation of duty conflict to be cured by prompting the user to choose between removing the requested privilege from the request cart, removing the conflicting privilege that is already present in the request cart, and having the conflicting privilege currently granted to the target user removed; and

in response to the user submitting the request cart, automatically invoking a workflow process to approve the request for the privilege, wherein the workflow is dynamically generated at least in part from a structure of the hierarchical list of resources and a location of the privilege within the hierarchical list;

wherein approval for the request of the privilege is granted by requesting approval from a chain of one or more people associated with the privilege and its corresponding resource as defined by the structure of the hierarchical list; and

wherein the workflow process is configured such that a countdown timer having a designated duration is associated with each privilege in the hierarchical list, wherein once the request for the privilege is submitted the corresponding countdown timer is started, and as the countdown timer begins to expire, the workflow process sends approval request reminders at increasingly rapid intervals to people who have yet to respond.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary embodiments provide a method and system for providing a hybrid meta-directory for recording a grant of privileges. In one embodiment method and system aspects of the exemplary embodiment include: assigning a privilege identifier to each privilege stored in a privilege repository; in response to a granting of one of the privileges to a target user, storing the privilege identifier assigned to the granted privilege in an authoritative source domain record for the target user; and in response to receiving a query of the authoritative source domain based on a user ID, retrieving a list of privileges granted to the corresponding target user based on the privilege identifiers associated with the user ID.

25 Citations

View as Search Results

12 Claims

1. A computer-implemented method for providing separation of duty detection and compliance, comprising:
- displaying, on a display device, a hierarchical list of resources for selection of at least one of a plurality of privileges associated with the resources;
  
  in response to a user selecting, through a user interface at least one of the privileges from the hierarchical list, adding the selected privilege to a request cart to allow the user to initiate a request for the privilege;
  
  for each item added to the request cart, checking a separation of duty privilege list to determine whether any of the privileges in the request cart conflict with any privilege currently granted to the target user or present in the request cart;
  
  in response to detecting a conflict, indicating to the user that the privilege cannot be granted concurrently with the conflicting privilege, thereby facilitating compliance with separation of duties requirements;
  
  allowing the separation of duty conflict to be cured by prompting the user to choose between removing the requested privilege from the request cart, removing the conflicting privilege that is already present in the request cart, and having the conflicting privilege currently granted to the target user removed; and
  
  in response to the user submitting the request cart, automatically invoking a workflow process to approve the request for the privilege, wherein the workflow is dynamically generated at least in part from a structure of the hierarchical list of resources and a location of the privilege within the hierarchical list;
  
  wherein approval for the request of the privilege is granted by requesting approval from a chain of one or more people associated with the privilege and its corresponding resource as defined by the structure of the hierarchical list; and
  
  wherein the workflow process is configured such that a countdown timer having a designated duration is associated with each privilege in the hierarchical list, wherein once the request for the privilege is submitted the corresponding countdown timer is started, and as the countdown timer begins to expire, the workflow process sends approval request reminders at increasingly rapid intervals to people who have yet to respond.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 further comprising providing a configuration stage that allows an administrator to link individual privileges in the resource list to one or more other privileges that together create a separation of duty conflict, and storing the privilege and its identified conflicting privileges in the separation of duty privilege list.
  - 3. The method of claim 2 further comprising:
    - in response to the user adding a privilege to the request cart, accessing the separation of duty privilege list associated with the requested privilege;
      
      if any of the privileges in the separation of duty privilege list matches any of the privileges currently in the request cart or currently granted to the target user, then determining that a separation of duty conflict has been detected and denying request for the privilege.
  - 4. The method of claim 1 further comprising handling exceptions to a detected separation of duty conflict by prompting the user to enter a justification for allowing the conflict, wherein as part of a workflow process, a request for approval is sent with the justification entered by the user to a person identified as having authority to allow separation of duty conflicts.

5. An executable software product stored on a computer-readable non-transitory medium containing program instructions for providing separation of duty detection and compliance, a program instructions for:
- displaying a hierarchical list of resources for selection of at least one of a plurality of privileges associated with the resources;
  
  in response to a user selecting at least one of the privileges from the hierarchical list, adding the selected privilege to a request cart to allow the user to initiate a request for the privilege;
  
  for each item added to the request cart, checking a separation of duty privilege list to determine whether any of the privileges in the request cart conflict with any privilege currently granted to the target user or present in the request cart;
  
  in response to detecting a conflict, indicating to the user that the privilege cannot be granted concurrently with the conflicting privilege, thereby facilitating compliance with separation of duties requirements;
  
  allowing the separation of duty conflict to be cured by prompting the user to choose between removing the requested privilege from the request cart, removing the conflicting privilege that is already present in the request cart, and having the conflicting privilege currently granted to the target user removed; and
  
