
WO2009008567A1 - Provisioning apparatus for resources and authorities for integrated identity management - Google Patents


Info

Publication number
WO2009008567A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource
authority
resources
user
identity
Prior art date
Application number
PCT/KR2007/003594
Other languages
French (fr)
Inventor
Sung Kwang Moon
Original Assignee
Nets Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Nets Co., Ltd.
Publication of WO2009008567A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity

Definitions

  • the present invention relates to a resource provisioning apparatus and method of identity management, and more particularly, to an apparatus for performing provisioning of resource identities and resource authorities according to authorities by managing resources as the authorities in an integrated identity management technology.
  • The purpose of the identity management field is to automate the operations of generating an identity for a resource used by a user and deleting that identity, by managing the life cycle of the user identity.
  • In identity management, an identity is generated in a resource or deleted from it according to whether or not the resource is set to be used by a user or a group.
  • the user identity is used in a different way from a general authority when associated with internal organization management. More specifically, in the organization management, authority of a particular user over a particular application or a system is set, and a resource identity provisioning function is required according to the resource authority.
  • Resource represents an application system used by a user or an operating system such as UNIX and refers to a system to be provisioned.
  • Although the application system can have an authority such as a function or a role in an application, and the operating system can have an operating system (OS) authority, provisioning is in general performed on the identity itself.
  • Identity means an ID representing a resource-associated user such as a UNIX account, a windows user, and a groupware login ID. Provisioning means automating a life cycle of a resource-associated identity according to a life cycle of a user by generating or deleting identity in or from an associated resource according to whether or not a user can use the resource.
  • Authority is a set representing an entitlement in the application or the operating system and is operated as a function or as a role that is a set of functions.
  • a conventional resource identity provisioning method is described as follows.
  • For resource allocation, an existing identity management product uses a direct allocation method or an allocation method according to roles.
  • the direct allocation method means one-to-one mapping between a user or a user's organization/group and resource.
  • the allocation method according to roles means one-to-one mapping between the user or the user's organization/group and a role.
  • the allocation may use two schemes. More specifically, a scheme for allocating a resource and a role to be used for a user or an organization/group or a scheme for allocating a user or an organization/group to be used for a resource or a role as a filter type may be used. However, the latter has a problem in that resource information used on the basis of users and organizations cannot be obtained.
  • In existing resource identity provisioning, resource identity provisioning is possible, but authority provisioning within the resource is impossible.
  • the present invention provides a provisioning apparatus capable of managing a function in a resource and a role that is a set of functions, a resource independent role, and a resource as an authority and provisioning a resource authority in addition to a resource identity based on the authority. More specifically, the present invention also provides a management method of inheriting or rejecting an authority for resource provisioning and an apparatus for resource provisioning by setting an optimal authority.
  • an authority-based resource identity and authority provisioning apparatus for integrated identity management, comprising: a management application which performs organization/user authority setting; a provisioning component which calculates resource-associated users by using authority information set by the management application to generate resource-associated user provision information; a resource authority component which performs parallel processing on the generated resource-associated user provision information according to resources to calculate an authority in a resource according to users; and a resource adaptor which performs an identity operation by using information on the calculated authority in a resource according to users, wherein the identity operation includes user identity generation, identity change, and identity deletion, and wherein all user identity operations are performed according to resources.
  • the authority information set by the management application includes "authority allowance” for users, and “authority allowance inheritance” and “authority rejection inheritance” for organizations.
  • the management application may include an authority setting user interface which includes authority types (role, resource, and menu or function), a selected authority display, and a resource selection window.
  • the provisioning component may use role/resource/menu or function information data in order to generate resource-associated user provision information by calculating resource-associated users.
  • The provisioning component may have a function of converting an "organization/user/authority management operation" into a "resource-associated identity and authority provisioning operation", obtain information regarding the associated resource to be provisioned to a user from the authority information, and transmit resource-associated operation information to the resource authority component.
