Web-based security with controlled access to data and resources

COPYRIGHT NOTICE

[0002] A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

FIELD OF THE INVENTION

[0003] The present invention relates to web-based security applications that provide controlled access to a sponsor organization's data and other resources.

BACKGROUND OF THE INVENTION

[0004] Sponsor organizations, such as healthcare companies, have clients that access their data and other resources over a distributed information retrieval system such as the World Wide Web. Such sponsor organizations have need of a stand-alone security system controlling access to secured information and self-service functionality for the sponsor organization. The basic requirements for such a security system are as follows:

[0005] 1. A User ID is to be associated with a specific person and only that person.

[0006] 2. The system needs to handle registrations of people who are unknown to the sponsor organization prior to registration and have indirect relationships to the sponsor organization through their employers. This requirement makes a registration process necessary.

[0007] 3. In order to use the system, each user needs to have the context in which he uses the system be defined. In general, the context is the organization for which he or she works. Typically these organizations are different from the sponsor organization. Having the context will drive what kinds of business functions and data are available to the user. Within the secured logon application, the contexts are referred to as entities. Each of these entities needs to be registered also.

[0008] 4. A user can work within multiple contexts and still use the same User ID.

[0009] 5. Different users need to play different roles within the entities for which they work. This requirements means that there needs to be a way to assign roles to users.

[0010] 6. When logging onto the system, each user needs to be presented with a menu that contains only those business functions that his or her role allows.

[0011] 7. The day-to-day administration of security activity within the entities needs to be distributed to those entities.

[0012] 8. Access Identifiers need to be associated with the entities in order to provide keys to the data in back-end systems.

[0013] 9. The security system must integrate into multiple environments, even within one sponsor organization.

[0014] 10. It should be possible for one organization to delegate its access rights to another organization so that the second organization may do work on behalf of the first organization.

[0015] 11. For those large entities that have multiple access identifiers, it should be possible to define pieces (segments) of the organization based on groupings of the access identifiers and assign permissions based on the pieces instead of based on the entire organization.

[0016] While various prior art security systems are known to exist that meet some of these requirements, no security system is known to exist that meets most of the requirements, much less the totality of the requirements.

BRIEF SUMMARY OF THE INVENTION

[0017] The present invention, hereinafter referred to as the secured logon application, is a stand-alone. security system controlling access to secured information and self-service functionality for a sponsor organization. It can be used for Web-based and IVR-based self-service functions. A sponsor organization can be an organization hosting the user-interface (Web site or IVR) and the back-end systems or can be an organization hosting just the user interface and passing transactions to other organization(s) for back-end processing. Although it has been developed at a healthcare company, it is not healthcare specific, but can be used by any sponsor organization having clients needing access to its secured information and self-service functionality.

[0018] Definitions and abbreviations used herein are as follows:

[0019] Access Administrator (AA)—A user at an entity who has some security administration rights for the entity, but is not the Primary Access Administrator.

[0020] Access Control—Maintaining records of access rights and communication of this information where needed. In general, access control consists of controlling which business functions a user can perform using what data, and of insuring that the user is an active user while performing those business functions.

[0021] Access Identifiers—For those entities that have data about them in the back-end systems of a sponsor organization, Access Identifiers are the keys to that data. Identifiers can be primary, i.e., they are provided during the registration process or by system application owners, or they can be derived, i.e., they are derived from data in the back-end system based on the primary identifiers. An example of an access identifier for a provider group is the group's TIN (Tax ID Number). The entities that access the secured logon application can vary in size. Most entities will have just one Access Identifier. There are other entities, such as large hospitals that may have dozens, hundreds, or even thousands of access identifiers.

[0022] Access Identifier Type—An Access Identifier Type is a categorization of the access identifiers that are set up to identify entities.

[0023] Access Management (also known as Assigning Roles)—the process of granting, modifying, or removing an administrator's (or user's) access to an organization's data.

[0024] Admin Entity—The Entity for which a user works.

[0025] AKA Name—A public user ID or alias for a user. AKA Names, like user ID's, are unique to a user. It is an alternate way to refer to the user without divulging any information that can be used to log on.

[0026] Alternate Controlling Authority—An Alternate Controlling Authority (ACA) is a person who can legally bind an entity and who acts as a back-up to the Primary Controlling Authority in instances in which the Primary Controlling Authority is unavailable.

[0027] Assigning Roles—see Access Management.

[0028] Authentication—ongoing verification that this individual is still allowed to have access

[0029] Authorization—approving someone, who has a right and a need to use the secure web self-service functions, for access to specific business functions and data based on the individual's credentials and the context for which access is requested.

[0030] BehalfOF Entity—The entity on whose behalf a user is doing work. In situations involving delegation, this will be a different entity than the one for which the user works.

[0031] Business Functions—A business function is some function or activity that a user can perform and that is made available to a user through the secured logon application by a system application that has been properly registered within the secured logon application. An example is “View Claims.”

[0032] Business Function Gen Key/Business Function ID—A Business Function Gen Key, also known as a Business Function ID, is a unique value that is assigned to a Business Function. It is assigned when the Business Function is registered with the secured logon application.

[0033] Business Function Set—A Business Function Set is a logical grouping of Business Functions.

[0034] Delegation—Delegation is the process by which one entity enables another entity to do work of the first entity on behalf of the first entity.

[0035] Derivative Identifiers—Derivative identifiers are those identifiers derived from data in the back-end systems based on the value(s) of primary identifier(s).

[0036] Dynamic Menus—the list of functions a user can perform based on the rights granted to him or her within the secured logon application. If a user does not have access to a particular function that function will not be presented as a menu item to the user.

[0037] Entity—organization such as a provider group, a broker agency, an employer, etc. An entity is an organization or person with whom a sponsor organization has a business relationship. Entities are also third party organizations doing business with the entities having a relationship with a sponsor organization. Each entity has to have specific people identified for a couple of responsibilities—a person who can legally bind the organization (Primary Controlling Authority—PCA) and a person who is responsible for security administration (Primary Access Administrator—PAA).

[0038] Entity Type—Multiple types of entities can be supported. Each entity type can have specific business functions associated with it and certain identifier types associated with it. For a healthcare company, entity types might include provider organization, physician, employer, member, agent, or broker.

[0039] Entity User—An entity user represents the fact that a specific user may do work on behalf of a specific entity. See also User Context.

[0040] Identifiers—See Access Identifier

[0041] Menu—When a user logs on, a menu of business functions is presented to him or her consisting of a list of at least the business functions that his or her role allows and sometimes more.

[0042] Port of Origin (“PO”)—a starting point or entry point for getting access to a sponsor organization's secured business functions and resources via the secured logon application. In the case of a sponsor organization for a healthcare company, there may be ports of origin for health care providers and employers.

[0043] Port of origin key—a key assigned to the PO by the secured logon application administrator when the PO is initially registered.

[0044] Primary Access Administrator (PAA)—A Primary Access Administrator is a person who is responsible for security administration at an entity.

[0045] Primary Controlling Authority (PCA)—A Primary Controlling Authority (PCA) is a person who can legally bind an entity.

[0046] Primary Identifiers—Primary identifiers are those identifiers provided during the registration process or maintained by system application owners.

[0047] Provider organization—An organization that provides healthcare to people insured by the Sponsor Organization and that may be itself insured by the Sponsor Organization.

[0048] Real Entity User—In a real entity user situation, the user works for the entity on whose behalf he or she is doing the work.

[0049] Registration Process—The process whereby data about an entity, the Primary Controlling Authority, and the Primary Access Administrator are captured via an online process and approved. The approval can be by the IT security personnel or it can be an automated approval process.

[0050] Segmentation—Segmentation is the definition of pieces of an organization (segments) based on groupings of the access identifiers and assigning permissions based on the pieces instead of the whole organization.

[0051] Single Sign-On—The single sign-on concept means that a user uses a single User ID in order to log on for multiple contexts.

[0052] Sponsor Organization—A sponsor organization is an organization that installs the secured logon application to control access to its secured information and self-service functionality for a Web site capabilities. A sponsor organization can be an organization hosting the user-interface (Web site) and the back-end systems or can be an organization hosting just the user interface and passing transactions to other organization(s) for back-end processing.

[0053] System application—the code implementing a business function or set of business functions

[0054] System Application ID—A System Application ID is a unique value that is assigned to a System Application. It is assigned when the System Application is registered with the secured logon application.

[0055] System Application Owner—The “owners” of the System Applications are considered to be the business people or organizations that sponsor or control the System Applications.

[0056] System Configuration—The secured logon application supports multiple installation-wide configuration options. Each option provides for some differences in the way the secured logon application works at a given installation. A configuration consists of the whole package of differences, i.e., the individual differences cannot be individually chosen and specified.

[0057] User—an individual who is associated with an entity and who has access to secured business functions protected by the secured logon application

[0058] User Context—In order to use the system, each user needs to have the context in which he or she uses the system be defined. In general, the context is the organization for which he or she works. Typically these organizations are different from the sponsor organization. Having the context will drive what kinds of business functions and data are available to the user. The contexts are referred to as entities.

[0059] User ID—A User ID is the ID that a user uses to log onto a Port of Origin to get access to secured information and self-service functionality. It is associated with a specific person and only that person.

[0060] User Role—A user's role is defined by the business functions to which he or she has been granted access. Roles can be changed dynamically. The number of roles that can be created is limited only by the number of combinations of business functions that are available.

[0061] Virtual Entity User—In a virtual entity user situation, the user does not work for the entity on whose behalf he or she is doing the work.

[0062] There are five primary facets of the secured logon application:

[0063] 1. Access Control: Control of access to secured information and self-service functionality for a sponsor organization.

[0064] 2. Support for Unknown Users: Enable access to users who have indirect relationships to the sponsor organization as well as to users who have a direct relationship with the sponsor organization.

[0065] 3. Distribution of Security Administration: Distribution of security administration from a central information technology resource to various users of the secured logon application.

[0066] 4. Support for Multiple Environments: Support for integration into different kinds of environments.

[0067] 5. Support for System Integrators: Support for system integrators who need to interface with and use the information in the secured logon application in order to execute their business functions.

[0068] The secured logon application in accordance with the present invention has the following characteristics, each of which fits into one or another of the above five primary facets:

[0069] 1. Sponsor Organization: The secured logon application may be installed at different Sponsor Organizations.

[0070] 2. System Configuration: The secured logon application can have some differences in configuration depending on the sponsor organization.

[0071] 3. Integration with a Port of Origin into a Web Site: The secured logon application can be integrated and blended into the Port of Origin between an unsecured section of the Port of Origin and a secured section of the Port of Origin. The integration includes adapting to the look and feel of the Port of Origin, the adjustment of some content, and through its menu structure, defining the navigation paths to the functions that it offers.

[0072] 4. System Application and System Application Owners: The secured logon application distributes some of the security administration rights to System Application Owners based on the business functions implemented by the System Application.

[0073] 5. Business Function: The secured logon application supports access to business functions that may not be in control of the Sponsor Organization, but may be at another organization.

[0074] 6. Entities: The secured logon application has access defined based on entities. Access is approved for an entity and granted to people within those entities.

[0075] 7. Entity Types: The secured logon application categorizes entities into Entity Types for various purposes of controlling access as well as determining which business functions are appropriate for the entity.

[0076] 8. Users: The secured logon application supports users who are people associated with the entities.

[0077] 9. Known and Unknown People: The secured logon application allows users to be people who are not previously known to any sponsor organization, but have an indirect relationship to the sponsor organization through their employers.

[0078] 10. Single Sign-On: The secured logon application supports the use of a single User ID for a given user in multiple contexts, including IVR.

[0079] 11. Identification of a User through a Public Name. The secured logon application supports an AKA Name for a user.

[0080] 12. User Roles: The secured logon application supports the creation of different roles for different users, limited only by the number of combinations of business functions that are available.

[0081] 13. Multiple Ways to Determine Roles: The secured logon application supports multiple ways to determine the user roles, from direct assignment of business functions making up the role to implicit determination based on facts about the user.

[0082] 14. Menus: When a user logs on, the secured logon application supports the presentation of a menu of business functions to the user that contains only those business functions that his or her role allows.

[0083] 15. Distribution of Security Administration: The secured logon application supports distribution of Security Administration to the entities using the Web site in order to perform day-to-day account administration and to the System Application Owners controlling the business functions available on the Web site to grant those business functions and access identifiers the business functions need.

[0084] 16. Delegation to Third Parties: The secured logon application supports delegation by entities to third parties with which they have a relationship.

[0085] 17. Connections to Back-End Data (Access Identifiers): For those entities that have data about them in the back-end systems of a sponsor organization, the secured logon application captures access identifiers that provide the connection or key to that data. It also supports the capture and storage of other identifiers, which are derivatives of the original access identifiers.

[0086] 18. Access Control: The secured logon application supports access control to information and functionality on the site based on the access identifiers of the entity that are assigned to the user and the business functions (role) that are assigned to the user.

[0087] 19. Access Identifier Management (Segmentation): The secured logon application enables large organizations with multiple access identifiers to define subsets of themselves for purposes of controlling access to the subsets versus the entire organization.

[0088] 20. Conditional Use of Site: The secured logon application controls and keeps records of the fact that users of the site have agreed to or acknowledged the conditions for using the site prior to their use of the site.

[0089] 21. Session Management: The secured logon application provides for session management at a Web site once a user has logged onto the site.

[0090] 22. Multiple Registration Alternatives: The secured logon application supports multiple registration alternatives. These include online registration for users connected indirectly to the sponsor organization through an entity, auto-creation of users and entities based on feeds from trusted sources, one-step registration for person entities who are “known” based on data in the back-end systems, and temporary registration through a temporary UserID and password.

[0091] 23. Notification from Back-End Systems: The secured logon application supports the receipt of information from back-end systems to change the security profiles of entities and users.

[0092] 24. Notification to Back-End Systems: The secured logon application supports the notification to back-end systems of additions and changes to security profiles for entities and users.

[0093] 25. Status Control: The secured logon application enables administrators to manage the status of users so that only users who are “active” may perform functions.

[0094] 26. Integration with Other Security Software: Microsoft's Personalization and Membership (“P&M”) product can be utilized in conjunction with the secured logon application to provide an additional level of security for directory access protection.

[0095] The facet of Access Control includes the characteristics of Business Function, Entities, Entity types, Users, Single Sign-On, Identification of a User through a Public Name, User Roles, Multiple Ways to Determine Roles, Menus, Delegation to Third Parties, Connection to Back-End Data, Access Control, Access Identifier Management, Conditional Use of Site, Session Management, and Status Control The facet of Support for Unknown Users includes the characteristics of Known and Unknown People and Multiple Registration Alternatives. The facet of Distribution of Security Administration includes the characteristics of System Application and System Application Owners and Distribution of Security Administration. The facet of Support for Multiple Environments includes the characteristics of Sponsor Organization, System Configuration, Integration with a Port of Origin into a Web Site, and Integration with Other Security Software. The facet of Support for Systems Integrators includes the characteristics of Notification from Back-End Systems and Notification to Back-End Systems.

BRIEF DESCRIPTION OF THE DRAWINGS

[0096] The invention is better understood by reading the following Detailed Description of the Preferred Embodiments with reference to the accompanying drawing figures, in which like reference numerals refer to like elements throughout, and in which:

[0097]
FIG. 1 is a diagram illustrating the relationship between an entity, a user, what the user can do (business functions), and what data the user can perform those functions on (access identifiers).

[0098]
FIG. 2 is a flow chart illustrating the flow a user of the secured logon application will follow when accessing business functions setup within the secured logon application from a registered port of origin.

[0099]
FIG. 3 is an exemplary help text screen.

[0100]
FIG. 4 is a flowchart illustrating the User ID and AKA name conflict management process of the secured logon application.

[0101]
FIG. 5 shows the arrangement of FIGS. 5A-5D, which show an example of a form post used to give a port of origin the ability to “auto-create” an entity and a user in the secured logon application

[0102]
FIG. 6 is an exemplary Assign Roles screen.

[0103]
FIG. 7 is an exemplary XML transaction for updating a user's access programmatically.

[0104]
FIGS. 8A and 8B show exemplary screens for assigning business functions and the data to go along with them.

[0105]
FIG. 9 is a diagrammatic view illustrating the organization of an exemplary Provider.

[0106] FIGS. 10-12 are exemplary screens employed in a web-based registration application for obtaining information about a person's organization and primary contact of the organization.

[0107]
FIG. 13 shows a confidentiality agreement presented via a web page.

[0108]
FIG. 14 is a flow chart the showing the process by which derivative identifiers are assigned.

[0109]
FIGS. 15A and 15B show exemplary screens for temporarily suspending a user.

[0110]
FIG. 16 is a diagram illustrating the extension of multiple delegation chains to the next level when there are multiple delegation chains from the same source entity to a target entity via different routes, and the target entity wants to delegate.

[0111]
FIG. 17 is a diagram illustrating the tracking of a delegation chain by a 3-tuple of data.

[0112]
FIG. 18 is a chart showing an example of possible choices displayed to a Primary Access Administrator for creating segments for his or her organization.

[0113]
FIG. 19 is a chart showing an example of possible choices displayed to an Access Administrator for creating segments within his or her segment of an organization.

[0114] FIGS. 20-22 are exemplary screens used in managing the creation and contents of segments.

[0115] FIGS. 23-29 illustrate the functionality for managing delegations and the typical “Delegate Work” and “Assign Delegated Work” workflows.

[0116]
FIG. 30 illustrates the conceptual relationship between key components of the secured logon application.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0117] The secured logon application is a stand-alone security system controlling access to secured information and self-service functionality for a sponsor organization via a secure, externally managed, dynamic menuing program that provides for controlled access to resources, such as secured information and self-service functionally, of the sponsor organization.. It can be implemented using conventional, commercially-available computer equipment and programming languages, and used for Web-based and IVR-based self-service functions. A sponsor organization can be an organization hosting the user-interface (Web site or IVR) and the back-end systems or can be an organization hosting just the user interface and passing transactions to other organization(s) for back-end processing. Although a primary application of the secured logon application is in connection with the healthcare industry, it is not healthcare specific.

[0118] Among the features of the secured logon application are that it can have differences in configuration depending on the sponsor organization; it can be integrated and blended into a Web site between an unsecured section of the site and a secured section of the site; it has access defined based on entities; it supports security for known people as well as people who are unknown to the sponsor organization prior to registration but have an indirect relationship to it through their employers; it supports the creation of different roles for different users, limited only by the number of combinations of business functions that are available (role-based assignment); it supports multiple types of entities, and permits each entity type to have specific business functions and certain access identifier types associated with it; it works for all expected users of web self-service functions, including (in the case of health benefit providers), provider organizations, physicians, employers, agencies, brokers, members, and associates; it supports the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); it supports the use of a single user ID for a given user in multiple contexts, including IVR; and it provides “hooks” to authorized underlying data.

[0119] Security administration is distributed to Authorized Organizations. Each Authorized Organization must designate at least one “Controlling Authority” and one “Access Administrator.” One Authorized Organization can delegate to another Authorized Organization. However, delegation is not allowed for certain critical security activities. The organization of an exemplary doctor's office is shown diagrammatically in FIG. 9.

[0120] To support various organization structures, the secured logon application enables the assignment of functions based on the role the person plays in the Authorized Organization. As discussed hereinafter in greater detail, the Assign Roles function is initiated from an Assign Roles screen such as the one shown in FIG. 6.

[0121] In order to support the HIPAA, each user account, as signified by a User ID, is associated with a specific person and only that person. Further, because a single User ID is used for multiple contexts, a person can function from multiple contexts; for example, a broker can be granted a role as part of an employer's “staff” as well as that of a broker, and a physician can be not only a physician but also a member of a healthcare plan. The AKA Name provides an alternate way to refer to a user without divulging any information that can be used to log on. It is used to communicate with others about a given user account, thus enabling customer service support. It also permits a user to reuse his User ID in contexts different from where the User ID was established.

[0122] The secured logon application provides a hook to the underlying data by collecting high level identifying information. For provider organizations, in the health care industry, the high level identifying information can be the Tax ID; and for physicians, it can be the state license number(s) or similar identifying information. The secured logon application also supports interfaces to enable “segmentation” of an organization into pieces based on groupings of access identifiers and to assign permissions based on the pieces instead of based on the entire organization.

[0123] The access control concept means that the secured logon application provides a single authoritative system for maintaining user information and access rights and communicating access rights information where needed within the sponsor organization. In general access control consists of controlling which business functions a user can perform using what data and of insuring that the user is an active user while performing those business functions.

[0124] The secured logon application supports a registration process whereby a person at an organization with a relationship to the sponsor organization may register the organization as a valid entity within the secured logon application and establish a Primary Access Administrator (security administrator) for the organization's continuing use of the secured logon application.

[0125] The secured logon application also enables security administration by Authorized Organizations using the web, and supports interfaces to capture access identifiers from back-end systems at a lower level than the high level access identifiers. A flow chart showing the process by which derivative identifiers are assigned is shown in FIG. 14. Access rights are granted and revoked by business function and by access identifiers. Access rights can also be delegated to other Authorized Organizations.

[0126] In order to support multiple environments, the secured logon application is customizable by portal. Screen features that can be customized include the header/logo displayed at the top of the page; a left and bottom navigation bar; the look and feel of the menu items displayed by the secured logon application via a style sheet; the location to which users are returned when they complete a business function served up by the secured logon application (this is done by setting the Port of Origin return URL in the secured logon application); the graphics used for navigation; the graphics used to designate required fields and missing data; the help text presented on each external screen provided by the secured logon application; the menu items presented to the user when access is granted; and the text of most of the error messages presented to a user while utilizing the secured logon application.

[0127] The secured logon application can include risk abatement features such as obtaining legal agreements with all Authorized Organizations, obtaining legal agreements with all users, incorporating audit processes and capabilities, and logging of all security transactions.

[0128]
FIG. 1 illustrates the relationship between an entity, a user, what the user can do (business functions), and what data the user can perform those functions on (access identifiers).

[0129] In a preferred embodiment of the invention, the programming languages used to implement the secured logon application are: Visual Basic (VB6) (for COM objects), SQL (for stored procedures), ASP (for web presentation), HTML (for web presentation), JAVA (for COM objects), and Javascript. The database preferably is an SQL Server database.

[0130] I. Primary Facets of the Secured Logon Application

[0131] There are five primary facets of the secured logon application:

[0132] 1. Access Control: Control of access to secured information and self-service functionality for a sponsor organization.

[0133] 2. Support for Unknown Users: Enable access to users who have indirect relationships to the sponsor organization as well as to users who have a direct relationship with the sponsor organization.

[0134] 3. Distribution of Security Administration: Distribution of security administration from a central information technology resource to various users of the secured logon application.

[0135] 4. Support for Multiple Environments: Support for integration into different kinds of environments.

[0136] 5. Support for System Integrators: Support for system integrators who need to interface with and use the information in the secured logon application in order to execute their business functions.

[0137] Each of these is discussed in more detail below.

[0138] II. Access Control

[0139] On a very high level, access control consists of controlling which business functions a user can perform using what data and of insuring that the user is an active user while performing those business functions. The items that are included in a dynamic menu can also be considered part of Access Control.

[0140] A. Control of Which Business Functions a User Can Perform Using What Data

[0141] The control of which business functions a user can perform using what data has many inter-relating facets to it. This is more complex than what might generally be expected because of the support within the secured logon application of delegation and segmentation. Delegation is the granting of permissions from one organization to another organization. Segmentation is support for defining pieces of an organization (segments) and assigning permissions for the pieces instead of the entire organization. The explanation of the facets and how they work together starts with a discussion of the building blocks used in this control, continues with concepts and structures that relate the building blocks, and ends with the rules governing how things can be built.

[0142] B. Building Blocks Used in Control of Which Business Functions a User Can Perform Using What Data

[0143] The basic building blocks used in control of which business functions a user can perform using what data are listed below

[0144] Entity—An entity is an organization or person with whom a sponsor organization has a business relationship. Entities are also third party organizations doing business with the entities having a relationship with a sponsor organization. Examples applicable at a healthcare company as the sponsor organization are:

[0145] Organization entities—provider group, an insurance agency, an employer;

[0146] Person entities—member (person insured by a healthcare company), broker, physician; and

[0147] Third party entities—billing organizations, collection organizations.

[0148] Business Function—A business function is some function or activity that a user can perform

[0149] Access Identifier—For those entities that have data about them in the back-end systems of a sponsor organization, Access Identifiers are the keys to that data. An example of an access identifier for a provider group is the group's TIN (Tax ID Number).

