Quality assurance checks of access rights in a computing system
First Claim
1. A system for ensuring the quality of identity and access management information at a computing system comprising:
at least one processor; and
a data store storing i) access right information for access rights provisioned to users of computing resources of the computing system, the access right information being stored in accordance with a data model that defines relationships between the access rights, the computing resources, and the users, and storing ii) role information for a plurality of roles assignable to the users, the role information indicating, for each role of the plurality of roles, a set of access rights associated with the role; and
memory storing instructions that, when executed by the at least one processor, cause the system to perform a quality assurance task of a plurality of quality assurance tasks associated with the access rights;
wherein the plurality of quality assurance tasks comprises a first quality assurance task associated with a first portion of the instructions that, when executed by the at least one processor, cause the system to:
receive a first request to provision access rights to a user, the first request indicating a set of requested access rights,
compare, for each role of the plurality of roles, the set of requested access rights to the set of access rights associated with the role, and
based on whether the set of requested access rights matches the set of access rights associated with one of the roles, either (a) provision the requested access rights for the user if the set of requested access rights does not match the set of access rights associated with any of the plurality of roles, or (b) deny the request and provide an instruction to submit a new request indicating the role associated with the set of access rights that matches the set of requested access rights; and
wherein the plurality of quality assurance tasks comprises a second quality assurance task associated with a second portion of the instructions that, when executed by the at least one processor, cause the system to:
receive a second request to either provision an access right to or revoke the access right from the user,
obtain, from the data store, a portion of the access right information indicating a set of provisioned access rights associated with the user, and
based on a comparison of the access right to the set of provisioned access rights, either (a) provide the second request to an access request system for fulfillment, or (b) withhold the second request from the access request system.
1 Assignment
0 Petitions
Abstract
Systems and methods for ensuring the quality of identity and access management information at a computing system are described. Access right information that respectively corresponds to one or more access rights may be stored at a data store. The access right information may be stored in accordance with a data model that defines respective relationships between the access rights and both the users having access to the computing system and the computing resources of the computing system. At least a portion of the access right information may be retrieved, and quality assurance tasks may be performed using the portion of the access right information retrieved.
220 Citations
16 Claims
1. A system for ensuring the quality of identity and access management information at a computing system comprising: (independent claim 1, reproduced in full under First Claim above; dependent claims 2, 3, 4, 5, 6, 7, 8, 9 and 10 depend from it)
11. A computer-implemented method of ensuring the quality of identity and access management information at a computing system comprising:
storing, at a data store, i) access right information for access rights provisioned for users of computing resources of the computing system, the access right information being stored in accordance with a data model that defines relationships between the access rights, the computing resources, and the users, and storing ii) role information for a plurality of roles assignable to the users, the role information indicating, for each role of the plurality of roles, a set of access rights associated with the role; and
performing a quality assurance task of a plurality of quality assurance tasks associated with the access rights;
wherein the plurality of quality assurance tasks comprises a first quality assurance task comprising:
receiving a request to provision access rights to a user, the request indicating a set of requested access rights,
comparing, for each role of the plurality of roles, the set of requested access rights to the set of access rights associated with the role, and
based on whether the set of requested access rights matches the set of rights associated with one of the roles, either (a) provisioning the requested access rights for the user if the set of requested access rights does not match the set of access rights associated with any of the plurality of roles, or (b) deny the request and provide an instruction to submit a new request indicating the role associated with the set of access rights that matches the set of requested access rights; and
wherein the plurality of quality assurance tasks comprises a second quality assurance task comprising:
receiving a second request to either provision an access right to or revoke the access right from the user,
obtaining, from the data store, a portion of the access right information indicating a set of provisioned access rights associated with the user, and
based on a comparison of the access right to the set of provisioned access rights, either (a) providing the second request to an access request system for fulfillment, or (b) withholding the second request from the access request system.
Dependent claims 12, 13, 14 and 15 depend from claim 11.
16. Non-transitory computer-readable media having instructions, that when executed by a processor of a computing device, cause the computing device to:
store, at a data store, i) access right information for access rights provisioned to users of computing resources of a computing system, the access right information being stored in accordance with a data model that defines relationships between the access rights, the computing resources, and the users, and storing ii) role information for a plurality of roles assignable to the users, the role information indicating, for each role of the plurality of roles, a set of access rights associated with the role;
retrieve, from a data store storing access right information respectively corresponding to one or more access rights of a computing system;
perform one or more quality assurance tasks of a plurality of quality assurance tasks using the access right information; and
wherein the plurality of quality assurance tasks comprise:
a first quality assurance task comprising determining whether a set of access rights associated with a role of the plurality of roles matches a set of requested access rights indicated in a request to provision the requested access rights to one of the users,
a second quality assurance task comprising determining whether to provide, to an access request system, a request to change access rights for one of the users or to withhold the request from the access request system based on whether the change indicated in the request has already occurred,
a third quality assurance task comprising determining whether an access right provisioned to one of the users corresponds to an access right determined to have been used to access one of the computing resources of the computing system, and
a fourth quality assurance task comprising determining whether an incomplete action item associated with one of the access rights has been incomplete for longer than a duration threshold.
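The four quality assurance tasks enumerated in claim 16 (the first two of which claims 1 and 11 spell out in full), as an added worked example in Python. This is not the patent holder's code: the data model layout, the users, resources, rights, roles, usage records, action items, the fixed clock and the 30-day staleness threshold are all constructed here for illustration, and the function names are the example's own.

```python
"""Worked model of the four access-right quality assurance (QA) tasks.

Constructed example: users, resources, rights, roles, usage records,
action items and the staleness threshold are all invented for
illustration; this is not the patent holder's implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessRight:
    resource: str    # computing resource the right is scoped to
    permission: str  # e.g. "read", "write"


@dataclass
class ActionItem:
    right: AccessRight
    opened_at: datetime
    completed: bool = False


@dataclass
class AccessStore:
    """Data model relating users, rights and resources (assumed layout)."""
    provisioned: dict = field(default_factory=dict)  # user -> set[AccessRight]
    roles: dict = field(default_factory=dict)        # role -> frozenset[AccessRight]
    usage: dict = field(default_factory=dict)        # user -> set[AccessRight] seen in use
    action_items: list = field(default_factory=list)


def qa_role_match(store, user, requested):
    """Task 1: a request whose right set equals a role's right set is denied
    with an instruction to request that role instead; otherwise the rights
    are provisioned ad hoc (claim 1, first task)."""
    for role, role_rights in store.roles.items():
        if frozenset(requested) == role_rights:
            return "deny", f"resubmit as a request for role '{role}'"
    store.provisioned.setdefault(user, set()).update(requested)
    return "provisioned", None


def qa_redundant_change(store, user, right, action):
    """Task 2: forward a provision/revoke request to the access request
    system only if it would change state; withhold it when the change
    has already occurred (claim 1, second task)."""
    held = right in store.provisioned.get(user, set())
    if action == "provision":
        return "withhold" if held else "forward"
    if action == "revoke":
        return "forward" if held else "withhold"
    raise ValueError(f"unknown action {action!r}")


def qa_unused_rights(store, user):
    """Task 3: provisioned rights never observed being used against their
    resource (claim 16, third task); least-privilege cleanup candidates."""
    return store.provisioned.get(user, set()) - store.usage.get(user, set())


def qa_stale_action_items(store, now, threshold):
    """Task 4: action items still incomplete after the duration threshold
    (claim 16, fourth task)."""
    return [item for item in store.action_items
            if not item.completed and now - item.opened_at > threshold]


# Constructed sample data: one role, one user holding two rights (one never
# exercised), and three action items of different ages.
NOW = datetime(2024, 1, 15, 12, 0)  # fixed clock so the example is deterministic
PAYROLL_READ = AccessRight("payroll-db", "read")
PAYROLL_WRITE = AccessRight("payroll-db", "write")
HR_READ = AccessRight("hr-share", "read")


def build_sample_store():
    store = AccessStore()
    store.roles["payroll-analyst"] = frozenset({PAYROLL_READ, PAYROLL_WRITE})
    store.provisioned["alice"] = {PAYROLL_READ, HR_READ}
    store.usage["alice"] = {PAYROLL_READ}  # hr-share right never exercised
    store.action_items = [
        ActionItem(HR_READ, NOW - timedelta(days=45)),                   # stale
        ActionItem(PAYROLL_READ, NOW - timedelta(days=2)),               # recent
        ActionItem(PAYROLL_WRITE, NOW - timedelta(days=90), completed=True),
    ]
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(qa_role_match(s, "bob", {PAYROLL_READ, PAYROLL_WRITE}))
    print(qa_redundant_change(s, "alice", PAYROLL_READ, "provision"))
    print(qa_unused_rights(s, "alice"))
    print([i.right for i in qa_stale_action_items(s, NOW, timedelta(days=30))])
```

Two caveats worth noting when reading the claims against this model. The first task is an exact-match comparison: a request for a strict superset of a role's rights (the role's two rights plus one more) does not match any role and is provisioned ad hoc, so the check stops role-shaped requests from bypassing role assignment but does not by itself enforce that rights are granted only through roles. The second task compares the requested change against the data store's view of provisioned rights, so its value depends on that store being kept in sync with what the access request system actually fulfilled; drift between the two turns a legitimate change into a withheld one.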
Specification