  • A resource calculation method used by the provisioning component is as follows:
    (to-be-provisioned resources) = (total allowed resources) - (total rejected resources)
    (total allowed resources) = (allowed resources) ∪ (resources in an allowed role) ∪ (included-in-function resources in an allowed role) ∪ (included-in-allowed-function resources)
    (total rejected resources) = (rejected resources) ∪ (resources in a rejected role) ∪ (included-in-function resources in a rejected role) ∪ (included-in-rejected-function resources)
  • The resource-associated user calculation may be performed by using: a unit which inquires the resource-associated user information of the to-be-changed authority and sets it to a set A; a unit which changes the authority of an organization or a user; a unit which inquires the resource-associated user information of the to-be-changed authority again and sets it to a set B; a unit which deletes the identities of users included in the set A-B and adds them to a list, creates the identities of users included in the set B-A and adds them to a list, and calculates the users included in the set A ∩ B; a unit which determines whether the user-associated operation calculation is completed by inquiring individual user information; and a unit which, when the calculation is not completed, determines the set a user is included in and performs resource identity creation and list addition, resource identity update and list addition, or resource identity deletion and list addition when that set is B-A, A ∩ B, or A-B, respectively.
  • The resource-associated user provision information may be configured as a Hashtable including a to-be-processed (added/amended/deleted) user information list, keyed by resource.
  • The resource authority component may obtain authority information regarding users in the resource according to a predetermined resource authority calculation method and transmit user identity and authority (role/function) information to the resource adaptor. The resource authority calculation method may be performed as follows:
    (resource role) = (total allowed roles in allowed resources) - (total rejected roles in allowed resources)
    (function) = (total allowed functions in allowed resources) - (total rejected functions in allowed resources)
    (total allowed functions) = (allowed functions) ∪ (functions in allowed roles)
    (total rejected functions) = (rejected functions) ∪ (functions in rejected roles)
  • the resource adaptor may perform generation, change, deletion, and authority synchronization of identities on an associated system by using the identity management operation for the resource obtained by the provisioning component and identity and authority information regarding resources obtained by the resource authority component.
  • FIG. 1 is a view illustrating a data model which represents an authority structure.
  • FIG. 2 is a schematic flowchart illustrating a provisioning operation according to an embodiment of the present invention.
  • FIGS. 3 to 6 are flowcharts illustrating a provisioning operation according to an embodiment of the present invention.
  • FIGS. 7 to 9 are views illustrating examples of a data model used for provisioning according to an embodiment of the present invention.
  • the authority includes a role, a resource, and a function in the resource.
  • The role includes a resource role, which is a set of functions in a resource, and a shared role, which includes resources and functions.
  • The authority is set by a combination of the following operations. 1) Authority inheritance: when an authority is set to be inherited by an organization, a subordinate organization or a user thereof receives the authority. 2) Authority allowance and rejection
  • the authority allocation is classified into authority allocation to a group and authority allocation to a user.
  • a group is managed in a hierarchical structure or in a flat structure.
  • An organization is the same as the group in the hierarchical structure and can generate a user.
  • a group which is not the organization can only include users.
  • the group is allocated with an authority by using the following operations, (a) Authority allowance: only allocated groups have the authority, (b) Authority allowance inheritance: allocated groups and subordinate groups have the authority, (c) Authority rejection: allocated groups do not have the authority, (d) Authority rejection inheritance: allocated groups and subordinate groups do not have the authority.
  • a user of a group has a final authority.
  • When the same authority is allocated to or inherited by a group as both an allowance and a rejection, the rejection takes precedence and the group does not have the authority.
  • Authority allocation to a user: a user is the bottom object in an organization structure and is directly included in an organization. Alternatively, the user may be included in several organizations (concurrent positions) or in several groups.
  • The user may be allocated an authority by using the following operations. (a) Authority allowance: only the allocated users have the authority. (b) Authority rejection: the allocated users do not have the authority.
  • The user receives the authorities allocated to all of its organizations and groups, together with its directly allocated authorities. When the same authority is allocated to or inherited by the user as both an allowance and a rejection, the rejection takes precedence and the user does not have the authority.
  • a structure of the authority is classified into an organization structure (using a hierarchical structure and a multiple-group relationship model), an authority structure (using a role, a resource, a function entity, and a member relationship therebetween), and an authority allocation structure (setting (allowing/rejecting) an authority according to groups and users and determining whether to inherit)).
  • An entity-relationship (ER) diagram of the authority structure is illustrated in FIG. 1.
  • FIG. 2 is a view for explaining a concept of a provisioning method and apparatus according to an embodiment of the present invention.
  • The provisioning system 200 includes a provisioning component 210, a resource authority component 240, and a resource adaptor 270.