[0150] Access Identifier Type—This is a categorization of the access identifiers that are set up to identify entities.

[0151] User—An individual who has been authorized by an entity to gain access to business functions and information that are secured by the secured logon application.

[0152] Key Positions at Entities—Each entity has to have specific people identified for a couple of positions—a person who can legally bind the organization (Primary Controlling Authority—PCA) and a person who is responsible for security administration (Primary Access Administrator—PAA). For the person entities, the PCA and PAA generally are the person himself or herself. For non-person entities, the PCA and PAA are people and they can be the same person. There are two other positions at entities which are optional. An Access Administrator (AA) can be another person who has security administration responsibilities. An Office Administrator (OA) can be another person who does not have security administration responsibilities.

[0153] Security Account Administration Functions: Several business functions are available to PAAs and AAs to perform account administration activities. There is a set of these functions for non-owner entities and a set for owner entities. Chief among them for non-owner entities for access control purposes are Assign Web Access Rights, Manage User Status, Segment Your Organization, Delegate Work to Another Organization, Change Work Delegated to Another Organization, Stop Delegation to Another Organization, and Assign Delegated Work to Staff. The ones for owner entities are Grant Access to Organization and Establish New Function.

[0154] C. Concepts and Structures (Database Tables) That Relate the Building Blocks Used in Control of Which Business Functions a User Can Perform Using What Data

[0155] There are several key concepts and tables that relate the basic building blocks together. They are explained below.

[0156] 1. Concept: Entity-Users—Users Operate Only in the Context of an Entity

[0157] In order to use the system, each user needs to have the context(s) in which he or she uses the system defined. In general, the context is the entity that authorized the user access to business functions and information. Having the context will drive what kinds of business functions and data are available to the user.

[0158] 2. Structure: ENTITY_USER Table

[0159] The Entity_User table associates a user with an entity, and therefore provides the context in which the user can operate.

[0160] 3. Concept: Primary Access Identifiers and Derivative Access Identifiers

[0161] The secured logon application divides Access Identifiers into two broad categories: Primary and Derivative. Although this distinction is key to the secured logon application's processes, it is, or can be obscure, to Administrators (Primary Access Administrators—PAA, and Access Administrators—AA). Primary Access Identifiers are explicitly defined. The initial set-up is done by the IT security personnel of the sponsor organization, and the information is gleaned from the entity's registration information. Additional Primary access identifiers can be added later. Most often the Primary access identifiers are at the highest, most general level, often a Tax Identification number, or Social Security Number, or physician state license number, or an insurance company issued employer group number. The Derivative access identifiers derive from the primary access identifiers. A “first level” Derivative access identifier would have a primary access identifier as its “parent;” a “second level” Derivative access identifier would have a Derivative access as its “parent;” etc. Derivative access identifiers are either equivalent to a primary access identifier or they represent “subdivisions” of what the primary access identifier represents. A sub-division could be a division, department, site, location, or employer sub-group. For example, a hospital whose primary access identifier is a Tax Identification number may have Derivative identifiers that represent departments within the hospital, such as Billing, Admissions, or Scheduling. Derivative access identifiers at the lowest level can represent an individual or a location, unit, or department, depending upon the level of detail stored in a particular back-end system.

[0162] Reporting and control requirements require that we be able to create a hierarchy amongst the primary and derivative access identifiers for an entity. To accomplish this, the secured logon application tags each Derivative access identifier with the identity of its parent, thus providing a back-link field to represent a tree structure. All derivative access identifiers are back-linked to either another derivative access identifier or to a primary access identifier. The table design permits a tree to be any number of levels deep. They all are rooted in a Primary access identifier. There can be multiple nodes below any given node (multiple branches).

[0163] 4. Structure: ACCESS_IDENTIFIER Table

[0164] The secured logon application will store the primary and derivative access identifiers in the Access Identifier table. This table contains the access identifier value and access identifier type; the entity to which it relates; an indication about whether it is a primary or Derivative access identifier; the identity of the parent for a Derivative access identifier; and short and long descriptions.

[0165] 5. Concept: Segmentation of an Entity Based on Groupings of Access Identifiers

[0166] The entities that access the secured logon application can vary in size. Most entities will have just one Access Identifier. Other entities, generally large entities, such as large hospitals may have dozens, hundreds, or even thousands of identifiers. For those entities that have multiple access identifiers, segmentation is the definition of pieces of an organization (Segments) based on groupings of the access identifiers and assigning permissions for the pieces instead of the entire organization. In this way, different groups of people within the organization can work with information specific to the part of the organization in which they work.

[0167] 6. Structure: ACCESS_GROUP and ACCESS_GROUP_ID_ASSOC Tables

[0168] The definition of a segment is stored in the ACCESS_GROUP table, and the association of which access identifiers make up a segment is stored in the ACCESS_GROUP_ID_ASSOC table.

[0169] 7. Concept: Many Business Functions Use Data

[0170] Most of the business functions work with certain types of access identifiers in order to get to data keyed by that access identifier type. For example, “view member claims” needs a member ID type of access identifier in order to display the appropriate claims; “review employer bill” needs an employer group number type of access identifier in order to display the appropriate bill. Some business functions do not require an association with a specific set of data, for example, a business function for reference information and the security functions. A record is kept of which business functions work with which access identifier types and which business functions do not require any access identifier in order to work.

[0171] 8. Structure—BUS_FUNC_ID_TYPE_ASSOC (BFITA) Table

[0172] This table defines the Access Identifier types that must be associated with a business function. A given business function can be associated with more than one Access Identifier Type. If this table has no entry for a business function then the business function does not require any data.

[0173] 9. Concepts: Delegation

[0174] There are many organizations that want a specialist to do the work for them. It is often done to save money, or provide superior service, or to handle extended hours of operation, or because it is too difficult for the organization to hire, train, and maintain people to do the particular job.

[0175] The secured logon application enables one entity (the “BehalfOf entity”) to allow another entity (the “Admin entity”) to do work on its behalf. This is referred to as delegation. Delegation typically is done by smaller organizations.

[0176] An example is a small physician's office that contracts with a third party administrator (TPA) to process insurance claims with government agencies; it can also contract with another company, acting as another TPA to deal with other insurance companies.

[0177] 10. Concept: Delegation Chain

[0178] The secured logon application allows a delegated-to entity (Admin entity) to allow yet another entity to do work on the original entity's (BehalfOF entity) behalf. This can continue until there is a string of entities who can do work on behalf of the original BehalfOF entity, where each entity in the string received the delegated permissions from the entity directly ahead of it in the string. This is referred to as a delegation chain.

[0179] 11. Structure: DELEGATION Table

[0180] The Delegation Table contains information about the business functions and data that have been delegated by one entity to another and the definition of the delegation chains.

[0181] Referring to FIG. 17, a delegation chain is tracked by a 3-tuple of data, the chain identifier, the level, and the parent. The chain groups the delegations for a particular entity/business function/data set. For example, when XYZ delegates “File Claims” to DEF, a chain ID of “C1357” is assigned. When DEF furthers the delegation by delegating to ABC, the delegation has the same chain ID of “C1357”. The first delegation from XYZ to DEF is level 1, and the second delegation from DEF to ABC is level 2. The parent value points to the row that gave the delegation. The delegation from XYZ to DEF has no parent, so is NULL. The delegation from DEF to ABC has a parent of XYZ to DEF's row.

[0182] It is possible for DEF also to delegate the same work to MNO. This delegation by DEF to MNO will have the same chain ID, the same level, and the same parent value as the delegation by DEF to ABC.

1DELEGATION Table snippet (not all columns shown): See FIG. 17Delegation_GenBehalfOfAdminGrantedBy_KeyEntityEntityEntityDataBus_FuncChainLevelParentExplanationDGK001XYZDEFXYZDI200FileC13571<NULL>XYZClaimsdelegates toDEFDGK002XYZABCDEFDI200FileC13572DGK001DEFClaimsdelegates toABC forXYZDCK003XYZMNODEFDI200FileC13572DGK001DEFClaimsdelegates toMNO forXYZDGK004XYZPQRMNODI200FileC13573DGK003MNOClaimsdelegates toPQR forXYZ

[0183] This design will handle the following kinds of delegations and actions, where “=>” represents delegation: two paths from one node to another node: A=>B=>D and A=>C=>D (the D node is connected to A via two paths and each path is tracked separately); many-to-one mapping: A, B, C, D, E, . . . =>Z; any level of sub-trees; a simple tree of just F=>G; walking back-up a path; and reconstruction of the entire tree.

[0184] 12. Concept: Real Entity Users and Virtual Entity Users—An Extension to the Entity-User Concept

[0185] In order for the secured logon application to provide Delegation, the secured logon application must have two kinds of Entity-User—a real one and a virtual one. A real entity-user is one in which the user works for the entity on whose behalf he is doing work. A virtual entity-user is a user who is employed by one company (Admin entity) and is doing work on behalf of a different company (BehalfOF entity) that has delegated work to the Admin entity.

[0186] 13. Structure: ENTITY_USER Table

[0187] This is the same Entity_User table referenced earlier. In the earlier reference, only one entity field was described. In reality, there are three entity fields that are necessary in order to support delegation; namely, GrantedBy_Entity_Gen_Key, Admin_Entity_Gen_Key, and the BehalfOf_Entity_Gen_Key. The GrantedBy_Entity_Gen_Key contains an identification of the entity whose user caused the entity-user row to be created. The Admin_Entity_Gen_Key contains an identification of the entity the user really works for. The BehalfOf_Entity_Gen_Key contains an identification of the entity on whose behalf he is doing work. The real and virtual entity-users are differentiated by the GrantedBy_Entity_Gen_Key and by the relationship between the Admin_Entity_Gen_Key and the BehalfOf_Entity_Gen_Key. In the case of the real entity-user, this field will be populated. In the case of the virtual entity-user, the GrantedBy_Entity_Gen_Key will be NULL. Also, in the case of the virtual entity-user, the Admin_Entity_Gen_Key (entity the user works for) and the BehalfOf_Entity_Gen_Key (entity on whose behalf he is doing work) will be different.

[0188] 14. Concept: One Table Controls the Business Function—Data Combinations a User Can Use and a User's Role is Determined by the Business Functions and Data Assigned

[0189] The secured logon application limits the data to which a PAA, AA, or OA has access. For business functions that require data, the secured logon application associates specific data with a specific business function for the user. Since business functions are individually assigned and since they are recorded along with the data they may operate against in the EUA table, each user may have business function/data assigned specific to that user's role in his or her organization.

[0190] 15. Structure: ENTITY_USER_ACCESS (EUA) Table

[0191] The ENTITY_USER_ACCESS (EUA) Table defines the access rights a User has for a External Entity in terms of the Business Function:Data pairs with which the User can work.

[0192] 16. Concept: A Given EUA Entry Can Result from Multiple Delegations,

[0193] It is possible to have multiple paths from one entity to another entity in delegation. For example, in the case of A=>B=D and A=>C=>D where “=>” represents delegation, there are two paths from A to D. Extending this idea further, if D=>E, both of A's delegation chains to D will be extended to entity E. There would be EUA entries for the users in D doing work for A and for users in E doing work for A.

[0194] 17. Structure: EUA_DELEGATION_ASSOC Table

[0195] The EUA_DELEGATION_ASSOC table documents why a virtual user has access to a “business function:data pair”. In conjunction with the EUA entries in the Entity_User_Access table, there will be an entry made in the EUA_DELEGATION_ASSOC table to justify each EUA entry resulting from delegation.

[0196] 18. Concept: Business Function Can Operate on Segments or Not

[0197] For some business functions, it makes sense for that business function to operate on discrete segments or parts of an organization. An example would be “View Claims” in a large hospital, where it would be useful to be able to “View Claims” for each department individually. For other business functions, it does not make sense for that business function to operate on discrete segments or parts of an organization. An example would be “Reference Material”.

[0198] 19. Concept: A Business Function Can Be Delegatable or Not

[0199] For some business functions, it makes sense for that business function to be delegated from one organization to another organization. An example for a provider organization delegating to a third party billing service would be “Submit Claims”. For other business functions, it does not make sense for that business function to be delegated from one organization to another organization. An example would be any of the security account administration functions.

[0200] 20. Structure: BUSINESS_FUNCTION Table

[0201] The Business_Function table defines each Business Function that is controlled by the secured logon application and records whether or not each business function can operate on segments and whether or not each business function can be delegated.

[0202] 21. Concept: Hierarchy of Permission Granting

[0203] The secured logon application uses a hierarchy to allow people to access business functions and information (data). The primary control for all business function and data access is the IT Security group of the sponsor organization. They create the entities that represent providers, insurers, payers, third party administrators, members, agencies, brokers, etc. A part of the set-up is the creation of the Primary Access Administrator (PAA) for an entity. A PAA is a person who is given the complete set of business functions and information access that the entity is permitted to have. This is the first layer of the assignment hierarchy.

[0204] When the PAA wants to assign business functions and information access to people who work for the same entity as the PAA, the process is called “Assignment” and the PAA follows the “Assign Access” workflows. The PAA can give other people in his or her organization authority to use the “Assign Access” workflow, thus creating Access Administrators (AAs). This is the second level of the hierarchy. The AAs do not have to have the same set of business functions and information access as the PAA, although the secured logon application permits the AA to be a peer. It is noted that even if an AA has the same set of business functions and information access, he or she is still not a PAA. The PAA has special meaning within many of the secured logon application work flows and can only be created and changed to another individual via intervention from the IT Security group of the sponsor organization.

[0205] When the PAA or an AA at an organization wants to delegate business functions and information access to people who work for a different entity, the process is called “Delegation” and the PAA/AA follows the “Delegate Work” workflows. When Delegation happens, the PAA at the receiving organization receives the rights to the delegated business functions and information access and may assign them to his or her staff. This is another level of the hierarchy.

[0206] When the PAA at an organization that has received delegated rights wants to assign those rights to people who work for his or her organization, the process is called “Assign Delegated Work” and the PAA follows the “Assign Delegated Work” workflow. The PAA can give other people in his or her organization authority to use the “Assign Delegated Work” workflow. This is another level of the hierarchy.

[0207] Another path of the hierarchy goes from the IT Security group of the sponsor organization to the System Application Owners. These System Application Owners have control over the assignment to PAAs of the functions they control. Thereafter, the flow is as outlined above from the PAAs outward.

[0208] The key points of distributed security administration are that all authority flows first from the IT security personnel of the sponsor organization outward:

2From IT security personnelTo an entity PAATo an AA at the entityTo an Employee at the entityTo an Employee at the entityTo the PAA of another entityTo an AA of the other entityTo an Employee of the other entityTo an Employee of the other entityTo a System Application OwnerTo an entity PAATo an AA at the entityTo an Employee at the entityTo an Employee at the entityTo the PAA of another entityTo an AA of the other entityTo an Employee of the other entity

[0209] D. Rules Used in Control of Which Business Functions a User Can Perform Using What Data

[0210] There are eight rules relating to permissions granted to key positions, which are as follows:

[0211] 1. The secured logon application permits only one active PAA for an entity.

[0212] 2. The secured logon application protects the PAA's permissions. Only the sponsor organization IT Security personnel or System Application owners can change the PAA's base access. Delegated access to a PAA is changed by the delegators. An AA in the same entity cannot change the PAA's access.

[0213] 3. The PAA's permissions can be changed in one of three ways—replacing the PAA, adding functions to the PAA, and removing functions from the PAA.

[0214] a. If a PAA is replaced, a new PAA is named. The new PAA receives all the permissions that the prior PAA had. The prior PAA does not have any permissions automatically removed, other than the fact that he or she is no longer the PAA.

[0215] b. A PAA may have business functions added or removed only by the sponsor organization IT security personnel or System Application Owners.

[0216] 4. If business functions are added to a PAA, the PAA must assign or delegate them out to others in order for others to perform those business functions.

[0217] 5. If business functions are removed from a PAA for an entity, they are automatically removed from anyone within the entity to whom they have been previously assigned and they are automatically removed from any user within any other entity to which they have been delegated.

[0218] 6. An AA can change the rights of any other AA or OA, but only to the extent of that AA's rights. In this example, “D” stands for the data assignment and “BF” stands for the corresponding business function assignment. Assume, for example, that Harry's PAA gave OA Harry rights D1-BF1, D1-BF2, D2-BF144, and D2-BF145, and that there are two AAs: Joan and Bella. Joan has Harry's rights and in addition she has rights: D3-BF1, D3-BF2. Joan can remove rights from Harry, or give him one or more of the D3 access pairs. AA Bella only has access to D1-xx, so she can only add or remove D1-xx functions from or to Harry; she cannot change Harry's D2-xx rights in any way. Joan can also give or remove access from Bella. Bella can only remove access from Joan for the D1-xx data pair business functions.

[0219] 7. If an AA is terminated, or his or her permissions are revoked, the termination or revocation will have no effect upon any person he or she has assigned access to, delegated to; or “assigned delegated access” to.

[0220] 8. Rights, once granted, can only be removed either explicitly or through cascading delete due to a revocation of delegation.

[0221] There are three rules relating to explicit business function assignment, which are as follows:

[0222] 1. The determination of which business functions a user can perform using what data starts with the assignment of business functions to a user. There are multiple ways in which this can happen:

[0223] a. IT security personnel to PAA when an application is approved or during a “Manage PAA Roles” process or during a “Mass Assignment” process. This will be done in an entity type context.

[0224] b. IT security personnel to an AA or OA during an “Add an Administrator” process or “Manage AA Roles” process. This will be done in an entity context.

[0225] c. PAA or AA to an AA or OA during a “Register New User” process or “Assign Access Rights” process. This will be done from within a Port of Origin and in an entity context.

[0226] d. System Application Owner to a PAA during a “Grant Access to Organization” process or during an “Establish New Function” process. This will be done from within a Port of Origin and in an entity type context.

[0227] e. PAA or AA of one organization to PAA of another organization during a “Begin Delegation” process, “Change Delegation” process, or “Stop Delegation” process. This will be done from within a Port of Origin and in an entity context.

[0228] f. For delegated rights, PAA or AA of a delegated to organization to an AA or OA of that same organization during a “Assign Delegated Rights” process. This will be done from within a Port of Origin and for a chosen Behalf~f entity.

[0229] g. Transaction Acceptor through the PAA Function Data Access transaction (adds access identifiers and then corresponding rights to those access identifiers through previously assigned business functions) and the User Access Transaction (adds business functions/data pairs to a user for an entity). These will be done in an entity context.

[0230] 2. In all cases except for the transaction acceptor, a screen is displayed that shows the business functions available for assignment. An exemplary screen is shown in FIG. 6. The screen initially comes up showing only business function sets. By clicking on the box with a plus sign to the left of a business function set, the set is expanded to show the business functions within it. In cases where business functions have already been assigned and the process is not a “mass assignment” process, the screen also indicates the business functions or business function sets currently assigned by showing check marks in the boxes.

[0231] 3. The determination of which business functions are available for assignment in each of the above circumstances differs:

[0232] a. IT security personnel to PAA:

[0233] i. Determine the entity type of the PAA's entity or the entity type being used for “mass assignment.”

[0234] ii. Determine the business function sets that can be granted to that entity type.

[0235] iii. Look up the business functions that are part of the business function sets.

[0236] b. IT security personnel to an AA or OA

[0237] i. Look up the business functions that the PAA for the selected entity has.

[0238] c. PAA or AA to an AA or OA:

[0239] i. Look up the business functions that the administrator has for the selected entity that are valid for the Port of Origin in which the process is being done.

[0240] d. System Application Owner to PAA

[0241] i. Look up the business functions which are registered with the system application owner that are valid for the selected entity type and the Port of Origin in which the process is being done.

[0242] e. PAA or AA of one organization to PAA of another organization

[0243] i. Look up the business functions that the administrator has for the selected entity, that are valid for the Port of Origin in which the process is being done, and that are “delegatable”.

[0244] f. For delegated rights, PAA or AA of a delegated to organization to an AA or OA of that same organization

[0245] i. Look up the business functions that the administrator has for the delegated from organization (BehalfOF entity) and that are valid for the Port of Origin in which the process is being done.

[0246] g. Transaction Acceptor to non-PAA User

[0247] i. Validate that the function being assigned has already been assigned to the PAA of the selected entity.

[0248] There is one rule relating to implicit business function assignment, which is as follows:

[0249] 1. The secured logon application supports the implicit assignment of business functions under some circumstances. Two features must be present in order to support implicit business function assignment. The first is a set of rules, codified in database tables, of what business functions are to be assigned under what conditions. The second is a means of determining the conditions under which a user logs in, so that those conditions can be matched to the rules relating to those conditions in order to determine the appropriate set of business functions.

[0250] There are fourteen rules relating to assignment of data with the business function, which are as follows:

[0251] 1. The second step in the determination of which business functions a user can perform using what data is the association of specific data to an assigned business function.

[0252] 2. Whenever the assignment is to a PAA and the business function requires data, all existing access identifiers for the entity that are appropriate for the business function are associated automatically with the business function.

[0253] 3. When the assignment is not to a PAA and the business function requires data and the business function is not “segmentable”, then all existing access identifiers for the entity that are appropriate for the business function are associated automatically with the business function.

[0254] 4. When the assignment is not to a PAA and the business function requires data and the business function is “segmentable” and there is only one existing access identifier for the entity that is appropriate for the business function and no segment contains it, then that one access identifier is associated automatically with the business function.

[0255] 5. When the assignment is not to a PAA and the business function requires data and the business function is “segmentable” and there are multiple access identifiers and/or segments for the entity that are appropriate for the business function, then an “assign data” screen appears to assign data to that business function. FIGS. 8A and 8B illustrate the sequence of assigning business functions and data associated with them.

[0256] 6. If a business function does not require data, then it is assigned with no data designation in the EUA table and possibly also the Delegation table.

[0257] 7. If a business function requires data, at least one access identifier of an appropriate type must exist in order to complete the assignment. If one does not exist, the business function is not assigned.

[0258] 8. If a business function is “segmentable,” it must be associated with at least one access identifier type in the BFITA table. Otherwise, it is not possible to assign segments or pieces of the organization to it.

[0259] 9. A segmentable business function can be associated with primary access identifiers and or segments. The Administrators can assign a person a business function associated with one or more primary access identifiers; one or more Segments; or any combination of Segments and primary access identifiers.

[0260] 10. The assignments of a primary access identifier and a segment containing that access identifier for the same business function are independent of one another. If this occurs and later, the primary access identifier is removed from the segment, the direct assignment of the primary access identifier and the business function remains. For example, if a person is assigned a Primary access identifier of Tax ID of 222334444, and that same access identifier is included in a Segment, then when the Primary access identifier is removed from the Segment and nothing else is changed, the person will still have access to the Tax ID.

[0261] 11. When assigning the data on which a business function is to be performed during the “Assign Access” workflow or the “Delegate Work” workflow, an AA can only assign access to another AA or OA to the extent that the AA has access himself or herself. The data that can be chosen is represented (a) by the Segments that have been assigned to the administrator for the function and proper subsets of those segments as long as they contain at least one individual access identifier of a type that the business function uses and (b) by the Primary access identifiers to which the administrator has rights for the business function (by design these primary access identifiers must be of a type appropriate for the business function).

[0262] 12. In the assignment of access identifiers during the “Assign Access” workflow or the “Delegate Work” workflow, it is assumed that the PAA will have access to all Segments. This is true even when an AA assigns Derivative access identifiers to a Segment and the PAA has not worked with the new Derivative access identifiers directly, because the PAA has access to all the Primary access identifiers. Since all Derivative access identifiers are derived from one of the Primary access identifiers, the PAA has access to all the “parents” of Derivative access identifiers. The secured logon application ensures that if someone has access to the Parent access identifier, then he or she also has access to every Derivative access identifier.

[0263] 13. A business function can be delegated without any data associated with it if and only if the business function does not require access IDs in its normal use.

[0264] 14. At the time of business function invocation, the secured logon application will expand a Segment into the individual access identifiers that make it up according to the following steps:

[0265] a. Each Segment will be looked up to find its individual access identifiers

[0266] b. The union of the individual access identifiers of the Segments and assigned individual access identifiers will be found giving the full set of individual access identifiers; and

[0267] c. The full set of individual access identifiers will be filtered based upon the types of access identifiers that the business function is allowed to process.

