[FIG. 1, system 100: blocks labelled IAM Data Source (three of them), Logical Permission Spec, Access Request, Common IAM Data Model, Data Store, Physical Resources and IAM Analytical Tool 130]
Patent Application Publication Jun. 26, 2014 Sheet 1 of 33 US 2014/0181003 A1
FIG. 1
Patent Application Publication Jun. 26, 2014 Sheet 2 of 33 US 2014/0181003 A1
[FIG. 2, computing device 200: blocks labelled PROCESSOR, MEMORY and Operating System; reference numerals 203, 215, 217, 223, 229 and 231]
FIG. 2
Patent Application Publication Jun. 26, 2014 Sheet 3 of 33 US 2014/0181003 A1
[FIG. 3, method 300, flowchart steps:]
302  Implement common IAM data model at data store.
304  Retrieve IAM data from IAM data source.
306  Map IAM data from IAM data source to common IAM data model.
308  Store commonly formatted IAM data at data store implementing common IAM data model.
310  (step text not legible in the scan)
312  Extract integrated IAM data formatted according to common IAM data model.
314  Transform commonly formatted IAM data to format required by analytical tool.
316  Perform data analysis on IAM data.
FIG. 3
Patent Application Publication Jun. 26, 2014 Sheet 4 of 33 US 2014/0181003 A1
[FIG. 4, flowchart; step boxes as far as legible:]
- Identify and model business tasks, activities, processes and functions of the enterprise.
- Identify and model profiles and roles of the enterprise (408).
- Associate business tasks with business activities using the IAM data model.
- Associate business processes with business activities using the IAM data model.
- Associate business functions with business processes using the IAM data model.
- Associate business activities with logical permissions using the IAM data model.
- Receive a request for access to a logical resource as access request (424).
- Identify the logical resource in the ... (426).
- Determine the physical resource ... using IAM data model.
- Translate logical permission to a physical permission based on the physical permission specification for the physical resource; obtain physical permission specification for physical resource; initiate entitlement provisioning to the physical resource (430, 434).
FIG. 4
Patent Application Publication Jun. 26, 2014 Sheet 5 of 33 US 2014/0181003 A1
[FIG. 5, data model 500, entities: Physical Permission; Physical Permission to Access Rights and Resources; Profile to Physical Permission; Access Right; Physical Entitlement (ACL); Profile; User Account / Group; a second Physical Entitlement entity (label partly illegible); User Account; Group; Related Group; Resource; Person to Organization; Organization]
FIG. 5
Patent Application Publication Jun. 26, 2014 Sheet 6 of 33 US 2014/0181003 A1
[FIG. 6, data model 600, entities: Permission; Physical Permission; Logical Permission; Physical Permission Specification; Physical Permission to Access Rights and Resources; Logical Resource; Logical Resource to Resource; Resource]
FIG. 6
Patent Application Publication Jun. 26, 2014 Sheet 7 of 33 US 2014/0181003 A1
[FIG. 7, entities: Business Process; Business Activity to Business Process; Business Task; Business Task to Business Activity; Business Activity; Physical Entitlement (ACL); Person to Job Function; User Account; Group; User Account Group]
FIG. 7
Patent Application Publication Jun. 26, 2014 Sheet 8 of 33 US 2014/0181003 A1
[FIG. 8, data model 800, entities: Access Request Detail; Access Request Detail Action Type; Access Request Detail Item; Access Request Detail Event History; Access Request by Job Function; Access Request by Business Unit; Access Request by Physical Permission Specification]
FIG. 8
Patent Application Publication Jun. 26, 2014 Sheet 9 of 33 US 2014/0181003 A1
[FIG. 9, data model 900, entities: System Identifier (Person); Person; Access Request by Job Function; Person to Job Function; Job Function; Job Function to Business Activity; Business Activity; Business Activity to Access Right; Logical Permission; Logical Permission to Access Rights and Logical Resources; Logical Resource; Logical Resource to Resource; Resource]
FIG. 9
Patent Application Publication Jun. 26, 2014 Sheet 10 of 33 US 2014/0181003 A1
[FIG. 10, data model 1000, entities: Physical Permission; Logical Permission; Logical Resource; Physical Permission Specification; Logical Resource to Resource; Resource; Physical Permission to Access Rights and Resources; Physical Entitlement (ACL); User Account / Group]
FIG. 10
Patent Application Publication Jun. 26, 2014 Sheet 11 of 33 US 2014/0181003 A1
[FIG. 11, data model 1100, entities and attributes as far as legible: Authentication Rule (Rule ID); Rule to Attribute; Attribute Type; Attribute (Attribute ID, Attribute Description); Job Function; Authentication Factor; Attribute Value to ...; Attribute Value; Authorization Context; Authentication Context]
FIG. 11
Patent Application Publication Jun. 26, 2014 Sheet 13 of 33 US 2014/0181003 A1
[figure on this sheet: text not recoverable from the scan]
Patent Application Publication Jun. 26, 2014 Sheet 14 of 33 US 2014/0181003 A1
[FIG. 13, data model 1300, entities and attributes as far as legible: Attribute Value; Attribute Value to Authentication Context (Authentication Context ID, Attribute ID, Attr Value Effective Start Date Time); Authorization Decision (Rule ID); Provisioned Login Account (Auth PDP) - RBAC; Authentication Context (Authentication Context ID, Authentication Context Date Time <pi>); Provisioned Login Account (Auth PDP) - ACL; Authorization Decision; Digital Signature; Authentication Token; Provisioned Login Account (Auth PDP) - ABAC]
FIG. 13
Patent Application Publication Jun. 26, 2014 Sheet 15 of 33 US 2014/0181003 A1
[figure on this sheet: text not recoverable from the scan]