WO2007102966A1 - Management and application of entitlements - Google Patents

Info

Publication number
WO2007102966A1
Authority
WO
WIPO (PCT)
Prior art keywords
entitlements
entitlement
identity
workflow
identities
Prior art date
Application number
PCT/US2007/003125
Other languages
French (fr)
Inventor
Neil K. Koorland
Geeman Yip
Herman J. Man
Briant T. Kress
John H. Zibura
Original Assignee
Microsoft Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Microsoft Corporation
Priority to EP07717203A (EP1999714A1)
Priority to JP2008558272A (JP2009529182A)
Publication of WO2007102966A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0633 Workflow analysis

Definitions

  • Entitlements describe a capability that can be enabled or disabled for a given identity on a given application or system. Entitlements are usually granted to identities based on a business process. For example, each full-time employee may be given an email account if a manager approves. In this example, if the employee has full-time status, an e-mail notification would be sent to the manager for approval. Once the manager approval is received, an email account may be created for the employee. [0002] In a typical provisioning application, entitlements are applied inline with the business process. If entitlements are applied directly to an application, the executor of the business process would need permissions to the application to which the entitlement is being applied.
  • an identity integration server centrally manages data associated with entitlements for a plurality of identities.
  • the integration server may select one of a plurality of workflows.
  • One or more of a plurality of entitlements to be used in the workflow are selected, and a set of identities for which the workflow is applicable is selected. A determination is made as to whether the workflow should be run on the identities. If so, then the workflow is initiated. The one or more entitlements are then added to a granted entitlements list. Then, a separate process may be initiated to apply the one or more entitlements to the one or more identities.
  • the integration server receives a request to grant an entitlement to an identity.
  • the integration server determines whether the entitlement already exists. If so, then nothing has to be done. If not, then the entitlement may be granted. Another process may be initiated to apply the entitlement to the identity.
  • FIG. 1 is a block diagram illustrating an exemplary system for managing and applying entitlements.
  • FIG. 2 is a flow diagram illustrating an exemplary process for selecting and applying entitlements to selected identities.
  • FIG. 3 is a flow diagram illustrating an exemplary process for applying an entitlement to an identity upon request.
  • FIG. 4 is a screenshot illustrating an exemplary user interface for managing entitlements.
  • FIG. 5 is a screenshot illustrating an exemplary user interface for defining an identity rule.
  • FIG. 6 is a screenshot illustrating an exemplary user interface for defining a workflow.
  • FIG. 7 illustrates an exemplary computing environment in which certain aspects of the invention may be implemented.
  • FIG. 1 is a block diagram illustrating an exemplary system 100 for managing and applying entitlements.
  • Entitlements describe a capability that can be enabled or disabled for a given user and application.
  • Examples of entitlements include but are not limited to an account, such as a user account, an email account, or a mailbox, or an access right, such as remote system access or access to a shared site.
  • Entitlements may be granted or revoked based on a business process or workflow. For example, an email account may be granted to an employee after the employee's manager approves the account.
  • entitlements are defined globally within system 100.
  • Each entitlement has a unique identifier (ID).
  • ID corresponds to an entitlement definition that describes how the entitlement is enabled or disabled for an application.
  • the entitlement ID and definitions may be stored in a data store 110.
  • the business rules that define the business processes or workflows for approving the grant of an entitlement or for revoking an entitlement may be stored in a data store 112.
  • System 100 includes an identity integration server 102 to centrally manage the application of entitlements.
  • One or more directories such as 114 or 116, are coupled to the identity integration server 102 via a corresponding management agent, such as 104 or 106.
  • the identity integration server 102 maintains a data store 108 that stores metaverse objects.
  • Each metaverse object may have data that is associated with an identity managed by system 100. For example, a company may maintain metaverse objects that are associated with its employees.
  • Other examples of identities include but are not limited to users, groups, organizational roles, applications, or systems.
  • Each metaverse object may have a granted entitlements list (GEL) and a current entitlements list (CEL).
  • GEL granted entitlements list
  • CEL current entitlements list
  • the granted entitlements list is a list of the entitlements that the metaverse object should have according to the business rules.
  • An entry on the granted entitlements list may include but is not limited to a reference to the definition of the entitlement, a reference to the process that created the entry, and/or an operation to be done, such as adding or removing the entitlement.
  • the current entitlements list is a list of the entitlements that the metaverse object currently has based on the entitlement definitions configured in the identity integration server. [0021] When an entitlement is to be added or removed for an identity managed by the system 100, a request to add or remove the entitlement may be sent to the identity integration server 102. The business process or workflow that is associated with granting or revoking the entitlement is determined and initiated.
  • a reference of the entitlement may be set on the granted entitlements list of the metaverse object associated with the identity.
  • a separate process may be initiated to apply the entitlement through the management agent connector space to the appropriate connected directory. Since the application of the entitlements is decoupled from the business processes, the business processes do not have to know how entitlements are defined and applied.
  • the system may batch up entitlement requests. Furthermore, the evaluation of business processes and the application of entitlement references may be performed in parallel.
  • FIGS. 2-3 are flow diagrams illustrating exemplary processes for applying entitlements. While the description of FIGS. 2-3 may be made with reference to other figures, it should be understood that the exemplary processes illustrated in FIGS. 2-3 are not intended to be limited to being associated with the systems or other contents of any specific figure or figures. Additionally, it should be understood that while the exemplary processes of FIGS. 2-3 indicate a particular order of operation execution, in one or more alternative implementations the operations may be ordered differently. Furthermore, some of the steps and data illustrated in the exemplary processes of FIGS. 2-3 may not be necessary and may be omitted in some implementations. Finally, while the exemplary processes of FIGS. 2-3 contain multiple discrete steps, it should be recognized that in some environments some of these operations may be combined and executed at the same time.
  • FIG. 2 is a flow diagram illustrating an exemplary process for selecting and applying entitlements to selected identities.
  • a workflow is selected.
  • one or more of a plurality of entitlements to be used in the workflow are selected.
  • a set of identities for which the workflow is applicable is selected.
  • a determination is made as to whether the workflow should be run on the identities. If not, then at 280, the process may be complete. If so, then at 250, the workflow is initiated. At 260, the one or more entitlements are added to the GEL of the identities on which the workflow is run. If there is an approval process for the workflow, then this process is initiated before the application of the entitlements. Then, at 270, the next workflow is selected and the process is repeated from step 220.
  • FIG. 3 is a flow diagram illustrating an exemplary process for applying entitlements upon request.
  • a request is received to grant an entitlement for an identity.
  • the identity may be associated with a stored metaverse object.
  • a determination is made as to whether the requested entitlement already exists. If the requested entitlement already exists, then at 350, the process may be complete. If the requested entitlement does not exist, then at 330, the requested entitlement is granted. Then, at 340, a process may be initiated to apply the requested entitlement to the identity.
  • a similar process may be performed for a request to revoke an entitlement.
  • the entitlement does not exist, then nothing has to be done. If the entitlement does exist, then the entitlement is revoked.
  • FIG. 4 is a screenshot illustrating an exemplary user interface 400 for managing entitlements.
  • the interface includes identification and management of identity rules, as shown at 402, workflows such as shown at 404, and entitlements such as shown at 406.
  • the identity rules define the criteria for identifying the one or more of a plurality of identities that are selected for the application of one or more entitlements managed by the identity integration server.
  • an identity rule may specify criteria such as full-time employee, employee in the engineering department, and/or employee working in Building 8.
  • Each identity rule may have a precedence associated with it. For example, working in the engineering department may have a higher precedence than being a full-time employee.
  • the precedence indicator may be used to resolve conflicts between entitlements approved for groups of identities according to the identity rules. For example, suppose that being a full-time employee entitles you to an email account, but no remote system access. Suppose that being in the engineering department entitles you to remote system access. If an employee is full-time and in the engineering department, then after the corresponding workflows are executed, the employee may have a granted entitlement list that contains entitlements from being a full-time employee (such as an email account and no remote system access) and entitlements from being in the engineering department (such as remote system access).
  • the workflow definitions define a business process to follow to grant one or more entitlements for a selected identity. For example, the workflow may include sending an email to a manager or calling an administrator.
  • the business rules for a company may be such that an identity rule is sufficient and so therefore, no additional approval is needed within a workflow. For example, all full-time employees may be given an email account. Therefore, if an employee's status is full-time, then the workflow would grant an email account to the employee.
  • an entitlement definition describes how entitlements are enabled or disabled for applications.
  • an entitlement definition includes an assertion and flow rules.
  • the assertion is criteria that is used by the identity integration server to identify an entitlement.
  • the assertion is used to match object entitlements.
  • the assertion may be used to determine whether an object already exists in the connector space. If it does not, then an object may be created in the connector space.
  • For attribute entitlements the assertion is used to determine whether the attribute already exists and to populate the current entitlement list.
  • the flow rules are used to populate attributes for the entitlement.
  • An object entitlement may have initialize and persistent flow rules, while an attribute entitlement may just have persistent flow rules.
  • an attribute entitlement may have a dependent object, which has an ID of an object entitlement on which the attribute entitlement depends.
  • FIG. 5 is a screenshot illustrating an exemplary user interface 500 for defining an identity rule.
  • the identity rules define the criteria for identifying the one or more of a plurality of identities that are selected for the application of one or more entitlements managed by the identity integration server.
  • the identity rule 502 defines a group of identities that have an attribute of employee status equal to Full-Time Employee (FTE). Therefore, the group of identities that this identity rule refers to are the full-time employees of the company.
  • FIG. 6 is a screenshot illustrating an exemplary user interface 600 for defining a workflow.
  • the workflow definitions define a business process to follow to grant or revoke a selected entitlement for a selected identity.
  • the workflow 602 defines steps in a business process that includes sending an email to a manager. After the steps in this example business process have been taken, the entitlement is either approved or not approved. If the entitlement is approved for the identity, then a separate process may be initiated to apply the entitlement to the identity.
  • FIG. 7 illustrates an exemplary computing environment in which certain aspects of the invention may be implemented. It should be understood that computing environment 700 is only one example of a suitable computing environment in which the various technologies described herein may be employed and is not intended to suggest any limitation as to the scope of use or functionality of the technologies described herein.
  • computing environment 700 includes a general purpose computing device 710.
  • Components of computing device 710 may include, but are not limited to, a processing unit 712, a memory 714, a storage device 716, input device(s) 718, output device(s) 720, and communications connection(s) 722.
  • Processing unit 712 may include one or more general or special purpose processors, ASICs, or programmable logic chips.
  • memory 714 may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.) or some combination of the two.
  • Computing device 710 may also include additional storage (removable and/or non-removable) including, but not limited to, magnetic or optical disks or tape. Such additional storage is illustrated in Fig. 7 by storage 716.
  • Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.
  • Memory 714 and storage 716 are examples of computer storage media.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by computing device 710. Any such computer storage media may be part of computing device 710.
  • Computing device 710 may also contain communication connection(s) 722 that allow the computing device 710 to communicate with other devices, such as with other computing devices through network 730.
  • Communications connection(s) 722 is an example of communication media.
  • Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
  • the term 'modulated data signal' means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency, infrared, and other wireless media.
  • the term computer readable media as used herein includes storage media.
  • Computing device 710 may also have input device(s) 718 such as a keyboard, a mouse, a pen, a voice input device, a touch input device, and/or any other input device.
  • Output device(s) 720 such as one or more displays, speakers, printers, and/or any other output device may also be included.

Abstract

A method and system for managing and applying entitlements is described herein. An identity integration server centrally manages data associated with entitlements for a plurality of identities. The integration server may select one of a plurality of workflows. One or more of a plurality of entitlements to be used in the workflow are selected, and a set of identities for which the workflow is applicable is selected. A determination is made as to whether the workflow should be run on the identities. If so, then the workflow is initiated. The one or more entitlements are then added to a granted entitlements list. Then, a separate process may be initiated to apply the one or more entitlements to the one or more identities.

Description

MANAGEMENT AND APPLICATION OF ENTITLEMENTS
BACKGROUND
[0001] Entitlements describe a capability that can be enabled or disabled for a given identity on a given application or system. Entitlements are usually granted to identities based on a business process. For example, each full-time employee may be given an email account if a manager approves. In this example, if the employee has full-time status, an e-mail notification would be sent to the manager for approval. Once the manager approval is received, an email account may be created for the employee.
[0002] In a typical provisioning application, entitlements are applied inline with the business process. If entitlements are applied directly to an application, the executor of the business process would need permissions to the application to which the entitlement is being applied. In addition, it may be costly to enable the entitlements on the application depending on factors such as network traffic and system load. Different business processes may also be applying the same entitlement. In this case, the system may end up with redundant calls to the application. Furthermore, the system may apply the entitlement onto the application in an inconsistent manner.
SUMMARY
[0003] The following presents a simplified summary of the disclosure in order to provide a basic understanding to the reader. This summary is not an extensive overview of the disclosure and it does not identify key/critical elements of the invention or delineate the scope of the invention. Its sole purpose is to present some concepts disclosed herein in a simplified form as a prelude to the more detailed description that is presented later.
[0004] Described herein are various technologies and techniques directed to methods and systems for managing and applying entitlements. In accordance with one implementation of the described technologies, an identity integration server centrally manages data associated with entitlements for a plurality of identities. The integration server may select one of a plurality of workflows. One or more of a plurality of entitlements to be used in the workflow are selected, and a set of identities for which the workflow is applicable is selected. A determination is made as to whether the workflow should be run on the identities. If so, then the workflow is initiated. The one or more entitlements are then added to a granted entitlements list. Then, a separate process may be initiated to apply the one or more entitlements to the one or more identities.
[0005] In another implementation of the described technologies, the integration server receives a request to grant an entitlement to an identity. The integration server determines whether the entitlement already exists. If so, then nothing has to be done. If not, then the entitlement may be granted. Another process may be initiated to apply the entitlement to the identity.
[0006] Many of the attendant features will be more readily appreciated as the same becomes better understood by reference to the following detailed description considered in connection with the accompanying drawings.
DESCRIPTION OF THE DRAWINGS
[0007] The present description will be better understood from the following detailed description read in light of the accompanying drawings, wherein:
[0008] FIG. 1 is a block diagram illustrating an exemplary system for managing and applying entitlements.
[0009] FIG. 2 is a flow diagram illustrating an exemplary process for selecting and applying entitlements to selected identities.
[0010] FIG. 3 is a flow diagram illustrating an exemplary process for applying an entitlement to an identity upon request.
[0011] FIG. 4 is a screenshot illustrating an exemplary user interface for managing entitlements.
[0012] FIG. 5 is a screenshot illustrating an exemplary user interface for defining an identity rule.
[0013] FIG. 6 is a screenshot illustrating an exemplary user interface for defining a workflow.
[0014] FIG. 7 illustrates an exemplary computing environment in which certain aspects of the invention may be implemented.
[0015] Like reference numerals are used to designate like parts in the accompanying drawings.
DETAILED DESCRIPTION
[0016] The detailed description provided below in connection with the appended drawings is intended as a description of the present examples and is not intended to represent the only forms in which the present example may be constructed or utilized. The description sets forth the functions of the example and the sequence of steps for constructing and operating the example. However, the same or equivalent functions and sequences may be accomplished by different examples.
[0017] FIG. 1 is a block diagram illustrating an exemplary system 100 for managing and applying entitlements. Entitlements describe a capability that can be enabled or disabled for a given user and application. Examples of entitlements include but are not limited to an account, such as a user account, an email account, or a mailbox, or an access right, such as remote system access or access to a shared site. Entitlements may be granted or revoked based on a business process or workflow. For example, an email account may be granted to an employee after the employee's manager approves the account.
[0018] In system 100, the business processes are decoupled from the application of the entitlements. Entitlements are defined globally within system 100. Each entitlement has a unique identifier (ID). The entitlement ID corresponds to an entitlement definition that describes how the entitlement is enabled or disabled for an application. The entitlement ID and definitions may be stored in a data store 110. The business rules that define the business processes or workflows for approving the grant of an entitlement or for revoking an entitlement may be stored in a data store 112.
[0019] System 100 includes an identity integration server 102 to centrally manage the application of entitlements. One or more directories, such as 114 or 116, are coupled to the identity integration server 102 via a corresponding management agent, such as 104 or 106. The identity integration server 102 maintains a data store 108 that stores metaverse objects. Each metaverse object may have data that is associated with an identity managed by system 100. For example, a company may maintain metaverse objects that are associated with its employees. Other examples of identities include but are not limited to users, groups, organizational roles, applications, or systems.
[0020] Each metaverse object may have a granted entitlements list (GEL) and a current entitlements list (CEL). The granted entitlements list is a list of the entitlements that the metaverse object should have according to the business rules. An entry on the granted entitlements list may include but is not limited to a reference to the definition of the entitlement, a reference to the process that created the entry, and/or an operation to be done, such as adding or removing the entitlement. The current entitlements list is a list of the entitlements that the metaverse object currently has based on the entitlement definitions configured in the identity integration server.
[0021] When an entitlement is to be added or removed for an identity managed by the system 100, a request to add or remove the entitlement may be sent to the identity integration server 102. The business process or workflow that is associated with granting or revoking the entitlement is determined and initiated. When the business process or workflow is completed, a reference of the entitlement may be set on the granted entitlements list of the metaverse object associated with the identity.
Once the business process or workflow is completed, a separate process may be initiated to apply the entitlement through the management agent connector space to the appropriate connected directory. Since the application of the entitlements is decoupled from the business processes, the business processes do not have to know how entitlements are defined and applied. The system may batch up entitlement requests. Furthermore, the evaluation of business processes and the application of entitlement references may be performed in parallel.
[0022] FIGS. 2-3 are flow diagrams illustrating exemplary processes for applying entitlements. While the description of FIGS. 2-3 may be made with reference to other figures, it should be understood that the exemplary processes illustrated in FIGS. 2-3 are not intended to be limited to being associated with the systems or other contents of any specific figure or figures. Additionally, it should be understood that while the exemplary processes of FIGS. 2-3 indicate a particular order of operation execution, in one or more alternative implementations the operations may be ordered differently. Furthermore, some of the steps and data illustrated in the exemplary processes of FIGS. 2-3 may not be necessary and may be omitted in some implementations. Finally, while the exemplary processes of FIGS. 2-3 contain multiple discrete steps, it should be recognized that in some environments some of these operations may be combined and executed at the same time.
[0023] FIG. 2 is a flow diagram illustrating an exemplary process for selecting and applying entitlements to selected identities. At 210, a workflow is selected. At 220, one or more of a plurality of entitlements to be used in the workflow are selected. At 230, a set of identities for which the workflow is applicable is selected. At 240, a determination is made as to whether the workflow should be run on the identities. If not, then at 280, the process may be complete. If so, then at 250, the workflow is initiated. At 260, the one or more entitlements are added to the GEL of the identities on which the workflow is run. If there is an approval process for the workflow, then this process is initiated before the application of the entitlements. Then, at 270, the next workflow is selected and the process is repeated from step 220.
[0024] FIG. 3 is a flow diagram illustrating an exemplary process for applying entitlements upon request. At 310, a request is received to grant an entitlement for an identity. The identity may be associated with a stored metaverse object. At 320, a determination is made as to whether the requested entitlement already exists. If the requested entitlement already exists, then at 350, the process may be complete. If the requested entitlement does not exist, then at 330, the requested entitlement is granted. Then, at 340, a process may be initiated to apply the requested entitlement to the identity.
[0025] A similar process may be performed for a request to revoke an entitlement. If the entitlement does not exist, then nothing has to be done. If the entitlement does exist, then the entitlement is revoked.
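The grant/apply split of FIG. 1 (workflows only write to the GEL; a separate process applies GEL entries to the connected directory) together with the existence checks of FIG. 3 (steps 310 to 350), as an added Python model that is not the patent's code. The class and function names, the in-memory directory with its call counter, and the last-operation-wins batching of duplicate requests are assumptions made for illustration; the patent only says that requests may be batched.

```python
# Added example (not the patent's code): a toy identity integration server that
# records workflow decisions on a granted entitlements list (GEL) and applies them
# to a connected directory in a separate, idempotent apply step (FIGS. 1-3).
# All class and function names are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class GelEntry:
    entitlement_id: str  # reference to the entitlement definition
    created_by: str      # reference to the workflow/request that created the entry
    operation: str       # "add" or "remove"


@dataclass
class MetaverseObject:
    identity: str
    gel: List[GelEntry] = field(default_factory=list)  # what the identity should have
    cel: Set[str] = field(default_factory=set)         # what the identity currently has


class ConnectedDirectory:
    """Stand-in for a directory behind a management agent. Counting calls makes it
    visible that redundant requests do not turn into redundant applications."""

    def __init__(self) -> None:
        self.entitlements: Dict[str, Set[str]] = {}
        self.calls = 0

    def has(self, identity: str, entitlement_id: str) -> bool:
        return entitlement_id in self.entitlements.get(identity, set())

    def enable(self, identity: str, entitlement_id: str) -> None:
        self.calls += 1
        self.entitlements.setdefault(identity, set()).add(entitlement_id)

    def disable(self, identity: str, entitlement_id: str) -> None:
        self.calls += 1
        self.entitlements.get(identity, set()).discard(entitlement_id)


class IdentityIntegrationServer:
    def __init__(self, directory: ConnectedDirectory) -> None:
        self.directory = directory
        self.metaverse: Dict[str, MetaverseObject] = {}

    def request(self, identity: str, entitlement_id: str, operation: str, process: str) -> None:
        """Business-process side (FIG. 3, 310-330): record the decision on the GEL.
        The workflow never touches the directory, so it needs no rights on it."""
        if operation not in ("add", "remove"):
            raise ValueError(f"unknown operation {operation!r}")
        obj = self.metaverse.setdefault(identity, MetaverseObject(identity))
        obj.gel.append(GelEntry(entitlement_id, process, operation))

    def apply(self) -> List[Tuple[str, str, str]]:
        """Separate apply process (FIG. 3, 340): reconcile every metaverse object's GEL
        against the directory. Returns the (identity, entitlement, op) tuples actually
        performed; a request whose state already holds is a no-op (320/350)."""
        performed: List[Tuple[str, str, str]] = []
        for obj in self.metaverse.values():
            # Batch: collapse several requests for the same entitlement; the most
            # recent operation wins, so two workflows granting "email" apply it once.
            desired: Dict[str, str] = {}
            for entry in obj.gel:
                desired[entry.entitlement_id] = entry.operation
            for ent, op in desired.items():
                exists = self.directory.has(obj.identity, ent)
                if op == "add" and not exists:
                    self.directory.enable(obj.identity, ent)
                    performed.append((obj.identity, ent, "add"))
                elif op == "remove" and exists:
                    self.directory.disable(obj.identity, ent)
                    performed.append((obj.identity, ent, "remove"))
            # Refresh the CEL from what the directory now reports.
            obj.cel = set(self.directory.entitlements.get(obj.identity, set()))
        return performed


if __name__ == "__main__":
    d = ConnectedDirectory()
    s = IdentityIntegrationServer(d)
    s.request("alice", "email", "add", "wf-full-time")
    s.request("alice", "email", "add", "wf-engineering")  # redundant grant from a second workflow
    s.request("alice", "remote", "add", "wf-engineering")
    print(s.apply(), "directory calls:", d.calls)
```

Because the workflow only appends to the GEL, the business process needs no permissions on the directory; the apply step can run under one service identity and be audited in one place, and the call counter shows that two workflows granting the same entitlement produce a single directory call.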
[0026] FIG. 4 is a screenshot illustrating an exemplary user interface 400 for managing entitlements. The interface includes identification and management of identity rules, as shown at 402, workflows such as shown at 404, and entitlements such as shown at 406. The identity rules define the criteria for identifying the one or more of a plurality of identities that are selected for the application of one or more entitlements managed by the identity integration server. For example, an identity rule may specify criteria such as full-time employee, employee in the engineering department, and/or employee working in Building 8.
[0027] Each identity rule may have a precedence associated with it. For example, working in the engineering department may have a higher precedence than being a full-time employee. The precedence indicator may be used to resolve conflicts between entitlements approved for groups of identities according to the identity rules. For example, suppose that being a full-time employee entitles you to an email account, but no remote system access. Suppose that being in the engineering department entitles you to remote system access. If an employee is full-time and in the engineering department, then after the corresponding workflows are executed, the employee may have a granted entitlement list that contains entitlements from being a full-time employee (such as an email account and no remote system access) and entitlements from being in the engineering department (such as remote system access). Since being in the engineering department has a higher precedence than being a full-time employee, the employee is given an email account and remote system access. Suppose that the same employee then transfers to the human resources department and suppose that being in the human resources department does not have any additional entitlements associated with it. Then, the employee would only have an email account and would no longer have remote system access. In this way, an administrator may set up a standard set of entitlements for base identity rules and grant more specific entitlements to specific identity rules.
[0028] The workflow definitions define a business process to follow to grant one or more entitlements for a selected identity. For example, the workflow may include sending an email to a manager or calling an administrator. Alternatively, the business rules for a company may be such that an identity rule is sufficient and therefore no additional approval is needed within a workflow. For example, all full-time employees may be given an email account. Therefore, if an employee's status is full-time, then the workflow would grant an email account to the employee.
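The precedence resolution of paragraph [0027], carried through in code: each matching identity rule contributes its grants and denials to a granted entitlement list, the highest-precedence rule wins per entitlement, and a department transfer yields the set of entitlements to revoke. This is an added example, not code from the patent or from the identity integration server it describes. The rule names, the identity attributes (employee_status, department), the entitlement names and the tie-breaking rule (deny wins when two rules of equal precedence disagree) are assumptions; the patent does not specify how ties are broken.

```python
"""Identity rules with precedence resolving conflicting entitlements.

Added example mirroring paragraph [0027]; rule names, attribute names,
entitlement names and the tie-break rule are assumptions.
"""
from dataclasses import dataclass


@dataclass
class IdentityRule:
    name: str
    precedence: int        # higher value wins when two rules disagree on an entitlement
    criteria: dict         # identity attribute -> required value (all must match)
    entitlements: dict     # entitlement -> True (grant) or False (deny)

    def matches(self, identity: dict) -> bool:
        return all(identity.get(k) == v for k, v in self.criteria.items())


# Assumed rule set reproducing the scenario in [0027].
RULES = [
    IdentityRule("full-time employee", precedence=10,
                 criteria={"employee_status": "FTE"},
                 entitlements={"email_account": True, "remote_access": False}),
    IdentityRule("engineering department", precedence=20,
                 criteria={"department": "Engineering"},
                 entitlements={"remote_access": True}),
    IdentityRule("human resources department", precedence=20,
                 criteria={"department": "HR"},
                 entitlements={}),          # HR adds nothing beyond the base rules
]


def granted_entitlement_list(identity: dict, rules=RULES) -> list:
    """Everything the workflows of the matching rules would grant or deny, tagged
    with the precedence of the rule that produced it. Conflicts are kept here and
    resolved by effective_entitlements()."""
    out = []
    for rule in rules:
        if rule.matches(identity):
            for ent, granted in rule.entitlements.items():
                out.append((ent, granted, rule.precedence, rule.name))
    return out


def effective_entitlements(identity: dict, rules=RULES) -> set:
    """Per entitlement, the decision of the highest-precedence matching rule wins.
    On equal precedence a denial beats a grant (fail closed; assumed, not from the patent)."""
    decision = {}  # entitlement -> (precedence, granted)
    for ent, granted, prec, _ in granted_entitlement_list(identity, rules):
        current = decision.get(ent)
        if current is None or prec > current[0] or (prec == current[0] and not granted):
            decision[ent] = (prec, granted)
    return {ent for ent, (_, granted) in decision.items() if granted}


def entitlements_to_revoke(before: set, after: set) -> set:
    """Entitlements held before an attribute change that are no longer granted after it;
    this is the input to a revocation workflow of the kind claims 5 to 7 describe."""
    return before - after


if __name__ == "__main__":
    alice = {"employee_status": "FTE", "department": "Engineering"}
    print(effective_entitlements(alice))                  # email_account and remote_access
    moved = dict(alice, department="HR")
    print(entitlements_to_revoke(effective_entitlements(alice),
                                 effective_entitlements(moved)))  # remote_access
```

One thing the example makes visible that the paragraph does not: because rules match independently, the engineering-department rule grants remote access to anyone in that department, full-time or not. A rule set built this way has to be reviewed as a whole, since a narrow rule with high precedence silently overrides the denial in a base rule for every identity it matches.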
[0029] The entitlement definitions describe how entitlements are enabled or disabled for applications. An entitlement definition includes an assertion and flow rules. The assertion is criteria that is used by the identity integration server to identify an entitlement. The assertion is used to match object entitlements. The assertion may be used to determine whether an object already exists in the connector space. If it does not, then an object may be created in the connector space. For attribute entitlements, the assertion is used to determine whether the attribute already exists and to populate the current entitlement list. The flow rules are used to populate attributes for the entitlement. An object entitlement may have initialize and persistent flow rules, while an attribute entitlement may just have persistent flow rules. Furthermore, an attribute entitlement may have a dependent object, which has an ID of an object entitlement on which the attribute entitlement depends. For example, an Active Directory (AD) entitlement, which is an object entitlement, may have an assertion of PrimaryObjectClass = "user", an initialize flow rule of Password = "foobar", and persistent flow rules of {DisplayName} = Metaverse.DisplayName, PrimaryObjectClass = "user", and Dn = {DisplayName} + ou=Users, dc=Redmond, dc=Microsoft, dc=com. A Remote Access System (RAS) entitlement, which is an attribute entitlement, may have a dependent object of the ID of the AD user entitlement, an assertion of RAS = "true", and a persistent flow rule of RAS = "true".
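The AD object entitlement and the dependent RAS attribute entitlement of paragraph [0029], applied to a connector-space object: the assertion decides whether the object already exists, initialize flow rules run only on creation, persistent flow rules run on every pass, an attribute entitlement is refused until its dependent object entitlement is present, and the current entitlement list is rebuilt from what the connector space actually holds. This is an added example, not code from the patent or from the identity integration server. The entitlement ids ad-user and ras, the metaverse attribute name DisplayName and the dictionary layout of the connector space are assumptions. Two deliberate departures from the paragraph's literals: the initial password is generated per object with secrets.token_urlsafe instead of the fixed value shown, and the DisplayName is RFC 4514 escaped before it is spliced into Dn, since a display name containing a comma would otherwise add RDN components to the DN.

```python
"""Entitlement definitions: assertions and flow rules applied to a connector space.

Added example; ids, attribute names and the connector-space layout are assumptions.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class EntitlementDefinition:
    id: str
    kind: str                        # "object" or "attribute"
    assertion: dict                  # attr -> value identifying the entitlement in the connector space
    initialize_flow: dict = field(default_factory=dict)  # attr -> rule(mv), run once on creation
    persistent_flow: dict = field(default_factory=dict)  # attr -> rule(mv), run on every synchronization
    depends_on: str = None           # id of the object entitlement an attribute entitlement needs


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed inside a DN (my addition; the patent
    concatenates the DisplayName unescaped). 'Smith, John' -> 'Smith\\, John'."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


# Assumed definitions mirroring the AD and RAS examples in [0029].
AD_USER = EntitlementDefinition(
    id="ad-user", kind="object",
    assertion={"PrimaryObjectClass": "user"},
    initialize_flow={"Password": lambda mv: secrets.token_urlsafe(16)},  # random, not "foobar"
    persistent_flow={
        "DisplayName": lambda mv: mv["DisplayName"],
        "PrimaryObjectClass": lambda mv: "user",
        "Dn": lambda mv: "CN=" + escape_rdn_value(mv["DisplayName"])
                         + ",OU=Users,DC=Redmond,DC=Microsoft,DC=com",
    },
)
RAS = EntitlementDefinition(
    id="ras", kind="attribute",
    assertion={"RAS": "true"},
    persistent_flow={"RAS": lambda mv: "true"},
    depends_on="ad-user",
)


def assertion_holds(defn, cs_obj) -> bool:
    """True when the connector-space object satisfies the definition's assertion."""
    return cs_obj is not None and all(cs_obj.get(k) == v for k, v in defn.assertion.items())


def current_entitlements(cs_obj, definitions) -> set:
    """Populate the current entitlement list from what the connector space actually holds."""
    return {d.id for d in definitions if assertion_holds(d, cs_obj)}


def dependency_satisfied(defn, cs_obj, definitions) -> bool:
    """An attribute entitlement needs an object to live on, and its dependent
    object entitlement must already be present."""
    if defn.kind == "attribute" and cs_obj is None:
        return False
    if defn.depends_on is None:
        return True
    dep = next(d for d in definitions if d.id == defn.depends_on)
    return assertion_holds(dep, cs_obj)


def apply_entitlement(defn, mv, cs_obj, definitions):
    """Apply one entitlement for metaverse object mv; returns the connector-space object."""
    if not dependency_satisfied(defn, cs_obj, definitions):
        raise LookupError(f"{defn.id} depends on {defn.depends_on}, which is not present")
    if defn.kind == "object" and not assertion_holds(defn, cs_obj):
        # No object satisfying the assertion: create one and run the initialize flow rules once.
        cs_obj = {attr: rule(mv) for attr, rule in defn.initialize_flow.items()}
    for attr, rule in defn.persistent_flow.items():
        cs_obj[attr] = rule(mv)
    assert assertion_holds(defn, cs_obj), f"{defn.id}: flow rules did not establish the assertion"
    return cs_obj


def provision(mv, granted_ids, definitions, cs_obj=None):
    """Apply every granted entitlement, object entitlements first, and return the
    connector-space object together with the resulting current entitlement list."""
    by_id = {d.id: d for d in definitions}
    for ent_id in sorted(granted_ids, key=lambda i: (by_id[i].kind != "object", i)):
        cs_obj = apply_entitlement(by_id[ent_id], mv, cs_obj, definitions)
    return cs_obj, current_entitlements(cs_obj, definitions)


if __name__ == "__main__":
    cs, current = provision({"DisplayName": "Smith, John"}, {"ras", "ad-user"}, [AD_USER, RAS])
    print(cs["Dn"], sorted(current))
```

Running provision a second time over the object it produced leaves the password untouched, because the initialize flow rules only run when the assertion fails; that is the property that makes a fixed initialize value such as the one in the paragraph dangerous, since every newly created account would start with the same known secret until the user changes it.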
[0030] FIG. 5 is a screenshot illustrating an exemplary user interface 500 for defining an identity rule. The identity rules define the criteria for identifying the one or more of a plurality of identities that are selected for the application of one or more entitlements managed by the identity integration server. In this example, the identity rule 502 defines a group of identities that have an attribute of employee status equal to Full-Time Employee (FTE). Therefore, the group of identities that this identity rule refers to are the full-time employees of the company.
[0031] FIG. 6 is a screenshot illustrating an exemplary user interface 600 for defining a workflow. The workflow definitions define a business process to follow to grant or revoke a selected entitlement for a selected identity. In this example, the workflow 602 defines steps in a business process that includes sending an email to a manager. After the steps in this example business process have been taken, the entitlement is either approved or not approved. If the entitlement is approved for the identity, then a separate process may be initiated to apply the entitlement to the identity.
[0032] FIG. 7 illustrates an exemplary computing environment in which certain aspects of the invention may be implemented. It should be understood that computing environment 700 is only one example of a suitable computing environment in which the various technologies described herein may be employed and is not intended to suggest any limitation as to the scope of use or functionality of the technologies described herein. Neither should the computing environment 700 be interpreted as necessarily requiring all of the components illustrated therein.
[0033] The technologies described herein may be operational with numerous other general purpose or special purpose computing environments or configurations.
Examples of well known computing environments and/or configurations that may be suitable for use with the technologies described herein include, but are not limited to, personal computers, server computers, hand-held or laptop devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
[0034] With reference to FIG. 7, computing environment 700 includes a general purpose computing device 710. Components of computing device 710 may include, but are not limited to, a processing unit 712, a memory 714, a storage device 716, input device(s) 718, output device(s) 720, and communications connection(s) 722.
[0035] Processing unit 712 may include one or more general or special purpose processors, ASICs, or programmable logic chips. Depending on the configuration and type of computing device, memory 714 may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.) or some combination of the two. Computing device 710 may also include additional storage (removable and/or non-removable) including, but not limited to, magnetic or optical disks or tape. Such additional storage is illustrated in FIG. 7 by storage 716. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Memory 714 and storage 716 are examples of computer storage media.
Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by computing device 710. Any such computer storage media may be part of computing device 710.
[0036] Computing device 710 may also contain communication connection(s) 722 that allow the computing device 710 to communicate with other devices, such as with other computing devices through network 730. Communications connection(s) 722 is an example of communication media. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term 'modulated data signal' means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency, infrared, and other wireless media. The term computer readable media as used herein includes storage media.
[0037] Computing device 710 may also have input device(s) 718 such as a keyboard, a mouse, a pen, a voice input device, a touch input device, and/or any other input device. Output device(s) 720 such as one or more displays, speakers, printers, and/or any other output device may also be included.
[0038] While the invention has been described in terms of several exemplary implementations, those of ordinary skill in the art will recognize that the invention is not limited to the implementations described, but can be practiced with modification and alteration within the spirit and scope of the appended claims. The description is thus to be regarded as illustrative instead of limiting.

Claims

1. A method comprising: selecting one of a plurality of workflows; selecting one or more of a plurality of entitlements to be used in the selected workflow; selecting one or more of a plurality of identities for which the workflow is applicable; initiating the workflow on the one or more selected identities to grant the one or more entitlements to the one or more selected identities; and initiating a process to apply the one or more selected entitlements to the one or more selected identities.
2. The method of claim 1, wherein each identity is associated with a stored metaverse object.
3. The method of claim 1, further comprising determining whether a selected identity has a selected entitlement.
4. The method of claim 3, further comprising initiating the workflow when the selected identity does not have the selected entitlement.
5. The method of claim 1, further comprising determining a workflow for revoking a selected entitlement.
6. The method of claim 5, further comprising determining whether the selected identity has a selected entitlement that should be revoked.
7. The method of claim 6, further comprising initiating the workflow for revoking a selected entitlement when the selected identity has a selected entitlement that should be revoked.
8. The method of claim 1, wherein one or more of the plurality of entitlements is an account.
9. The method of claim 1, wherein one or more of the plurality of entitlements is an access right.
10. A system comprising: a data store to store metaverse objects, each metaverse object associated with an identity; one or more management agents coupled to one or more directories to send requests for entitlements and to apply entitlements to the corresponding directories; and an integration server coupled to the data store and to the one or more management agents to centrally manage data associated with entitlements for a plurality of identities, the integration server to receive the requests for entitlements from the management agents, to initiate corresponding workflows for the requests, and to initiate processes to apply the entitlements to the corresponding directories through the corresponding management agents.
11. The system of claim 10, where the integration server to maintain for each metaverse object a granted entitlements list indicating one or more entitlements that have been granted to the metaverse object via the corresponding workflows.
12. The system of claim 10, where the integration server to maintain for each metaverse object a current entitlements list indicating one or more entitlements the metaverse object currently has.
13. The system of claim 10, further comprising a data store coupled to the integration server to store workflows, each workflow associated with a business process to grant or revoke at least one of the entitlements for at least one of the identities managed by the integration server.
14. The system of claim 10, further comprising a data store coupled to the integration server to store definitions for the entitlements managed by the integration server.
15. One or more device-readable media with device-executable instructions for performing steps comprising: receiving a request to grant an entitlement to an identity, the identity associated with a metaverse object; determining a business process associated with granting the requested entitlement to the identity; initiating the business process to grant the requested entitlement to the identity; and initiating a separate process to apply the requested entitlement to the identity.
16. The one or more device-readable media of claim 15, wherein the steps further comprise adding the requested entitlement to a list of granted entitlements associated with the identity.
17. The one or more device-readable media of claim 15, wherein initiating a separate process to apply the requested entitlement to the identity comprises sending a request to a management agent to apply the requested entitlement to the identity.
18. The one or more device-readable media of claim 17, wherein the steps further comprise adding the requested entitlement to a list of current entitlements associated with the identity when the requested entitlement has been applied to the identity.
19. The one or more device-readable media of claim 15, wherein the requested entitlement is an account.
20. The one or more device-readable media of claim 15, wherein the requested entitlement is an access right.
PCT/US2007/003125 2006-03-06 2007-02-06 Management and application of entitlements WO2007102966A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP07717203A EP1999714A1 (en) 2006-03-06 2007-02-06 Management and application of entitlements
JP2008558272A JP2009529182A (en) 2006-03-06 2007-02-06 Entitlement management and enforcement

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/276,582 2006-03-06
US11/276,582 US7703667B2 (en) 2006-03-06 2006-03-06 Management and application of entitlements

Publications (1)

Publication Number Publication Date
WO2007102966A1 true WO2007102966A1 (en) 2007-09-13

Family

ID=38475180

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/003125 WO2007102966A1 (en) 2006-03-06 2007-02-06 Management and application of entitlements

Country Status (6)

Country Link
US (1) US7703667B2 (en)
EP (1) EP1999714A1 (en)
JP (1) JP2009529182A (en)
KR (1) KR20080106220A (en)
CN (1) CN101395632A (en)
WO (1) WO2007102966A1 (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8010786B1 (en) 2006-10-30 2011-08-30 Citigroup Global Markets Inc. Systems and methods for managing digital certificate based communications
US8095970B2 (en) * 2007-02-16 2012-01-10 Microsoft Corporation Dynamically associating attribute values with objects
US8880889B1 (en) 2007-03-02 2014-11-04 Citigroup Global Markets, Inc. Systems and methods for remote authorization of financial transactions using public key infrastructure (PKI)
US8819814B1 (en) * 2007-04-13 2014-08-26 United Services Automobile Association (Usaa) Secure access infrastructure
US20090187440A1 (en) * 2008-01-21 2009-07-23 Binny Gopinath Sreevas Method and system for facilitating security management in an electronic network
US20100043049A1 (en) * 2008-08-15 2010-02-18 Carter Stephen R Identity and policy enabled collaboration
US20120046989A1 (en) * 2010-08-17 2012-02-23 Bank Of America Corporation Systems and methods for determining risk outliers and performing associated risk reviews
US8959114B2 (en) * 2011-10-21 2015-02-17 Salesforce.Com, Inc. Entitlement management in an on-demand system
US9253113B2 (en) 2012-09-07 2016-02-02 Oracle International Corporation Customizable model for throttling and prioritizing orders in a cloud environment
US10148530B2 (en) 2012-09-07 2018-12-04 Oracle International Corporation Rule based subscription cloning
US8972725B2 (en) 2012-09-07 2015-03-03 Oracle International Corporation Security infrastructure for cloud services
US9621435B2 (en) 2012-09-07 2017-04-11 Oracle International Corporation Declarative and extensible model for provisioning of cloud based services
US9667470B2 (en) 2012-09-07 2017-05-30 Oracle International Corporation Failure handling in the execution flow of provisioning operations in a cloud environment
US10521746B2 (en) 2012-09-07 2019-12-31 Oracle International Corporation Recovery workflow for processing subscription orders in a computing infrastructure system
US20150262190A1 (en) * 2014-03-14 2015-09-17 Disney Enterprises, Inc. Methods and Systems for Determining Consumer Entitlements for Playback Interoperability
US10164901B2 (en) 2014-08-22 2018-12-25 Oracle International Corporation Intelligent data center selection
US9985992B1 (en) * 2014-09-19 2018-05-29 Jpmorgan Chase Bank, N.A. Entitlement system and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030009691A1 (en) * 2001-07-06 2003-01-09 Lyons Martha L. Centralized clearinghouse for entitlement information
US20040044895A1 (en) * 2002-08-27 2004-03-04 Reasons John D. Connected support entitlement system and method of operation
US20040064353A1 (en) * 2001-09-12 2004-04-01 Kim Yeong-Ho System and method for creating personalized template for monitoring workflows
US20050283372A1 (en) * 2004-06-16 2005-12-22 Jorgenson Daniel S System and method for linking user accounts to business entitlement objects
US20060041436A1 (en) * 2004-08-17 2006-02-23 International Business Machines Corporation System, method, service method, and program product for managing entitlement with identity and privacy applications for electronic commerce

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020049627A1 (en) * 1999-08-23 2002-04-25 Ravi Goli Data driven entitlement
US7389335B2 (en) * 2001-11-26 2008-06-17 Microsoft Corporation Workflow management based on an integrated view of resource identity
US20050060572A1 (en) * 2003-09-02 2005-03-17 Trulogica, Inc. System and method for managing access entitlements in a computing network
US7774365B2 (en) * 2004-08-31 2010-08-10 Morgan Stanley Organizational reference data and entitlement system
US7647423B2 (en) * 2005-04-29 2010-01-12 Morgan Stanley Workflow based and metadata driven reporting system

Also Published As

Publication number Publication date
EP1999714A1 (en) 2008-12-10
KR20080106220A (en) 2008-12-04
JP2009529182A (en) 2009-08-13
US20070215683A1 (en) 2007-09-20
CN101395632A (en) 2009-03-25
US7703667B2 (en) 2010-04-27

Similar Documents

Publication Publication Date Title
US7703667B2 (en) Management and application of entitlements
US7676831B2 (en) Role-based access control management for multiple heterogeneous application components
US7707298B2 (en) Secure sharing of LOB bound information in client applications
US8204949B1 (en) Email enabled project management applications
US20050289234A1 (en) Expanded membership access control in a collaborative environment
US20020059236A1 (en) Computer system with access control mechanism
US20120072970A1 (en) Chaining information card selectors
US7870101B2 (en) Method and apparatus for presentation of a security-focused repository with a party-focused repository
US20080244736A1 (en) Model-based access control
US7599959B2 (en) Centralized access and management for multiple, disparate data repositories
US8365261B2 (en) Implementing organization-specific policy during establishment of an autonomous connection between computer resources
KR20120062514A (en) Authorization apparatus and method under software as a service platform
CN102299915A (en) Access control based on network layer claims
US9355270B2 (en) Security configuration systems and methods for portal users in a multi-tenant database environment
CN114641768A (en) Controlling access to cloud resources in data using cloud-enabled data tagging and dynamic access control policy engine
US9356919B1 (en) Automated discovery of knowledge-based authentication components
US8290979B1 (en) Software architecture for access control based on hierarchical characteristics
WO2011057876A1 (en) Network system security management
US20120110011A1 (en) Managing application access on a computing device
US11709956B2 (en) Secure data broker
WO2009000276A1 (en) An identity management system for assigning end-users with access rights to systems coupled to a central server
US11632375B2 (en) Autonomous data source discovery
CN114095200A (en) Resource access authority management method and device, electronic equipment and medium
CN111414591A (en) Workflow management method and device
KR101702650B1 (en) Login control method and apparatus for active directory domain

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase
    Ref document number: 4241/CHENP/2008, Country of ref document: IN
WWE Wipo information: entry into national phase
    Ref document number: 1020087021493, Country of ref document: KR
WWE Wipo information: entry into national phase
    Ref document number: 200780008113.4, Country of ref document: CN
    Ref document number: 2008558272, Country of ref document: JP
NENP Non-entry into the national phase
    Ref country code: DE
WWE Wipo information: entry into national phase
    Ref document number: 2007717203, Country of ref document: EP