Access reviews at IAM system implementing IAM data model

US 9,495,380 B2
Filed: 07/18/2013
Issued: 11/15/2016
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for conducting access reviews of access rights to logical computing resources comprising:

providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and an entitlement entity and defining a second relationship between the entitlement entity and a logical computing resource entity;

storing, at the database, (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more computing resources, (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and corresponding to one of the computing resources, and (c) one or more entitlement records, each entitlement record conforming to the entitlement entity and indicating the user record and one of the logical computing resource records;

receiving a request to generate an access review summary for the user;

responsive to receipt of the request, generate the access review summary by;

identifying which of the one or more computing resources of the computing system access rights have been provisioned for the user;

for each computing resource for which access rights have been provisioned for the user,(i) querying the database for a logical computing resource record corresponding to the computing resource,(ii) querying the database to determine whether the logical computing resource record is associated with an entitlement record being associated with the user record, and(iii) configuring the access review summary to indicate a logical computing resource corresponding to the computing resource and whether the user is authorized to access the logical computing resource, the access review summary indicating either;

that the user is authorized to access the logical computing resource responsive to determining the logical computing resource record is associated with the entitlement record being associated with the user record, orthat the user not authorized to access the logical computing resource responsive to determining the logical computing resource record is not associated with the entitlement record being associated with the user record; and

outputting, at a display device, the access review summary.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of conducting access reviews of access rights to logical computing resources are provided. An access reviewer may receive a selection indicating a user having access to one or more logical computing resources of a computer system. The access reviewer may identify a set of current logical computing resources that the user has access to and a set of current logical entitlements associated with the user. The access reviewer may generate an access review summary based on a comparison of the current logical computing resources to one or more of the current logical entitlements.

219 Citations

20 Claims

1. A computer-implemented method for conducting access reviews of access rights to logical computing resources comprising:
- providing a database that implements an identity and access management (IAM) data model, the IAM data model defining a first relationship between a user entity and an entitlement entity and defining a second relationship between the entitlement entity and a logical computing resource entity;
  
  storing, at the database, (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more computing resources, (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and corresponding to one of the computing resources, and (c) one or more entitlement records, each entitlement record conforming to the entitlement entity and indicating the user record and one of the logical computing resource records;
  
  receiving a request to generate an access review summary for the user;
  
  responsive to receipt of the request, generate the access review summary by;
  
  identifying which of the one or more computing resources of the computing system access rights have been provisioned for the user;
  
  for each computing resource for which access rights have been provisioned for the user,(i) querying the database for a logical computing resource record corresponding to the computing resource,(ii) querying the database to determine whether the logical computing resource record is associated with an entitlement record being associated with the user record, and(iii) configuring the access review summary to indicate a logical computing resource corresponding to the computing resource and whether the user is authorized to access the logical computing resource, the access review summary indicating either;
  
  that the user is authorized to access the logical computing resource responsive to determining the logical computing resource record is associated with the entitlement record being associated with the user record, orthat the user not authorized to access the logical computing resource responsive to determining the logical computing resource record is not associated with the entitlement record being associated with the user record; and
  
  outputting, at a display device, the access review summary.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein:
    - the database stores (d) a set of provisioning records, each provisioning record corresponding to a request to provision access rights to one of the one or more computing resources; and
      
      generating the access review summary further comprises, for each computing resource for which access rights have been provisioned for the user;
      
      determining whether a request to provision access rights for the computing resource was previously submitted by querying the database for a provisioning record associated with a logical computing resource record corresponding to the computing resource, andindicating in the access review summary either;
      
      that the request to provision the access rights was previously submitted responsive to determining the provisioning record exists, orthat the request to provision the access rights was not previously submitted responsive to determining the provisioning record does not exist.
  - 3. The method of claim 2:
    - wherein indicating that the request to provision the access rights was previously submitted comprises indicating, in the access review summary, information associated with the request to provision the access rights.
  - 4. The method of claim 3 wherein the information associated with the request to provision the access rights includes:
    - a date the request was submitted;
      