  • the authority information set by the management application 100 is exemplified in FIG. 2.
  • "Authority allowance” is set to a user 140
  • "authority allowance inheritance” is set to a department 100 in a first level
  • “authority rejection inheritance” is set to a department 130 in a third level.
  • a provisioning process of the provisioning system 200 is described with reference to a flowchart illustrated in FIG. 3.
  • When the provisioning is started, the management application 100 performs organization/user-associated authority setting (operation 401).
  • An example of an authority setting display needed for the organization/user authority setting in operation 401 performed by the management application 100 is illustrated in FIG. 4.
  • an authority setting user interface including authority types (role, resource, and menu or function), a selected authority display, and a resource selection window are illustrated.
  • the provisioning component 210 generates resource-associated user provision information by calculating resource-associated users (operation 403).
  • role, resource, and menu or function information data is used (operation 402).
  • Parallel processing is performed on the generated resource-associated user provision information 404 according to resources so that the resource authority component 240 calculates an authority in a user-associated resource (operation 405).
  • An identity operation is performed on the calculated authority information in the user-associated resource by the resource adaptor 270 (operation 407).
  • the identity operation includes user identity generation 409, identity change 411 , and identity deletion 413. After all user identity operations are completed for each of the resources, the provisioning is terminated.
  • The authority in the user-associated resource means an included-in-function resource and a role that is a set including the included-in-function resources. Only the allowed authority information that is finally calculated from the authority grants (allowance, rejection, and inheritance) is obtained. For example, when a user receives the 'manager' and 'inspector' authorities and the inspector authority is allocated as a rejection, the user has only the manager authority, since rejection has precedence over allowance.
  • a user authority in a user authority updating operation means an allowed function and role that is finally calculated from an included-in-function resource and role.
  • the provisioning component 210 has a function of converting an "organization/user/authority management operation" into a "resource-associated identity and authority provisioning operation".
  • a resource calculation method information regarding an associated resource 300 to be provisioned to a user is obtained from the authority information, and resource-associated operation information is transmitted to the resource authority component 240.
  • the resource calculation method is performed as follows. Using the method, the associated resource to be provisioned can be obtained even when only a function is allocated, and a resource of which a function is not defined can be allocated.
  • total allowed resources (allowed resources) U (resources in an allowed role) U (included-in-function resources in an allowed role) U (included-in-allowed-function resources)
  • total rejected resources (rejected resources) U (resources in a rejected role) U (included-in-function resources in a rejected role) U (included-in-rejected-function resources)
  • In this way, the resources into which an identity is generated and the resources from which an identity is deleted are determined. For example, assume that a user uses systems S1 and S2 from among systems S1, S2, and S3 according to the existing authority, and it is calculated that the user's authority is changed so that the user uses S2 and S3. Then an identity deletion operation is performed on S1, an identity generation operation is performed on S3, and an identity change operation is performed on S2, which continues to be used, only when the authority to S2 has changed.
  • the resource-associated user calculation algorithm is illustrated by a flowchart of FIG. 6.
  • to-be-changed-authority resource associated user information is inquired about and set to a set A (operation 501 )
  • The authorities of an organization and a user are changed (operation 503).
  • to-be-changed-authority resource associated user information is inquired about and set to a set B (operation 505).
  • Resource-associated user provision information may be configured as illustrated in FIG. 6.
  • the resource-associated user provision information can be configured as a Hashtable including a to-be-processed (added/amended/deleted) user information list by using a resource as a key.
  • a to-be-changed-authority refers to organizations or users that grant an authority.
  • Identities of users who are included in the set A-B are deleted and added to a list (operation 507), identities of users who are included in the set B-A are created and added to a list, and the users who are included in the set A ∩ B are calculated (operation 511).
  • The set a user is included in is determined (operation 517).
  • When the user-included set is the set B-A (operation 520), the set A ∩ B (operation 530), or the set A-B (operation 540), resource identity creation and list addition (operation 521), resource identity update and list addition (operation 522), or resource identity deletion and list addition (operation 525) is performed, respectively.
  • the resource authority component 240 obtains authority information regarding users in the resource 300 according to a resource authority calculation method, and transmits user identity and authority (role/function) information to the resource adaptor 270.
