Verifying separation-of-duties at IAM system implementing IAM data model

US 9,483,488 B2
Filed: 07/18/2013
Issued: 11/01/2016
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of verifying separation-of-duties for requested access rights to physical computing resources comprising:

providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a business task entity and defining a second relationship between the business task entity and a logical permission entity;

storing, at the database, (a) a set of user records, each user record conforming to the user entity, (b) a set of business task records, each business task record conforming to the business task entity, and (c) a set of logical permission records, each logical permission record conforming to the logical permission entity;

receiving a request to provision one or more access rights for a user specified in the request;

identifying a business task to provision one or more access rights for based on content included in the request;

querying the database for a first logical permission record that is associated with a first business task record that is associated with a user record corresponding to the user specified in the request, the first business task record corresponding to a current business task associated with the user specified in the request;

querying the database for a second logical permission record that is associated with a second business task record corresponding to the business task identified from the content included in the request;

determining whether the current business task associated with the user is incompatible with the business task identified from the content included in the request by determining whether a first logical permission corresponding to the first logical permission record is incompatible with a second logical permission corresponding to the second logical permission record; and

based on whether the current business task associated with the user is incompatible with the business task identified from the content included in the request, either providing an indication that the request would result in a separation-of-duties violation or fulfilling the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of verifying separation-of-duties (SoD) for requested access rights to physical computing resources are provided. An SoD verifier may receive and access request and obtain a set of current permissions associated with a requestee specified in the access request. The SoD verifier may also obtain a set of new permissions to provision for the requestee based on the access request. The SoD verifier may determine whether one of the current permissions is incompatible with one of the new permissions. The SoD verifier may provide an indication of whether the access request represents an SoD violation.

226 Citations

19 Claims

1. A computer-implemented method of verifying separation-of-duties for requested access rights to physical computing resources comprising:
- providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a business task entity and defining a second relationship between the business task entity and a logical permission entity;
  
  storing, at the database, (a) a set of user records, each user record conforming to the user entity, (b) a set of business task records, each business task record conforming to the business task entity, and (c) a set of logical permission records, each logical permission record conforming to the logical permission entity;
  
  receiving a request to provision one or more access rights for a user specified in the request;
  
  identifying a business task to provision one or more access rights for based on content included in the request;
  
  querying the database for a first logical permission record that is associated with a first business task record that is associated with a user record corresponding to the user specified in the request, the first business task record corresponding to a current business task associated with the user specified in the request;
  
  querying the database for a second logical permission record that is associated with a second business task record corresponding to the business task identified from the content included in the request;
  
  determining whether the current business task associated with the user is incompatible with the business task identified from the content included in the request by determining whether a first logical permission corresponding to the first logical permission record is incompatible with a second logical permission corresponding to the second logical permission record; and
  
  based on whether the current business task associated with the user is incompatible with the business task identified from the content included in the request, either providing an indication that the request would result in a separation-of-duties violation or fulfilling the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein:
    - fulfilling the request comprises adjusting access rights to at least one physical computing resource of a computer system based on the content included in the request.
  - 3. The method of claim 2 wherein:
    - providing the indication that the request would result in a separation-of-duties violation comprises notifying a reviewer that the request represents a separation-of-duties violation, andthe request is fulfilled responsive to dismissal of the separation-of-duties violation by the reviewer.
  - 4. The method of claim 1 wherein:
    - providing the indication that the request would result in a separation-of-duties violation comprises providing notification to a requestor indicated in the request that the request was denied.
  - 5. The method of claim 1 wherein:
    - the request specifies a request type; and
      
      identifying the business task based on the content included in the request comprises identifying the business task based, at least in part, on the request type.
  - 6. The method of claim 1 wherein:
    - the IAM data model further defines a third relationship between the business task entity and a business activity entity and further defines a fourth relationship between the business activity entity and a business role entity;
      
      the records stored at the database further comprise (d) a set of business activity records, each business activity record corresponding to the business activity entity, and (e) a set of business role records, each business role record corresponding to the business role entity;
      
