The dynamic profile access control tool 10 as shown in
Examples of some resource type policies and instance type policies are as follows:
In an exemplary embodiment, the policy repository 16 is a database but it should not be limited to only database technologies. One of ordinary skill in the art will recognize that the policy repository 16 can be any data repository such as extensible markup language (XML) files.
Referring back to
The dynamic profile access control tool 10 comprises a dynamic user group formation component 20 configured to obtain the policy from the policy repository 16 and the hierarchical structure from the hierarchical structure repository 18 and dynamically form a user group based on the policy and hierarchical structure. After retrieving the policy from the policy repository 16 and the hierarchical structure from the hierarchical structure repository 18, the dynamic user group formation component 20 applies the specifications of the policy to the retrieved hierarchical structure and determines which members in the organization meet the specifications. Members that meet the specifications are used to form the user group. The formation of the user group is dynamic because the dynamic user group formation component 20 is able to pull the policy and compare it against the current hierarchical structure to generate a group of users that shall be granted permissions for a specific resource every time someone makes an access request for a resource. In a static process, the user group is always the same and does not change because it is assumed that all members of the group are known; there would be no need to check for a current hierarchical structure. If one wanted to account for the current hierarchical structure, the user groups would have to be changed manually, adding or deleting names for any changes that may have occurred.
The dynamic profile access control tool 10 also comprises a permissions component 22 that is configured to use the user groups formed by the dynamic user group formation component 20 to grant access permissions to protected resources. As mentioned above, permissions as used in this disclosure vary in scope and can mean allowing members to perform a number of possible actions on a resource such as viewing, editing, adding, deleting, modifying, approving and administrating.
As shown in
A communication network such as an electronic or wireless network connects the computing units 14 to the dynamic profile access control tool 10.
Once the dynamic profile access control tool has received an access request, it will retrieve, at 34, the policy for the specified resource that the user is interested in from the policy repository. In addition, the dynamic profile access control tool obtains the hierarchical structure from the hierarchical structure repository at 36. Using the current policy for the specified resource and the current hierarchical structure, the dynamic user group formation component will dynamically form a user group at 38. In particular, the dynamic user group formation component applies the rules of the policy that govern the particular resource to the retrieved hierarchical structure to determine which members in the hierarchy of the organization meet the specifications of the rule. Generally, members that meet the specifications are used to form the user group and people that do not meet the specifications are excluded from the group. The permissions component will treat the dynamically formed user group as a subject and either grant permission or revoke permission to the individual or group of elements making the request at 40. In particular, the permissions component will grant permission to the resource only if the individual or group of elements making the request is a member of the dynamically formed user group.
In this example, the dynamic profile access control tool 10 would dynamically form the user groups after retrieving the policy for the scorecard and the hierarchical structure. In particular, the dynamic profile access control tool 10 would ascertain that node 45 is a scorecard owner and, based on the policy and hierarchical structure, determine that nodes 46 and 47, as well as nodes 48 and 49, can read the scorecard, and that node 46 can approve the scorecard. The dynamically formed user group in this example would comprise nodes 46-49 as members.
For policy 44, there would be visibility only one level up and one level down. If node 50 were the owner of a particular resource, then only node 51, which is one level above node 50, and node 52, which is one level below node 50, would have visibility or read permissions for the resource. In this example, the dynamic profile access control tool 10 would dynamically form the user group after retrieving this visibility policy and the hierarchical structure. In particular, the dynamic profile access control tool 10 would ascertain that node 50 is an owner and, based on the policy and hierarchical structure, determine that nodes 51 and 52 can read the resource. The dynamically formed user group in this example would comprise nodes 51-52.
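The following is an added illustration of the dynamic user group formation and permission check described above (components 20 and 22 and the scorecard and policy 44 examples); it is not code from the disclosure. The hierarchy, node names, rule format and function names are all constructed assumptions. A rule grants one action to members at a relative position to the resource owner (ancestors or descendants, limited to a number of levels or unlimited); the group is recomputed from the current hierarchy on every access check, so a change in the hierarchy changes the outcome without any manual edit of the group, and a requester that the policy does not place in the group is denied.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed organizational hierarchy: child -> parent (None for the root).
# These names are illustrative placeholders, not the numbered nodes of the figures.
HIERARCHY: Dict[str, Optional[str]] = {
    "ceo": None,
    "vp_eng": "ceo",
    "mgr_a": "vp_eng",
    "dev_1": "mgr_a",
    "dev_2": "mgr_a",
    "mgr_b": "vp_eng",
    "dev_3": "mgr_b",
}


@dataclass(frozen=True)
class Rule:
    """One policy rule: grant `action` to members `levels` steps from the owner
    in `direction` ("up" = ancestors, "down" = descendants); levels=None is unlimited."""
    action: str
    direction: str
    levels: Optional[int]


# Analogue of the page's policy 44: read visibility one level up and one level down.
VISIBILITY_POLICY: List[Rule] = [Rule("read", "up", 1), Rule("read", "down", 1)]

# Analogue of the scorecard policy: everyone below the owner may read,
# the owner's direct superior may also approve.
SCORECARD_POLICY: List[Rule] = [
    Rule("read", "down", None),
    Rule("read", "up", 1),
    Rule("approve", "up", 1),
]


def ancestors(hierarchy: Dict[str, Optional[str]], node: str, levels: Optional[int]) -> List[str]:
    """Walk parent links upward from `node`, at most `levels` steps (None = to the root)."""
    out: List[str] = []
    cur = hierarchy.get(node)
    while cur is not None and (levels is None or len(out) < levels):
        out.append(cur)
        cur = hierarchy.get(cur)
    return out


def descendants(hierarchy: Dict[str, Optional[str]], node: str, levels: Optional[int]) -> List[str]:
    """Breadth-first walk downward from `node`, at most `levels` generations (None = all)."""
    out: List[str] = []
    frontier = [node]
    depth = 0
    while frontier and (levels is None or depth < levels):
        frontier = [child for child, parent in hierarchy.items() if parent in frontier]
        out.extend(frontier)
        depth += 1
    return out


def form_user_group(hierarchy: Dict[str, Optional[str]], policy: List[Rule], owner: str) -> Dict[str, Set[str]]:
    """Apply every rule of the policy to the current hierarchy and return
    {member: {granted actions}} -- the dynamically formed user group (component 20)."""
    group: Dict[str, Set[str]] = {}
    for rule in policy:
        if rule.direction == "up":
            members = ancestors(hierarchy, owner, rule.levels)
        elif rule.direction == "down":
            members = descendants(hierarchy, owner, rule.levels)
        else:
            raise ValueError(f"unknown direction {rule.direction!r}")
        for member in members:
            group.setdefault(member, set()).add(rule.action)
    return group


def is_permitted(hierarchy: Dict[str, Optional[str]], policy: List[Rule],
                 owner: str, requester: str, action: str) -> bool:
    """Permissions component (22): rebuild the group on each request and grant
    only if the requester is in it with the requested action; deny otherwise."""
    group = form_user_group(hierarchy, policy, owner)
    return action in group.get(requester, set())


def demo_hierarchy_change() -> tuple:
    """Show the dynamic behaviour: a newly added report of the owner gains read
    access on the next request without anyone editing a stored group."""
    before = is_permitted(HIERARCHY, VISIBILITY_POLICY, "mgr_a", "dev_4", "read")
    changed = dict(HIERARCHY, dev_4="mgr_a")  # constructed org change: new hire under mgr_a
    after = is_permitted(changed, VISIBILITY_POLICY, "mgr_a", "dev_4", "read")
    return before, after


if __name__ == "__main__":
    print(form_user_group(HIERARCHY, VISIBILITY_POLICY, "mgr_a"))
    print(form_user_group(HIERARCHY, SCORECARD_POLICY, "mgr_a"))
    print(demo_hierarchy_change())
```

Two points worth noting from a defender's view: the check is deny-by-default (an empty group entry yields `False`), and the group is never persisted, so a stale membership list cannot outlive a reorganization. In a real deployment the hierarchy lookup should be read from the authoritative directory at request time, and the cost of recomputing the group per request is the price paid for that freshness.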
A benefit associated with the approach described herein is that a consistent business-rule-based access model is applied to better govern access to critical business information. This is especially important in the current business climate, where organizations are refocused on better management of information, as well as on ensuring that their competitive assets and knowledge are not compromised. As such organizations go through their natural evolution, they are not forced to constantly re-evaluate membership rules, since these are generically applied based on the business rules and dynamic grouping. This will also decrease complexity as it relates to individual policies, as the asset can be leveraged in multiple compliance and business related venues where rules are common as to transparency and individual access. Another benefit of this approach is that it allows for flexibility of access assignment by applying standard and inverted hierarchical constraints on access and transparency.
In the computing environment 100 there is a computer 102 which is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with an exemplary computer 102 include, but are not limited to, personal computers, server computers, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
The exemplary computer 102 may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, logic, data structures, and so on, that perform particular tasks or implement particular abstract data types. The exemplary computer 102 may be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
As shown in
Bus 108 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The computer 102 typically includes a variety of computer readable media. Such media may be any available media that is accessible by computer 102, and it includes both volatile and non-volatile media, removable and non-removable media.
In
Computer 102 may further include other removable/non-removable, volatile/non-volatile computer storage media. By way of example only,
The drives and their associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, program modules, and other data for computer 102. Although the exemplary environment described herein employs a hard disk 116, a removable magnetic disk 118 and a removable optical disk 122, it should be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, random access memories (RAMs), read only memories (ROM), and the like, may also be used in the exemplary operating environment.
A number of program modules may be stored on the hard disk 116, magnetic disk 120, optical disk 122, ROM 112, or RAM 110, including, by way of example, and not limitation, an operating system 128, one or more application programs 130 (e.g., dynamic profile access control tool 10), other program modules 132, and program data 134.
Each of the operating system 128, one or more application programs 130, other program modules 132, and program data 134, or some combination thereof, may include an implementation of the dynamic profile access control tool 10 of
A user may enter commands and information into computer 102 through optional input devices such as a keyboard 136 and a pointing device 138 (such as a “mouse”). Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, serial port, scanner, camera, or the like. These and other input devices are connected to the processor unit 104 through a user input interface 140 that is coupled to bus 108, but may be connected by other interface and bus structures, such as a parallel port, game port, or a universal serial bus (USB).
An optional monitor 142 or other type of display device is also connected to bus 108 via an interface, such as a video adapter 144. In addition to the monitor, personal computers typically include other peripheral output devices (not shown), such as speakers and printers, which may be connected through output peripheral interface 146.
Computer 102 may operate in a networked environment using logical connections to one or more remote computers, such as a remote server/computer 148. Remote computer 148 may include many or all of the elements and features described herein relative to computer 102.
Logical connections shown in
In a networked environment, program modules depicted relative to the personal computer 102, or portions thereof, may be stored in a remote memory storage device. By way of example, and not limitation,
An implementation of an exemplary computer 102 may be stored on or transmitted across some form of computer readable media. Computer readable media can be any available media that can be accessed by a computer. By way of example, and not limitation, computer readable media may comprise “computer storage media” and “communications media.”
“Computer storage media” include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
“Communication media” typically embodies computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as carrier wave or other transport mechanism. Communication media also includes any information delivery media.
The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Combinations of any of the above are also included within the scope of computer readable media.
It is apparent that there has been provided with this disclosure, an approach for providing dynamic profile access control. While the disclosure has been particularly shown and described in conjunction with a preferred embodiment thereof, it will be appreciated that variations and modifications can be effected by a person of ordinary skill in the art without departing from the scope of the disclosure.
In another embodiment, this disclosure provides a business method that performs the process steps of the invention on a subscription, advertising, and/or fee basis. That is, a service provider could offer to provide dynamic profile access control within a computer system. In this case, the service provider can create, deploy, maintain, support, etc., a dynamic profile access control tool, such as tool 10 (
In still another embodiment, this disclosure provides a method for using dynamic profile access control within a computer system to protect specified resources. In this case, a dynamic profile access control tool, such as tool 10 (