[0268] The resulting filtered group is the set of access identifiers that the person can use with the business function. It is possible that the resulting set is NULL

[0269] There are fifteen rules relating to segments, which are as follows:

[0270] 1. A Segment is a collection of one or more access identifiers that “belong to” one entity. The Segment can contain any combination of Primary and Derivative access identifiers.

[0271] 2. When an access identifier is added to a segment, it becomes available immediately everywhere that segment is referenced. Similarly, when an access identifier is removed from a segment, it is immediately removed everywhere that segment is referenced.

[0272] 3. An access identifier can be an element of zero, one, or more Segments, the only restriction being that the Segment must be on behalf of the same entity with which the access identifier is associated.

[0273] 4. Within a Segment an access identifier can exist only once.

[0274] 5. A Segment may not contain another segment.

[0275] 6. A Segment can exist without any members in it.

[0276] 7. The Manage Segments function enables an administrator to manage the creation and contents of Segments. FIGS. 20-22 illustrate the process of creating a segment definition and then determining its contents.

[0277] a. If Derivative access identifiers are possible, a link is provided in the Manage Segments function to enable the user to pick up any Derivative Identifier that has not previously been chosen for use in Segment content definitions.

[0278] 8. The PAA assigns, or withholds permission to an administrator to work with segments via assignment of the Manage Segments function. If an AA does not have the Manage Segments business function, then he or she would not be aware of Segments except to the extent he or she has been assigned a Segment in the context of performing a business function using the data defined by the Segment.

[0279] 9. The Manage Segments function is associated with access ID types in BFITA.

[0280] a. It is necessary to associate the Manage Segments function with access ID types in BFITA so that when a derivative link is activated and it wants to know what data it has to work with for a “parent” access identifier, the derivative link gets the appropriate data. As an example, for agencies and brokers, the function would be based on an access ID type of tax ID as a parent and an access ID type of an Agency Location ID as a parent. These access ID types are the only ones that can actually result in derivatives.

[0281] b. Associating the Manage Segments function with access ID types in BFITA is also done so that administrators can be assigned to Manage Segments for specific segments of the organization.

[0282] i. A consequence of assigning segments of the organization for an administrator to manage via the Manage Segments process is that the administrator may have access to more data for a different function if a broader or different segment is assigned for the other function.

[0283] 10. A PAA can work with all Access identifiers when defining the contents of a Segment.

[0284] 11. The identifiers that an AA can work with when defining the contents of a Segment are determined as follows:

[0285] a. When the AA was assigned the Manage Segments business function, the person who assigned it indicated what data the AA could work with for Maintain Segments. The data assigned is in the form of Segments or Primary access identifiers.

[0286] b. Determine all the Primary access identifiers in the Segments, all the derivative access identifiers in the Segments, all the Primary access identifiers directly assigned, and all the access identifiers that have been derived from the Primary access identifiers. This constitutes all the access identifiers that the AA can work with.

[0287] 12. A PAA can work with all Segments for his or her entity when using the Manage Segments function.

[0288] 13. The Segments that an AA can work with when using the Manage Segments function are determined as follows (results in a list of segments, each of which consists of access identifiers that are directly or indirectly assigned to the AA to use in Manage Segments)

[0289] a. Determine the identifiers the AA can work with when defining the contents of a Segment as above.

[0290] b. Determine the Segments which consist entirely of access identifiers in the above list.

[0291] 14. If a segment is delegated from one organization to another, the PAA and AAs at the receiving organization will not be able to see the individual items within the segment and cannot define segments of their own of the items within the original segment or of primary access IDs that were individually delegated.

[0292] 15. Segments may be created and maintained by both user interface-based processes (Manage Segments) and Transaction Acceptor transactions.

[0293] Two examples of the use of segmentation are as follows:

EXAMPLE ONE

[0294] Jefferson Hospital System started as Jefferson General Hospital, a large big city hospital. It has grown by acquisition such that it now owns facilities that were once thirteen separate organizations. Each of these facilities has retained its original tax ID.

[0295] Megan is the VP of Business Operations for Jefferson and runs all the administration for the Jefferson Hospital System. She has three directors of Business Operations—Charles who oversees the facilities on the East Side of town, Linda who oversees the facilities in the downtown area, and Peter who oversees the facilities in the suburbs.

[0296] Two business activities are conducted online—claims processing and referral processing. Megan has asked Charles to handle the Referral Processing for the entire organization. Claims Processing is handled by the individual operations.

[0297] With these parameters, the organization is structured as follows:

[0298] Charles handles:

[0299] East Side Family Clinic—Tax ID=TINA

[0300] East Side MRI Center—Tax ID=TINB

[0301] East Side Outpatient Surgi-Center—Tax ID=TINC

[0302] East Side Rehab—Tax ID=TIND

[0303] East Side Hospital—Tax ID=TINE

[0304] Linda handles:

[0305] Sisters of Mercy Hospital—Tax ID=TINL

[0306] Jefferson General Hospital—Tax ID=TINM

[0307] Peter handles:

[0308] Middletown Hospital—Tax ID=TINF

[0309] Chester Hospital—Tax ID=TING

[0310] Johnson City Hospital—Tax ID=TINH

[0311] Kingston Hospital—Tax ID=TINI

[0312] Cold Springs Hospital—Tax ID=TINJ

[0313] Bristol Hospital—Tax ID=TINK

[0314] Charles has four administrators working for him. Cathy handles the East Side Family Clinic; Charlotte handles the specialty facilities (East Side MRI and East Side Rehab); Connor handles the East Side Outpatient Surgi-Center and the East Side Hospital; and Chris handles the Referral Processing for the entire operation.

[0315] When Megan registers Jefferson Hospital System with the secured logon application, she lists all 13 Tax IDs as Access Identifiers on the registration.

[0316] Behind the scenes in the secured logon application, the following information is in the BFITA table:

3Business FunctionAccess Identifier TypeSegment Your OrganizationTax IDClaims ProcessingTax IDReferral ProcessingTax ID

[0317] The following information is in the Business Function table:

4Business FunctionSegmentableSegment Your OrganizationYesClaims ProcessingYesReferral ProcessingYes

[0318] When Megan first gets on, she sets up segments. Since she has access to all data and since Segment Your Organization uses data with Access ID Type of Tax ID, her choice for creating segments is shown in FIG. 18.

[0319] Megan sets up the following segments:

5Segment NameContentsEast SideTINA, TINB, TINC, TIND, TINEMid TownTINL, TINMSuburbsTINF, TING, TINH, TINI, TINJ, TINKAllTINA, TINB, TINC, TIND, TINE, TINF,TING, TINH, TINI, TINJ, TINK, TINL,TINM

[0320] She registers Charles, Peter, and Linda and assigns them rights as follows:

6PersonBusiness FunctionData It Uses for OperatingCharlesSegment Your OrganizationEast Side segmentCharlesClaims ProcessingEast Side segmentCharlesReferral ProcessingAll segmentPeterSegment Your OrganizationSuburbs segmentPeterClaims ProcessingSuburbs segmentLindaSegment Your OrganizationMid Town segmentLindaClaims ProcessingMid Town segment

[0321] When she assigns them rights, she will first see a screen that displays the business functions that she may grant out. This screen would show Segment Your Organization, Claims Processing, and Referral Processing. After she has chosen the business functions, she will see all the data that can be assigned with each of the chosen functions.

[0322] The screen she would see for Charles when she assigns data for his business functions would contain the following display of choices:

[0323] +Segment Your Organization

[0324] TINA [East Side Family Clinic]

[0325] TINB [East Side MRI Center]

[0326] TINC [East Side Outpatient Surgi-Center]

[0327] TIND [East Side Rehab]

[0328] TINE [East Side Hospital]

[0329] TINF [Middletown Hospital]

[0330] TING [Chester Hospital]

[0331] TINH [Johnson City Hospital]

[0332] TINI [Kingston Hospital]

[0333] TINJ [Cold Springs Hospital]

[0334] TINK [Bristol Hospital]

[0335] TINL [Sisters of Mercy Hospital]

[0336] TINM [Jefferson General Hospital]

[0337] East Side

[0338] Midtown

[0339] Suburbs

[0340] All

[0341] +Claims Processing

[0342] TINA [East Side Family Clinic]

[0343] TINB [East Side MRI Center]

[0344] TINC [East Side Outpatient Surgi-Center]

[0345] TIND [East Side Rehab]

[0346] TINE [East Side Hospital]

[0347] TINF [Middletown Hospital]

[0348] TING [Chester Hospital]

[0349] TINH [Johnson City Hospital]

[0350] TINI [Kingston Hospital]

[0351] TINJ [Cold Springs Hospital]

[0352] TINK [Bristol Hospital]

[0353] TINL [Sisters of Mercy Hospital]

[0354] TINM [Jefferson General Hospital]

[0355] East Side

[0356] Midtown

[0357] Suburbs

[0358] All

[0359] +Referral Processing

[0360] TINA [East Side Family Clinic]

[0361] TINB [East Side MRI Center]

[0362] TINC [East Side Outpatient Surgi-Center]

[0363] TIND [East Side Rehab]

[0364] TINE [East Side Hospital]

[0365] TINF [Middletown Hospital]

[0366] TING [Chester Hospital]

[0367] TINH [Johnson City Hospital]

[0368] TINI [Kingston Hospital]

[0369] TINJ [Cold Springs Hospital]

[0370] TINK [Bristol Hospital]

[0371] TINL [Sisters of Mercy Hospital]

[0372] TINM [Jefferson General Hospital]

[0373] East Side

[0374] Midtown

[0375] Suburbs

[0376] All

[0377] Once Charles has his functions, he goes about setting up segments that suit him. Since he has been assigned the East Side segment for the Segment Your Organization function, his choice for creating segments will be as shown in FIG. 19.

[0378] Charles sets up the following segments:

7Segment NameContentsSpecialty FacilitiesTINB, TINDHospital CareTINC, TINE

[0379] He does not set up a separate segment for the East Side Family Clinic.

[0380] Charles registers Cathy, Charlotte, and Connor and sets them up for Claims Processing for their respective operations. He sets up Chris and sets him up for Referral Processing for the entire organization.

[0381] When he assigns data for the claims processing for Cathy, Charlotte, and Connor, he will have the following options for assigning data and assigns it as follows:

8Business Function and Data for AssignmentCathyCharlotteConnor+Claims ProcessingTINA [East Side Family Clinic]XTINB [East Side MRI Center]TINC [East Side Outpatient Surgi-Center]TIND [East Side Rehab]TINE [East Side Hospital]Specialty FacilitiesXHospital CareXEast Side

[0382] When he assigns data for the Referral Processing for Chris, he will have the following options for assigning data and can assign it in a number of different ways as he sees fit:

9Business Function and Data forAssignmentOption 1Option 2Option 3+Referral ProcessingTINA [East Side FamilyXClinic]TINB [East Side MRI Center]XTINC [East Side OutpatientXSurgi-Center]TIND [East Side Rehab]XTINE [East Side Hospital]XTINF [Middletown Hospital]XTING [Chester Hospital]XTINH [Johnson City Hospital]XTINI [Kingston Hospital]XTINJ [Cold Springs Hospital]XTINK [Bristol Hospital]XTINL [Sisters of MercyXHospital]TINM [Jefferson GeneralXHospital]East SideXMidtownXSuburbsXAllXSpecialty FacilitiesHospital Care

[0383] It is noted that the data choices Charles sees for assigning for Claims Processing and Referral Processing are different from one another. The differences are based on the rights originally assigned to Charles. For Claims Processing, he was assigned the East Side segment. Thus, when he assigns data for Claims Processing, he sees the Access Identifiers associated with the East Side segment and he sees the other segments which are proper subsets of the East Side segment.

[0384] For Referral Processing, he was assigned the All segment. So when he assigns data for Referral Processing, he sees the Access Identifiers associated with the All segment and he sees the other segments which are proper subsets of the All segment.

EXAMPLE TWO

[0385] Payor Front End (PFE) is a sponsor organization that captures transactions from providers and sends them for processing to payor organizations that have signed up with them. PFE has three payors, ABC, DEF, and GHI.

[0386] At PFE, there are Payor specific functions for each kind of transaction. This means that for the Claims Inquiry transaction, there is an ABC Claims Inquiry and a DEF Claims Inquiry and a GHI Claims Inquiry. For the Referral Inquiry transaction, there is an ABC Referral Inquiry and a DEF Referral Inquiry and a GHI Referral Inquiry.

[0387] In general the ABC functions and GHI functions use a Tax ID (access identifier type=TI) as the identifier when processing the functions and the DEF functions use a proprietary identifier called a Site Definition id (access identifier type=SD) as the identifier when processing the functions.

[0388] The Segment Your Organization business function is associated with both Tax IDs and DEF Site Definition ids, since segments can be created from either or both kinds of identifiers.

[0389] As a consequence the BFITA entries for these functions would be:

10BFITA EntriesABC Claims InquiryTIABC Referral InquiryTIDEF Claims InquirySDDEF Referral InquirySDGHI Claims InquiryTIGHI Referral InquiryTISegment Your OrganizationTISegment Your OrganizationSD

[0390] For the large Provider Organizations, there are often multiple SDs defined, typically one for each of the locations for that Provider Organization. Sometimes there are also multiple Tax IDs.

[0391] We take the case of Big Florida Hospital. It has three locations—Miami East, Miami Central, and Tampa. Big Florida Hospital started in Tampa and acquired the Miami Regional Hospital system. Therefore, it has two Tax IDs—one for the original Tampa hospital and one for the Miami Regional Hospital. The identifiers for the three locations are:

11Big Florida Hospital IdentifiersMiami EastTI = 222333444, SD = H678Miami CentralTI = 222333444, SD = H789TampaTI = 666777666, SD = I345

[0392] When Big Florida Hospital is set up, it has only the Tax IDs in the application. The SD access ids will be added later. Therefore, when Security assigns access to the PAA (Megan), Megan will have the following EUA entries:

12PAA (Megan) Initial EUA EntriesSegment Your OrganizationTI = 222333444Segment Your OrganizationTI = 666777666ABC Claims InquiryTI = 222333444ABC Claims InquiryTI = 666777666ABC Referral InquiryTI = 222333444ABC Referral InquiryTI = 666777666GHI Claims InquiryTI = 222333444GHI Claims InquiryTI = 666777666GHI Referral InquiryTI = 222333444GHI Referral InquiryTI = 666777666

[0393] DEF uses the System Application Owner functions process to assign the Site Definition ids within a few days of the registration completion. They are not captured during the registration process, since they are not known by the Provider Organizations in order to add during the registration process. DEF also assigns the DEF functions to the Provider Organization after adding the Site Definition ids. In fact, if Security attempted to assign the DEF functions prior to the existence of the Site Definition ids, there is a check to prevent this and to raise a warning that an ID of the appropriate type is missing.

[0394] Once DEF completes the assignment of the Site Definition ids and DEF business functions, there will be additional EUA entries as follows:

13PAA (Megan) Additional EUA EntriesDEF Claims InquirySD = H678DEF Claims InquirySD = H789DEF Claims InquirySD = I345DEF Referral InquirySD = H678DEF Referral InquirySD = H789DEF Referral InquirySD = I345

[0395] Some additional Segment Your Organization EUA entries also come into existence when the Site Definition ids are added. This is due to the fact that when an access identifier is added to an entity, there will be an automatic assignment to the PAA of that access identifier along with any currently assigned business function that can use an access identifier of its type.

[0396] PAA (Megan) Additional EUA Entries

[0397] Segment Your Organization SD=H678

[0398] Segment Your Organization SD=H789

[0399] Segment Your Organization SD=1345

[0400] Megan now goes in and creates segments as follows:

14Segment NameContentsMiami EastTI = 222333444, SD = H678Miami CentralTI = 222333444, SD = H789MiamiTI = 222333444, SD = H687, SD = H789TampaTI = 666777666, SD = I345EntireTI = 222333444, TI = 666777666, SD = H678,OrganizationSD = H789, SD = I345

[0401] It is noted that Megan could have created the segments right away before DEF added the Site Definition ids and business functions. If she did that, the segments would include only the Tax IDs, since the Site Definition ids would not be available. Then when the Site Definition ids became available, she could have added them to the appropriate segments. If she sets up things early, she will be unable to assign all business functions, since she will not have access to them or to the Site Definition ids.

[0402] Megan has AAs established for each of the locations—Charles for Miami East, Susan for Miami Central, and George for Tampa.

[0403] When assigning business functions, Megan has the following information displayed, with the choices she makes for Charles, Susan, and George being indicated by an “X.”.

15Business Functions and DataCharlesSusanGeorgeAccount AdministrationSegment Your OrganizationEntire OrganizationMiami EastXMiami CentralXMiamiTampaXSD = H678SD = H789SD = I345TI = 222333444TI = 666777666Claims InquiryABC Claims InquiryEntire OrganizationMiami EastXMiami CentralXMiamiTampaXTI = 222333444TI = 666777666DEF Claims InquiryEntire OrganizationMiami EastXMiami CentralXMiamiTampaXSD = H678SD = H789SD = I345GHI Claims InquiryEntire OrganizationMiami EastXMiami CentralXMiamiTampaXTI = 222333444TI = 666777666Referral InquiryABC Referral InquiryEntire OrganizationMiami EastMiami CentralMiamiXTampaXTI = 222333444TI = 666777666DEF Referral InquiryEntire OrganizationMiami EastMiami CentralMiamiXTampaXSD = H678SD = H789SD = I345GHI Referral InquiryEntire OrganizationMiami EastMiami CentralMiamiXTampaXTI = 222333444TI = 666777666

[0404] It is noted that based on the above assignments, Charles handles all referrals for Miami and Susan handles none.

[0405] Charles has several staff members. When he assigns access to them, he sees the following list displayed:

16Business Functions and DataAccount AdministrationSegment Your OrganizationMiami EastSD = H678TI = 222333444Claims InquiryABC Claims InquiryMiami EastTI = 222333444DEF Claims InquiryMiami EastSD = H678GHI Claims InquiryMiami EastTI = 222333444Referral InquiryABC Referral InquiryMiami EastMiami CentralMiamiTI = 222333444DEF Referral InquiryMiami EastMiami CentralMiamiSD = H678SD = H789GHI Referral InquiryMiami EastMiami CentralMiamiTI = 222333444

[0406] There are multiple ways in which Charles could have been assigned Referral Processing for Miami. Three options are as follows:

17OptionAssignment1ABC Referral Inquiry - MiamiDEF Referral Inquiry - MiamiGHI Referral Inquiry - Miami2ABC Referral Inquiry - TI = 222333444DEF Referral Inquiry - SD = H678DEF Referral Inquiry - SD = H789GHI Referral Inquiry - TI = 2223334443ABC Referral Inquiry - Miami EastABC Referral Inquiry - Miami CentralDEF Referral Inquiry - Miami EastDEF Referral Inquiry - Miami CentralGHI Referral Inquiry - Miami EastGHI Referral Inquiry - Miami Central

[0407] Option 1 is the way in which he was assigned Referral Processing.

[0408] Given the rules associated with which Access Identifiers and segments are available to Charles for assignment, it would not matter how the assignment to him was done. All options result in the choices for his assignment of data for Referral Processing as indicated above.

[0409] There are four rules relating to Derivative access identifiers, which are as follows:

[0410] 1. The secured logon application finds out about derivative access identifiers through processes that peruse back-end systems. The process uses a “parent” access identifier to retrieve and present the back-end systems' identifiers that relate to the “parent” access identifier to an administrator (PAA or AA). The administrator then chooses the desired derivative access identifier(s). A typical flow for this process is represented in FIG. 14. The Port-of-Origin (PO) developers are expected to implement the routines to retrieve the back-end access identifiers, present them to the Administrator via the User Interface, and then send the selected list of derivative access identifiers to the secured logon application via the secured logon application supplied API routines. Furthermore, the secured logon application will allow registered applications (programs) to add derivative access identifiers via the secured logon transaction acceptor.

[0411] 2. The Manage Segments function contains a link(s) to the process(es) that enable the user to pick Derivative Identifiers. Only a person with access to this business function and data can use the PO's functions to find derivative access identifiers to add to the secured logon application.

[0412] 3. The added access identifiers cannot be used individually and must be placed into Segments.

[0413] 4. Since Derivative access identifiers can only be used in segments, a consequence of indicating that a business function is not segmentable is that Derivative identifiers are not allowed for it.

[0414] There is one rule relating to access identifiers that are no longer active, which is as follows:

[0415] The secured logon application does not have a synchronization method in place to ensure that any access identifier (primary or derivative) is still active in a back-end system. It is the responsibility of every business function to ensure that it uses access identifiers appropriately according to business rules, i.e., an otherwise inactive access identifier may still be needed for reporting purposes, but should not be used for new work. Example: a broker is no longer working for an agency, but that broker access identifier is still needed to issue the commission reports for the current fiscal year. A business function must be able to bypass gracefully an invalid or inactive access identifier or tell the user what to do in other circumstances. The business function must deal with the access ID in an appropriate manner. It can, for example, reject the access identifier, or use it for reporting, but not for new work.

[0416] There are three rules relating to deleting access identifiers and segments, which are as follows:

[0417] 1. Whenever an access identifier is deleted, references to it and its children must be deleted:

[0418] a. The entire sub-tree below that access identifier in the Access_Identifier table must be deleted, i.e., all its children must be deleted.

[0419] b. Furthermore, all rows in the EUA table referencing the deleted access identifier and its children must be deleted.

[0420] c. All references to the deleted access identifier and its children in segments must be deleted by removing the association between them in the Access_Group_ID_Assoc table.

[0421] d. All references to the deleted access identifier and its children in the Delegation table must be marked inactive and all EUA_Delegation_Assoc rows associated with those Delegation rows should be marked inactive.

[0422] 2. No deletion of EUA rows or EUA_Delegation_Assoc rows is done for rows pointing to a segment that becomes empty when an access identifier is deleted.

[0423] 3. Whenever a segment is deleted, references to it must be deleted:

[0424] a. All rows in the EUA table referencing the deleted segment must be deleted.

[0425] b. All references to the deleted segment in the Delegation table must be marked inactive and all EUA_Delegation_Assoc rows associated with those Delegation rows should be marked inactive.

[0426] There are two rules relating to adding access identifiers:

[0427] 1. When an access identifier is added to an entity, there will be an automatic assignment to the PAA of that access identifier along with any currently assigned business function that can use an access identifier of its type.

[0428] 2. No such automatic assignment should be done for any business functions that are not currently assigned to the PAA.

[0429] There are two rules relating to logging and audit trails, which are as follows:

[0430] 1. Log records are kept of all adds, changes, and deletions of access identifiers and segments.

[0431] 2. The secured logon application has an audit trail of how any individual or entity received his or her or its authority to perform a function on another's behalf.

[0432] There are twenty-three rules relating to delegation, which are as follows:

[0433] 1. Whenever an entity wants another entity to do some or all of the work for it, the PAA will follow the “Delegate Access” workflow. The PAA can delegate any part or all of the “delegatable” business functions and information access to the other entity.

[0434] 2. Delegation is not an alternate way to “Assign Access” to other people within a particular person's entity. Assignment is the process of giving other people in a person's entity the ability to do the work, whereas delegation is granting access to another entity.

[0435] 3. The secured logon application will pre-determine which entity types can be delegated to by another entity type, e.g. a provider can delegate to a third party administrator, but not to a member entity.

[0436] 4. A PAA becomes a virtual entity-user of the BehalfOF entity when the BehalfOf entity delegates work to the entity for which the PAA works (Admin entity). A PAA, and later an AA of the Admin entity if given the permissions, creates other virtual entity-users when the PAA/AA assigns delegated work to the users. The IT security personnel of the sponsoring organization also can create virtual entity-users when they assign delegated work to the users. Each of these virtual entity-users will have a row in the entity-user table.

[0437] 5. When a person is given access via delegation to another entity, in the context of that other entity he or she is only an OA and cannot be an AA or PAA for that entity.

[0438] 6. If in the context of his or her own entity he or she is the PAA or an AA, he or she can assign people “employed” by his or her entity access to the other entity.

[0439] 7. Referring to FIG. 17, a delegation chain is tracked by a 3-tuple of data: The chain identifier, level, and parent. The chain groups the delegations for a particular entity/business function/data set. For example, when XYZ delegates “File Claims” to DEF, a chain ID of “C1357” is assigned. When DEF furthers the delegation by delegating to ABC, the delegation has the same chain ID of “C1357”. The first delegation from XYZ to DEF is level 1, and the second delegation from DEF to ABC is level 2. The parent value points to the row that gave the delegation. The delegation from XYZ to DEF has no parent, so is NULL. The delegation from DEF to ABC has a parent of XYZ to DEF's row. It is possible for DEF also to delegate the same work to MNO. This delegation by DEF to MNO will have the same chain ID, the same level, and the same parent value as the delegation by DEF to ABC.

