Scribd Logo
Fazer o upload

Bem-vindo(a) ao Scribd!

  • Common Data Model For Identity Access Management Data

    Enviado por

    Walter Macuada
    169 visualizações45 páginas
    Common Data Model for Identity Access Management Data

    Título original

    Common Data Model for Identity Access Management Data

    Direitos autorais

    © © All Rights Reserved

    Formatos disponíveis

    PDF, TXT ou leia online no Scribd

    Você considera este documento útil?

    Este conteúdo é inapropriado?

    Denunciar este documento
    Common Data Model for Identity Access Management Data

    Direitos autorais:

    © All Rights Reserved
    Baixe no formato PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    169 visualizações45 páginas

    Common Data Model For Identity Access Management Data

    Enviado por

    Walter Macuada
    Common Data Model for Identity Access Management Data

    Direitos autorais:

    © All Rights Reserved
    Baixe no formato PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    de 45

    US 20140181003A1

    (19) United States


    (12) Patent Application Publication (10) Pub. No.: US 2014/0181003 A1
    Kling et a]. (43) Pub. Date: Jun. 26, 2014

    (54) COMMON DATA MODEL FOR IDENTITY (52) US. Cl.


    ACCESS MANAGEMENT DATA CPC .............................. .. G06F 17/30592 (2013.01)
    USPC ........................................................ .. 707/600
    (71) Applicant: BANK OF AMERICA
    CORPORATION, Charlotte, NC (U S)
    (72) Inventors: John H. Kling, Bellevue, KY (US); (57) ABSTRACT
    Abdulkader Barbir, Ontario (CA);
    gynthla A'. FrICk .Newaik DE (Us);_
    adu Marian, Indian Trial, NC (US),
    A data model . for managing identity and access
    .
    management
    Ronald W. Ritchey Centreville, VA (IAM) data implemented at an electronic database may
    (Us) include a set of logical resource elements, a set of physical
    resource elements, and a set of access requests elements that
    (21) App1_ NO; 13/801,314 respectively model logical resources, physical resources, and
    access requests received at an access request manager of an
    (22) Filed: Mar. 13, 2013 enterprise. The physical resource elements may be respec
    tively associated With the logical resource elements such that
    Related US Application Data access rights for the physical resources may be obtained
    (60) provisional application No_ 61/740,205 ?led on Dec_ based on a logical resource speci?ed in the access request. A
    20, 2012~ system for managing IAM may include a mapping module
    con?gured to transform heterogeneous IAM data provided by
    Publication Classi?cation a plurality of IAM data sources into homogeneous IAM data
    formatted according to the common IAM data format. A data
    (51) Int. Cl. store may implement the IAM data model such that the data
    G06F 17/30 (2006.01) store is con?gured to store the homogeneous IAM data.

    / 100

    l.
    IAM IAM IAM
    Data Source Data Source Data Source
    M g m

    Logical
    Physical Resources
    Permission g
    Spec Access
    m Request
    Common IAM Data Model manager
    m m Physical
    Data Store i Resources
    E g

    IAM Analytlcal
    Q {C} Data Tool
    M

    130
    Patent Application Publication Jun. 26, 2014 Sheet 1 0f 33 US 2014/0181003 A1

    100
    .7/
    ?
    IAM IAM IAM
    Data Source Data Source Data Source
    M ? @

    . - - Logical

    .' Integrated ' Pgrrzigiacin k Resigces


    ' IAM Data ' S

    Q pec' Access
    -_ _ _ - Q g Request

    Common IAM Data Model manager


    102 w
    Physical

    Data Store Resources


    E P &

    Analytical
    Tool
    &

    130

    FIG. 1
    Patent Application Publication Jun. 26, 2014 Sheet2 0f 33 US 2014/0181003 A1

    215 1
    203 A PROCESSOR MEMORY

    217 1 Operating
    " System

    219 \_, APPLICATIONS


    /\ ROM DATA N

    209 '\ Input/Output LAN


    Module MODEM INTERFACE

    ? \ 4? 223
    z
    200 N 229 g

    231

    FIG. 2
    Patent Application Publication Jun. 26, 2014 Sheet 3 0f 33 US 2014/0181003 A1

    300

    302
    Implement common IAM data
    model at data store.

    l 304
    Retrieve IAM data from IAM data
    source.

    W
    306
    Map IAM data from IAM data
    source to common IAM data
    model.

    308
    Store commonly formatted IAM
    data at data store implementing
    common IAM data model.
    310

    / Additional IAM data


    stores?

    3
    N

    312
    Extract integrated IAM data
    formatted according to common
    IAM data model.

    W
    314
    Transform commonly formatted
    IAM data to format required by
    analytical too.