  in response to the user submitting the request cart, automatically invoking a workflow process to approve the request for the privilege, wherein the workflow is dynamically generated at least in part from a structure of the hierarchical list of resources and a location of the privilege within the hierarchical list;
  
  wherein approval for the request of the privilege is granted by requesting approval from a chain of one or more people associated with the privilege and its corresponding resource as defined by the structure of the hierarchical list; and
  
  wherein the workflow process is configured such that a countdown timer having a designated duration is associated with each privilege in the hierarchical list, wherein once the request for the privilege is submitted the corresponding countdown timer is started, and as the countdown timer begins to expire, the workflow process sends approval request reminders at increasingly rapid intervals to people who have yet to respond.
- View Dependent Claims (6, 7, 8)
- - 6. The executable software product of claim 5 further comprising providing a configuration stage that allows an administrator to link individual privileges in the resource list to one or more other privileges that together create a separation of duty conflict, and storing the privilege and its identified conflicting privileges in the separation of duty privilege list.
  - 7. The executable software product of claim 6 further comprising:
    - in response to the user adding a privilege to the request cart, accessing the separation of duty privilege list associated with the requested privilege;
      
      if any of the privileges in the separation of duty privilege list matches any of the privileges currently in the request cart or currently granted to the target user, then determining that a separation of duty conflict has been detected and denying request for the privilege.
  - 8. The executable software product of claim 7 further comprising handling exceptions to a detected separation of duty conflict by prompting the user to enter a justification for allowing the conflict, wherein as part of the workflow process, a request for approval is sent with the justification entered by the user to a person identified as having authority to allow separation of duty conflicts.

9. A hybrid meta-directory system for providing separation of duty detection and compliance, comprising:
- a network; and
  
  a computer coupled to the network and executing an identity management application, the identity management application configured to;
  
  display a hierarchical list of resources for selection of at least one of a plurality of privileges associated with the resources;
  
  in response to a user selecting at least one of the privileges from the hierarchical list, add the selected privilege to a request cart to allow the user to initiate a request for the privilege;
  
  for each item added to the request cart, checking a separation of duty privilege list to determine whether any of the privileges in the request cart conflict with any privilege currently granted to the target user or present in the request cart;
  
  in response to detecting a conflict, indicating to the user that the privilege cannot be granted concurrently with the conflicting privilege, thereby facilitating compliance with separation of duties requirements;
  
  allowing the separation of duty conflict to be cured by prompting the user to choose between removing the requested privilege from the request cart, removing the conflicting privilege that is already present in the request cart, and having the conflicting privilege currently granted to the target user removed; and
  
  in response to the user submitting the request cart, automatically invoking a workflow process to approve the request for the privilege, wherein the workflow is dynamically generated at least in part from a structure of the hierarchical list of resources and a location of the privilege within the hierarchical list;
  
  wherein approval for the request of the privilege is granted by requesting approval from a chain of one or more people associated with the privilege and its corresponding resource as defined by the structure of the hierarchical list; and
  
  wherein the workflow process is configured such that a countdown timer having a designated duration is associated with each privilege in the hierarchical list, wherein once the request for the privilege is submitted the corresponding countdown timer is started, and as the countdown timer begins to expire, the workflow process sends approval request reminders at increasingly rapid intervals to people who have yet to respond.
- View Dependent Claims (10, 11, 12)
- - 10. The hybrid meta-directory system of claim 9 wherein the identity management application includes a configuration stage that allows an administrator to link individual privileges in the resource list to one or more other privileges that together create a separation of duty conflict, wherein the privilege and its identified conflicting privileges are stored in the separation of duty privilege list.
  - 11. The hybrid meta-directory system of claim 10 wherein the identity manager application is for configured to:
    - in response to the user adding a privilege to the request cart, access the separation of duty privilege list associated with the requested privilege;
      
      if any of the privileges in the separation of duty privilege list matches any of the privileges currently in the request cart or currently granted to the target user, then determine that a separation of duty conflict has been detected and denying request for the privilege.
  - 12. The hybrid meta-directory system of claim 11 wherein the identity management application handles exceptions to a detected separation of duty conflict by prompting the user to enter a justification for allowing the conflict, wherein as part of the workflow process, a request for approval is sent with the justification entered by the user to a person identified as having authority to allow separation of duty conflicts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avatier Corporation
Original Assignee
Avatier Corporation
Inventors
Barron, Billy J., Cicchitto, Nelson A., Chiou, Scott L.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
LEWIS, LISA C

Application Number

US11/552,285
Publication Number

US 20080098485A1
Time in Patent Office

1,673 Days
Field of Search

726/2, 726/4, 726/5
US Class Current

726/4
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

Hybrid meta-directory

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Hybrid meta-directory

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links