18DELEGATION Table snippet (not all columns shown): See FIG. 17Delegation_GenBehalfOfAdminGrantedBy_KeyEntityEntityEntityDataBus_FuncChainLevelParentExplanationDGK001XYZDEFXYZDI200FileC13571<NULL>XYZClaimsdelegates toDEFDGK002XYZABCDEFDI200FileC13572DGK001DEFClaimsdelegates toABC forXYZDCK003XYZMNODEFDI200FileC13572DGK001DEFClaimsdelegates toMNO forXYZDGK004XYZPQRMNODI200FileC13573DGK003MNOClaimsdelegates toPQR forXYZ

[0440] 8. Each “Delegation chain” is considered separately for each “business function: data access pair”. There can be many different “delegation chains.” In fact, there can be hundreds of different “delegation chains” between two entities because each “business function: data access pair” or “business function alone” is delegated separately.

[0441] 9. For a first delegation there is a one-to-one correspondence between a delegated row in the EUA and the EUA_DELEGATION_ASSOC table.

[0442] 10. When delegated work is assigned to staff members within an Admin entity, the Delegation definition used for the delegation to the PAA is used for the staff member as well. This means that when a PAA or AA in an Admin entity “assigns delegated access” to another staff member in the Admin entity, an EUA entry is created for the other staff member and the EUA_Delegation_Assoc table contains an entry associating the new EUA row with the original Delegation for the PAA.

[0443] 11. When there are multiple delegation chains from the same Behalf~f entity to an Admin entity via different routes, and the Admin entity wants to delegate, all of the chains will be extended to the next level. This means that there will be multiple entries in the EUA_Delegation_Assoc table for a given EUA entry created as a result of this delegation to the next level. Referring to FIG. 16, as an example, assume that entity A's work is being delegated: A=>B=>D and A=>C=>D. In this case, entity D can do work on A's behalf via two different paths. When D=>E on behalf of A, then both of A's delegation chains to D will be extended to entity E. This means that any EUA entry created for users at E to do work on behalf of A will have two entries in the EUA_Delegation_Assoc table, one representing the delegation path of A=>B=>D=>E and one representing the delegation path of A=>C=>D=>E.

[0444] 12. In the case as above of multiple delegation chains being extended to the same Admin entity via two different paths, a delegation will continue even if one of the paths is revoked. In the example above, if A revokes the delegation to C, the path of A=>B=>D=>E remains and E may still do work on behalf of A. In this case, the Delegation representing A=>C=>D=>E would be deactivated and the EUA_Delegation_Assoc row referencing that Delegation would be deactivated as well.

[0445] 13. The secured logon application does not permit having a “loop” in the delegation chain. That is, a PAA or AA cannot delegate back to any organization that has already been delegated to on the original entity's behalf on this same delegation chain. For example, if A delegates to B, who delegates A's work to C, then C cannot delegate A's work back to A or to B, and B cannot delegate A's work back to A.

[0446] 14. The Delegation_Authorization table ensures that a delegation between two entities reaches the correct entity the first time. The receiving entity sets up a Delegation Acceptance Code entry in this table, and communicates this public information to the PAA who will perform the delegation. An entry in this table “opens the door” for other entities to delegate to this entity. The PAA of the receiving entity can choose to have one entry that he or she uses to receive all delegations, or he or she can create a separate row for each delegation. It is at the receiving PAA's discretion. Rows in this table are deactivated by the receiving PAA or by the sponsoring organization's IT security personnel.

[0447] 15. The result of delegation is that the PAA of the Admin entity receives the business functions and data. An entity cannot delegate to anyone other than the PAA of the other entity because the secured logon application must have some control as to who receives the delegation. The PAA would then “Assign Delegated Access” of the delegated rights to others within his or her own organization resulting in people in the delegated to company who can do work on behalf of the original delegating entity. The delegation process requires the delegating entity's PAA or AA to know the delegation acceptance code value from the PAA of the “delegating-to” entity.

[0448] 16. The PAA or AA can revoke only the direct delegation from his or her entity to the next entity in the chain.

[0449] 17. When a delegation is terminated, either because of removal of rights to a specific business function: data pair, or because all rights are removed through Stop Delegating to Another Organization, then all corresponding delegations within the terminated entity and all subsequent (lower levels of authorization) are automatically terminated (revoked). This is referred to as a cascading delete. The determination of which items to revoke is made by traversing the delegation chain and deactivating corresponding Delegations from the Delegation table and associations from the EUA_Delegation_Assoc table. EUA rows are removed if there are no remaining entries for them in the EUA_Delegation_Assoc table.

[0450] 18. If A has already delegated to B for a “business function: data pair”, and some time later A wants to delegate to B an additional access ID for the same business function, then there are two ways in the secured logon application to accomplish this: (1) If the delegation was originally done using a Segment, then A's administrator need only add the new access ID to the appropriate Segment; or (2) A runs the “Change Delegation” process to delegate the “business function: new access ID pair” to B. In both cases A's PAA should tell B's PAA that a new access ID has been delegated.

[0451] 19. If a segment is delegated from one organization to another, the PAA and AAs at the receiving organization will not be able to see the individual items within the segment and cannot define segments of their own of the items within the original segment or of primary access IDs that were individually delegated.

[0452] 20. In the assignment of access identifiers during the “Assign Delegated Work” workflow, a PAA or AA may assign segments or primary access ids that have been directly assigned to him or her.

[0453] 21. Because a receiving PAA is not allowed to define/redefine segments that have been delegated to him, assignment of delegated functions and any further delegation will be done with what was originally delegated.

[0454] 22. There is no explicit way for the PAA to control further delegation. A future objective of the secured logons application is to control access along four lines: no further delegation allowed, delegation allowed with permission, delegation allowed with notification, and delegation allowed with no restrictions. The control at the moment consists of not assigning the “perform delegation” functions to organizations that have the “receive delegation” functions.

[0455] 23. Quick summary of delegation information and the tables in which it is stored:

[0456] a. Delegated Business Function and Access Identifier pairs are stored in the Delegation_Table with the definition of the delegation chain. The delegation chain provides the “reason” for the business function/access identifier pair existence. Three pieces of data define the delegation chain—the chain identifier, level, and parent. The Delegation_Table has information on an entity basis.

[0457] b. The virtual Entity User is stored in the Entity_User table; the BehalfOf_Entity_Gen_KeyAdmin_Entity_Gen_Key; GrantedBy_Entity_Gen_Key is null (the granted by entity can be determined by looking at the Delegation_Table and reviewing the delegation chain information)

[0458] c. There is an Entity_User_Access (EUA) entry for each Business Function—Access Identifier pair assigned to the user on behalf of the BehalfOf entity.

[0459] d. EUA_Delegation_Assoc table associates the EUA entry with the reason(s) for its existence, i.e., the entry or entries in the Delegation_Table that documents the delegation chain(s) by which the user has received permission to do the work in the EUA entry.

[0460] e. When someone is “assigned delegated work”, an EUA record is created for him and the EUA_Delegation_Assoc table contains an entry associating the new EUA row and the same Delegation that documents the reason that the PAA received the same permissions.

[0461] f. When a further delegation is done from an existing chain, the 3-tuple of data for the new entry in the Delegation table is related to the 3-tuple of data defining the delegation that it came from as follows: contains the same chain id, has its level incremented by 1 from the delegation from which it is coming, and has its parent point to the delegation from which it is coming.

[0462] g. When a user has the same functionality delegated from multiple paths, the same EUA row is used and another row (reason) is added to the EUA_Delegation_Assoc table, associating that one EUA row with a different Delegation entry.

[0463] h. When a function is removed from a user who has received the functionality from multiple paths, deactivate the EUA_Delegation_Assoc row associated with the path that has been removed; remove the EUA row only if there are no other EUA_Delegation_Assoc rows for that EUA row.

[0464] FIGS. 23-29 illustrate the functionality for managing delegation and the typical “Delegate Work” workflow and “Assign Delegated Work” workflow.

[0465]
FIG. 30 illustrates the conceptual relationship between key components describes. The three examples below illustrate the basic concepts covered in FIG. 30.

EXAMPLE ONE

Illustration of the Concepts in FIG. 30

[0466] The following is an illustration of the basic concepts shown in FIG. 30, in which a health insurance company is the sponsor organization.

[0467] When the secured logon application is established, the following items are set up: two ports of origin, two access identifier types, three system applications, three Owners, five business function sets,

[0468] The two Ports of Origin that are set up are a Port of Origin for an Entity Type of Employer and a Port of Origin for an Entity Type of Provider.

[0469] The Access Identifier Types are Customer Group Number for use by an Employer Entity Type and Tax Identification Number for use by a Provider Entity Type.

[0470] Three System Applications are supported, each with one or two Business Functions. The Employer Support Application implements Online Billing and Member ID Card Replacement. The Provider Support Application implements Claims Inquiry and Eligibility Inquiry. The Account Administration Application implements Register a New User.

[0471] The Owner of the Employer Support Application is the Billing and Enrollment Division of the company. The Owner of the Provider Support Application is the Provider Relations Division of the company. The Owner of the Account Administration Application is the Internal Security Division of the company.

[0472] There are five Business Function Sets: the Employer Member Functions set, which includes Member ID Card Replacement; Employer Billing Functions set, which includes Online Billing; the Employer Account Administration set, which includes Register a New User; the Provider Functions set, which includes Claims Inquiry and Referral Inquiry; and the Provider Account Administration set, which includes Register a New User.

[0473] Different Business Function Sets are associated with each Entity Type. The Employer Entity Type uses the Business Function Sets of Employer Member Functions, Employer Billing Functions, and Employer Account Administration. The Provider Entity Type uses the Business Function Sets of Provider Functions and Provider Account Administration.

[0474] The Port of Origin Menu for the Employer Port of Origin lists the individual Business Functions: Member ID Card Replacement, Online Billing, and Employer Account Administration.

[0475] The Port of Origin Menu for the Provider Port of Origin lists the individual Provider Account Administration function first and then the Provider Functions set as a unit.

[0476] The items that come into existence as the secured logon application are dependent on what happens. In this example, two organizations register—Popkins Internal Medicine and Acme Broadcasting. Popkins Internal Medicine registers two users and Acme Broadcasting registers one user. As a consequence of these actions, the items that come into existence are two Entities, two Access Identifiers, three Users, and three Entity Users.

[0477] There are two Entities: Popkins Internal Medicine, which provides medical services to individuals insured by the sponsor organization and registers as a Provider Entity Type; and Acme Broadcasting, which carries insurance for its employees through the sponsor organization and registers as an Employer Entity Type.

[0478] The Access Identifier value for Popkins Internal Medicine is 123456789 with an Access Identifier Type of Tax Identification Number. The Access Identifier value for Acme Broadcasting is AB 12345 with an Access Identifier Type of Customer Group Number.

[0479] The three Users are Irene Popkins, who is registered as a User by Popkins Internal Medicine; Martin Carver, who is registered as a User by Popkins Internal Medicine; and Mary Smith, who is registered as a User for Acme Broadcasting.

[0480] Since no User is associated with more than one entity, there are also three Entity Users, Irene Popkins to Popkins Internal Medicine, Martin Carver to Popkins Internal Medicine, and Mary Smith to Acme Broadcasting.

[0481] The Entity User Business Functions are granted from the Business Functions within the Business Function Sets associated with the Entity Type. Irene Popkins at Popkins Internal Medicine can be granted functions from the Provider Functions and the Provider Account Administration sets and is actually granted Register a New User, Claims Inquiry, and Referral Inquiry. Martin Carver at Popkins Internal Medicine can be granted functions from the Provider Functions and the Provider Account Administration sets and is actually granted Claims Inquiry and Referral Inquiry.

[0482] Mary Smith at Acme Broadcasting can be granted functions from the Employer Member Functions, Employer Billing Functions, and Employer Account Administration sets and is actually granted Member ID Card Replacement, Online Billing, and Register a New User.

[0483] The User Menu for Irene Popkins in the Provider Port of Origin shows Register a New User and Provider Functions. The User Menu for Martin Carver in the Provider Port of Origin shows Provider Functions. The User Menu for Mary Smith in the Employer Port of Origins shows Member ID Card Replacement, Online Billing, and Register a New User.

EXAMPLE TWO

Person as an Entity

[0484] Entities can be people as well as organizations. Typically the sponsor organization has direct relationships with people as well as organizations. These people or organizations have different kinds of relationships with the sponsor organization. When these people or organizations are set up as entities, each entity is set up with an entity type that represents the relationship the entity has to the sponsor organization. This is done to enable different business functions to be established for the different entity types and to establish relationships easily between entities over time. Examples of these situations at a health insurance sponsor organization are:

[0485] Member of a health insurance plan: Typically, a person becomes a member of a health insurance plan by being employed by an employer who purchases the health insurance plan. At first glance, there might be an expectation that the member would be set up as a user associated with the employer. However, different business functions are available for members than for employers and a member may change employers over time. Having a separate member entity type facilitates each of these situations.

[0486] Physician Typically, a physician does business with a health insurance company by being associated with a provider organization. At first glance, there might be an expectation that the physician would be set up as a user associated with the provider organization. However, different business functions are available for physicians, some dealing with delivery of medical services, and a physician may change provider organizations over time. Having a separate physician entity type facilitates each of these situations.

[0487] The following is an example that builds on Example One above by showing a member as an entity.

[0488] When the secured logon application is established, the following items are set up: three Ports of Origin, three Access Identifier Types, four Systems Applications, four Owners, seven Business Function Sets

[0489] The three Ports of Origin that are set up are a Port of Origin for an Entity Type of Employer, a Port of Origin for an Entity Type of Provider, and a Port of Origin for an Entity Type of Member.

[0490] The Access Identifier Types are Customer Group Number for use by an Employer Entity Type, Tax Identification Number for use by a Provider Entity Type, and Member ID for use by a Member Entity Type

[0491] Four System Applications are supported, each with one or two Business Functions. The Employer Support Application implements Online Billing and Member ID Card Replacement. The Provider Support Application implements Claims Inquiry and Eligibility Inquiry. The Member Support Application implements Referral Inquiry and Change Primary Care Provider (PCP). The Account Administration Application implements Register a New User and Open My Account to Another User.

[0492] The Owner of the Employer Support Application is the Billing and Enrollment Division of the company. The Owner of the Provider Support Application is the Provider Relations Division of the company. The Owner of the Member Support Application is the Member Relations Division. The Owner of the Account Administration Application is the Internal Security Division of the company.

[0493] The seven Business Function Sets are the Employer Member Functions set, which includes Member ID Card Replacement; the Employer Billing Functions set, which includes Online Billing; the Employer Account Administration set, which includes Register a New User; the Provider Functions set, which includes Claims Inquiry and Referral Inquiry; the Provider Account Administration set, which includes Register a New User; the Member Function set, which includes Referral Inquiry and Change PCP; the Member Account Administration set, which includes Open My Account to Another User.

[0494] Different Business Function Sets are associated with each Entity Type. The Employer Entity Type uses the Business Function Sets of Employer Member Functions, Employer Billing Functions, and Employer Account Administration. The Provider Entity Type uses the Business Function Sets of Provider Functions and Provider Account Administration. The Member Entity Type uses the Business Function Sets of Member Functions and Member Account Administration.

[0495] The Port of Origin Menu for the Employer Port of Origin lists the individual Business Functions: Member ID Card Replacement, Online Billing, and Employer Account Administration.

[0496] The Port of Origin Menu for the Provider Port of Origin lists the individual Provider Account Administration function first and then the Provider Functions set as a unit.

[0497] The Port of Origin Menu for the Member Port of Origin lists the Member Functions set as a unit and then the Member Account Administration set as a unit.

[0498] The items that come into existence as the secured logon application is used are dependent on what happens. In this example, two organizations and one person register as entities—Popkins Internal Medicine, Acme Broadcasting, and Steven Towers. Popkins Internal Medicine registers two users; Acme Broadcasting registers one user; and Steven Towers is the only user in his entity. As a consequence of these actions the items that come into existence are three Entities, three Access Identifiers, four Users, and four Entity Users.

[0499] The three entities are Popkins Internal Medicine, which provides medical services to individuals insured by the sponsor organization and registers as a Provider Entity Type; Acme Broadcasting, which carries insurance for its employees through the sponsor organization and registers as an Employer Entity Type; and Steven Towers, who works for Acme Broadcasting and as a consequence is insured by the sponsor organization, and registers as a Member Entity Type.

[0500] Popkins Internal Medicine uses an Access Identifier of 123456789 with an Access Identifier Type of Tax Identification Number. Acme Broadcasting uses an Access Identifier of AB12345 with an Access Identifier Type of Customer Group Number. Steven Towers uses and Access Identifier of STAB12345 with an Access Identifier Type of Member ID.

[0501] The four Users are Irene Popkins, who is registered as a User by Popkins Internal Medicine, Martin Carver, who is registered as a User by Popkins Internal Medicine, Mary Smith, who is registered as a User for Acme Broadcasting, and Steven Towers, who is registered as a User for his own entity, i.e., the Steven Towers entity.

[0502] Since no User is associated with more than one entity, there are also four Entity Users, Irene Popkins to Popkins Internal Medicine, Martin Carver to Popkins Internal Medicine, Mary Smith to Acme Broadcasting, and Steven Towers to Steven Towers (entity).

[0503] The Entity User Business Functions are granted from the Business Functions within the Business Function Sets associated with the Entity Type. Irene Popkins at Popkins Internal Medicine can be granted functions from the Provider Functions and the Provider Account Administration sets and is actually granted Register a New User, Claims Inquiry, and Referral Inquiry.

[0504] Martin Carver at Popkins Internal Medicine can be granted functions from the Provider Functions and the Provider Account Administration sets and is actually granted Claims Inquiry and Referral Inquiry.

[0505] Mary Smith at Acme Broadcasting can be granted functions from the Employer Member Functions, Employer Billing Functions, and Employer Account Administration sets and is actually granted Member ID Card Replacement, Online Billing, and Register a New User.

[0506] Steven Towers at Steven Towers (entity) can be granted functions from the Member Function and Member Account Administration sets and is actually granted Referral Inquiry, Change PCP, and Open My Account to Another User.

[0507] The User Menu for Irene Popkins in the Provider Port of Origin shows Register a New User and Provider Functions. The User Menu for Martin Carver in the Provider Port of Origin shows Provider Functions. The User Menu for Mary Smith in the Employer Port of Origin shows Member ID Card Replacement, Online Billing, and Register a New User. The User Menu for Steven Towers in the Member Port of Origin shows Member Functions and Member Account Administration.

EXAMPLE THREE

User Associated with More than One Entity

[0508] A user can be associated with more than one entity. As an example, a user can be a member and associated with himself or herself and can be an administrator within an employer organization. The following illustrates this concept by building on examples one and two above. All new items are shown italicized.

[0509] The items set up when the secured logon application is established are the same as in Example Two; there is no change.

[0510] The items that come into existence as the secured logon application is used are dependent on what happens. In this example, two organizations and two people register as entities—Popkins Internal Medicine, Acme Broadcasting, Steven Towers, and Mary Smith. Popkins Internal Medicine registers two users; Acme Broadcasting registers one user; Steven Towers is the only user in his entity, and Mary Smith is the only user in her entity. As a consequence of these actions the items that come into existence are four Entities, four Access Identifiers, four Users, and five Entity Users.

[0511] The four entities are Popkins Internal Medicine, which provides medical services to individuals insured by the sponsor organization and registers as a Provider Entity Type; Acme Broadcasting, which carries insurance for its employees through the sponsor organization and registers as an Employer Entity Type; Steven Towers, who works for Acme Broadcasting and as a consequence is insured by the sponsor organization, and registers as a Member Entity Type; and Mary Smith, who is registered as an administrator for Acme Broadcasting in the above examples and works for Acme Broadcasting and as a consequence is insured by the sponsor organization and registers as a Member Entity Type

[0512] Popkins Internal Medicine uses an Access Identifier of 123456789 with an Access Identifier Type of Tax Identification Number. Acme Broadcasting uses an Access Identifier of AB12345 with an Access Identifier Type of Customer Group Number. Steven Towers uses an Access Identifier of STAB12345 with an Access Identifier Type of Member ID. Mary Smith uses an Access Identifier of MSAB12345 with an Access Identifier Type of Member ID.

[0513] The four Users are Irene Popkins, who is registered as a User by Popkins Internal Medicine; Martin Carver, who is registered as a User by Popkins Internal Medicine; Mary Smith, who is registered as a User for Acme Broadcasting; and a User for her own entity, i.e., the Mary Smith entity; and Steven Towers is registered as a User for his own entity, i.e., the Steven Towers entity.

[0514] Since one User is registered with two entities, there are five Entity Users, Irene Popkins to Popkins Internal Medicine, Martin Carver to Popkins Internal Medicine, Mary Smith to Acme Broadcasting, Mary Smith to Mary Smith (entity), and Steven Towers to Steven Towers (entity).

[0515] The Entity User Business Functions are granted from the Business Functions within the Business Function Sets associated with the Entity Type. Irene Popkins at Popkins Internal Medicine can be granted functions from the Provider Functions and the Provider Account Administration sets and is actually granted Register a New User, Claims Inquiry, and Referral Inquiry.

[0516] Martin Carver at Popkins Internal Medicine can be granted functions from the Provider Functions and the Provider Account Administration sets and is actually granted Claims Inquiry and Referral Inquiry.

[0517] Mary Smith at Acme Broadcasting can be granted functions from the Employer Member Functions, Employer Billing Functions, and Employer Account Administration sets and is actually granted Member ID Card Replacement, Online Billing, and Register a New User. Mary Smith at Mary Smith (entity) can be granted functions from the Member Function and Member Account Administration sets and is actually granted Referral Inquiry, Change PCP, and Open My Account to Another User.

[0518] Steven Towers at Steven Towers (entity) can be granted functions from the Member Function and Member Account Administration sets and is actually granted Referral Inquiry, Change PCP, and Open My Account to Another User.

[0519] The User Menu for Irene Popkins in the Provider Port of Origin shows Register a New User and Provider Functions. The User Menu for Martin Carver in the Provider Port of Origin shows Provider Functions. The User Menu for Mary Smith in the Employer Port of Origin shows Member ID Card Replacement, Online Billing, and Register a New User. The User Menu for Mary Smith in the Member Port of Origin shows Member Functions and Member Account Administration. The User Menu for Steven Towers in the Member Port of Origin shows Member Functions and Member Account Administration.

[0520] E. User Status

[0521] 1. Overview

[0522] Determination of user status for purposes of executing a business function is governed by the status of four different items: (1) Entity; (2) User; (3) Entity-user (real and virtual); and (4) Entity-user access (business functions and data combinations)

[0523] The combination of the statuses controls whether a given user can perform something for a given entity against certain data. To do this, the user has to be active, the entity has to be active, the user has to be actively associated with the entity (entity-user), and the business function and data combination has to be active for the user for the entity (entity-user access). Any one of these items can have a status other than “active,” which would cause the operation to fail.

[0524] The statuses are managed in various ways. The IT security personnel of the sponsor organization can manage the statuses of all four items. An external Access Administrator can manage the statuses of two of the items—entity-user and entity-user access. All can be non-active for a period of time and then become active again. One item—entity-user access—can be turned on and off easily at any time through the assignment of access rights processes discussed above. Because there are complexities involved with turning the other three—entity, user, and entity-user—on and off, there are explicit ways in which they can be made temporarily non-active without turning them off. Making the entity, user, and entity-user inactive includes being able to set up planned Suspense Periods in advance.

[0525] Also, in order for the secured logon application to provide Delegation, the logic for determining Processing Status (see the description of Status Types, below) for a virtual entity-user must include reviewing the status of multiple entities, namely the user's administering organization and the entity on whose behalf he is working.

[0526] Under all circumstances, dates define periods of time in which the various statuses are in effect.

[0527] Records must be kept of all actions that establish a planned future status change, change a status, or change a planned future status change.

[0528] 2. Status Types

[0529] There are four ways to represent a status, depending on the circumstances and location:

[0530] Date Status:—This refers to the status of an item as determined by the status dates associated with it.