    V
    316
    Perform data analysis on IAM data.

    FIG. 3
    Patent Application Publication Jun. 26, 2014 Sheet 4 of 33 US 2014/0181003 A1

    Identify and model logical and Associate logical resources with


    Implement common IAM data be physical resources of an physical resources using IAM
    model at data store . ns
    402 enterprlse data model
    % 4_0

    5'
    Associate business tasks with Identify and model business .
    . . . . . . . . Identlfy and model pro?les and
    buslness actlwtles uslng the IAM tasks, actlvmes, processes and .
    . . we roles of the enterpnse
    data model functlons of the enterpnse 408
    m m

    F
    Associate business processes Associate business functions with Associate business activities with
    with business activities using the business processes using the IAM logical permissions using the IAM
    IAM data model data model data model
    M m 4_

    Associate job functions with . . .


    business activities using the IAM Ident'fy anti mm? 10!.) functlons Of
    data model 9 ezzeorpnse
    ?

    Receive a request for access to a Identify the logical resource in the Defggggttgg H%St'ggllge?aulrce
    logical resource as access request . g
    424 426 resource uslng IAM data model
    %

    Translate
    physlcal permlsslon
    loglcal permlsslon
    based onto g Obtain
    . . . physical permission
    . g ln|t|ate
    entltlement
    prowslonlng
    to theofphysical
    a physlcal
    . . . . . . ?e? speclflcatlon for physlcal resource at
    physlcal pennlsslon speclflcatlon g g resource
    434 m 430

    l'

    Provide access information for 400


    logical resource
    ?

    FIG. 4
    Patent Application Publication Jun. 26, 2014 Sheet 5 0f 33 US 2014/0181003 A1

    500
    Physical Permission //

    Physical Permission to Ac ce SS
    Profile to Physical Permission
    Rights and Resources

    i
    \
    t4
    y
    k,

    i A i
    Access Right Physical Entitlement ACL Profile

    l A
    i
    User Account / Group 4K]; PhyS'cakEBTglement

    A
    User Account Group Related Group

    Resource . . A

    Manager System Identlfler Party as

    System Identifier 5 Id _f_


    Resource ysteng ent' 'er >0l Person
    (Service ID) erson

    4}
    Person to A . .
    . . El>Il Organlzatlon
    Organlzatlon
    II

    I Resource -r" : Entity :

    FIG. 5
    Patent Application Publication Jun. 26, 2014 Sheet 6 0f 33 US 2014/0181003 A1

    600

    Permission

    A
    T
    Physical Permission
    Logical Permission lO< Physical Permission -O
    Specification

    Logical Permission to Access Access A Physical Permission Specification


    . . EDDl . lV<F .
    nghts and Loglcal Resources nght to Access nghts and Resources

    (% I")

    Physical Permission
    Logica| Resource to Access Rights and >0 "
    Resources

    Logical Resource to
    Resource

    i
    Resource :

    FIG. 6
    Patent Application Publication Jun. 26, 2014 Sheet 7 0f 33 US 2014/0181003 A1

    Business 700 Logical


    Function ?/ Permission

    Business Function to Incompatible Business Activity to


    Business Process Business Activity 593 Logical Permission

    I I

    A
    Business Activity to
    Business Process -Ic<E
    Business Process

    . ,7:
    Business Task to
    Busmess TaSk <E Business Activity

    A Physical Entitlement
    (ACL)
    Person to Job
    Function L 1

    it User
    Account
    Group

    Person System Identifier I i

    ? User User
    Q Account Account
    Group Group

    System Identifier System Identifier


    O< _
    (Person) (Resource Serwce ID)

    FIG. 7
    Patent Application Publication Jun. 26, 2014 Sheet 8 0f 33 US 2014/0181003 A1

    800

    Access Request Status ~Q0< Access Request Header

    t
    Access Request Detail Access Request Detail
    : O< Access Request Detail
    Action Type Item Event History
    A; w,

    Access Request Detail


    Event Type

    r__\

    Access Request by
    Access Request by Job Access Request by Physica| permission
    Function Business Unit Speci?cation

    Access Request by Access Request by


    Business Activity Logical Permission

    FIG. 8
    Patent Application Publication Jun. 26, 2014 Sheet 9 0f 33 US 2014/0181003 A1

    . . Access Access Request


    System Identlfler |O< User Account |0< >Ol
    Request Status

    21 A
    System Identifier Access Request by Job
    >0l- Person .
    (Person) Functlon

    Person to Job
    Business Activity Function =l>oi Job Function

    Job Function to
    ; r"
    <E Business Activity ED

    Business Activity to
    Access Right
    Logical Permission

    r t
    ()

