Quality assurance checks of access rights in a computing system

US 9,542,433 B2
Filed: 05/01/2014
Issued: 01/10/2017
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A system for ensuring the quality of identity and access management information at a computing system comprising:

at least one processor; and

a data store storing i) access right information for access rights provisioned to users of computing resources of the computing system, the access right information being stored in accordance with a data model that defines relationships between the access rights, the computing resources, and the users, and storing ii) role information for a plurality of roles assignable to the users, the role information indicating, for each role of the plurality of roles, a set of access rights associated with the role; and

memory storing instructions that, when executed by the at least one processor, cause the system to perform a quality assurance task of a plurality of quality assurance tasks associated with the access rights;

wherein the plurality of quality assurance tasks comprises a first quality assurance task associated with a first portion of the instructions that, when executed by the at least one processor, cause the system to;

receive a first request to provision access rights to a user, the first request indicating a set of requested access rights,compare, for each role of the plurality of roles, the set of requested access rights to the set of access rights associated with the role, andbased on whether the set of requested access rights matches the set of access rights associated with one of the roles, either (a) provision the requested access rights for the user if the set of requested access rights does not match the set of access rights associated with any of the plurality of roles, or (b) deny the request and provide an instruction to submit a new request indicating the role associated with the set of access rights that matches the set of requested access rights; and

wherein the plurality of quality assurance tasks comprises a second quality assurance task associated with a second portion of the instructions that, when executed by the at least one processor, cause the system to;

receive a second request to either provision an access right to or revoke the access right from the user,obtain, from the data store, a portion of the access right information indicating a set of provisioned access rights associated with the user, andbased on a comparison of the access right to the set of provisioned access rights, either (a) provide the second request to an access request system for fulfillment, or (b) withhold the second request from the access request system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for ensuring the quality of identity and access management information at a computing system are described. Access right information that respectively corresponds to one or more access rights may be stored at a data store. The access right information may be stored in accordance with a data model that defines respective relationships between the access rights and both the users having access to the computing system and the computing resources of the computing system. At least a portion of the access right information may be retrieved, and quality assurance tasks may be performed using the portion of the access right information retrieved.

220 Citations

16 Claims

1. A system for ensuring the quality of identity and access management information at a computing system comprising:
- at least one processor; and
  
  a data store storing i) access right information for access rights provisioned to users of computing resources of the computing system, the access right information being stored in accordance with a data model that defines relationships between the access rights, the computing resources, and the users, and storing ii) role information for a plurality of roles assignable to the users, the role information indicating, for each role of the plurality of roles, a set of access rights associated with the role; and
  
  memory storing instructions that, when executed by the at least one processor, cause the system to perform a quality assurance task of a plurality of quality assurance tasks associated with the access rights;
  
  wherein the plurality of quality assurance tasks comprises a first quality assurance task associated with a first portion of the instructions that, when executed by the at least one processor, cause the system to;
  
  receive a first request to provision access rights to a user, the first request indicating a set of requested access rights,compare, for each role of the plurality of roles, the set of requested access rights to the set of access rights associated with the role, andbased on whether the set of requested access rights matches the set of access rights associated with one of the roles, either (a) provision the requested access rights for the user if the set of requested access rights does not match the set of access rights associated with any of the plurality of roles, or (b) deny the request and provide an instruction to submit a new request indicating the role associated with the set of access rights that matches the set of requested access rights; and
  
  wherein the plurality of quality assurance tasks comprises a second quality assurance task associated with a second portion of the instructions that, when executed by the at least one processor, cause the system to;
  
  receive a second request to either provision an access right to or revoke the access right from the user,obtain, from the data store, a portion of the access right information indicating a set of provisioned access rights associated with the user, andbased on a comparison of the access right to the set of provisioned access rights, either (a) provide the second request to an access request system for fulfillment, or (b) withhold the second request from the access request system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 wherein:
    - the set of requested access rights is determined to match the set of access rights associated with one of the plurality of roles when the set of requested access rights includes all of the access rights in the set of access rights associated with the role.
  - 3. The system of claim 1 wherein:
    - the second request requests the access right be provisioned to the user;
      
