Access requests at IAM system implementing IAM data model

US 9,529,989 B2
Filed: 03/08/2016
Issued: 12/27/2016
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A computing device for provisioning access rights to physical computing resources comprising:

one or more processors; and

memory storing computer-executable instructions that, when executed by one of the one or more processors, cause the computing device toreceive a request to provision one or more access rights for a user account, the request specifying a business activity;

identify a set of logical permissions based, at least in part, on the request by obtaining a set of business tasks associated with the business activity and identifying, as the set of logical permissions, one or more logical permissions respectively associated with individual business tasks in the set of business tasks;

derive a set of logical entitlements based, at least in part, on the set of logical permissions;

translate the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications wherein each physical permission specification in the set of physical permission specifications is associated with one of the logical permissions in the set of logical permissions; and

provision one or more access rights for the user account to at least one physical computing resource indicated in the physical entitlement specification.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification.

421 Citations

20 Claims

1. A computing device for provisioning access rights to physical computing resources comprising:
- one or more processors; and
  
  memory storing computer-executable instructions that, when executed by one of the one or more processors, cause the computing device toreceive a request to provision one or more access rights for a user account, the request specifying a business activity;
  
  identify a set of logical permissions based, at least in part, on the request by obtaining a set of business tasks associated with the business activity and identifying, as the set of logical permissions, one or more logical permissions respectively associated with individual business tasks in the set of business tasks;
  
  derive a set of logical entitlements based, at least in part, on the set of logical permissions;
  
  translate the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications wherein each physical permission specification in the set of physical permission specifications is associated with one of the logical permissions in the set of logical permissions; and
  
  provision one or more access rights for the user account to at least one physical computing resource indicated in the physical entitlement specification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The computing device of claim 1, further comprising:
    - a database that implements, using a plurality of database tables, an identity and access management (IAM) data model, the IAM data model comprising a plurality of identity and access management (IAM) entities, each database table corresponding to one of the IAM entities and comprising one or more records that stores identity and access management (IAM) data.
  - 3. The computing device of claim 2, wherein:
    - obtaining the set of business tasks comprises querying the database for any business task records related to a business activity record of the business activity specified in the request.
  - 4. The computing device of claim 2, wherein:
    - identifying the set of logical permissions comprises, for a business task in the set of business tasks, querying the database for any logical permission records related to a business task record of that business task.
  - 5. The computing device of claim 2, wherein:
    - deriving the set of logical entitlements comprises pairing the user account with individual logical permissions in the set of logical permissions.
  - 6. The computing device of claim 5, wherein:
    - each logical permission in the set of logical permissions pairs a logical resource with one or more access rights.
  - 7. The computing device of claim 2, wherein:
    - the instructions, when executed by one of the one or more processors, further cause the computing device to obtain, for each logical permission in the set of logical permissions, a physical permission specification for the logical permission.
  - 8. The computing device of claim 7, wherein:
    - the physical permission specification comprises one or more physical permissions used to implement the logical permission.
  - 9. The computing device of claim 8, wherein:
    - translating the set of logical entitlements to a physical entitlement specification comprises pairing the user account with individual physical permissions of the one or more physical permissions of the physical permission specification.
  - 10. The computing device of claim 8, wherein:
    - each physical permission of the one or more physical permissions pairs a physical computing resource with one or more access rights.
  - 11. The computing device of claim 2, wherein:
    - the database comprises a logical resource table comprising a plurality of logical resource records, each logical resource record corresponding to one of a plurality of logical resources of a computing system.
  - 12. The computing device of claim 11, wherein:
    - the database comprises a physical resource table comprising a plurality of physical computing resource records, each physical computing resource record corresponding to one of a plurality of physical computing resources of the computing system.
  - 13. The computing device of claim 12, wherein:
    - each logical resource record of the plurality of logical resource records is related to at least one physical computing resource record of the plurality of physical computing resource records.
  - 14. The computing device of claim 1, wherein:
    - the at least one physical computing resource indicated in the physical entitlement specification comprises at least one of a transaction, a machine, a software application, a database, or a database table.
  - 15. The computing device of claim 1, wherein:
    - the instructions, when executed by one of the one or more processors, further cause the computing device to create and store a request record corresponding to the request to provision the one or more access rights for the user account.
  - 16. The computing device of claim 15, wherein:
    - the request record indicates (i) a date the request was submitted, (ii) an identifier for a requestor, and (iii) an identifier for a requestee.
  - 17. The computing device of claim 15, wherein:
    - the request record indicates (i) a date the request was approved, and (ii) an identifier for an approver.
  - 18. The computing device of claim 1, wherein:
    - the instructions, when executed by one of the one or more processors, further cause the computing device to create and store a provisioning record that identifies one of the at least one physical computing resources and one of the one or more access rights provisioned for that physical computing resource.
  - 19. The computing device of claim 1, wherein:
    - provisioning one of the one or more access rights for the user account comprises interacting with a resource manager associated with one of the at least one physical computing resource.
  - 20. The computing device of claim 1, wherein:
    - the one or more access rights comprise at least one of a read access right, a write access right, and an execute access right.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kling, John, Thompson, Bryan, Green, Ward
Primary Examiner(s)
LE, THU NGUYET T

Application Number

US15/063,993
Publication Number

US 20160224770A1
Time in Patent Office

294 Days
Field of Search

707/781, 707/783
US Class Current

1/1
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06Q 10/10   Office automation; Time man...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Access requests at IAM system implementing IAM data model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

421 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access requests at IAM system implementing IAM data model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

421 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links