  • the resource adaptor 270 performs generation, change, deletion, and authority synchronization of identities on an associated system by using the identity management operation for the resource 300 obtained by the provisioning component 210 and identity and authority information regarding resources obtained by the resource authority component 240.
  • FIG. 7 illustrates initial data used for resource provisioning according to an embodiment of the present invention.
  • a premise configuration is described as follows.
  • Hong Gil-Dong is a user included in the general affairs team.
  • a KM user uses a KM resource, and the KM resource has a knowledge inquiry function.
  • a GW user uses a GW resource, and the GW resource has a mail transfer and payment function.
  • the general affairs department inherits a KM user role.
  • Hong Gil-Dong has an identity and an authority over the KM resource.
  • FIG. 8 illustrates a data model after a function allowance operation is performed.
  • Hong Gil-Dong has the GW user authority.
  • the provisioning operation performed by using the data model illustrated in FIG. 8 is described as follows.
  • the provisioning component calculates that Hong Gil-Dong uses the GW resource, and Hong Gil-Dong uses the KM resource.
  • The resource adaptor performs the corresponding identity operations on the resources, so that Hong Gil-Dong has the identity and authority over both the KM resource and the GW resource.
  • FIG. 9 illustrates a data model after a function rejecting operation is performed.
  • When the knowledge inquiry function is rejected for Hong Gil-Dong, although Hong Gil-Dong holds the knowledge inquiry authority through the KM user authority, the knowledge inquiry authority is additionally set to be rejected, so Hong Gil-Dong finally does not have the knowledge inquiry authority.
  • the knowledge inquiry authority is an authority of the KM resource. However, since Hong Gil-Dong does not have any authority of the KM resource currently, Hong Gil-Dong does not have an identity of the KM resource.
  • the provisioning component calculates that Hong Gil-Dong is using the GW resource.
  • The resource authority component obtains the mail transfer and payment authority of Hong Gil-Dong for the GW resource.
  • the resource adaptor deletes the identity of Hong Gil-Dong from the KM resource.
  • Hong Gil-Dong has the identity and authority over the GW resource.
  • the invention can also be embodied as computer readable codes on a computer readable recording medium.
  • the computer readable recording medium is any data storage device that can store data which can be thereafter read by a computer system. Examples of the computer readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROMs, magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission through the Internet).
  • Using a method according to an embodiment of the present invention, customers can have the following advantages. 1) A function and a role in a resource can be defined. 2) A role including a resource can be defined as a shared role. 3) An authority (role, resource, function) can be allocated as an allowance or a rejection to an organization and a user. Accordingly, the authority allocated to a final user can be easily inquired about. 4) The provisioning system can provision an identity according to the resources allocated to a final user and provision an authority (function and role) in those resources, so that integrated identity and authority management can be implemented centrally.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

Provided is a resource provisioning apparatus in identity management. More specifically, provided is an apparatus for managing a resource as an authority and provisioning a resource identity and a resource authority according to the authority in an integrated identity management technology. Using a method according to an embodiment of the present invention, customers can have the following advantages. 1) A function and a role in a resource can be defined. 2) A role including a resource can be defined as a shared role. 3) An authority (role, resource, function) can be allocated as allowance or rejection to an organization and a user. Accordingly, an authority allocated to a final user can be easily inquired about. 4) The provisioning system can provide an identity according to resources allocated to a final user and provide an authority (function and role) in resources, so that integrated identity and authority management can be implemented in a center.

Description

PROVISIONING APPARATUS FOR RESOURCES AND AUTHORITIES FOR INTEGRATED IDENTITY MANAGEMENT
TECHNICAL FIELD The present invention relates to a resource provisioning apparatus and method of identity management, and more particularly, to an apparatus for performing provisioning of resource identities and resource authorities according to authorities by managing resources as the authorities in an integrated identity management technology.
BACKGROUND ART
The purpose of an identity management field is to automate operations of generating an identity for a resource used by a user and deleting the identity by managing a life cycle of a user identity. In identity management, according to whether or not to use a resource set to a user or a group, an identity is generated in the resource or deleted from the resource.
The user identity is used in a different way from a general authority when associated with internal organization management. More specifically, in the organization management, authority of a particular user over a particular application or a system is set, and a resource identity provisioning function is required according to the resource authority.