      the second request is provided to the access request system for fulfillment if the access right to provision does not correspond to any of the provisioned access rights; and
      
      the second request is withheld from the access request system if the access right to provision corresponds to one of the provisioned access rights.
  - 4. The system of claim 1 wherein:
    - the second request requests the access right be revoked from the user;
      
      the second request is provided to the access request system for fulfillment if the access right to revoke corresponds to one of the provisioned access rights; and
      
      the second request is withheld from the access request system if the access right to revoke does not correspond to any of the provisioned access rights.
  - 5. The system of claim 1 wherein:
    - receiving the second request includes intercepting the second request submitted to the access request system before the access request system receives the second request.
  - 6. The system of claim 1 wherein:
    - the plurality of quality assurance tasks comprises a third quality assurance task associated with a third portion of the instructions that, when executed by the at least one processor, cause the system to;
      
      receive an access report indicating a set of utilized access rights, each utilized access right in the set of utilized access rights being determined to have been used to access one of the computing resources of the computing system,obtain, from the data store, a portion of the access right information indicating a set of provisioned access rights associated with the computing resource, each provisioned access right in the set of provisioned access rights permitting one of the users to access the computing resource, andgenerate a quality assurance report based on a comparison between the set of utilized access rights and the set of provisioned access rights.
  - 7. The system of claim 6 wherein:
    - generating the quality assurance report includes indicating in the quality assurance report, for each provisioned access right in the set of provisioned access rights, whether the provisioned access right has or has not been used to access the computing resource based on whether the provisioned access right corresponds to one of the utilized access rights in the set of utilized access rights.
  - 8. The system of claim 1 wherein:
    - the plurality of quality assurance tasks comprises a third quality assurance task associated with a third portion of the instructions that, when executed by the at least one processor, cause the system to;
      
      obtain a set of incomplete action items, each incomplete action item of the set of incomplete action items corresponding to an action to be performed with respect to one of the access rights,calculate, for each incomplete action item in the set of incomplete action items, a duration that the incomplete action item has remained incomplete, andindicate, in a quality assurance report for each incomplete action item in the set of incomplete action items, whether the incomplete action item is still actionable or no longer actionable based on a comparison of the duration to a duration threshold.
  - 9. The system of claim 8 wherein:
    - the set of incomplete action items comprises an incomplete action item corresponding to an unfulfilled request to either provision or revoke an access right from one of the users; and
      
      the duration is based on a date on which the unfulfilled request was submitted.
  - 10. The system of claim 8 wherein:
    - the set of incomplete action items comprises an incomplete action item corresponds to a pending review of at least a portion of the access rights; and
      
      the duration is based on a due date of the pending review.

11. A computer-implemented method of ensuring the quality of identity and access management information at a computing system comprising:
- storing, at a data store, i) access right information for access rights provisioned for users of computing resources of the computing system, the access right information being stored in accordance with a data model that defines relationships between the access rights, the computing resources, and the users, and storing ii) role information for a plurality of roles assignable to the users, the role information indicating, for each role of the plurality of roles, a set of access rights associated with the role; and
  
  performing a quality assurance task of a plurality of quality assurance tasks associated with the access rights;
  
  wherein the plurality of quality assurance tasks comprises a first quality assurance task comprising;
  
  receiving a request to provision access rights to a user, the request indicating a set of requested access rights,comparing, for each role of the plurality of roles, the set of requested access rights to the set of access rights associated with the role, andbased on whether the set of requested access rights matches the set of rights associated with one of the roles, either (a) provisioning the requested access rights for the user if the set of requested access rights does not match the set of access rights associated with any of the plurality of roles, or (b) deny the request and provide an instruction to submit a new request indicating the role associated with the set of access rights that matches the set of requested access rights; and
  
  wherein the plurality of quality assurance tasks comprises a second quality assurance task comprising;
  
