Verifying separation-of-duties at IAM system implementing IAM data model
First Claim
1. A computer-implemented method of verifying separation-of-duties for requested access rights to physical computing resources comprising:
providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a business task entity and defining a second relationship between the business task entity and a logical permission entity;
storing, at the database, (a) a set of user records, each user record conforming to the user entity, (b) a set of business task records, each business task record conforming to the business task entity, and (c) a set of logical permission records, each logical permission record conforming to the logical permission entity;
receiving a request to provision one or more access rights for a user specified in the request;
identifying a business task to provision one or more access rights for based on content included in the request;
querying the database for a first logical permission record that is associated with a first business task record that is associated with a user record corresponding to the user specified in the request, the first business task record corresponding to a current business task associated with the user specified in the request;
querying the database for a second logical permission record that is associated with a second business task record corresponding to the business task identified from the content included in the request;
determining whether the current business task associated with the user is incompatible with the business task identified from the content included in the request by determining whether a first logical permission corresponding to the first logical permission record is incompatible with a second logical permission corresponding to the second logical permission record; and
based on whether the current business task associated with the user is incompatible with the business task identified from the content included in the request, either providing an indication that the request would result in a separation-of-duties violation or fulfilling the request.
Abstract
Systems and methods of verifying separation-of-duties (SoD) for requested access rights to physical computing resources are provided. An SoD verifier may receive an access request and obtain a set of current permissions associated with a requestee specified in the access request. The SoD verifier may also obtain a set of new permissions to provision for the requestee based on the access request. The SoD verifier may determine whether one of the current permissions is incompatible with one of the new permissions. The SoD verifier may provide an indication of whether the access request represents an SoD violation.
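The procedure in the first claim and the abstract, carried through as an added example (not the patent's own code): the IAM data model is held in an in-memory SQLite database with the two claimed relationships (user to business task, business task to logical permission) plus a table of incompatible permission pairs; the schema, the user, task and permission records and the single conflict pair are constructed assumptions.

```python
# SoD verifier over the claimed IAM data model (user -> business task -> logical
# permission) using sqlite3. Schema, sample records and conflict pairs are constructed.
import sqlite3
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE business_tasks(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE logical_permissions(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE user_task(user_id INT, task_id INT);        -- first relationship
CREATE TABLE task_permission(task_id INT, perm_id INT);  -- second relationship
CREATE TABLE incompatible(perm_a INT, perm_b INT);       -- SoD conflict pairs
"""
CURRENT_SQL = """SELECT lp.id, lp.name FROM users u
  JOIN user_task ut ON ut.user_id = u.id JOIN task_permission tp ON tp.task_id = ut.task_id
  JOIN logical_permissions lp ON lp.id = tp.perm_id WHERE u.name = ? ORDER BY lp.id"""
NEW_SQL = """SELECT lp.id, lp.name FROM business_tasks bt
  JOIN task_permission tp ON tp.task_id = bt.id
  JOIN logical_permissions lp ON lp.id = tp.perm_id WHERE bt.name = ? ORDER BY lp.id"""
CONFLICT_SQL = "SELECT 1 FROM incompatible WHERE (perm_a=? AND perm_b=?) OR (perm_a=? AND perm_b=?)"

def build_sample_db():
    """Constructed data: creating vendors and approving payments must not combine."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?,?)", [(1, "alice"), (2, "bob")])
    db.executemany("INSERT INTO business_tasks VALUES (?,?)",
                   [(10, "vendor-maintenance"), (11, "payment-approval"), (12, "reporting")])
    db.executemany("INSERT INTO logical_permissions VALUES (?,?)",
                   [(100, "vendor.create"), (101, "payment.approve"), (102, "report.read")])
    db.executemany("INSERT INTO user_task VALUES (?,?)", [(1, 10), (2, 12)])
    db.executemany("INSERT INTO task_permission VALUES (?,?)", [(10, 100), (11, 101), (12, 102)])
    db.execute("INSERT INTO incompatible VALUES (?,?)", (100, 101))
    return db

def find_conflicts(db, user_name, requested_task):
    """Claim steps 1-3: permissions via the user's current tasks, permissions via the
    requested task, then each pair is tested in both orders so the relation is symmetric."""
    current = db.execute(CURRENT_SQL, (user_name,)).fetchall()
    new = db.execute(NEW_SQL, (requested_task,)).fetchall()
    return [(cn, nn) for cid, cn in current for nid, nn in new
            if db.execute(CONFLICT_SQL, (cid, nid, nid, cid)).fetchone()]

def handle_request(db, user_name, requested_task):
    """Claim step 4: report the SoD violation, or fulfil by linking user and task."""
    conflicts = find_conflicts(db, user_name, requested_task)
    if conflicts:
        return ("violation", conflicts)
    db.execute("""INSERT INTO user_task SELECT u.id, bt.id FROM users u, business_tasks bt
                  WHERE u.name = ? AND bt.name = ?""", (user_name, requested_task))
    return ("fulfilled", [])
```

Because a fulfilled request adds a user-task row, a later request is checked against the enlarged set of current permissions, which is what makes the second check on the same user in the test below flag the reverse combination.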
226 Citations
19 Claims
1. A computer-implemented method of verifying separation-of-duties for requested access rights to physical computing resources (independent claim; full text given under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system for verifying separation-of-duties for requested access rights to physical computing resources comprising:
one or more processors;
a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a business task entity and defining a second relationship between the business task entity and a logical permission entity;
records stored at the database, the records comprising (a) a set of user records, each user record conforming to the user entity, (b) a set of business task records, each business task record conforming to the business task entity, and (c) a set of logical permission records, each logical permission record conforming to the logical permission entity; and
memory storing instructions that, when executed by one of the processors, cause the system to receive a request to provision one or more access rights for a user specified in the request, identify a business task to provision one or more access rights for based on content included in the request, query the database for a first logical permission record that is associated with a first business task record that is associated with a user record corresponding to the user specified in the request, the first business task record corresponding to a current business task associated with the user specified in the request, query the database for a second logical permission record that is associated with a second business task record corresponding to the business task identified from the content included in the request, determine whether the current business task associated with the user is incompatible with the business task identified from the content included in the request by determining whether a first logical permission corresponding to the first logical permission record is incompatible with a second logical permission corresponding to the second logical permission record, and based on whether the current business task associated with the user is incompatible with the business task identified from the content included in the request, either provide an indication that the request would result in a separation-of-duties violation or fulfill the request.
Dependent claims: 11, 12, 13
14. A non-transitory computer-readable storage medium having instructions stored thereon that, when executed by a processor, cause the processor to perform steps for verifying separation-of-duties for requested access rights to physical computing resources, the steps comprising:
providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a business task entity and defining a second relationship between the business task entity and a logical permission entity;
storing, at the database, (a) a set of user records, each user record conforming to the user entity, (b) a set of business task records, each business task record conforming to the business task entity, and (c) a set of logical permission records, each logical permission record conforming to the logical permission entity;
receiving a request to provision one or more access rights for a user specified in the request;
identifying a business task to provision one or more access rights for based on content included in the request;
querying the database for a first logical permission record that is associated with a first business task record that is associated with a user record corresponding to the user specified in the request, the first business task record corresponding to a business task associated with the user specified in the request;
querying the database for a second logical permission record that is associated with a second business task record corresponding to the business task identified from the content included in the request;
determining whether the current business task associated with the user is incompatible with the business task identified from the content included in the request by determining whether a first logical permission corresponding to the first logical permission record is incompatible with a second logical permission corresponding to the second logical permission record; and
based on whether the current business task associated with the user is incompatible with the business task identified from the content included in the request, either providing an indication that the request would result in a separation-of-duties violation or fulfilling the request.
Dependent claims: 15, 16, 17, 18, 19
Specification