    A
    Logical Permission to Access
    EDDl- Logical Resource
    Rights and Logical Resources

    i? i
    . . . | 4%
    Loglcal Perm|ss|on
    Logical Resource
    to Resource

    900"
    Resource

    FIG. 9
    Patent Application Publication Jun. 26, 2014 Sheet 10 0f 33 US 2014/0181003 A1

    1000

    Logical Permission to Access


    Access Right
    Rights and Logical Resources
    if

    Physical Permission
    ( )

    Jr if
    >ol- Logical Permission Logical Resource
    Specification

    l
    Physical Permission
    Specification
    ()

    Jr 2%
    Logical Resource to
    Resource KE Resource

    A
    Physical Permission to Access
    Rights and Resources

    (')
    A
    Physical Entitlement
    5[>;i- User Account / Group
    (ACL)

    User Account Group

    FIG. 10
    Patent Application Publication Jun. 26, 2014 Sheet 11 0f 33 US 2014/0181003 A1

    Autttenttcatimn Ruie r

    Facth 1 Ruie i8 <i>i>


    Crieaticn Ruie Ruie Name
    Ruie Sesciiptimt .
    Ruie Lagic P?iwy
    tn Ruie
    Attribute Vaiue
    Attribth it) <Qizii2> Ruie to
    Attribute Type <pi,ti2> Job iurtcticn
    Atit Vatue Effective Start Date "time <pi>
    Attribute Vaiue Autttenticaticm
    Ruie HQ <fii> Toktart
    Eitactivie End Gate Time.
    (Autit DP
    " t

    Ruie Tm Attribute
    Ruie it)
    mm Attribute ED
    Attribute Type

    Attribute Type
    Attribute Type < pi>

    Attribute
    Attribute iD Jcib Function
    Attribute "t"er <Diiti>
    Attribute: Dascripticn

    Authenticaticn
    Factar
    Attribute Vaiue ta
    t
    Attribute Vaiue
    Autiwrization
    Cmrttaxt
    Authenticatisn 1100
    Context
    FIG. 11
    Patent Application Publication Jun. 26, 2014 Sheet 13 0f 33 US 2014/0181003 A1

    Q12v4%t%h.
    2E2ms5wocuamnihq QwmAuaomgwio @avAmg3h5wjmcnev?m
    m@tEwAyzM?m"veaFm 2%E25%:t.h 3m35%Q>thQmSgaswmtahs
    mzc:umh $WEm3ac0Q4Oe s@a3w5men0 mmEA.mQUEQv
    Q35EmachAm@BoE&g0mqw.v_>>etn,uh
    wonsm :cD iw?m
    gram5m9:5ma2%?w.M,.nAeMvmim:a5mgnMmmhmogcwamozwtmah

    A?5v52meQ35m?Am
    c69omEuw.gp"G m5m@E85&AP9mQ?OeVv E"m3au2tk0w?$,nq
    =3.
    EmEmma,
    Patent Application Publication Jun. 26, 2014 Sheet 14 0f 33 US 2014/0181003 A1

    Attribute
    Vatue

    i
    Attribute Value tc: Authunticatiun Cuntext
    Authenticatiun Cuntext it) <pi tit>
    Attribute ED <Qi,ti2>
    Attribute ier <Qi ti2>
    Attr \faiue Effective Start Sate Time <ui ii2>
    Authurtzatiun Decisiun
    Ruieit % Provisicined Linqu Accuunt
    (Auch W3?) - RBAC

    Authutizattun Decistun
    Authenticatiun Eontaxt
    Authenticatiuti Ccntext ED
    Authentication Cuntaxt Date iimu
    <pi> t (Atiii'tz P9P) -ACL
    PTOVi$iU?d Luuin Account

    Authorizatiun Decisiun
    Digitat Signature {Auch PUP)Authentication
    Taken Tu AEAC
    Digitat Signature <ui> Provisiui'ied Lugin Accuunt

    Authenticationibka? (Auttt PD?)


    Taken
    Assess Corttrui tctentitit-at
    Authenticatiun Cuntext 533 Access
    Rute it) W Guntrcii
    Bigitai Signature idatititier
    Effective Start Date Tima
    Ettective End [Jatte time

    1300

    FIG. 13
    Patent Application Publication Jun. 26, 2014 Sheet 15 0f 33 US 2014/0181003 A1

    Q
    Agmmv m$nb3gmu Emi?;
    MQAcmEM?mv
    Em i

    Q3:5AE3aav2vA53 fAgwQ$vNian?E At;v Am v


    M?QgEm?SQ3A<MQ?O
    w@mE>28a5i93ug?ms0q 3%:mtA5%gEavi?mga,m .GE3.
    Am v

    Você também pode gostar