  receiving a second request to either provision an access right to or revoke the access right from the user,obtaining, from the data store, a portion of the access right information indicating a set of provisioned access rights associated with the user, andbased on a comparison of the access right to the set of provisioned access rights, either (a) providing the second request to an access request system for fulfillment, or (b) withholding the second request from the access request system.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer-implemented method of claim 11 wherein:
    - the second request is a request to provision the access right for a user;
      
      wherein the second request is provided to the access request system for fulfillment if the access right to provision does not correspond to any of the provisioned access rights; and
      
      the second request is withheld from the access request system if the access right corresponds to one of the provisioned access rights.
  - 13. The computer-implemented method of claim 11 wherein:
    - the second request is a request to revoke the access right from the user;
      
      wherein the second request is provided to the access request system for fulfillment if the access right to revoke corresponds to one of the provisioned access rights; and
      
      wherein the second request is withheld from the access request system if the access right to revoke does not correspond to any of the provisioned access rights.
  - 14. The computer-implemented method of claim 11 wherein the plurality of quality assurance tasks comprises a third quality assurance task comprising:
    - receiving an access report indicating a set of utilized access rights, each utilized access right in the set of utilized access rights being determined to have been used to access one of the computing resources of the computing system;
      
      obtaining, from the data store, a portion of the access right information indicating a set of provisioned access rights associated with the computing resource, each provisioned access right in the set of provisioned access rights permitting one of the users to access the computing resource; and
      
      generating a quality assurance report indicating, for each provisioned access right in the set of provisioned access rights, whether the provisioned access right corresponds to one of the utilized access rights in the set of utilized access rights.
  - 15. The computer-implemented method of claim 11 wherein the plurality of quality assurance tasks comprise a third quality assurance task comprising:
    - obtaining a set of incomplete action items, each incomplete action item of the set of incomplete action items corresponding to an action to be performed with respect to one of the access rights;
      
      calculating, for each incomplete action item in the set of incomplete action items, a duration that the incomplete action item has remained incomplete;
      
      indicating, in a quality assurance report for each incomplete action item in the set of incomplete action items, whether the incomplete action item is still actionable or no longer actionable based on a comparison of the duration to a duration threshold; and
      
      wherein the set of incomplete action items comprises at least one of i) an unfulfilled request to either provision or revoke an access right from one of the users, and ii) a pending review of at least a portion of the access rights.

16. Non-transitory computer-readable media having instructions, that when executed by a processor of a computing device, cause the computing device to:
- store, at a data store, i) access right information for access rights provisioned to users of computing resources of a computing system, the access right information being stored in accordance with a data model that defines relationships between the access rights, the computing resources, and the users, and storing ii) role information for a plurality of roles assignable to the users, the role information indicating, for each role of the plurality of roles, a set of access rights associated with the role;
  
  retrieve, from a data store storing access right information respectively corresponding to one or more access rights of a computing system;
  
  perform one or more quality assurance tasks of a plurality of quality assurance tasks using the access right information; and
  
  wherein the plurality of quality assurance tasks comprise;
  
  a first quality assurance task comprising determining whether a set of access rights associated with a role of the plurality of roles matches a set of requested access rights indicated in a request to provision the requested access rights to one of the users,a second quality assurance task comprising determining whether to provide, to an access request system, a request to change access rights for one of the users or to withhold the request from the access request system based on whether the change indicated in the request has already occurred,a third quality assurance task comprising determining whether an access right provisioned to one of the users corresponds to an access right determined to have been used to access one of the computing resources of the computing system, anda fourth quality assurance task comprising determining whether an incomplete action item associated with one of the access rights has been incomplete for longer than a duration threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Moloian, Armen, Ritchey, Ronald W.
Primary Examiner(s)
Pham, Tuan A

Application Number

US14/267,564
Publication Number

US 20140289207A1
Time in Patent Office

985 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/215   Improving data quality; Dat...

G06F 16/2365   Ensuring data consistency a...

G06F 21/6209   to a single file or object,...

Quality assurance checks of access rights in a computing system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

220 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Quality assurance checks of access rights in a computing system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

220 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links