      the request specifies a business role; and
      
      identifying the business task based on the content included in the request comprisesquerying the database for a business role record that corresponds to the business role;
      
      querying the database for one or more business activity records associated with the business role record,for each business activity record, querying the database for one or more business task records associated with the business activity record,selecting one of the one or more business task records as the first business task record.
  - 7. The method of claim 1 wherein:
    - the IAM data model further defines a third relationship between the business task entity and a business activity entity;
      
      the records stored at the database further comprise (d) a set of business activity records, each business activity record corresponding to the business activity entity;
      
      the request specifies a business activity; and
      
      identifying the business task based on the content included in the request comprisesquerying the database for a business activity record that corresponds to the business activity,querying the database for one or more business task records associated with the business activity record, andselecting one of the one or more business task records as the first business task record.
  - 8. The method of claim 1 wherein:
    - the request specifies the business task.
  - 9. The method of claim 1 wherein:
    - fulfilling the request comprisesderiving a logical entitlement from the first logical permission associated with the business task,translating the logical entitlement into one or more physical entitlements wherein each one of the one or more physical entitlements identifies, respectively, a physical computing resource and one or more physical permissions used to access the physical computing resource, andinitiating, for each one of the one or more physical computing resources, provisioning of the one or more physical permissions for the requestee specified in the request.

10. A system for verifying separation-of-duties for requested access rights to physical computing resources comprising:
- one or more processors;
  
  a database that implements an identity access management (IAM) data model the IAM data model defining a first relationship between a user entity and a business task entity and defining a second relationship between the business task entity and a logical permission entity;
  
  records stored at the database, the records comprising (a) a set of user records, each user record conforming to the user entity, (b) a set of business task records, each business task record conforming to the business task entity, and (c) a set of logical permission records, each logical permission record conforming to the logical permission entity; and
  
  memory storing instructions that when executed by one of the processors, cause the system toreceive a request to provision one or more access rights for a user specified in the request,identify a business task to provision one or more access rights for based on content included in the request,query the database for a first logical permission record that is associated with a first business task record that is associated with a user record corresponding to the user specified in the request, the first business task record corresponding to a current business task associated with the user specified in the request,query the database for a second logical permission record that is associated with a second business task record corresponding to the business task identified from the content included in the request;
  
  determine whether the current business task associated with the user is incompatible with the business task identified from the content included in the request by determining whether a first logical permission corresponding to the first logical permission record is incompatible with a second logical permission corresponding to the second logical permission record, andbased on whether the current business task associated with the user is incompatible with the business task identified from the content included in the request, either provide an indication that the request would result in a separation-of-duties violation or fulfill the request.
- View Dependent Claims (11, 12, 13)
- - 11. The system of claim 10 wherein:
    - the IAM data model further defines a third relationship between the business task entity and a business activity entity and further defines a fourth relationship between the business activity entity and a business role entity;
      
      the records stored at the database further comprise (d) a set of business activity records, each business activity record corresponding to the business activity entity, and (e) a set of business role records, each business role record corresponding to the business role entity;
      
      the request specifies a business role; and
      
      identifying the business task based on the content included in the request comprisesquerying the database for a business role record that corresponds to the business role,querying the database for one or more business activity records associated with the business role record,for each business activity record, querying the database for one or more business task records associated with the business activity record,selecting one of the one or more business task records as the first business task record.
  - 12. The system of claim 10 wherein:
    - the IAM data model further defines a third relationship between the business task entity and a business activity entity;
      
      the records stored at the database further comprise (d) a set of business activity records, each business activity record corresponding to the business activity entity;
      
      the request specifies a business activity; and
      
      identifying the business task based on the content included in the request comprisesquerying the database for a business activity record that corresponds to the business activity,querying the database for one or more business task records associated with the business activity record, andselecting one of the one or more business task records as the first business task record.
  - 13. The system of claim 10 wherein:
    - the request specifies the business task.