[0531] Display Status:—This is the status of an item that is displayed on screens and is always relative to the current date and time. For entity-users, this status applies to real entity-users only.

[0532] Processing Status:—This applies to entity users, both real and virtual. It refers to whether an entity user is allowed to perform any functions.

[0533] Selection Status:—This applies to real entity users only. It is used to determine which entity users to display for selection lists used by access administrators and/or Internal Security.

[0534] 3. Entity User Access Status

[0535] A given Entity_User_Access row (combination of entity, user, function, and data) is active, as long as the user, the Admin entity, the BehalfOf entity (if different from the Admin entity), and the real entity user (real entity user whether the Entity User Access is for a real or virtual entity user) are all active; and as long as delegation does not extend beyond one level (i.e., as long as a “delegated to” organization does not in turn delegate the delegated work to another organization). A given Entity_User_Access row (combination of entity, user, function, and data) is active, as long as the user, the Admin entity, the BehalfOf entity (if different from the Admin entity), and the real entity user (real entity user whether the Entity User Access is for a real or virtual entity user) are all active; and as long as delegation does not extend beyond one level (i.e., as long as a “delegated to” organization does not in turn delegate the delegated work to another organization). When delegation can be extended beyond one level (i.e., when a “delegated to” organization can delegate the delegated work to another organization), a given Entity_User_Access row will be active as long as all entities in the delegation chain between the BehalfOF entity and the Admin entity are active in addition to all the criteria mentioned above.

[0536] 4. Business Rules

[0537] a) Real Entity User Statuses

[0538] Statuses for the Real Entity User—Entity User Display Status, Processing Status, and Selection Status—are dependent not only on the Entity User Date Status, but also on the Entity Date Status and the User Date Status. This dependency is reflected in the Entity User Status Derivations matrix, which is set forth in Appendix A.

[0539] In general the rules affecting the status interactions are as follows:

[0540] 1. For Entity User Display Status, the End Date and Time of a revoke (if it exists) takes precedence over all other things that may be happening to either the entity or the user. This is so that the explicit instructions from the Access Administrator or Internal Security, as reflected by the End Date and Time of a revoke will prevail in the event that any of the other events is backed out.

[0541] 2. The Entity User Processing Status will be Active as long as the Entity Date Status is Active, the User Date Status is Active, and the Entity User Date Status is Active. Otherwise, it is Inactive.

[0542] 3. The Entity User Selection Status for the Access Administrator (“AA”) will be Active as long the user has not been suspended or revoked, and the entity is still active. From a status perspective, the user shows up on the current selection lists for an entity when the Entity User Display Status is “Registered”, “Active”, or “Temporarily Inactive”. The user shows up on the Revoked selection list when the Entity User Display Status is “Revoked”.

[0543] b) Virtual Entity User Processing Status

[0544] As long as delegation does not extend beyond one level (i.e., as long as a “delegated to” organization does not in turn delegate the delegated work to another organization) the virtual Entity User Processing Status is dependent on the Date Status of the real Entity User that corresponds to this virtual Entity User, the User Date Status, the Date Status of the Admin Entity, and the Date Status of the Behalf(f Entity. If delegation is extended beyond one level (i.e., if a “delegated to” organization can delegate the delegated work to another organization), then the Date Status of all entities in the delegation chain between the BehalfOF entity and the Admin entity will need to be checked also. These dependencies are reflected in the Virtual Entity User Status Derivations matrix Virtual Entity User Status Derivations, which is set forth in Appendix B.

[0545] In general the rules affecting the status interactions are as follows:

[0546] 1. If the processing status for the real entity-user corresponding to the virtual entity-user is Inactive, then the processing status for the virtual entity-user is Inactive. Essentially this means that if the company that employs this user has suspended or revoked the user, then any delegated access is also Inactive.

[0547] 2. If any of the entities involved in the delegation is suspended or revoked, then the processing status is Inactive.

[0548] c) Actions and Activities Affecting Statuses

[0549] (1) Approve an Application

[0550] The IT security personnel of a sponsor organization can approve an application after going through a validation process. Also, the secured logon application can receive a pre-approved application from a trusted source. In both cases, this results in the entity being established, the user account for the PAA being established if it has not already been established, and the relationship between the entity and the PAA (Entity-User record created) being established. This results in registered and active status records being set up for the entity, the user if not already established, and the entity-user.

[0551] (2) Auto-Post Process

[0552] There is a process by which trusted sources can add an entity, PAA and the entity PAA relationship without going through the application process. As above, this results in registered and active status records being set up for the entity, the user if not already established, and the entity-user.

[0553] (3) Register a User

[0554] An access administrator for an entity or Internal Security can register a user for the entity. This is accomplished by the Register User function for the access administrator. For a sponsor organization's Internal Security personnel, this can be done in one of two places. First, on the Add New Relationship function on the Change/Update This Entity's Administrator Relationships page; and second, through the “Add an Administrator” function which appears in several places on the internal site.

[0555] In general, the rules affecting registration of a user are as follows:

[0556] 1. When doing the registration, an Effective Date and Time must be provided. “Now” is an acceptable option, which should be interpreted by the software to an appropriate date and time. The Effective Date and Time must be “now” or in the future.

[0557] 2. An End Date and Time is optional. If an End Date is provided, a revoke record will be created for that date. The End Date and Time must be greater than the Effective Date and Time.

[0558] 3. It is possible to register a user in one entity and use an account that was established for the user in the context of a different entity. This is how a “single sign-on” is accomplished. That can be done by providing appropriate information at the time of registration. However, reusing an existing user account is not allowed if the user is suspended or revoked by Internal Security; or if the user has been previously registered with the entity and status is not revoked.

[0559] One result of registration of a user is that the user account comes into existence, and registered and active status records for the user are created, if the user has not already been established. It also results in registered and active status records being set up for the entity-user.

[0560] (4) Reinstate a User

[0561] Reinstate a User is equivalent to Register a User, where an existing user account is being used, where the user has been previously registered with the entity, and the status is Revoked. This results in reregistered and active status records being set up for the entity-user.

[0562] (5) Adjust Effective Date and Time

[0563] An Access Administrator for an entity or the sponsor organization's Internal Security can adjust any future Effective Dates and Times for a user for an entity. This is accomplished by selecting the Effective Date and Time for an entity user on the Action Selection page.

[0564] In general, the rules affecting the adjustment of Effective Date and Time are:

[0565] 1. The Effective Date and Time must be “now” or in the future. If it is “now”, the software should interpret it to be an appropriate time.

[0566] 2. The Effective Date and Time must be prior to the End Date and Time if an End Date exists.

[0567] 3. The Effective Date and Time must be prior to all Suspense Dates and Times. If this situation is detected during edits, the user will be warned and will choose the remedy himself or herself. The two remedies are: Change the date(s) so that there is no issue; or cancel existing Suspense Period(s) until there is no issue. If canceling the existing Suspense Period(s) is chosen as the resolution, the record is marked as overridden so that if the effective date is ever changed again, the secured logon application can ask about these overridden records as well.

[0568] The result of an adjustment in the effective date and time is that the new effective date and time is recorded and an audit trail is created of the change.

[0569] (6) Suspend an Entity, User, or Entity-User

[0570] An access administrator for an entity or the IT security personnel of the sponsor organization can temporarily suspend a user for the entity. Only the IT security personnel can temporarily suspend an entity or a user. This is accomplished by defining a Suspense Period. Suspense Periods are managed from the Action Selection page. The result of setting up a Suspense Period is that records are created of the start date and the end date. The result of any changes to the dates associated with a Suspense Period is that records are made of the new dates and an audit trail is created of the changes to the old dates. FIGS. 15A and 15B illustrate the steps to temporarily suspend a user.

[0571] In general, the rules affecting the suspension of an entity, user, or entity-user are as follows:

[0572] 1. A Suspense Period must begin after the entity, user or entity-user's Effective Date.

[0573] 2. A Suspense Period must end before a revoke Date and Time if one exists

[0574] 3. For each Suspense Period, the Suspense Date and Time must be provided. “Now” is an acceptable option, as long as the other edits are met. “Now” should be interpreted by the software to an appropriate time.

[0575] 4. For each Suspense Period, a Reactivate Date and Time is optional, i.e., it can be open-ended as long as all the other edits are met. If it is given, it must be after the Suspense Date and Time. If no Reactivate Date and Time is entered, the default Reactivate Date and Time is used. This will be either a maximum date of 12/30/9999 or the revoke Date and Time, if one exits. When adjusting the dates for an active Suspense Period, “now” is an acceptable option for the Reactivate Date and Time if the other edits are met.

[0576] 5. Multiple Suspense Periods can be specified. Only the last of these can be open ended.

[0577] 6. There can be no overlap between Suspense Periods. When an overlap is detected during edits, the user will be warned and will choose the remedy himself or herself. The two remedies are: change the dates of the new Suspense Period so that there is no overlap; change the dates of existing Suspense Period(s); or cancel existing Suspense Period(s) until there is no overlap. If cancellation of the existing Suspense Period(s) is chosen as the resolution, the record is marked as overridden so that if the dates are ever changed again, the secured logon application can ask about these overridden records as well.

[0578] 7. The Suspense Date and Time for an existing Suspense Period can be changed as long as:

[0579] a) The existing Suspense Date and Time is in the future,

[0580] b) The new Suspense Date and Time is in the future,

[0581] c) The new Suspense Date and Time is prior to the Reactivate Date and Time,

[0582] d) The new Suspense Date and Time is after the Effective Date and Time, and

[0583] e) No overlap with another Suspense Period is created.

[0584] 8. The Reactivate Date and Time for an existing Suspense Period can be changed as long as:

[0585] a) the existing Reactivate Date and Time is in the future,

[0586] b) the new Reactivate Date and Time is in the future,

[0587] c) the new Reactivate Date and Time is after the Suspense Date and Time,

[0588] d) the new Reactivate Date and Time is less than or equal to the Revoke Date and Time if one exists, and

[0589] e) no overlap with another Suspense Period is created.

[0590] 9. A Suspense Period will not cascade down to the entity-user access nor to virtual entity users associated with this entity user. As a result, status must be validated at the user, all entities, and real entity user levels to determine actual access privileges.

[0591] 10. A Suspense Period can be canceled as long as both the Suspense Date and Time and Reactivate Date and Time are in the future.

[0592] 11. while a user or entity is suspended by the IT security personnel of the sponsor organization, future suspense periods for the entity user can still be established. These will be allowed so that they can go into effect in case the user or entity suspense is lifted. The Access Administrator or IT security personnel can set up such periods while the user is suspended. Only IT security personnel will be able to set up such periods while the entity is Suspended, since an Access Administrator will not be able to do anything for the entity while it is Suspended.

[0593] 12. The history of all actions surrounding the status will be shown to Access Administrators, Internal Security, and auditors.

[0594] (7) Revoke an Entity, User, or Entity-User

[0595] An access administrator for an entity or the IT security personnel of the sponsor organization can revoke a user for the entity. The IT security personnel can revoke an entity or a user. This is accomplished on the external site by clicking on the “revoke user” button on the Select Action screen or by choosing the “add an action” button and choosing Begin Revoke as the reason code and selecting a date and time for that action to begin. Regardless of which method you choose, you have the opportunity to enter the begin date of the revocation. The result of revoking is that a record is created of the revoke date. The result of any changes to a revoke date is that a record is made of the new date (if a new one is created) and an audit trail is created of the change to the old date.

[0596] In general, the rules affecting revocation of an entity, user, or entity-user are as follows:

[0597] 1. The revoke date can be in the future or can be “now” as long as the other edits are met.

[0598] 2. The revoke must be greater than any other action dates for them on file. If it is not greater than all other action dates, the user will be warned and will choose the remedy himself or herself. The remedies are: change the dates of Suspense Period(s) so that the edit is met; cancel existing Suspense Period(s) so that the edit is met (if cancellation of existing Suspense Period(s) is chosen as the resolution, the record is marked as overridden so that if the effective date is ever changed again, the secured logon application can ask about these overridden records as well); or change the action so that the edit is met.

[0599] 3. There can be only one future revoke date.

[0600] (8) Entity User Access Status

[0601] The Assign Roles process and all its variations controls entity user access status for an entity user. Usually when a business function and its associated data are assigned to a user, the business function—data pair is set up with an immediate effective date and time. Usually, when a business function—data pair is removed from an entity user, it is tagged with an immediate End Date and time. If the assignment is done through a transaction acceptor transaction, there future effective and end dates can be established.

[0602] (9) Audit Records

[0603] Records must be kept of all actions that establish a planned future status change, change a status, or change a planned future status change.

[0604] F. Dynamic Menus in the Secured Logon Application

[0605] Dynamic menus are another way to control access. Based on information in the secured logon application, menus can be built which display to the user only those business functions to which he has access.

[0606] G. Session Management in the Secured Logon Application

[0607] The secured logon application performs session management for users logging on through it. This provides another way to control access. If a user does not perform any activity for a period of time, the session that his logon initiated expires.

[0608] H. User Accounts in the Secured Logon Application

[0609] The secured logon application requires that each user have a unique public name that can be used without revealing any security related information, enables a user to have a single sign-on for multiple contexts, and supports a requirement that each user agree to various conditions in order to gain access to the secured functionality and information. To gain access to a sponsor organization's secured functionality and information, each user must have a UserID, AKAName, and PIN/Password. The UserID and PIN/Password are used to log on with, and therefore are security related. The AKAName is a public user ID or alias for a user. AKA Names, like user ID's, are unique to a user. It is an alternate way to refer to the user without divulging any information that can be used to log on.

[0610] The secured logon application insures that the UserIDs and AKANames of its users are unique and at the same time supports logic to enable a user to use the same UserID and AKAName in multiple contexts. The conflict management process is utilized in the save application (both internal and external) and the save user (both internal and external) processes.

[0611] A flowchart illustrating the User ID and AKA name conflict management process is shown in FIG. 4.

[0612] There are two parts to the conflict management process, the duplicate checking logic and the User ID and AKA Name conflict management process. The duplicate checking logic checks to see if the User ID, AKA Name, first name, and last name of the user that is being added to the secured logon application already exists with an exact match on all four of these criteria. If a match is found then the user is presented with a screen that states that this may be a duplicate, as it appears this user already exists. The user has an option to agree and not create another user or to say, “no this is not the same user”. If he agrees, he is reusing his UserID and AKAName in a new context.

[0613] If the user says no, then the User ID and AKA Name conflict screens will force the user to select a new User ID and AKA Name that is not currently in use.

[0614] If no match is found for the User ID, AKA Name, first name, or last name of the user as described above, the User ID and AKA Name conflict management process is invoked next. This process checks the User ID against existing values and if taken, will suggest alternatives to the user or allow the user to select another of his or her own choosing. Once the user selects a new User ID, it is also checked to make sure it is not already in use. If the new User ID is already in use, the process is repeated until the user has selected a unique User ID. The process repeats for the AKA Name.

[0615] The first time that a user logs on, he or she can be required to review and accept conditions for gaining access to the secured functionality and information. Thereafter, if those conditions change or if new conditions are added, the user can be required to review and accept the new conditions the first time he or she logs on after the change. An example of an agreement that a person would agree to is the confidentiality agreement presented via a web page, such as shown in FIG. 13.

[0616] III. Support for Unknown Users

[0617] A. Registration Processes

[0618] There are multiple registration processes that are supported by the secured logon application. Entities that are people often have a direct relationship with the sponsor organization and therefore are known to the sponsor organization. For them, it is possible to have a streamlined process that takes advantage of the information the sponsor organization has about that person in its back-end systems.

[0619] For entities that are organizations, a more complex registration process is necessary. This is necessary largely for three reasons; namely that the person or people named on the registration are often unknown to the sponsor organization, that security is being granted to confidential information for the organization, and that security administration for the organization is being distributed to the organization. The first reason means that there is no information in the sponsor organization back-end systems that may be used to assist in the verification process. The second reason means that it is important that the person or people named on the registration are appropriate to the role(s) outlined for them on the registration. The third reason means that a security administrator (Primary Access Administrator) must be named on the registration and that a person who can legally bind the organization (Primary Controlling Authority) must sign legal agreements accepting the security responsibility and agreeing to behave in specific ways. Since the person who is named as the Primary Access Administrator on the application is likely to be unknown to the sponsor organization, some process is needed in order to confirm that the person is appropriate to be named the Primary Access Administrator. Some process is also needed to confirm that the person signing the registration is doing so appropriately.

[0620] Registration for the organization entities includes three steps: registration, verification, and obtaining legal agreements. The first step, registration, is a process by which a person requests access on his organization's behalf to the secured web self-service functions and data of the sponsor organization. It is also the process by which the sponsor organization collects certain data about the person who will be the Primary Controlling Authority, the person who will be the Primary Access Administrator, and the organization. The application used for registration and data collection is a web-based application. Examples of screens employed in a web-based registration application for obtaining information about the person's organization and primary contact (Primary Controlling Authority) of the organization are shown in FIGS. 10-12.

[0621] The second registration step, verification, is the process of ascertaining the correctness of the information obtained from the registration application and of validating that there is a relationship with the sponsor organization such that the Primary Access Administrator and the organization with which he or she is associated have a right and a need to use the secure web self-service functions.

[0622] In the third registration step, obtaining legal agreements, specific legal agreements applicable to the interaction between the sponsor organization, any person gaining access on behalf of an organization, and the organization with which he or she is associated are signed or agreed to by the person and the organization. For the organization, this can be done at the time the registration is completed. For a person, this is done at first time logon, as referenced in a section above.

[0623] IV. Distribution of Security Administration

[0624] Security administration functionality is distributed to PAAs and AAs at External Entities and to System Application Owners.

[0625] A. Functions for PAAs and AAs at External Entities

[0626] Functions for PAAs and AAs at External Entities include the following items:

[0627] Register New Users

[0628] Assign Web Access Rights

[0629] Manage User Status

[0630] Maintain User Information

[0631] Maintain Organization Information

[0632] Monitor Security Changes

[0633] Review Current Security Profile

[0634] Segment Your Organization

[0635] Prepare to Accept Delegated Work

[0636] View Work Delegated to You

[0637] Assign Delegated Work

[0638] Delegate Work to Another Organization

[0639] Change Work Delegated to Another Organization

[0640] Stop Delegating Work to Another Organization

[0641] B. Functions for System Application Owners

[0642] There are three functions available for a system application owner to manage the business functions for which he or she is responsible and the access identifiers that are unique to those business functions.

[0643] 1. System Application Owner Granting Access to Functions

[0644] The system application owner maintains the business functions of an organization by way of its primary access administrator. This process is similar to the sponsor organization IT security's maintenance function except that the system application owner is able to see, add, and delete only business functions for that system application owner and it is only able to maintain roles for the primary access administrator, not any of the organization's other users. This maintenance is done one organization at a time.

[0645] 2. System Application Owner Identifier Maintenance

[0646] The process by which a system application owner maintains an organization's identifiers is quite similar to the sponsor organization IT security's access identifier maintenance function, except that the system application owner is able to edit, add, and delete only access identifiers for that system application owner. It may see access identifiers that are maintained by the sponsor organization IT security personnel. It will not see access identifiers that are maintained by owners of other system applications. This maintenance is done one organization at a time.

[0647] 3. Establishing New Business Functions

[0648] The function of automating the distribution of new business functions to selected organizations' primary access administrators (PAAs) can be performed by the sponsor organization IT security personnel or by the system application owner. The screens would look the same for both groups, except that data is filtered by the system application owner when it is performed by the system application owner. The selection of organizations for this distribution of business functions is performed by broad categories of organizations, not, not by individual organization.

[0649] V. Support for Multiple Environments

[0650] A. Port of Origin Functionality

[0651] One of the key concepts in the secured logon application is port of origin. Using port of origin functionality and dynamic menuing, business function access can be controlled or limited based on the port of origin through which a user entered the secured logon application. An example of how the works is as follows: A user is an administrator for a Provider Organization. The user performs provider administrative activities for the Provider Organization (checks member eligibility and submits claims) and also performs employer benefit administration for the Provider Organization (enrolls new employees, reviews premium bills). This person effectively wears two hats for the Provider Organization. Wearing the hat of the administrator in the physician's office, the user enters the secured logon application through the sponsor organization's port of origin for healthcare providers. Once the user has been authenticated and enters the secured logon application, the user is presented with a list of business functions related to the access he or she has in the context of an administrator for a physician's organization (i.e. patient referrals, authorizations, etc.) as defined by that port of origin. Now that same administrator exits the sponsor organization's port of origin for healthcare providers and re-enters, but this time through the sponsor organization's port of origin for employers using the same User ID and PIN/Password. This time the administrator is presented with a menu of options related to things an employer group can do. Things such as online bill lookup, review of physician directories, etc. might be presented to the administrator after logging in utilizing this PO.

[0652]
FIG. 2 is a flow chart that illustrates the flow a user of the secured logon application will follow when accessing business functions set up within the secured logon application from a registered port of origin.

[0653] In order for a PO to link to, and grant access to, the secured logon application resources, several things need to occur. These can be grouped into six categories, (1) accessing the secured logon application from a port of origin, (2) customizing the look and feel of the port of origin, (3) exiting the secured logon application, (4) making PDF and other documents available for download, (5) using a PO's own logon page, and (6) defining a PO's menu structure.

[0654] 1. Secured Logon Application Access From a Port of Origin

[0655] Access to the secured logon application is defined as the requirements and processes required to invoke, call, or otherwise utilize the secured logon application. There are two methods for doing this, frameless and framed access. In addition to controlling access to business functions, the support for multiple PO's by the secured logon application also allows for the PO to control several other features of the secured logon application as described below:

[0656] a) Framed Access

[0657] In order for users to access the secured logon application from a PO using frames, that PO does the following:

[0658] 1. Defines at a minimum, a two-frame page with the top frame being top justified. The lower frame may utilize the remainder of the page. Although the secured logon application permits the PO to define more than two frames, this may result in undesirable scrolling and layout of the secured logon application content.

[0659] 2. Calls the secured logon application from the two-frame page.

[0660] 3. Includes the header/logo it wants displayed while a user is utilizing secured logon application in the top frame.

[0661] 4. Submits to the secured logon application administration team a style sheet that the PO wishes the secured logon application to adopt (this style sheet is used by the lower frame when the secured logon application is accessed). If the PO does not wish to use a specific style sheet, the default style sheet for secured logon application will be utilized. The style sheet is created by the port of origin using a template supplied by the secured logon application.

[0662] 5. Submits the navigation and other graphics it wishes to utilize.

[0663] 6. Submits the help text it wishes to provide to the user on each screen.

[0664] 7. Passes the port of origin key assigned to the PO when a user logs onto a port of origin secured by the secured logon application. The port of origin key is assigned to the PO by the secured logon application administrator when the PO was initially registered. This Port of Origin key is also used to reference the folder that contains the other PO specific items such as: the top, left, and bottom navigation bar that can be used if frameless access to the secured logon application is utilized, as described hereinafter; the navigation graphics; the help text; and all other port of origin specific content. All content used for framed access is contained in the PO assigned folder and is referenced by the same PO key.

[0665] b) Frameless Access

[0666] If a PO wishes to utilize frameless access, it must do the following in addition to performing the acts described above in connection with framed access:

[0667] 1. Provide a top navigation file that is included by the secured logon application and presented to the user in the same location as for framed access. The top navigation file replaces the top frame graphic employed in framed access.

[0668] 2. Provide an optional left and bottom navigation or other include file that the PO wishes to display to the user

[0669] 3. Give the top, left, and bottom navigation include files (hereafter, respectively, the “top navigation file,” “left navigation file,” and “bottom navigation file”) names specified by the secured logon application.

[0670] 4. Supply the display size of the top, left, and bottom navigation files (i.e. 800×100 pixels). This information is recorded in the secured logon application in order to control the placement of certain items that require absolute positioning or presentation within a frameset.

[0671] 2. Customizing the Look and Feel of a Port of Origin

[0672] In addition to choosing either framed or frameless access, the PO can further customize the “look and feel” of the pages supplied by the secured logon application subsequent to the logon page. Some of the features that can be controlled through the secured logon application are:

[0673] 1. The header/logo displayed at the top of the page.

[0674] 2. A left and bottom navigation bar.

[0675] 3. The look and feel of the menu items displayed by secured logon application via a style sheet.

[0676] 4. The location users are returned to when they complete a business function served up by secured logon application. Setting the Port of Origin return URL in the secured logon application does this.

