Access requests at IAM system implementing IAM data model
First Claim
1. A computer-implemented method of provisioning access rights to physical computing resources comprising:
- receiving, at a computing device, a request to provision one or more access rights for a user account wherein the request specifies a business activity;
identifying, by the computing device, a set of logical permissions based, at least in part, on the request by obtaining a set of business tasks associated with the business activity and identifying, as the set of logical permissions, one or more logical permissions respectively associated with individual business tasks in the set of business tasks;
deriving, by the computing device, a set of logical entitlements based, at least in part, on the set of logical permissions;
translating, by the computing device, the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications wherein each one of the physical permission specifications in the set of physical permission specifications is associated with one of the logical permissions in the set of logical permissions; and
provisioning, by the computing device, access rights for the user account to at least one physical computing resource indicated in the physical entitlement specification.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification.
235 Citations
7 Claims
-
1. A computer-implemented method of provisioning access rights to physical computing resources comprising:
-
receiving, at a computing device, a request to provision one or more access rights for a user account wherein the request specifies a business activity; identifying, by the computing device, a set of logical permissions based, at least in part, on the request by obtaining a set of business tasks associated with the business activity and identifying, as the set of logical permissions, one or more logical permissions respectively associated with individual business tasks in the set of business tasks; deriving, by the computing device, a set of logical entitlements based, at least in part, on the set of logical permissions; translating, by the computing device, the set of logical entitlements to a physical entitlement specification based, at least in part, on a set of physical permission specifications wherein each one of the physical permission specifications in the set of physical permission specifications is associated with one of the logical permissions in the set of logical permissions; and provisioning, by the computing device, access rights for the user account to at least one physical computing resource indicated in the physical entitlement specification. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
Specification
-
- Resources
-
Current AssigneeBank of America Corp.
-
Original AssigneeBank of America Corp.
-
InventorsKling, John, Thompson, Bryan, Green, Ward
-
Primary Examiner(s)LE, THU NGUYET T
-
Application NumberUS14/879,488Publication NumberTime in Patent Office480 DaysField of Search707/781, 707/783US Class Current1/1CPC Class CodesG06F 16/176 Support for shared access t...G06F 21/31 User authenticationG06F 21/6218 to a system of files or obj...G06F 2221/2141 Access rights, e.g. capabil...G06Q 10/10 Office automation; Time man...H04L 63/0281 ProxiesH04L 63/08 for authentication of entit...H04L 63/10 for controlling access to d...H04L 63/102 Entity profilesH04L 63/105 Multiple levels of securityH04L 63/20 for managing network securi...
