US 20140181003A1

(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2014/0181003 A1
Kling et al.                           (43) Pub. Date: Jun. 26, 2014

(54) COMMON DATA MODEL FOR IDENTITY ACCESS MANAGEMENT DATA

(71) Applicant: BANK OF AMERICA CORPORATION, Charlotte, NC (US)

(72) Inventors: John H. Kling, Bellevue, KY (US); Abdulkader Barbir, Ontario (CA); Cynthia A. Frick, Newark, DE (US); Radu Marian, Indian Trail, NC (US); Ronald W. Ritchey, Centreville, VA (US)

(21) Appl. No.: 13/801,314

(22) Filed: Mar. 13, 2013

Related U.S. Application Data

(60) Provisional application No. 61/740,205, filed on Dec. 20, 2012.

Publication Classification

(51) Int. Cl. G06F 17/30 (2006.01)
(52) U.S. Cl. CPC G06F 17/30592 (2013.01); USPC 707/600

(57) ABSTRACT

A data model for managing identity and access management (IAM) data implemented at an electronic database may include a set of logical resource elements, a set of physical resource elements, and a set of access request elements that respectively model logical resources, physical resources, and access requests received at an access request manager of an enterprise. The physical resource elements may be respectively associated with the logical resource elements such that access rights for the physical resources may be obtained based on a logical resource specified in the access request. A system for managing IAM may include a mapping module configured to transform heterogeneous IAM data provided by a plurality of IAM data sources into homogeneous IAM data formatted according to the common IAM data format. A data store may implement the IAM data model such that the data store is configured to store the homogeneous IAM data.

Patent Application Publication Jun. 26, 2014 Sheet 1 of 33 US 2014/0181003 A1

FIG. 1 (system 100): a plurality of IAM Data Sources feed the Common IAM Data Model (102) and its Data Store, which holds the Integrated IAM Data consumed by the Analytical Tool (130). The common model also covers the Logical Resources, the Physical Permission Spec, the Access Request Manager and the Physical Resources of the enterprise.
FIG. 2 (Sheet 2 of 33), computing device 200: Processor (203); Memory (215) holding Operating System (217), Applications (219) and Data; ROM; Input/Output Module (209); Modem; LAN Interface (223); elements 229 and 231.
FIG. 3 (Sheet 3 of 33), method 300:
302: Implement common IAM data model at data store.
304: Retrieve IAM data from IAM data source.
306: Map IAM data from IAM data source to common IAM data model.
308: Store commonly formatted IAM data at data store implementing common IAM data model.
310: Additional IAM data stores? (Y / N)
312: Extract integrated IAM data formatted according to common IAM data model.
314: Transform commonly formatted IAM data to format required by analytical tool.
316: Perform data analysis on IAM data.
FIG. 4 (Sheet 4 of 33), method 400:
402: Implement common IAM data model at data store.
Identify and model logical and physical resources of an enterprise.
Associate logical resources with physical resources using the IAM data model.
408: Identify and model profiles and roles of the enterprise.
Identify and model business tasks, activities, processes and functions of the enterprise.
Associate business tasks with business activities using the IAM data model.
Associate business processes with business activities using the IAM data model.
Associate business functions with business processes using the IAM data model.
Associate business activities with logical permissions using the IAM data model.
Identify and model job functions of the enterprise.
Associate job functions with business activities using the IAM data model.
424: Receive a request for access to a logical resource as access request.
426: Identify the logical resource in the access request.
Determine the physical resource associated with the logical resource using the IAM data model.
430: Obtain physical permission specification for physical resource.
Translate logical permission into physical permission based on physical permission specification.
Initiate provisioning of entitlement to the physical resource.
Provide access information for logical resource.
FIG. 5 (Sheet 5 of 33), data model 500 (physical permissions and parties): Physical Permission; Physical Permission to Access Rights and Resources; Profile to Physical Permission; Access Right; Physical Entitlement (ACL); Profile; User Account / Group; User Account; Group; Related Group; Resource Manager; System Identifier; Party; System Identifier (Person); System Identifier (Service ID); Resource; Person; Person to Organization; Organization; Entity.
FIG. 6 (Sheet 6 of 33), data model 600 (permissions): Permission, with subtypes Logical Permission and Physical Permission Specification; Physical Permission; Logical Permission to Access Rights and Logical Resources; Access Right; Physical Permission to Access Rights and Resources; Logical Resource; Logical Resource to Resource; Resource.
FIG. 7 (Sheet 7 of 33), data model 700 (business structure): Business Function; Business Function to Business Process; Business Process; Business Activity to Business Process; Business Activity; Incompatible Business Activity; Business Activity to Logical Permission; Logical Permission; Business Task to Business Activity; Business Task; Person to Job Function; Person; System Identifier (Person); System Identifier (Resource Service ID); User Account; Group; User Account Group; Physical Entitlement (ACL).
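The following Python program is an added example; it is not code from the patent or from the applicant. It expresses the associations drawn in FIGs. 3, 4, 6 and 7 as a few dictionaries, then exercises three things the figures describe: the mapping module of FIG. 3 (two constructed exports in unrelated formats, a directory group dump and a database GRANT log, normalised into Physical Entitlements), the translation of an access request for a logical permission into the Physical Permission Specifications to provision (FIG. 4, steps 424 through 434), and the Incompatible Business Activity association of FIG. 7 used as a separation-of-duties check. The entity names ("General Ledger", "GL Accountant", the system names "AD" and "LedgerDB"), the export formats, the two sample persons and the incompatible-activity pair are all assumptions made for the example.

```python
"""Added example, not code from the patent: the common IAM data model of FIGs. 3, 4,
6 and 7 as Python dicts, a mapping module for two constructed heterogeneous exports,
logical-to-physical translation of an access request, and a separation-of-duties
check on incompatible business activities. All names and data are assumptions."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PhysicalPermissionSpec:
    """An access right on a physical resource of one system (FIG. 6)."""
    system: str
    resource: str
    access_right: str


@dataclass
class CommonIAMModel:
    """Homogeneous IAM data, one dict per association of FIGs. 6 and 7.
    Logical permissions are (logical resource, access right) tuples."""
    logical_to_physical: dict = field(default_factory=dict)      # logical perm -> {spec}
    activity_to_logical: dict = field(default_factory=dict)      # activity -> {logical perm}
    job_function_to_activities: dict = field(default_factory=dict)
    person_to_job_functions: dict = field(default_factory=dict)
    entitlements: dict = field(default_factory=dict)             # person -> held {spec} (ACL)
    incompatible: set = field(default_factory=set)               # {frozenset({act_a, act_b})}


# Mapping module (FIG. 3, 304-308): two constructed exports in unrelated formats.
AD_EXPORT = ["GL_Post\tjdoe;asmith", "GL_Approve\tjdoe"]  # group<TAB>member;member
DB_EXPORT = ["GRANT SELECT ON ledger TO asmith", "GRANT UPDATE ON ledger TO jdoe"]
GRANT_RE = re.compile(r"^GRANT (\w+) ON (\w+) TO (\w+)$")


def map_ad_export(model, lines):
    """Directory group membership export -> physical entitlements in the common model."""
    for line in lines:
        group, members = line.split("\t", 1)
        for member in filter(None, members.split(";")):
            model.entitlements.setdefault(member, set()).add(PhysicalPermissionSpec("AD", group, "member"))


def map_db_export(model, lines):
    """Database GRANT log -> physical entitlements; returns rows left unmapped (never guessed)."""
    unmapped = 0
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if m is None:
            unmapped += 1
            continue
        right, table, user = m.groups()
        model.entitlements.setdefault(user, set()).add(PhysicalPermissionSpec("LedgerDB", table, right))
    return unmapped


def build_model():
    """Assumed enterprise model (FIG. 4, 404-422) with both exports mapped into it."""
    P = PhysicalPermissionSpec
    model = CommonIAMModel(
        logical_to_physical={
            ("General Ledger", "post"): {P("AD", "GL_Post", "member"), P("LedgerDB", "ledger", "UPDATE")},
            ("General Ledger", "approve"): {P("AD", "GL_Approve", "member")},
            ("General Ledger", "read"): {P("LedgerDB", "ledger", "SELECT")}},
        activity_to_logical={"Post journal entry": {("General Ledger", "post")},
                             "Approve journal entry": {("General Ledger", "approve")},
                             "Review ledger": {("General Ledger", "read")}},
        job_function_to_activities={"GL Accountant": {"Post journal entry", "Review ledger"},
                                    "GL Controller": {"Approve journal entry", "Review ledger"}},
        person_to_job_functions={"jdoe": {"GL Accountant"}, "asmith": {"GL Accountant"}},
        incompatible={frozenset({"Post journal entry", "Approve journal entry"})})
    map_ad_export(model, AD_EXPORT)
    map_db_export(model, DB_EXPORT)
    return model


def resolve_access_request(model, logical_resource, access_right):
    """FIG. 4, 424-434: physical permission specs to provision for a requested logical permission."""
    key = (logical_resource, access_right)
    if key not in model.logical_to_physical:
        raise KeyError(f"no physical permission specification mapped for {key}")
    return frozenset(model.logical_to_physical[key])


def expected_entitlements(model, person):
    """Specs a person's job functions justify: person -> job function -> activity -> logical -> physical."""
    specs = set()
    for jf in model.person_to_job_functions.get(person, ()):
        for activity in model.job_function_to_activities.get(jf, ()):
            for lp in model.activity_to_logical.get(activity, ()):
                specs |= model.logical_to_physical.get(lp, set())
    return specs


def orphan_entitlements(model, person):
    """Held ACL entries that no job function explains (FIG. 3, step 316 analysis)."""
    return model.entitlements.get(person, set()) - expected_entitlements(model, person)


def activities_granted(model, person):
    """Activities the held entitlements really enable: every spec of every needed logical permission is held."""
    held = model.entitlements.get(person, set())
    granted = set()
    for activity, lps in model.activity_to_logical.items():
        needed = set().union(*(model.logical_to_physical.get(lp, set()) for lp in lps))
        if needed and needed <= held:
            granted.add(activity)
    return granted


def sod_violations(model, person):
    """Incompatible activity pairs (FIG. 7) one person can perform, judged on actual entitlements."""
    granted = activities_granted(model, person)
    return {pair for pair in model.incompatible if pair <= granted}
```

Two design choices matter here. First, the separation-of-duties check is judged on the physical entitlements actually held, not on the job functions assigned: in the sample data jdoe's GL_Approve membership is not justified by any job function (it is reported by orphan_entitlements), and it is exactly that orphan that completes the toxic post-plus-approve pair, so a check run on roles alone would miss it. Second, the GRANT parser counts rows it cannot parse instead of guessing at them, because a silently dropped grant becomes an entitlement the analysis never sees.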
FIG. 8 (Sheet 8 of 33), data model 800 (access requests): Access Request Header; Access Request Status; Access Request Detail; Access Request Detail Action Type; Access Request Detail Item; Access Request Detail Event History; Access Request Detail Event Type; request subtypes Access Request by Job Function, Access Request by Business Unit, Access Request by Physical Permission Specification, Access Request by Business Activity, and Access Request by Logical Permission.
FIG. 9 (Sheet 9 of 33), data model 900 (access request by job function): System Identifier; User Account; Access Request; Access Request Status; System Identifier (Person); Person; Access Request by Job Function; Job Function; Person to Job Function; Job Function to Business Activity; Business Activity; Business Activity to Logical Permission; Logical Permission; Access Right; Logical Permission to Access Rights and Logical Resources; Logical Resource; Logical Resource to Resource; Resource.
FIG. 10 (Sheet 10 of 33), data model 1000 (logical to physical permission): Logical Permission to Access Rights and Logical Resources; Access Right; Physical Permission; Logical Permission; Logical Resource; Physical Permission Specification; Logical Resource to Resource; Resource; Physical Permission to Access Rights and Resources; Physical Entitlement (ACL); User Account / Group; User Account Group.
FIG. 11 (Sheet 11 of 33), data model 1100 (authentication rules and attributes), as far as legible: Authentication Rule; Factor; Rule (Rule ID, Rule Name, Rule Description, Rule Logic, Policy); Rule to Attribute Value (Attribute ID, Attribute Type, Attr Value Effective Start Date Time, Rule ID, Effective End Date Time); Rule to Job Function; Rule to Attribute (Rule ID, Attribute ID, Attribute Type); Attribute Type; Attribute (Attribute ID, Attribute Type, Attribute Description); Attribute Value; Authentication Token; Job Function; Authentication Factor; Attribute Value to Authorization Context; Authentication Context.
Sheet 13 of 33: figure not legible in the scan.
FIG. 13 (Sheet 14 of 33), data model 1300 (authentication context and authorization decisions), as far as legible: Attribute Value; Attribute Value to Authentication Context (Authentication Context ID, Attribute ID, Attribute Type, Attr Value Effective Start Date Time); Authorization Decision Rule (Auth PDP) - RBAC; Provisioned Login Account; Authorization Decision; Authentication Context (Authentication Context ID, Authentication Context Date Time); Authorization Decision (Auth PDP) - ACL; Authorization Decision Digital Signature (Auth PDP); Authentication Token to ABAC; Digital Signature; Authentication Token (Auth PDP); Token; Access Control Identifier; Authentication Context; Rule ID; Effective Start Date Time; Effective End Date Time.
Sheet 15 of 33: figure not legible in the scan.