[0677] 5. The buttons or GIFs used for navigation.

[0678] 6. The GIFs used to designate required fields and missing data.

[0679] 7. The help text presented on each external screen provided by the secured logon application.

[0680] 8. The menu items presented to the user when access is granted.

[0681] 9. The text of most of the error messages presented to a user while utilizing the secured logon application functionality.

[0682] The manner in which these features is controlled is generally conventional. If the PO elects to utilize its own navigation graphics, the port of origin must supply the secured logon application with the files for its navigation graphics, and must strictly adhere to the naming convention specified by the secured logon application. The secured logon application stores these files on its server and the images are served up as the user navigates the secured logon application functionality.

[0683] The secured logon application also allows each port of origin to develop the help text that is displayed when a user clicks one of the help buttons located on the screens supplied by secured logon application. A sample of a help text screen is shown in FIG. 3. The help file may contain whatever help text the port of origin wishes to display to the user.

[0684] In addition to the PO customizations described above, the secured logon application also allows the port of origin to customize the style sheet template used to control the “look and feel” of the screens presented by the secured logon application.

[0685] For handling server-side errors, the secured logon application provides a port of origin with the ability to customize the error message presented to a user in certain circumstances. Further, the port of origin is able to direct that user to a specific page once the user acknowledges the error by clicking on the OK button. The manner by which the secured logon application achieves these functions is largely conventional.

[0686] In order to support these functionalities, the secured logon application handles server-side errors by redirecting to a central error-handling dialog page. Error types are defined in an error message table and are port of origin-specific with port of origin 0 being the default port of origin. The error dialog retrieves an error message from the database based on the Port of Origin ID and Error Message ID. The default message is displayed if one does not exist for the port of origin. The Error dialog always displays the error message and an OK button, which performs a redirect when clicked. The OK redirect URL is stored in the error message table.

[0687] 3. Exiting the Secured Logon Application

[0688] A PO can request that a user be returned to a specific URL when he or she exits the secured logon application by setting up a business function within the secured logon application that will ultimately become a menu item displayed within the secured logon application menus. This business function is merely a URL to a web page that contains the URL/redirect to the location the PO wishes the user returned to and a string of static data the PO wishes returned (if returned data is required).

[0689] 4. Making PDF and Other Documents Available for Download

[0690] The secured logon application enables a port of origin to store documents for later presentation and downloading online by a user. The secured logon application supports this functionality by storing these documents in a folder called “documents” under the port of origin's directory structure. The secured logon application then displays the contents of the directory as links on an ASP page. When the user selects one of the links a download session is automatically started between the user's computer and the secured logon application. To utilize this functionality, the port of origin's documents must be uploaded into the system. Once this is done, a business function is registered for the port of origin with a link to the page that will display the directory's contents.

[0691] 5. Using a PO's Own Logon Page

[0692] Recognizing that different Ports of Origin's (“PO”) may wish to carry their “look and feel” through the authentication process (the authentication process is common to all PO's that use secured logon application to secure and manage access to their resources), the secured logon application provides the ability for a PO to create its own login page in lieu of the standard ASP login screen page/process that is available via the secured logon application. If a PO wishes to do this, it must post a form to the page in the secured logon application that contains the User ID (userid), PIN/Password (txtpassword), the value “SECURITYLINK” (_referrer) and the PO numeric value (portoforigin) assigned to them by secured logon application (hereafter referred to as the “security link page”).

[0693] A Port of Origin may also initiate the PIN/Password change process by posting the User ID, PIN/Password and a PIN/Password change value of 1 to a specified variable in the page referenced above.

[0694] 6. Defining a PO's Menu Structure

[0695] Dynamic menus are available from the secured logon application to allow for customized menus within a web application for each Port of Origin. This incorporates a level of personalization by allowing a Port of Origin to define the navigation for the functions for which the secured logon application controls access. The secured logon application stores the security information for user access, as well as the menu structure as defined by the Port of Origin. The Port of Origin can define the levels, sequence, and details of the menu templates

[0696] The secured logon application also provides data storage for Port of Origins to define the look and feel of their own menus. This is accomplished through both predefined fields in the database and user-defined fields.

[0697] A Port of Origin may develop its own menu, making use of the information defined within the secured logon application or it may use the menu that the secured logon application provides.

[0698] VI. System Integrators Interfaces

[0699] A. Getting Data From the Secured Logon Application

[0700] When a business function is launched from the dynamic menu, the secured logon application provides a launch string to the business function URL with the AKA Name of the user who is logged on and an identification of the menu item that was launched. Thereafter, the business function uses the AKA Name and the menu information with various methods to obtain information from the secured logon application for its own processing purposes.

[0701] A VB6 COM DLL exposes a single class (b_SystemApplication) containing methods to allow business functions to access data associated with the sponsor organization's secured logon application. Data stored and exposed includes Entity and User security information, as well as the function sets that are defined within the secured logon application data store. Data is returned in XML format or as an ADODB.recordset with a flat data representation of the information. An equivalent Java version of the VB6 COM DLL also is available which provides the same functionality except for non COM compliant systems.

[0702] Systems developers can call the exposed methods via COM interfaces as long as a trusted connection can be made to the secured logon application component and the component can run under the context of an account that has access to the secured logon application Database.

[0703] B. Registering System Applications

[0704] In order for business functions to be presented as menu items within the secured logon application, the application that “serves” them up must be registered within the secured logon application. An example of a system application is Trizetto's ePlan application, a system application that serves up eligibility, claims, authorizations (each of these are individual business functions), etc.

[0705] The secured logon application maintains required information about individual System Applications. To add a new System Application to the secured logon application, System Application Administrators must provide the secured logon application Administrator with the System Application Short Name and the System Application Description.

[0706] C. Registering Business Functions

[0707] As described above, the secured logon application provides a gateway to secured resources at a sponsor organization. As new PO's and/or system applications are added, they may have additional business functions that they wish to make available to users via the secured logon application. Such new business functions can be registered or implemented by having representatives from the PO's and/or system application's project team contact the secured logon application administrator and provide various descriptive and processing information about the business function.

[0708] D. Business Functions and Business Function Set Limitations

[0709] Initially, a business function can only exist in one business function set and in one port of origin. If there is a need to have a business function exist in more than one business function set or in more than one port of origin, that business function must be duplicated (registered more than once) for each instance that it is to be used.

[0710] An example would be if the sponsor organization wanted to create a business function called “view claims,” which it intended to utilize in both the provider portal and in the member portal. In the provider portal, office clerks would use this function to review patient claims. In the member portal, members would utilize this function to review their personal claims. In this example, the business function “view claims” would need to be registered twice. Both business functions could utilize the same description and use the same launch URL, but each would be associated with different ports of origin through their business function set association.

[0711] Although the secured logon application is designed so that a business function cannot be shared by multiple business function sets or multiple ports of origins, there are situations where a business function might need to exist in more than one business function set. An example of such a situation is where a set was created for office clerks called “clerks” and one was created for managers called “management”. Both groups might utilize a business function set such as “user demographics”.

[0712] The primary problem with such an arrangement is in the user interface area. FIG. 6 shows an exemplary screen for an “Assign roles” menu in which the user “Joe Alpha” is listed. As an example, assume that the intention is to grant the user “Joe Alpha” access to all of the functions in the “clerks” business function set but nothing in the “management” business function set. If the secured logon application allowed the “user demographics” business function to be shared by both sets, as soon as the user “Joe Alpha” was granted access to the “clerks” business function set, the business function “user demographics” would also appear as being checked in the “management” set, because the “user demographics” is the same function in both sets.

[0713] A likely reaction by the user would be to deselect or uncheck the “user demographics” option in the “management” business function set. If the user did this, he or she would inadvertently remove “Joe Alpha's” access to the “user demographics” business function from the “clerks” set as well. This result would be especially confusing to a user if he or she removed an administrators' clerk functions and then gave them manager functions, only to see on the screen that now the common functions to both sets have been activated in the clerk set again.

[0714] There are also situations where a business function might need to exist across multiple ports of origin. However, the secured logon application does not allow a business function set to be used in more than one port of origin because unwanted access might result. For example, assume that a business function called “view claims” has been created. This is a fairly common business function and likely will be used in some fashion in many portals.

[0715] Under the architecture of the secured logon application, if a business function is granted to a user and that business function is used in multiple portals, there is no way to prevent that user from having access to all portals that contain that business function. In other words, a member that has access to “view claims” could log into the provider portal and get access to secured provider functions, because that member has an active business function, “view claims,” that is valid for the provider portal. Although the access identifiers would prevent the member from viewing claims that were not his or her own, the member may have access to other secured content that may not require access identifiers (e.g., provider manuals, formularies, etc.).

[0716] E. Keeping the Secured Logon Application Session Alive

[0717] When a user logs into the secured logon application, a session is established. As long as the user is performing a function supplied by the secured logon application (e.g., manage organization information) or returns to the secured logon application supplied user menu, the secured logon application keeps the session current and up to date. However, once a user launches a menu item not provided by the secured logon application or if the PO uses a menu not supplied by the secured logon application, the secured logon application has no way to update the user's session and after a specified number of minutes the user's session will time out. The user will be forced to log back in if he/she attempts to return to the menu or access any of the functions that utilize the secured logon application session management. Each page that is part of the transaction should be attempting to keep the session alive. This is done by one of two methods depending on whether the transaction is running under the same domain or a different domain than the one the secured logon application is running under.

[0718] Same Domain Use the getSession_RS API

[0719] Different Domain—Post to an ASP page that does this for the application

[0720] F. Verifying User Access at the Page Level

[0721] As an added level of security, each page that serves up a secured business function can integrate an include file or method that performs page level access verification. This process performs a final validation to verify that the user still has current access to a business function that he or she is attempting to access. This prevents users from accessing a business function by typing the URL directly into the browser.

[0722] G. Transactions Via Posting to Forms

[0723] The secured logon application gives a port of origin the ability to perform certain functions by posting specified fields to a form. The functions supported are to “auto-create” an entity and a user and to “auto-create” an application. The URL from which the post comes must be registered in the secured logon application first. For security reasons, this method also requires that a specific page in the secured logon application be posted to.

[0724] For both functions, in addition to the post, the port of origin also must implement screens to capture the desired User ID, AKA Name, and PIN/Password the user wants. For usability reasons, it is preferable that the post should originate from this selection screen, although it does not have to. This will allow for the presentation of User ID and AKA Name conflict screens by the secured logon application as the next step, should the User ID or AKA Name the user selected already be in use in the secured logon application.

[0725] An example of a form post used to give a port of origin the ability to “auto-create” an entity and a user is shown in FIG. 5.

[0726] H. Updating Data Programmatically in the Secured Logon Application

[0727] In certain instances it may be necessary or desirable for a system application or process to update the data in the secured logon application. In order to accommodate this functionality, the secured logon application includes a generic XML transaction processor. Access to the transaction access handler is available via the SecLinkSysApp.dll.

[0728] In order to utilize the transaction handler, the system application owner must register the system application in the secured logon application and build the processes to enforce the business and security rules for the transaction.

[0729] The present embodiment of the secured logon application includes support for the following transaction types, although it is contemplated that other transactions can be added.

[0730] 1. PAA Function Data Access Transaction

[0731] 2. Access Identifier Transaction

[0732] 3. Access Identifier Group Transaction

[0733] 4. User Access Transaction

[0734] 5. Entity User Attribute Transaction

[0735] 6. User Attribute Transaction

[0736] An exemplary XML transaction for updating a user's access programmatically is shown in FIG. 7.

[0737] I. Notification of Security Profile Changes in the Secured Logon Application

[0738] The secured logon application provides notification to interested parties of changes in security profiles. The notification takes place via an XML transaction. The present embodiment of the secured logon application includes support for the following transaction types, although it is contemplated that other transactions can be added.

[0739] 1. Application reaching entered status

[0740] 2. Application being approved

[0741] 3. Entity information changing

[0742] 4. Entity access identifiers changing

[0743] 5. PAA information changing

[0744] 6. PAA business functions changing

[0745] 7. User information changing

[0746] 8. User business functions changing

[0747] 9. Controlling authority information has changed

[0748] VII. Miscellaneous System Information

[0749] A. Secured Logon Application Internal Screens

[0750] ASP screens are used in a conventional manner to manage access and administer the secured logon application internally. These screens are only available to associates of the sponsor organization with the proper access rights.

[0751] B. The Secured Logon Application Data Objects

[0752] Data objects are used by the business object to provide data access. They cannot be directly accessed from a web application. The data objects in turn use the u_Util object to provide database connectivity and to execute the actual commands against the database.

[0753] C. Secured Logon Application Utility Objects

[0754] Utility objects are employed to provide methods for the data objects to use to connect to the database and execute commands against it.

[0755] VIII. Data Model

[0756] The secured logon application is supported by the following MS SQL Server tables:

[0757] ACCESS_APPLICATION

[0758] ACCESS_APPLICATION_ADDRESS

[0759] ACCESS_GROUP

[0760] ACCESS_GROUP_ID_ASSOC

[0761] ACCESS_GROUP_ID_ASSOC_LOG

[0762] ACCESS_GROUP_LOG

[0763] ACCESS_IDENTIFIER

[0764] ACCESS_IDENTIFIER_LOG

[0765] ACCESS_MODULE_SEQUENCE

[0766] AGREEMENTS

[0767] ALLOWED_APPLICATION_STATUS_TO_REASON_ASSOCIATION

[0768] ALLOWED_MILESTONES_AND_STATE_TRANSITIONS

[0769] APPL_ACCESS_IDENTIFIER

[0770] APPLICATION_MODULE

[0771] APPLICATION_PORT_OF_ORIGIN_ENTITY_TYPE_ACCESS_ID_TYPE_ASSOCIATION

[0772] APPLICATION_PROCESSING_TYPE

[0773] APPLICATION_REPORTING_TABLE

[0774] APPLICATION_ROUTING_CONTROL

[0775] APPLICATION_STATUS

[0776] APPLICATION_STATUS_HISTORY

[0777] APPLICATION_TYPE_REPORTING

[0778] APPLICATION_VIEW_CONTROL

[0779] BF_ALLOWED_BYCOVERAGE

[0780] BUS_FUNC_ID_TYPE_ASSOC

[0781] BUSINESS_FUNCTION

[0782] BUSINESS_FUNCTION_ASSOC

[0783] BUSINESS_FUNCTION_SET

[0784] CONTROLLING_AUTHORITY

[0785] CONTROLLING_AUTHORITY_HIST

[0786] COVERAGE13 QUALIFIERS

[0787] COVERAGES

[0788] DELEGATION

[0789] DELEGATION_AUTHORIZATION

[0790] DEMO_IDS

[0791] DYNAMIC_LINK

[0792] DYNAMIC_LINK_TYPE

[0793] EMAIL_ADDRESS

[0794] ENTITY_TYPE_ENTITY_TYPE_ASSOC

[0795] ENTITY_TYPE_FUNCTION

[0796] ENTITY_USER

[0797] ENTITY_USER_ACCESS

[0798] ENTITY_USER_ACCESS_LOG

[0799] ENTITY_USER_ATTRIBUTES

[0800] ENTITY_USER_LOG

[0801] ERROR_EMAIL_ASSOC

[0802] ERROR_KEYWORD

[0803] ERROR_KEYWORD_ASSOC

[0804] ERROR_MSG

[0805] ERROR_REFERENCE

[0806] EU_ATTRIBUTE_HIST

[0807] EUA_DELEGATION_ASSOC

[0808] EXCEPTION_PROFILE

[0809] EXCEPTION_PROFILE_LOG

[0810] EXCEPTION_SET

[0811] EXCEPTION_SET_LOG

[0812] EXTERNAL_ENTITY

[0813] EXTERNAL_ENTITY_ADDRESS

[0814] EXTERNAL_ENTITY_ADDRESS_HIST

[0815] EXTERNAL_ENTITY_ATTRIBUTES

[0816] EXTERNAL_ENTITY_HIST

[0817] FINAL_DISPOSITION_REPORTING

[0818] HELP_GROUP

[0819] HELP_GROUP_ORIGIN_ASSOC

[0820] HELP_GROUP_ORIGIN_BUS_FUNC_ASSOC

[0821] HELP_GROUP_TOPIC_ASSOC

[0822] HELP_SECTION

[0823] HELP_TOPIC

[0824] IMMUTABLE_BUSINESS_FUNCTIONS

[0825] INCOMPLETE_DB2_UPDATES

[0826] LOG_DETAIL

[0827] LOG_ROLE

[0828] LOG_SUMMARY

[0829] LOOKUP_CODE_GROUPS

[0830] LOOKUP_CODES

[0831] MEMBER_XML_HIST

[0832] MENU_TEMPLATE

[0833] NOTIFICATION

[0834] NOTIFICATION_CONFIRMATIONS

[0835] NOTIFICATION_HIST

[0836] NOTIFICATION_MSG_CREATION_FAILED

[0837] NOTIFICATION_PAYOR_LIST

[0838] NOTIFICATION_PAYOR_MSGQ

[0839] NOTIFICATION_PAYOR_MSG_TYPES

[0840] NOTIFICATION_POST_FAILURES

[0841] NOTIFICATION_TRANSACTION

[0842] NOTIFICATION_TRANSACTION_HIST

[0843] ORIGIN_LOOKUP_CODE_OVERRIDES

[0844] PASSWORD_CHANGE_HISTORY

[0845] PORT_OF_ORIGIN

[0846] PORT_OF_ORIGIN_ATTRIBUTES

[0847] SITE_MONITOR

[0848] STATUS_CONTROL

[0849] SYSTEM_APPLICATION

[0850] SYSTEM_APPLICATION_ATTRIBUTES

[0851] SYSTEM_CONFIG

[0852] SYSTEM_NOTIFICATIONS

[0853] SYSTEM_NOTIFICATIONS_HIST

[0854] TRANSACTION_DEFINITION

[0855] TRANSACTION_SCRIPT_SEQUENCE

[0856] TRANSACTION_SCRIPTS

[0857] USER

[0858] USER_AGREEMENT_ACCEPTANCE

[0859] USER_ATTRIBUTES

[0860] USER_ATTRIBUTE_HIST

[0861] USER_HIST

[0862] USER_LOGIN

[0863] USER_SESSION

[0864] USER_SESSION_HIST

[0865] XML_TRANS_DEF

[0866] XML_TRANS_TYPES

[0867] All data retrieval is performed through the external class and its associated methods.

[0868] The ACCESS_APPLICATION table contains information that is collected about an External Entity during the registration process for gaining access to functions and information secured by Secured Logons.

[0869] The The ACCESS_APPLICATION_ADDRESS table contains information about alternate addresses that may be captured during the completion of an ACCESS APPLICATION.

[0870] The ACCESS_GROUP table contains definitional information about Access ID Groups (segments), which are used to define pieces of organizations (segments) based on groupings of access identifiers.

[0871] The ACCESS_GROUP_ID_ASSOC table contains the association between Access ID Groups (segments) and the Access Identifiers that make up the content of the Access ID Groups (segments).

[0872] The ACCESS_GROUP_ID_ASSOC_LOG table captures an audit trail of all the changes made to ACCESS_GROUP_ID_ASSOC, including the initial creation of an Access_Group_ID_Assoc.

[0873] The ACCESS_GROUP_LOG table captures an audit trail of all the changes made to ACCESS_GROUP, including the initial creation of an Access_Group (segment).

[0874] The ACCESS_IDENTIFIER table contains information about Access Identifiers for external entities. These are keys to the data about the external entities in the back-end systems. Example identifiers may be Federal Tax Identification Numbers (TIN), Broker Id, State License Number, etc.

[0875] The ACCESS_IDENTIFIER_LOG table captures an audit trail of all the changes made to ACCESS_IDENTIFIER, including the initial creation of an Access_Identifier.

[0876] The process to collect Access_Application_New information can consist of several application modules. The ACCESS_MODULE_SEQUENCE table defines the sequence in which the application modules are executed for specific Ports of Origin and Entities.

[0877] The AGREEMENTS table stores information about each agreement that users must consent to in order to gain access to functions and information secured by Secured Logons.

[0878] The ALLOWED_APPLICATION_STATUS_TO_REASON_ASSOCIATION table associates application statuses to valid reason codes for that status.

[0879] The ALLOWED_MILESTONES_AND_STATE_TRANSITIONS table indicates for a given application milestone and status, the set of valid application milestones and statuses possible for the next step in application processing.

[0880] The APPL_ACCESS_IDENTIFIER table contains information about Access Identifiers for an External Entity that are captured during the registration process for gaining access to functions and information secured by Secured Logons. Access Identifiers are keys to the data about the External Entities in the back-end systems.

[0881] The APPLICATION_MODULE table contains information about each of the modules that are used to collect Access_Application_New information There can be different sets of modules for each Port of Origin and Entity Type.

[0882] The APPLICATION_PORT_OF_ORIGIN_ENTITY_TYPE_ACCESS_ID_TYPE_ASSOCIATION table associates Ports of Origin and Entity Types with Access Identifier Types to determine which Access Identifier Types can be collected for a given Port of Origin/Entity Type pair during the registration process for gaining access to functions and information secured by Secured Logons.

[0883] The APPLICATION_PROCESSING_TYPE table indicates what kind of application process is to take place for a given Entity Type and Port of Origin. Examples are “Paper”, “Paperless”, “Autoapproved”.

[0884] The APPLICATION_REPORTING_TABLE table contains one row for each Access_Appplication_New that contains dates and times that each milestone is reached and indicates the latest status. table provides metrics on the approval and completion of applications.

[0885] The APPLICATION_ROUTING_CONTROL table indicates valid routing destinations for an Access Application based upon Port of Origin, Entity Type, Current Status/Milestone, and group currently responsible for the Access Application.

[0886] The APPLICATION_STATUS table contains records of each milestone, status, and activity combination that has occurred for an application. These records document the progress of the application through the approval process.

[0887] The APPLICATION_STATUS_HISTORY table captures an audit trail of all the changes made to APPLICATION_STATUS.

[0888] The APPLICATION_TYPE_REPORTING is a specialized table used in determining counts quickly. It contains a row for each type of application (autoapproved, paper, paperless) and columns for each type of application, which contain values of 0 or 1.

[0889] The APPLICATION_VIEW_CONTROL table controls which groups of people can see the status of an application based upon Port of Origin and Entity Type.

[0890] The BF_ALLOWED_BYCOVERAGE table relates Business Functions to specific coverage types.

[0891] The BUS_FUNC_ID_TYPE_ASSOC table relates each Business Function to the type(s) of Access ID's that the Business Function uses for its processing. If a Business Function does not appear in this table, it means that the Business Function does not require any Access Ids in order to perform it processing.

[0892] The BUSINESS_FUNCTION table defines each Business Function, which is a function or activity that a user can perform and which is secured by Secured Logons.

[0893] The BUSINESS_FUNCTION_ASSOC table associates each Business Function to the Business Function Set to which it belongs.

[0894] The BUSINESS_FUNCTION_SET table defines each Business Function Set, which is a logical grouping of Business Functions.

[0895] The CONTROLLING_AUTHORITY table contains information about the person(s) who have the legal right to control the External Entity and bind the External Entity in contractual agreements.

[0896] The CONTROLLING_AUTHORITY_HIST table contains after update images of rows in the CONTROLLING_AUTHORITY table.

[0897] The COVERAGE_QUALIFIERS table defines applicable coverage qualifiers based upon member status. Qualifiers allow coverages to extend beyond the standard rule set.

[0898] The COVERAGES table identifies coverages available for use in determining Business Function rules.

[0899] The DELEGATION table defines the information that allows a third-party organization (entity) to do work for another organization with which it has a business relationship.

[0900] The DELEGATION_AUTHORIZATION table holds Delegation Acceptance Codes that indicate the willingness of an organization to do work for another.

[0901] The DEMO_IDS table identifies the External Entities and Users which are set up for guest access to Secured Logons for testing and demonstration purposes.

[0902] The DYNAMIC_LINK table contains information that is used to define dynamically generated links that can appear on screens.

[0903] The DYNAMIC_LINK_TYPE table is a list of criteria defining types of dynamic links available for use. The only one available at this time is a “derivative” link.

[0904] The EMAIL_ADDRESS table contains e-mail addresses for members of a support team. table is used for sending error message notification to team members.

[0905] The ENTITY_TYPE_ENTITY_TYPE_ASSOC table is used in the Delegation process to define what kind of organization (From_Entity_Type) can delegate to another kind of organization (To_Entity_Type).