      a requestor that submitted the request;
      
      a date the request was approved; and
      
      an approver of the request.
  - 5. The method of claim 1 further comprising:
    - identifying a logical computing resource record associated with one of the entitlement records, the logical computing resource record corresponding to a logical computing resource for which access rights have not been provisioned for the user; and
      
      submitting a new request to provision new access rights to the logical computing resource for the user.
  - 6. The method of claim 5 further comprising:
    - responsive to receipt of the new request to provision the new access rights to the logical computing resource, identifying a set of physical computing resources of the computing system, the set of physical computing resources corresponding to the logical computing resource, and, for each physical computing resource in the set of physical computing resources, provisioning the new access rights to the physical computing resource for the user.
  - 7. The method of claim 1 further comprising:
    - for each logical computing resource for which access rights have been provisioned for the user but the user is not authorized to access, submitting a new request to revoke existing access rights to the logical computing resource from the user.
  - 8. The method of claim 7 further comprising:
    - responsive to receipt of the new request to revoke the existing access rights to the logical computing resource, identifying a set of physical computing resources associated with the logical computing resource, and, for each physical computing resource in the set of physical computing resources, revoking the existing access rights to the physical computing resource from the user.

9. A system for conducting access reviews of access rights to logical computing resources comprising:
- one or more processors;
  
  a display device;
  
  a database that implements an identity and access management (IAM) data model and storing a set of records conforming to the IAM data model, wherein;
  
  the IAM data model defines a first relationship between a user entity and an entitlement entity and defines a second relationship between the entitlement entity and a logical computing resource entity, andthe set of records comprises (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more computing resources, (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and corresponding to one of the computing resources, and (c) one or more entitlement records, each entitlement record conforming to the entitlement entity and indicating the user record and one of the logical computing resource records; and
  
  memory storing instructions that, when executed by one of the processors, cause the system to;
  
  receive a request to generate an access review summary for the user,responsive to receipt of the request, generate the access review summary by;
  
  identifying which of the one or more computing resources of the computing system access rights have been provisioned for the user,for each computing resource for which access rights have been provisioned for the user,(i) querying the database for a logical computing resource record corresponding to the computing resource,(ii) querying the database to determine whether the logical computing resource record is associated with an entitlement record being associated with the user record, and(iii) configuring the access review summary to indicate a logical computing resource corresponding to the computing resources and whether the user is authorized to access the logical computing resource, the access review summary indicating either;
  
  that the user is authorized to access the logical computing resource responsive to determining the logical computing resource record is associated with the entitlement record being associated with the user record, or
  
  that the user is not authorized to access the logical computing resource responsive to determining the logical computing resource record is not associated with the entitlement record being associated with the user record; and
  
  output, at the display device, the access review summary.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9 wherein:
    - the set of records further comprises (d) a set of provisioning records, each provisioning record corresponding to a request to provision access rights to one of the one or more computing resources.
  - 11. The system of claim 9 wherein:
    - generating the access review summary further comprises, for each computing resource for which access rights have been provisioned for the user;
      
      determining whether a request to provision access rights for the computing resource was previously submitted by querying the database for a provisioning record associated with a logical computing resource record corresponding to the computing resource,indicating, in the access review summary, either;
      
      that the request to provision the access rights was previously submitted responsive to determining that the provisioning record exists, orthat the request to provision the access rights was not previously submitted responsive to determining the provisioning record does not exist.
  - 12. The system of claim 11 wherein indicating that the request to provision the access rights was previously submitted comprises indicating, in the access review summary, information associated with the request to provision the access rights.
  - 13. The system of claim 9 wherein:
    - the instructions, when executed by one of the processors, further cause the system to;
      
      identify logical computing resource record associated with one of the entitlement records, the logical computing resource record corresponding to a logical computing resource for which access rights have not been provisioned for the user, andsubmitting a new request to provision new access rights to the logical computing resource.
  - 14. The system of claim 9 wherein:
    - the instructions, when executed by one of the processors, further cause the system to;
      
      for each logical computing resource for which access rights have been provisioned for the user but the user is not authorized to access, submitting a new request to revoke existing access rights to the logical computing resource from the user.

15. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor of a computing device, cause the computing device to perform steps for conducting access reviews of access rights to logical computing resources, the steps comprising:
- providing a database that implements an identity and access management (IAM) data model and storing a set of records conforming to the IAM data model, wherein;
  
  the IAM data model defines a first relationship between a user entity and an entitlement entity and defines a second relationship between the entitlement entity and a logical computing resource entity, andthe set of records comprises (a) a user record conforming to the user entity, the user record corresponding to a user of a computing system, the computing system comprising one or more computing resources, (b) a set of logical computing resource records, each logical computing resource record conforming to the logical computing resource entity and corresponding to one of the computing resources, and (c) one or more entitlement records, each entitlement record conforming to the entitlement entity and indicating the user record and one of the logical computing resource records;
  
  receiving a request to generate an access review summary for the user;
  
  responsive to receipt of the request, generate the access review summary by;
  
  identifying which of the one or more computing resources of the computing system access rights have been provisioned for the user,for each computing resource for which access rights have been provisioned for the user,(i) querying the database for a logical computing resource record corresponding to the computing resource,(ii) querying the database to determine whether the logical computing resource record is associated with an entitlement record being associated with the user record, and(iii) configuring the access review summary to indicate a logical computing resource corresponding to the computing resource and whether the user is authorized to access the logical computing resource, the access review summary indicating either;
  
  that the user is authorized to access the logical computing resource responsive to determining the logical computing resource record is associated with the entitlement record being associated with the user record, orthat the user is not authorized to access the logical computing resource responsive to determining the logical computing resource record is not associated with the entitlement record being associated with the user record; and
  
  outputting, at a display device, the access review summary.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15 wherein:
    - the set of records further comprises (d) a set of provisioning records, each provisioning record corresponding to a request to provision access rights to one of the one or more computing resources.
  - 17. The computer-readable medium of claim 15 wherein the instructions, when executed by the processor, cause the computing device to perform steps further comprising:
    - identifying a logical computing resource record associated with one of the entitlement records, the logical computing resource record corresponding to a logical computing resource for which access rights have not been provisioned for the user; and
      
      submitting a new request to provision new access rights to the logical computing resource for the user.
  - 18. The computer-readable medium of claim 17 wherein the instructions, when executed by the processor, cause the computing device to perform steps further comprising:
    - responsive to receipt of the new request to provision the new access rights to the logical computing resource, identifying a set of physical computing resources of the computing system, the set of physical computing resources corresponding to the logical computing resource, and for each physical computing resource in the set of physical computing resources, provisioning the new access rights to the physical computing resource for the user.
  - 19. The computer-readable medium of claim 15 wherein the instructions, when executed by the processor, cause the computing device to perform steps further comprising:
    - for each for each logical computing resource for which access rights have been provisioned for the user but the user is not authorized to access, submitting a new request to revoke existing access rights to the logical computing resource from the user.
  - 20. The computer-readable medium of claim 19 wherein the instructions, when executed by the processor, cause the computing device to perform steps further comprising:
    - responsive to receipt of the new request to revoke the existing access rights to the logical computing resource, identifying a set of physical computing resources associated with that logical computing resource, and for each physical computing resource in the set of physical computing resources, revoking the existing access rights to the physical computing resource from the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kling, John, Thompson, Bryan, Green, Ward
Primary Examiner(s)
LE, THU NGUYET T

Application Number

US13/945,656
Publication Number

US 20140181912A1
Time in Patent Office

1,216 Days
Field of Search

707/781, 707/783
US Class Current

1/1
CPC Class Codes

G06F 16/176   Support for shared access t...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1425   Traffic logging, e.g. anoma...

Access reviews at IAM system implementing IAM data model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

219 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access reviews at IAM system implementing IAM data model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

219 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links