14. A non-transitory computer-readable storage medium having instructions stored thereon that, when executed by a processor, cause the processor to perform steps for verifying separation-of-duties for requested access rights to physical computing resources, the steps comprising:
- providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and a business task entity and defining a second relationship between the business task entity and a logical permission entity;
  
  storing, at the database, (a) a set of user records, each user record conforming to the user entity, (b) a set of business task records, each business task record conforming to the business task entity, and (c) a set of logical permission records, each logical permission record conforming to the logical permission entity;
  
  receiving a request to provision one or more access rights for a user specified in the request;
  
  identifying a business task to provision one or more access rights for based on content included in the request;
  
  querying the database for a first logical permission record that is associated with a first business task record that is associated with a user record corresponding to the user specified in the request, the first business task record corresponding to a business task associated with the user specified in the request;
  
  querying the database for a second logical permission record that is associated with a second business task record corresponding to the business task identified from the content included in the request;
  
  determining whether the current business task associated with the user is incompatible with the business task identified from the content included in the request by determining whether a first logical permission corresponding to the first logical permission record is incompatible with a second logical permission corresponding to the second logical permission record; and
  
  based on whether the current business task associated with the user is incompatible with the business task identified from the content included in the request, either providing an indication that the request would result in a separation-of-duties violation or fulfilling the request.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer-readable medium of claim 14 wherein the instructions, when executed by the processor, cause the processor to perform steps further comprising:
    - storing, at the database, (d) a set of logical computing resource records, each logical computing resource record conforming to a logical computing resource entity defined by the IAM data model and corresponding to a logical computing resource of a computer system; and
      
      storing, at the database, (e) a set of physical computing resource records, each physical computing resource record conforming to a physical computing resource entity defined by the IAM data model and corresponding to a physical computing resource of the computer system;
      
      wherein the IAM data model defines a relationship between the logical computing resource entity and the physical computing resource entity and wherein each logical computing resource record is associated with one or more of the physical computing resource records.
  - 16. The non-transitory computer-readable medium of claim 14 wherein:
    - the IAM data model further defines a third relationship between the business task entity and a business activity entity and further defines a fourth relationship between the business activity entity and a business role entity;
      
      the records stored at the database further comprise (d) a set of business activity records, each business activity record corresponding to the business activity entity, and (e) a set of business role records, each business role record corresponding to the business role entity;
      
      the request specifies a business role; and
      
      identifying the business task based on the content included in the request comprisesquerying the database for a business role record that corresponds to the business role,querying the database for one or more business activity records associated with the business role record,for each business activity record, querying the database for one or more business task records associated with the business activity record,selecting one of the one or more business task records as the first business task record.
  - 17. The non-transitory computer-readable medium of claim 14 wherein:
    - the IAM data model further defines a third relationship between the business task entity and a business activity entity;
      
      the records stored at the database further comprise (d) a set of business activity records, each business activity record corresponding to the business activity entity;
      
      the request specifies a business activity; and
      
      identifying the business task based on the content included in the request comprisesquerying the database for a business activity record that corresponds to the business activity,querying the database for one or more business task records associated with the business activity record, andselecting one of the one or more business task records as the first business task record.
  - 18. The non-transitory computer-readable medium of claim 14 wherein:
    - the request specifies the business task.
  - 19. The non-transitory computer-readable medium of claim 14 wherein:
    - fulfilling the request comprisesderiving a logical entitlement from the first logical permission associated with the business task,translating the logical entitlement into one or more physical entitlements wherein each one of the one or more physical entitlements identifies, respectively, a physical computing resource and one or more physical permissions used to access the physical computing resource, andinitiating, for each one of the one or more physical computing resources, provisioning of the one or more physical permissions for the requestee specified in the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kling, John, Thompson, Bryan, Green, Ward
Primary Examiner(s)
LE, THU NGUYET T

Application Number

US13/945,669
Publication Number

US 20140181913A1
Time in Patent Office

1,202 Days
Field of Search

707/781, 707/783
US Class Current

1/1
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 21/62   Protecting access to data v...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

Verifying separation-of-duties at IAM system implementing IAM data model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

226 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Verifying separation-of-duties at IAM system implementing IAM data model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

226 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links