[0906] The ENTITY_TYPE_FUNCTION table associates Business Function Sets to the Entity Types of External Entities that can validly execute the Business Functions within the Business Function Set.

[0907] The ENTITY_USER table contains an association of External Entities to Users that have received permission to do work on behalf of the External Entity. A “real” Entity_User identifies a User who works for the External Entity and has received permissions through the regular assignment process. A “virtual” Entity_User identifies a user who works for another External Entity and has received permissions through a delegation process.

[0908] The ENTITY_USER_ACCESS table defines the access rights a User has for a External Entity in terms of the Business Function:Data pairs that the User can work with.

[0909] The ENTITY_USER_ACCESS_LOG table captures an audit trail of all the changes made to ENTITY_USER_ACCESS, including the initial creation of an Entity_User_Access.

[0910] The ENTITY_USER_ATTRIBUTES table stores information about the ENTITY_USERs.

[0911] The ENTITY_USER_LOG table captures an audit trail of all the changes made to ENTITY_USER, including the initial creation of an Entity_User.

[0912] The ERROR_EMAIL_ASSOC table associates server-side system errors with specific e-mail addresses.

[0913] The ERROR_KEYWORD table establishes words that relate to server-side system errors. Some current keywords are “application” and “logon.”

[0914] The ERROR_KEYWORD_ASSOC table associates custom keywords with server-side system errors so that a Customer Service Rep can retrieve all errors that relate to that keyword.

[0915] The ERROR_MSG table stores error messages for server-side system errors. The message content can differ by Port of Origin. Default error messages are stored for Port of Origin=0.

[0916] The ERROR_REFERENCE table contains information about the server-side system errors.

[0917] The EU_ATTRIBUTE_HIST table captures an audit trail of all the changes made to ENTITY_USER_ATTRIBUTES, including the initial creation of an Entity_User_Attribute.

[0918] The EUA_DELEGATION_ASSOC table gives the reason why (the Delegation referenced in the table) a row in the Entity_User_Access table is permitted to exist for a “virtual user.” This table is only used when delegation is being dealt with. There can be multiple rows in this table to justify a row in the Entity_User_Access table; i.e., there are multiple delegation chains for this entity/user/business function/access Id (or access group). The EUA_Delegation_Assoc table is a self-documenting table. No deletions are permitted.

[0919] The EXCEPTION_PROFILE table defines business functions that are excepted from a user's view.

[0920] The EXCEPTION_PROFILE_LOG table captures an audit trail of all the changes made to EXCEPTION_PROFILE.

[0921] The EXCEPTION_SET table relates to ASO Group Profiling. table contains definitions of the groups used to override a user's access.

[0922] The EXCEPTION_SET_LOG table captures an audit trail of all the changes made to EXCEPTION_SET.

[0923] The EXTERNAL_ENTITY table contains information about an External Entity that has been approved to gain access to functions and information secured by Secured Logons.

[0924] The EXTERNAL_ENTITY_ADDRESS table contains information about alternate addresses that may be available for an External Entity.

[0925] The EXTERNAL_ENTITY_ADDRESS_HIST table contains update after images for the EXTERNAL_ENTITY_ADDRESS table.

[0926] The EXTERNAL_ENTITY_ATTRIBUTES table stores information about the EXTERNAL_ENTITY.

[0927] The EXTERNAL_ENTITY_HIST table contains update after images for the EXTERNAL_ENTITY table.

[0928] The FINAL_DISPOSITION_REPORTING table is a specialized table used in determining counts quickly. It contains a row for each final disposition of an application (approved, denied, withdrawn, etc.) and columns for each final disposition, which contain values of 0 or 1.

[0929] The HELP_GROUP table defines the Help Groups, which organize the Help information relating to the various business functions performed by the user when using Secured Logons.

[0930] The HELP_GROUP_ORIGIN_ASSOC table associates each Help Group with the Ports of Origin for which it is valid. Each Help Group is associated first with the Port of Origin in which it was added, but can be assigned to multiple Ports of Origin within the Secured Logons Help system.

[0931] The HELP_GROUP_ORIGIN_BUS_FUNC_ASSOC table associates each Help Group in a Port of Origin to the Business Function(s) for which it organizes the Help information. Every Help Group in every Port of Origin must be assigned business functions.

[0932] The HELP_GROUP_TOPIC_ASSOC table associates each Help Group to the Help Topic(s) making up that Help Group and indicates the sequence in which the Help Topics will be displayed within that Help Group.

[0933] The HELP_SECTION table defines the Help Sections, which are the actual content within the Help information. Within Help Topics, Help Sections provide the place to write text documenting each task.

[0934] The HELP_TOPIC table defines the Help Topics, which organize the Help information relating to each screen within a Business Function.

[0935] The IMMUTABLE_BUSINESS_FUNCTIONS table allows a method of overriding entries in EXCEPTION_PROFILE and EXCEPTION_SET.

[0936] When transactions apply changes to both SQL Server and DB2, it is possible for DB2 to be unavailable. Rather than force the entire transaction to fail, any DB2 updates in the transaction will be written to this table where they will be stored for execution at a later time. By executing the DB2 updates stored in the INCOMPLETE_DB2_UPDATES table in sequential order at a later time, the integrity of the transactions will be maintained.

[0937] The LOG_DETAIL table contains detailed information about errors in LOG_SUMMARY if the detail log option is “on.”

[0938] The LOG_ROLE table defines the processes where error logging takes place.

[0939] The LOG_SUMMARY table contains information about errors generated in Secured Logons

[0940] The LOOKUP_CODE_GROUPS table provides a way to group the codes in the Lookup_Codes table into logically distinct code groups. The Lookup_Code_Groups table defines the different code groups. LOOKUP_CODE_GROUPS and LOOKUP_CODES together form a generic structure that replaces multiple physical tables that would otherwise be created to hold codes and their descriptions for dropdown boxes and lists.

[0941] The LOOKUP_CODES table contains the code values that make up the code groups defined in the Lookup_Code_Groups table.. Together with LOOKUP_CODE_GROUPS, these two tables form a generic structure that replaces multiple physical tables that would otherwise be created to hold codes and their descriptions for dropdown boxes and lists.

[0942] The MENU_TEMPLATE table defines templates that can be used in preparing custom menus for each user containing the Business Functions each has a right to perform.

[0943] The NOTIFICATION_CONFIRMATIONS table contains confirmation information regarding the receipt of XML Notifications.

[0944] The NOTIFICATION_PAYOR_LIST table contains a list of the System Application owners that elect to received XML Notifications of one type or another and the URL to which the XML notifications are to be sent.

[0945] The NOTIFICATION_PAYOR_MSG_Q table contains a queue of the Notifications that are ready to be processed for each System Application owner.

[0946] The NOTIFICATION_PAYOR_MSG_TYPES table contains a list by System Application owner of the Notification types the owner elects to receive.

[0947] The NOTIFICATION_POST_FAILURES stores a history of all Notifications that were not processed successfully.

[0948] The NOTIFICATION_TRANSACTION table contains a queue of the Notifications that are waiting for the XML notification processor to process.

[0949] The NOTIFICATION_TRANSACTION_HIST table stores a history of all Notifications that have been processed successfully by the XML transaction processor. This includes Notifications that no one wanted and therefore were not transmitted anywhere.

[0950] The ORIGIN_LOOKUP_CODE_OVERRIDES table contains Port of Origin specific additions, replacements and exclusions to the LOOKUP_CODES table.

[0951] The PASSWORD_CHANGE_HISTORY table records password change history for users.

[0952] The PORT_OF_ORIGIN table defines the Ports of Origin secured by Secured Logons, where a Port of Origin is a starting point or entry point for getting access to secured business functions and resources via Secured Logons..

[0953] The PORT_OF_ORIGIN_ATTRIBUTES table stores information about the Ports of Origin.

[0954] The Site_Monitor table contains information used in monitoring the site to see that it remains active.

[0955] The STATUS_CONTROL table controls the “status” of Users, Entities, and Entity_Users. Status may include “Active,” “Revoked,” or “Inactive.”

[0956] The SYSTEM_APPLICATION table contains information about each System Application, which is the code implementing a business function or set of business functions.

[0957] The SYSTEM_APPLICATION_ATTRIBUTES table stores information about the System Applications.

[0958] The SYSTEM_CONFIG table stores information regarding a particular installation/configuration of Secured Logons.

[0959] The SYSTEM_NOTIFICATIONS table contains information enabling the broadcast of System Notifications to broad classes of users.

[0960] The SYSTEM_NOTIFICATIONS_HIST table stores history for SYSTEM_NOTIFICATIONS.

[0961] The USER table contains information about each user who has ever had rights granted by an External_Entity to business functions and resources secured by Secured Logons.

[0962] The USER_AGREEMENT_ACCEPTANCE table stores information about each Agreement to which each User has consented.

[0963] The USER_ATTRIBUTES table stores information about the USERs.

[0964] The USER_ATTRIBUTE_HIST table stores history for USER_ATTRIBUTES.

[0965] The USER_HIST table contains after update images of the USER table.

[0966] The USER_LOGIN table stores security verification information for each User and accumulates statistics related to unsuccessful User logon attempts.

[0967] The USER_SESSION table stores information about Logon Sessions that are currently active.

[0968] The USER_SESSION_HIST table stores information about all prior Logon Sessions for each User to Secured Logons.

[0969] TheXML_TRANS_DEF table stores information regarding the versions of the XML Notification processor.

[0970] TheXML_TRANS_TYPES table stores information describing the events that can trigger an XML notification transaction.

[0971] The data definitions for some of the tables are as follows:

19TableColumnFormatDefinitionACCESS_GROUPAccess_Group_CommentvarcharThis field contains comments related to(60)the Access Group (segment). The fieldmay contain any value. This value ispermitted to change.ACCESS_GROUPAccess_Group_Eff_DatedatetimeThe date in GMT when the this Access(8)Group (segment) is added. It is the datewhen the Access Group (segment) isfirst available for use within SecuredLogons.ACCESS_GROUPAccess_Group_End_DatedatetimeThe date in GMT when this Access(8)Group (segment) is no longer to be used.This field is initialized to <NULL>. It is setwhen a user wants to ‘delete’ this AccessGroup (segment).ACCESS_GROUPAccess_Group_Gen_KeyintThis is a unique key that identifies this(4)Access Group (segment). It is generatedwhen the Access Group (segment) isadded to the data base.ACCESS_GROUPAccess_Group_Long_DescvarcharThis is a descriptive explanation of the(255)purpose and contents of the AccessGroup. This value is permitted tochange.ACCESS_GROUPAccess_Group_Short_DescvarcharThe administrator created name of the(25)Access Group. It should be descriptiveand brief. This value is permitted tochange.ACCESS_GROUPAccess_Group_SourcevarcharTells which of the source types created(15)this AccessGroup (segment). If thesource type is UR (User), this value isthe AKA name of the user; if the sourcetype is SC (Security), this value is theAKA name of the security user; if thesource type is SA (System Application),it is the Gen_key of the systemapplication; etc.ACCESS_GROUPAccess_Group_Source_Type CdvarcharFrom the Lookup_Codes table. Tells(5)where the source for the Access Groupsegment) points to: System_Applicationor Business_Function or which usercreated or any other value.ACCESS_GROUPAccess_Group_Source_Type_Cd—varcharThis code identifies the code table withinTable_Id(8)the lookup codes table which containsthe Source_Type valuesACCESS_GROUPAdmin_Entity_Gen_KeyintThis is a key within the External_Entity(4)table, pointing to the entity of the PAA orAA that created this group (segment).For situations that do not involvedelegation, this will have the same valueas the BehalfOf_Entity_Gen_Key. Forsituations that involve delegation, the‘delegated-to (Admin)’ entity is creatingand managing its own set of groupssegments) from identifiers for the‘BehalfOf_Entity’ and this points to theEntity that has been ‘delegated-to’. Whendelegation is involved, theAdmin_Entity_Gen_Key is different fromthe BehalfOf_Entity_Gen_Key.ACCESS_GROUPBehalfOf_Entity_Gen_KeyintThis is a key within the External_Entity(4)table, pointing to the entity to which allthe Access Ids in this group (segment)belong. For situations that do not involvedelegation, this is the same value asAdmin_Entity_Gen_Key. For situationsthat involve delegation, this points to theentity whose ids are being grouped andthe value is different fromAdmin_Entity_Gen_Key.ACCESS_GROUPCreated_By_User_IdvarcharThis is the AKAName of the user who(25)created the Access Group (segment). Itmay be NULL if the AccessGroup(segment) was created by a non-GUIprogram.ACCESS_GROUPDT_CreateddatetimeThe date and time in GMT that this(8)Access Group (segment) was added tothe data base.ACCESS_GROUP_ID_ASSOCAccess_Group_Gen_KeyintThis is a key within the Access_Group(4)table, pointing to the group (segment)this row is associated with.ACCESS_GROUP_ID_ASSOCAccess_Group_Id_Assoc_Gen—intThis is a unique key that identifies thisKey(4)Access Group ID Assoc. It is generatedwhen the Access Group ID Assoc isadded to the data base.ACCESS_GROUP_ID_ASSOCAccess_Group_Id_Eff_DatedatetimeThe date in GMT when the this Access(8)Group ID Assoc is added. It is the datewhen the Access Group ID Assoc is firstavailable for use within Secured Logons.It represents when this Access Id wasfirst added to this group (segment).ACCESS_GROUP_ID_ASSOCAccess_Group_Id_End_DatedatetimeThe date in GMT when this Access(8)Group ID Assoc is no longer to be used.This field is initialized to <NULL>. It is setwhen a user wants to ‘delete’ this AccessGroup ID Assoc. It represents when thisAccess ID was removed from the groupsegment).ACCESS_GROUP_ID_ASSOCAccess_Group_Id_SourcevarcharTells which of the source types created(15)this Access Group ID Assoc. If thesource type is UR (User), this value isthe AKA name of the user; if the sourcetype is SC (Security), this value is theAKA name of the security user; if thesource type is SA (System Application),it is the Gen_key of the systemapplication; etc.ACCESS_GROUP_ID_ASSOCAccess_Group_Id_Source_Type_CdvarcharFrom the Lookup_Codes table. Tells(5)where the source for the Access GroupID Assoc points to: System_Applicationor Business_Function or which usercreated or any other value.ACCESS_GROUP_ID_ASSOCAccess_Group_Id_Source_Type_Cd—varcharThis code identifies the code table withinTable_Id(8)the lookup codes table which containsthe Source Type valuesACCESS_GROUP_ID_ASSOCAccess_ID_Gen_KeyintThis is a key within the Access_Identifier(4)table, pointing to the Access ID this rowis associated with. This associationindicates the Access ID is a member ofthe group (segment) referenced on thisrow.ACCESS_GROUP_ID_ASSOCCreated_By_User_IdvarcharThis is the AKAName of the user who(25)created the Access Group ID Assoc. Itmay be NULL if the Access Group IDAssoc was created by a non-GUIprogram.ACCESS_GROUP_ID_ASSOCDT_CreateddatetimeThe date and time in GMT that this(8)Access Group ID Assoc was added tothe data base.ACCESS_IDENTIFIERAccess_IdvarcharThis is an identifier associated with an(60)entity and with the back-end dataassociated with that entity. It is used toprovide the connection between an entityand the back-end data supporting thebusiness functions used by the entity.This is essentially a key to that data.ACCESS_IDENTIFIERAccess_Id_Class_CdvarcharThis is a code indicating whether this(5)Access ID is a Primary or DerivativeAccess ID. Values are in the LookupCodes tableACCESS_IDENTIFIERAccess_Id_Class_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Class_Cd valuesACCESS_IDENTIFIERAccess_Id_CommentvarcharThis field contains comments related to(60)the Access ID. The field may containany value. This value is permitted tochange.ACCESS_IDENTIFIERAccess_Id_Eff_DatedatetimeThe date in GMT when the this Access(8)ID is added. It is the date when theAccess ID is first available for use withinSecured Logons.ACCESS_IDENTIFIERAccess_Id_End_DatedatetimeThe date in GMT when this Access ID is(8)no longer to be used. This field isinitialized to <NULL>. It is set when auser wants to ‘delete’ this Access ID.ACCESS_IDENTIFIERAccess_ID_Gen_KeyintThis is a unique key that identifies this(4)Access ID. It is generated when theAccess ID is added to the data base.ACCESS_IDENTIFIERAccess_Id_Long_DescvarcharThis is a long descriptive explanation of(255)what the Access ID represents. Thisvalue is permitted to change. Examplesare “Dr Jones in Maryland at theGermantown Facility” and “Harry Cotter,Broker for ExecPlan in Mid_AtlanticTerritory.”ACCESS_IDENTIFIERAccess_Id_ParentintThis is the Access_Id_Gen_Key for the(4)immediate parent of a Derivative AccessID. For Primary Access Ids, this isNULL.ACCESS_IDENTIFIERAccess_Id_Short_DescvarcharThis is the a short description of what the(25)Access ID represents. It should bedescriptive and brief. This value ispermitted to change. Examples are “Dr.Jones” and “Harry Cotter”.ACCESS_IDENTIFIERAccess_Id_SourcevarcharTells which of the source types created(15)this Access ID. If the source type is UR(User), this value is the AKA name of theuser; if the source type is SC (Security),this value is the AKA name of thesecurity user; if the source type is SA(System Application), it is the Gen_keyof the system application; etc.ACCESS_IDENTIFIERAccess_Id_Source_Type_CdvarcharFrom the Lookup_Codes table. Tells(5)where the source for the Access IDpoints to: System_Application orBusiness_Function or which usercreated or any other value.ACCESS_IDENTIFIERAccess Id_Source_Type_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Source_Type valuesACCESS_IDENTIFIERAccess_Id_Type_CdvarcharThis is a categorization of the access(5)identifiers. Examples are Tax ID,Customer Number, and State LicenseNumber.ACCESS_IDENTIFIERAccess_Id_Type_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Access_ID_Type valuesACCESS_IDENTIFIERCreated_By_User_IdvarcharThis is the AKAName of the user who(25)created the Access Identifier. It may beNULL if the Access Identifier wascreated by a non-GUI program.ACCESS_IDENTIFIERDT_CreateddatetimeThe date and time in GMT that this(8)Access ID was added to the data base.ACCESS_IDENTIFIEREntity_Gen_KeyintThis is a key within the External_Entity(4)table, pointing to the entity to which thisAccess ID belongs.BUS_FUNC_ID_TYPE_ASSOCAccess_Id_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Access_ID_Type_Cd valuesBUS_FUNC_ID_TYPE_ASSOCAccess_Id_Class_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Access_ID_Class_Rule_Cd valuesBUS_FUNC_ID_TYPE_ASSOCAccess_Id_Class_Rule_CdvarcharIf present, indicates this business(5)function uses only those access ID'Swhose class matches this code;otherwise, the business function uses allclasses. Access ID Class Rule codevalues include “primary” and “derivative.”BUS_FUNC_ID_TYPE_ASSOCAccess_Id_Type_CdvarcharThis is a categorization of the access(5)identifiers and indicates an access IDtype that is associated with the businessfunction identified byBus_Func_Gen_Key.BUS_FUNC_ID_TYPE_ASSOCBus_Func_Gen_KeyintThis is a key within the(4)Business_Function table, pointing to abusiness function associated with theAccess_ID_Type_Cd.BUSINESS_FUNCTIONActiveDatedatetimeThe date and time in GMT that this(8)Business Function became active.BUSINESS_FUNCTIONBus_Func_Gen_KeyintThis is a unique key that identifies this(4)Business_Function row. It is generatedwhen the Business_Function row isadded to the data base.BUSINESS_FUNCTIONBusiness_Func_DescvarcharA detailed description or definition of this(255)business functionBUSINESS_FUNCTIONBusiness_Func_NamevarcharThe name by which this business(40)function or process is known to thebusiness communityBUSINESS_FUNCTIONDeActiveDatedatetimeThe date and time in GMT that on which(8)this Business Function became inactive.BUSINESS_FUNCTIONDefault_Navigation_NamevarcharThe default name by which this function(40)is presented in a navigation menu or linkBUSINESS_FUNCTIONDelegation_Type_CdvarcharCode indicating whether or not the(5)business function may be delegated.Values are “Yes” or “No.”BUSINESS_FUNCTIONDelegation_Type_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Delegation_Type_Cd valuesBUSINESS_FUNCTIONDT_CreateddatetimeThe date and time in GMT that this(8)Business_Function row was added to thedata base.BUSINESS_FUNCTIONDT_UpdateddatetimeThe date and time in GMT that the(8)information in this Business_Functionrow was last updated.BUSINESS_FUNCTIONInitial_URLvarcharThe URL to which the browser is(255)redirected when this business function isinvoked.BUSINESS_FUNCTIONPortOrigin_Gen_KeyintThis a key within the Port_Of_Origin(4)table, pointing to the Port of Origin towhich this Business Function belongs.BUSINESS_FUNCTIONSegmentbitA code indicating whether or not this(1)business function is able to work withdiscrete segments or parts of anorganization versus the entireorganization. Yes = 1; No = 0.BUSINESS_FUNCTIONSystem_Application_IDintThis a key within the System_Application(4)table, pointing to the System Applicationto which this Business Function belongs.BUSINESS_FUNCTION_ASSOCActiveDatedatetimeThe date and time in GMT that this(8)Business Function Association becameactive.BUSINESS_FUNCTION_ASSOCBus_Func_Gen_KeyintThis is a key within the(4)Business_Function table, pointing to aBusiness Function that is associated withthe Business Function Set identified byBus_Func_Set_Gen_Key.BUSINESS_FUNCTION_ASSOCBus_Func_Set_Gen_KeyintThis is a key within the(4)Business_Function_Set table, pointing toa Business Function Set that isassociated with the Business Functionidentified by Bus_Func_Gen_Key.BUSINESS_FUNCTION_ASSOCDeactiveDatedatetimeThe date and time in GMT that this(8)Business Function Association becamedeactivated.BUSINESS_FUNCTION_ASSOCDT_CreateddatetimeThe date and time in GMT that this(8)Business Function Association wasadded to the database.BUSINESS_FUNCTION_ASSOCDT_UpdateddatetimeThe date and time in GMT that(8)information about this Business FunctionAssociation was last updated.BUSINESS_FUNCTION_SETActiveDatedatetimeThe date and time in GMT that this(8)Business Function Set became active.BUSINESS_FUNCTION_SETBus_Func_Set_DescvarcharA detailed description or definition of this(255)Business Function Set.BUSINESS_FUNCTION_SETBus_Func_Set_Gen_KeyintThis is a unique key that identifies this(4)Business_Function_Set row. It isgenerated when theBusiness Function Set row is added tothe data base.BUSINESS_FUNCTION_SETBus_Func_Set_NamevarcharA name that implies the purpose of this(40)Business Function Set.BUSINESS_FUNCTION_SETDeactiveDatedatetimeThe date and time in GMT that this(8)Business Function Set becamedeactivated.BUSINESS_FUNCTION_SETDT_CreateddatetimeThe date and time in GMT that this(8)Business Function Set was added to thedatabase.BUSINESS_FUNCTION_SETDT_UpdateddatetimeThe date and time in GMT that(8)information about this Business FunctionSet was last updated.BUSINESS_FUNCTION_SETOrigin_Gen_KeyintThis a key within the Port_Of_Origin(4)table, pointing to the Port of Origin towhich this Business Function Setbelongs.DELEGATIONAdmin_Entity_Gen_KeyintThis is a key within the External_Entity(4)table, pointing to the entity that is giventhe rights to do work as a result of thisDelegation. This value will never be thesame as theGrantedBy_Entity_Gen_Key or theBehalfOf_Entity_Gen_Key.DELEGATIONBehalfOf_Entity_Gen_KeyintThis is a key within the External_Entity(4)able, pointing to the entity whosebusiness function and data aredelegated as a result of this Delegation.DELEGATIONBus_Func_Gen_KeyintThis is a key within the(4)Business_Function table, pointing to thebusiness function being delegated bythis Delegation.DELEGATIONCreatedBy_User_IdvarcharThe AKAName of the user who created(25)this delegation.DELEGATIONData_Gen_KeyintThis is a key for either the(4)ACCESS_IDENTIFIER orACCESS_GROUP table, pointing to theAccess Id or Access Group (segment)that is being delegated.DELEGATIONData_Type_CdvarcharCode indicating whether the(5)Data Gen Key is from theACCESS_IDENTIFIER table or theACCESS GROUP table.DELEGATIONData_Type_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Data_Type_CD values.DELEGATIONDeactivatedBy_Entity_User_Gen—intThis is a key within the Entity_User table,Key(4)pointing to the Entity_User who canceledthis Delegation.DELEGATIONDeactivation_Method_Type_CdvarcharA code that indicates whether a(5)Delegation deactivation resulted from anexplicit deactivation of rights for theentity_user or was the side-effect(cascading delete) of a deactivation ofrights for another entity_user.DELEGATIONDeactivation_Method_Type_CdvarcharThis code identifies the code table withinTable_Id(8)the lookup codes table which containsthe Deactivation_Method_Type_Cdvalues.DELEGATIONDelegation_ChainintThis is an identifier for a delegation(4)chain. When a delegation is initiated,this field gets a unique value. Allsubsequent instances of a delegation ofthis “business function : access pair”copies this value.DELEGATIONDelegation_End_DatedatetimeThe date and time in GMT when this(8)Delegation is inactivated. It is initiallyNULL.DELEGATIONDelegation_Gen_KeyintThis is a unique key that identifies this(4)Delegation. It is generated when theDelegation is added to the data base.DELEGATIONDelegation_LevelintFor the first delegation in a delegation(4)chain of a “business function : accesspair”, this is set to 1. Subsequentdelegations increment the value by 1.DELEGATIONDelegation_ParentintThis is a key within the Delegation table(4)itself, pointing to the row in this table thatimmediately precedes this row in adelegation chain. For the first delegationthis field is set to NULL. For subsequentdelegations (level > 1), this is the valueof the Delegation_Gen_Key of the entrythat is creating this new entry. When Adelegates to B, this column is NULL,when B further delegates A's work to D,this field points to the row where Adelegated to B.DELEGATIONDelegation_Type_CdvarcharA code indicating whether this(5)Delegation may be further delegated, thetype of delegation (with or withoutpermission), etc. (Not currently used.)DELEGATIONDelegation_Type_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Delegation_Type_Cd values.DELEGATIONDT_CreateddatetimeThe date and time in GMT that this(8)Delegation was added to the data base.DELEGATIONDT_UpdateddatetimeThe date and time in GMT that(8)information about this Delegation waslast updated.DELEGATIONGrantedBy_Entity_Gen_KeyintThis is the key within the External_Entity(4)table, pointing to the entity whosePAA/AA did the delegation. For theinitial delegation, this is the same as theBehalfOf_Entity, i.e. A delegates to B(Admin) to do work for itself, A (BehalfOf)and A (GrantedBy). If B subsequentlydelegates A's work to D, this value(GrantedBy) would be B, Admin wouldbe D, and BehalfOf would be A.DELEGATIONGrantedBy_User_IdvarcharThe AKAName of the user who granted(30)his delegation.DELEGATION—Admin_AKANamevarcharThe AKAName of the PAA of the entityAUTHORIZATION(30)that will be delegated to as a result ofthis Delegation Authorization.DELEGATION—Admin_Entity_Gen_KeyintThis is a key within the External_EntityAUTHORIZATION(4)table, pointing to the entity that will bedelegated to as a result of thisDelegation Authorization.DELEGATION—Created By_Entity_User_Gen_KeyintThis is a key within the Entity_UserAUTHORIZATION(4)Table, pointing to the Entity_User whoinitiated this particular DelegationAuthorization.DELEGATION—Delegation_Authorization_Eff_DatedatetimeThe date and time in GMT that thisAUTHORIZATION(8)Delegation Authorization is available foruse. Usually it is the same as theDT_Created.DELEGATION—Delegation Authorization_End_DatedatetimeThe date and time in GMT that thisAUTHORIZATION(8)Delegation Authorization is deactivated.DELEGATION—Delegation_Authorization_Use_CountintInitialized to zero. It tracks the numberAUTHORIZATION(4)of times this record was invoked toauthorize a delegation.DELEGATION—Delegation_Transaction_CodevarcharThis is the Delegation Acceptance Code.AUTHORIZATION(40)It is given to a PAA/AA at another entityin order for that PAA/AA to delegate tothe entity referenced by theAdmin Entity Gen Key.DELEGATION—DT_CreateddatetimeThe date and time in GMT that thisAUTHORIZATION(8)Delegation Authorization was added tothe data base.DELEGATION—DT_UpdateddatetimeThe date and time in GMT thatAUTHORIZATION(8)information about this DelegationAuthorization was last updated.DELEGATION—UpdatedBy_Entity_User_Gen_KeyintThis is a key within the Entity_UserAUTHORIZATION(4)Table, pointing to the Entity_User whomost recently updated this particularDelegation Authorization.ENTITY_TYPE_FUNCTIONBus_Func_Set_Gen_KeyintThis is a key within the(4)Business_Function_Set table, pointing toa Business Function Set that may beassociated with the Entity Type identifiedby Entity_Type_Cd.ENTITY_TYPE_FUNCTIONDefault_For_Category_IndcharNot currently used.(1)ENTITY_TYPE_FUNCTIONDT_CreateddatetimeThe date and time in GMT that this(8)Entity_Type_Function row was added tothe data base.ENTITY_TYPE_FUNCTIONDT_UpdateddatetimeThe date and time in GMT that the(8)information in this Entity_Type_Functionrow was last updated.ENTITY_TYPE_FUNCTIONEntity_Type_CdcharA code that identifies the type of entity(6)which may be associated with theBusiness Function Set identified byBus_Func_Set_Gen_Key.ENTITY_USERAccess_Granted_By_UserIdcharThe AKA_Name of the person who(15)granted this user the right to do work onbehalf of this entity.ENTITY_USERAdmin_Entity_Gen_KeyintThis is a key to the External_Entity table,(4)pointing to the External_Entity that theperson, in this context, works for (isemployed by or for Members, it is theirown account). When theBehalfOf_Entity and Admin_Entity arethe same, the person is associated withthe entity that controls the businessfunction : data access. If theBehalfOf_Entity and Admn_Entity aredifferent, then the person is a ‘Virtual’user for the BehalfOf_Entity and will beallowed to do work (processtransactions) using the BehalfOf_Entity'sdata and functions. This is done viadelegation.ENTITY_USERBehalfOf_Entity_Gen_KeyintThis is a key to the External_Entity table,(4)pointing to the External_Entity that theperson will do work on behalf of.ENTITY_USERBlock_CdcharObsolete as of SL 4.0. Y if access to(2)Humana's resources by this person havebeen blocked. Any other value allowsaccess based on access rights grantedby user administrators.ENTITY_USERBlock_DatedatetimeObsolete as of SL 4.0.(8)ENTITY_USERBlock_Reason_Audit_IDcharObsolete as of SL 4.0. The Id of the(15)person who last changed the block codeand block reason code.ENTITY_USERBlock_Reason_CdcharObsolete as of SL 4.0. A code indicating(2)the reason this person's access toHumana's resources has been blocked.ENTITY_USERCD_Table_ID_BlockCdcharObsolete as of SL 4.0. Holds the code(8)table id under which the block reasoncode definitions are stored within thecode tables.ENTITY_USERCD_Table_ID_ReasonCdcharObsolete as of SL 4.0. Holds the code(8)table id under which the block codedefinitions are stored within the codetablesENTITY_USERDT_CreateddatetimeThe date and time in GMT that this(8)Entity_User row was added to the database.ENTITY_USERDT_UpdateddatetimeThe date and time in GMT that the(8)information in this Entity_User row waslast updated.ENTITY_USEREntity_User_Eff_DatedatetimeObsolete in SL 4.0. The date and time in(8)GMT on which this Entity_User entry isfirst valid.ENTITY_USEREntity_User_End_DatedatetimeObsolete in SL 4.0. The date and time in(8)GMT when this Entity_User entry is nolonger valid. This field is initialized to<NULL>. It is set when the Entity_Userrelationship is severed.ENTITY_USEREntity_User_Gen_KeyintThis is a unique key that identifies this(4)Entity_User row. It is generated whenthe Entity_User row is added to the database.ENTITY_USEREntity_User_TitlevarcharA free text title of the person working at(30)the company. This field will be NULL for‘virtual’ users.ENTITY_USEREntity_User_Type_CdvarcharThis code is used to identify the type of(5)user this person is in relation to the entity1 = PAA, 2 = AA, 3 = OA). Valid valuescome from the Lookup_Codes table.ENTITY_USEREntity_User_Type_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Entity_User_Cd values.ENTITY_USERGrantedBy_Entity_Gen_KeyintThis is a key to an entry in the(4)External_Entity table, pointing to theExternal_Entity that was responsible forcreating the relationship between theUser and the Entity in this Entity_Userrow. For virtual users this will be NULLbecause this information is captured inthe DELEGATION table. For initial PAAsthis will be the internal security.organization; for AA and OA this will bethe same as the Admin_Entity andBehalfOf_Entity.ENTITY_USERIs_EmployedbitObsolete as of SL 4.0, although it may(1)still be populated. A value of Trueindicates this User is employed by theentity that granted these access rights.False indicates this User is not employedby the entity that granted these accessrights.ENTITY_USERUser_IDvarcharThis is a key to an entry in the User(25)Table, pointing to the user who is beingassociated with the BehalfOf_Entity.ENTITY_USER_ACCESSAssignment_Type_CdvarcharThis is a code that indicates whether or(5)not this entry may be assigned toanother person. As of SL 4.0, it is notused.ENTITY_USER_ACCESSAssignment_Type_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Assignment_Type_Cd values.ENTITY_USER_ACCESSBus_Func_Gen_KeyintThis is a key within the(4)Business_Function table, pointing to thebusiness function with which thisEntitiy_User_Access row is associated.ENTITY_USER_ACCESSData_Gen_KeyintThis is a key to an entry in either the(4)ACCESS_GROUP orACCESS_IDENTIFIER tables. It pointsto the data with which thisEntity_User_Access row is associated. Ifthis is an Access_Group entry, SecuredLogons will expand the group into itscontents when this Entity_User_Accessrow is used, but will not store theAccess_Group content in this table.ENTITY_USER_ACCESSData_Type_CdvarcharThis code indicates whether the(5)Data_Gen_Key is from theAccess_Identifier table or theAccess_Group table.ENTITY_USER_ACCESSData_Type_Cd_Table_IdvarcharThis code identifies the code table within(8)the lookup codes table which containsthe Data_Type_Cd values.ENTITY_USER_ACCESSDT_CreateddatetimeThe date and time in GMT that this(8)Entity_User_Access row was added tothe data base.ENTITY_USER_ACCESSDT_UpdatedsmalldatetimeThe date and time in GMT that theinformation in this Entity_User_Accessrow was last updated.ENTITY_USER_ACCESSEntity_User_Access_Eff_DatedatetimeThe date and time in GMT on which this(8)Entity_User_Access entry is first valid.ENTITY_USER_ACCESSEntity_User_Access_End_DatedatetimeThe date and time in GMT when this(8)Entity_User_Access entry is no longervalid. This field is initialized to <NULL>.It is set when the access rights impliedby the entry are removed from the user.ENTITY_USER_ACCESSEntity_User_Access_Gen_KeyintThis is a unique key that identifies this(4)Entity_User_Access row. It is generatedwhen the Entity_User_Access row isadded to the data base.ENTITY_USER_ACCESSEntity_User_Gen_KeyintThis is a key to an entry in the Entity-(4)User table that points to the Entity_Userwith which this Entity_User_Access rowis associated.EUA_Delegation_AssocCreated By_Entity_User_Gen_KeyintThis is a key within the(4)Entity_User_Table, pointing to the entityand the person within that entity whichassigned the delegated access.EUA_Delegation_AssocDeactivatedBy_Entity_User_Gen—intThis is a key within theKey(4)Entity_User_Table, pointing to the entityand the person within that entity whichrevoked the delegation.EUA_Delegation_AssocDeactivation_Method_Type_CdvarcharA code that indicates whether a(5)Delegation deactivation resulted from anexplicit deactivation of rights for theentity_user or was the side-effect(cascading delete) of a deactivation ofrights for another entity_user.EUA_Delegation_AssocDeactivation_Method_Type_CdvarcharThis code identifies the code table withinTable_Id(8)the lookup codes table which containsthe Deactivation_Method_Type_CdvaluesEUA_Delegation_AssocDelegation_Gen_KeyintThis is a key within the Delegation table,(4)pointing to the Delegation that explainshow and why the Entity_User_Accessidentified by theEntity_User_Access_Gen_Key has beencreated from delegation.EUA_Delegation_AssocDT_CreateddatetimeThe date and time in GMT that this EUA(8)Delegation Association was added to thedata base.EUA_Delegation_AssocDT_UpdateddatetimeThe date and time in GMT that(8)information about this EUA DelegationAssociation was last updated.EUA_Delegation_AssocEntity_User_Access_Gen_KeyintThis is a key to the Entity_User_Access(4)table, pointing to an Entity_User_Accessrow that is valid due to the reasonsidentified in the Delegation defined bythe Delegation_Gen_Key.EUA_Delegation_AssocEUA_Delegation_End_DatedatetimeThe date and time in GMT when this(8)EUA Delegation Association isinactivated. It is initially NULL.MENU_TEMPLATEBus_Func_Gen_KeyintThis is a key within the(4)Business_Function table, pointing to aBusiness Function that is associated withthis Menu Template Item.MENU_TEMPLATEDT_CreateddatetimeThe date and time in GMT that this Menu(8)Template Item was added to the database.MENU_TEMPLATEDT_UpdateddatetimeThe date and time in GMT that(8)information about this Menu TemplateItem was last updated.MENU_TEMPLATEMenu_Gen_KeyintThis is a unique key that identifies this(4)Menu_Template row. It is generatedwhen the Menu_Template row is addedto the data base.MENU_TEMPLATEMenu_LeveltinyintIdentifies the level, or layer, within the(1)menu system at which this MenuTemplate Item is presented. The firstlayer is layer 1, the next layer is layer 2,etc.MENU_TEMPLATEMenu_SequencetinyintThis is a numeric sequence number that(1)determines the order Menu TemplateItems are displayed within a particularparent and menu level.MENU_TEMPLATEMenu_Short_NamevarcharA short name for the menu item. This is(40)the value typically displayed to the userfor the Menu Template Item.MENU_TEMPLATEMenu_Tool_TipvarcharThe text displayed when a user places(60)his/her mouse over this Menu TemplateItem.MENU_TEMPLATEOrigin_Gen_KeyintThis a key within the Port_Of_Origin(4)table, pointing to the Port of Origin inwhich this Menu Template Item is valid.MENU_TEMPLATEParent_Menu_Gen_KeyintIdentifies the menu item to which this(4)menu item is a child. Top level menuitems have a value of zero in this field.All the children of a particular menu itemwill have the value of theMenu_Gen_Key of the parent in thiscolumn.MENU_TEMPLATEReturn_URLvarcharThis is the URL to return to when the(255)function controlled by the MenuTemplate Item completes. It is used inconjunction with the ReturnToSL.asppage.MENU_TEMPLATETag1varcharThis is a user-defined field. It stores(2048)additional information about this menuitem. This can be used to provideinstructions to a menu processor on howto handle the presentation of the menuitem. It can also be used to storeinformation that a business functiondeveloper may need. This fieldcommonly contains XML tags.MENU_TEMPLATETag2varcharThis is a user-defined field. It stores(2048)additional information about this menuitem. This can be used to provideinstructions to a menu processor on howto handle the presentation of the menuitem. It can also be used to storeinformation that a business functiondeveloper may need. This fieldcommonly contains XML tags.PORT_OF_ORIGINDefault_Passback_StringvarcharThe default string to be passed back to(255)an external system when a call from thatsystem ends. This string may containinformation of any kind, but is anticipatedto be information the external system willuse to re-establish the environment thatexists immediately prior to placing thecall to Humana's system.PORT_OF_ORIGINDefault_Return_LocationvarcharThe URL to which control will be(255)returned when a call from the Port ofOrigin to Secured Logons hascompleted. This often is the menu pagefor the Port of Origin or an intermediatepage that determines which menu pageto go to.PORT_OF_ORIGINDT_CreateddatetimeThe date and time in GMT that this Port(8)of Origin was added to the database.PORT_OF_ORIGINDT_UpdateddatetimeThe date and time in GMT that(8)information about this Port of Origin waslast updated.PORT_OF_ORIGINLogo_URLvarcharThe URL to the logo for this Port of(255)Origin. The logo will be displayed on allscreens that Secured Logons populatesin that Port of Origin.PORT_OF_ORIGINOrigin_Gen_KeyintThis is a unique key that identifies this(4)Port of Origin. It is generated when thePort of Origin is added to the database.PORT_OF_ORIGINOrigin_NamevarcharA short, concise, name by which this(255)Port of Origin may be known. It must beunique and it must not contain anyspaces.PORT_OF_ORIGINStyle_Sheet_URLvarcharThe URL to the style sheet for the Port of(255)Origin. The style sheet will be applied toall screens that Secured Logonspopulates in that Port of Origin.PORT_OF_ORIGIN—Attr_NbrtinyintA number that uniquely identifies thisATTRIBUTES(1)attribute for this Port of Origin.PORT_OF_ORIGIN—Attribute_IdentifiervarcharA name that identifies the purpose of thisATTRIBUTES(20)Port of Origin Attribute.PORT_OF_ORIGIN—Attribute_Sequence(tinyintDefines the sequence in which this PortATTRIBUTES(1)of Origin Attribute is presented onreports and management screens.PORT_OF_ORIGIN—Attribute_ValuevarcharThe value of this Port of Origin Attribute.ATTRIBUTES(255)PORT_OF_ORIGIN—DT_CreateddatetimeThe date and time in GMT that this PortATTRIBUTES(8)of Origin Attribute was added to thedatabase.PORT_OF_ORIGIN—DT_UpdateddatetimeThe date and time in GMT thatATTRIBUTES(8)information about this Port of OriginAttribute was last updated.PORT_OF_ORIGIN—Origin_Gen_KeyintThis a key within the Port_Of_OriginATTRIBUTES(4)table, pointing to the Port of Origin towhich this Attribute belongs.STATUS_CONTROLActor_RoleintThis is a code indicating the role of the(4)user who created the Status Controlitem. 1 = internal security; 2 = externaluser; 3 = transaction acceptor.STATUS_CONTROLAdded_ByvarcharThis is the AKAName of the user who(30)created the Status Control item.STATUS_CONTROLCancelled_ByvarcharThis is the AKAName of the user who(30)initiated the cancel or replacementaction.STATUS_CONTROLDisposition_CdvarcharCode that identifies the disposition of this(5)status item. Blank = Good - This recordshould be used along with other recordshaving a blank disposition code indetermining the current status. HIS =History - this record is no longer activeand has been replaced by another one.IGN = Ignore - This records is no longeractive and has not been replaced byanother. OVR = Overridden - Thisrecord is no longer active, and waseliminated because someone put in aconflicting record/record set andrequested this record to be overridden.STATUS_CONTROLdt_Added_OndatetimeThe date and time in GMT that this(8)Status Control item was added to thedata base.STATUS_CONTROLdt_CancelleddatetimeThe date and time in GMT that this(8)Status Control item was cancelled orreplaced by another Status Control item.STATUS_CONTROLdt_To_ActdatetimeThe date and time in GMT that this(8)Status Control item goes into effect.STATUS_CONTROLImpact_Type_CdvarcharIdentifies the overall impact of the Status(5)Control item. A = Restart, P = Permanent,R = Registered, S = Started, T = TemporarySTATUS_CONTROLReason_CdvarcharCode that provides a reason why this(5)Status Control item exists. Reasons canbe “Begin Leave,” “Begin Suspend,”“Begin Vacation,” “Revoked,” or“End Revoke.”STATUS_CONTROLReason_CommentvarcharA free-form field in which comments(250)regarding the Status Control item may beentered.STATUS_CONTROLRelated_Reason_CdvarcharWhen this Status Control item is related(5)to another Status Control item, this codeexplains that relationship: B = thisrecord ends and the other record beginsa set of records that represents a rangeor period of time when status wasinterrupted. E = this record begins andthe other record ends a set of recordsthat represents a range or period of timewhen status was interrupted. R = theother record is a replacement for thisone.STATUS_CONTROLRelated_Status_Control_Gen_KeyintThis is a key within the Status_Control(4)table pointing to a Status Control itemthat is related to this Status Control item.The reason for the relationship isindicated in Related_Reason_Cd.STATUS_CONTROLStatus_CdvarcharCode indicating what the status will be(5)as of the dt_To_Act. A = Active,I = InActive, R = RevokedSTATUS_CONTROLStatus_Control_Gen_KeyintThis is a unique key that identifies this(4)Status Control item. It is generatedwhen the Status Control item is added tothe data base.STATUS_CONTROLStatus_Control_TypevarcharCode indicating whether this Status(2)Control item is for a user (U), entity (E),or entity_user (EU).STATUS_CONTROLType_Gen_KeyintThis is a key within the User,(4)External_Entity, or Entity_User table,pointing to the user, entity, or entity_userfor which this Status Control item exists.SYSTEM_APPLICATIONActiveDatedatetimeThe date and time in GMT that this(8)System Application became active.SYSTEM_APPLICATIONDeActiveDatedatetimeThe date and time in GMT that this(8)System Application became deactivated.SYSTEM_APPLICATIONDT_CreateddatetimeThe date and time in GMT that this(8)System Application was added to thedatabase.SYSTEM_APPLICATIONDT_UpdateddatetimeThe date and time in GMT that(8)information about this SystemApplication was last updated.SYSTEM_APPLICATIONSystem_Application_DescriptionvarcharA detailed description or definition of this(255)System Application.SYSTEM_APPLICATIONSystem_Application_IDintThis is a unique key that identifies this(4)System Application. It is generatedwhen the System Application is added tothe database.SYSTEM_APPLICATIONSystem_Application_Short_NamevarcharThe concise name of a System(50)ApplicationSYSTEM_APPLICATION—DT_CreateddatetimeThe date and time in GMT that thisATTRIBUTES(8)System Application Attribute was addedto the database.SYSTEM_APPLICATION—DT_UpdateddatetimeThe date and time in GMT thatATTRIBUTES(8)information about this SystemApplication Attribute was last updated.SYSTEM_APPLICATION—System_Application_Attr_NbrtinyintA number that uniquely identifies thisATTRIBUTES(1)attribute for this System Application.SYSTEM_APPLICATION—System_Application_IDintThis a key within the System_ApplicationATTRIBUTES(4)table, pointing to the System Applicationto which this Attribute belongs.SYSTEM_APPLICATION—System_Application_IdentifiervarcharA name that identifies the purpose of thisATTRIBUTES(20)System Application Attribute.SYSTEM_APPLICATION—System_Application_Identifier_SequencetinyintThe sequence in which the menuingATTRIBUTES(1)program passes this value to theexternal system application.SYSTEM_APPLICATION—System_Application_ValuevarcharThe value of this System ApplicationATTRIBUTES(255)Attribute.SYSTEM_CONFIGAttr_NamevarcharA name that identifies the purpose of this(30)System Configuration Attribute.SYSTEM_CONFIGAttr_ValuevarcharThe value of this System Configuration(1024)Attribute.SYSTEM_CONFIGDescriptionvarcharA description or definition or purpose of(255)this System Configuration Attribute.SYSTEM_CONFIGDT_CreateddatetimeThe date and time in GMT that this(8)System Configuration Attribute wasadded to the database.SYSTEM_CONFIGDT_UpdateddatetimeThe date and time in GMT that(8)information about this SystemConfiguration Attribute was last updated.SYSTEM_CONFIGEff_DatedatetimeThe date and time in GMT that this(8)System Configuration Attribute becomeseffective.SYSTEM_CONFIGEnd_DatedatetimeThe date and time in GMT that this(8)System Configuration Attribute is nolonger effective.SYSTEM_CONFIGLoad_As_Application_VariablebitA code indicating whether this System(1)Configuration Attribute should be loadedas an application variable; Yes = 1 or No =0.

[0972] Modifications and variations of the above-described embodiments of the present invention are possible, as appreciated by those skilled in the art in light of the above teachings. It is therefore to be understood that, within the scope of the appended claims and their equivalents, the invention may be practiced otherwise than as specifically described.

Web-based security with controlled access to data and resources

Information

Publication Number

Date Filed

Date Published

Inventors

CPC

US Classifications

International Classifications

Abstract

Description

Claims

CROSS-REFERENCE TO RELATED APPLICATIONS

Provisional Applications (1)