First, terms used in the description will now be defined. Resource represents an application system used by a user or an operating system such as UNIX and refers to a system to be provisioned. Although the application system can have an authority such as a function or a role in an application and the operating system can have an operating system (OS) authority, in general, provisioning is performed on an identity itself.
Identity means an ID representing a resource-associated user such as a UNIX account, a windows user, and a groupware login ID. Provisioning means automating a life cycle of a resource-associated identity according to a life cycle of a user by generating or deleting identity in or from an associated resource according to whether or not a user can use the resource.
Authority is a set representing an entitlement in the application or the operating system and is operated as a function or as a role that is a set of functions.
A conventional resource identity provisioning method is described as follows. For resource allocation, an existing identity management product uses a direct allocation method or an allocation method according to roles. The direct allocation method means one-to-one mapping between a user or a user's organization/group and resource. The allocation method according to roles means one-to-one mapping between the user or the user's organization/group and a role.
The allocation may use two schemes. More specifically, a scheme for allocating a resource and a role to be used for a user or an organization/group or a scheme for allocating a user or an organization/group to be used for a resource or a role as a filter type may be used. However, the latter has a problem in that resource information used on the basis of users and organizations cannot be obtained.
In existing resource identity provisioning, whether or not the resource is to be used can be set. However, setting whether or not the resource is to be used by using a resource internal authority is impossible. Specifically, setting whether or not the resource is to be used according to whether a detailed function of the resource is used is impossible. In addition, since a role is defined as a set of resources, a role in a resource cannot be expressed.
In addition, in existing resource identity provisioning, resource identity provisioning is possible. However, authority provisioning in the resource is impossible.
DETAILED DESCRIPTION OF THE INVENTION
TECHNICAL PROBLEM
The present invention provides a provisioning apparatus capable of managing a function in a resource and a role that is a set of functions, a resource independent role, and a resource as an authority and provisioning a resource authority in addition to a resource identity based on the authority. More specifically, the present invention also provides a management method of inheriting or rejecting an authority for resource provisioning and an apparatus for resource provisioning by setting an optimal authority.
TECHNICAL SOLUTION
According to an aspect of the present invention, there is provided an authority-based resource identity and authority provisioning apparatus for integrated identity management, comprising: a management application which performs organization/user authority setting; a provisioning component which calculates resource-associated users by using authority information set by the management application to generate resource-associated user provision information; a resource authority component which performs parallel processing on the generated resource-associated user provision information according to resources to calculate an authority in a resource according to users; and a resource adaptor which performs an identity operation by using information on the calculated authority in a resource according to users, wherein the identity operation includes user identity generation, identity change, and identity deletion, and wherein all user identity operations are performed according to resources.
In the above aspect of the present invention, the authority information set by the management application includes "authority allowance" for users, and "authority allowance inheritance" and "authority rejection inheritance" for organizations. In addition, the management application may include an authority setting user interface which includes authority types (role, resource, and menu or function), a selected authority display, and a resource selection window.
In addition, the provisioning component may use role/resource/menu or function information data in order to generate resource-associated user provision information by calculating resource-associated users. In addition, the provisioning component may have a function of converting an "organization/user/authority management operation" into a "resource-associated identity and authority provisioning operation", obtains information regarding an associated resource to be provisioned to a user from the authority information, and transmits resource-associated operation information to the resource authority component. A resource calculation method used by the provisioning component is as follows.
(to-be-provisioned resources) = (total allowed resources) - (total rejected resources)
(total allowed resources) = (allowed resources) ∪ (resources in an allowed role) ∪ (included-in-function resources in an allowed role) ∪ (included-in-allowed-function resources)
(total rejected resources) = (rejected resources) ∪ (resources in a rejected role) ∪ (included-in-function resources in a rejected role) ∪ (included-in-rejected-function resources)
In addition, the resource-associated user calculation may be performed by using: a unit which inquires the resource-associated user information of the to-be-changed authority and sets it to a set A; a unit which changes the authority of an organization or a user; a unit which inquires the resource-associated user information of the to-be-changed authority again and sets it to a set B; a unit which deletes the identities of users included in the set A-B and adds them to a list, creates the identities of users included in the set B-A and adds them to a list, and calculates the users included in the set A ∩ B; a unit which determines whether the user-associated operation calculation is completed by inquiring individual user information; and a unit which, when the calculation is not completed, determines the set a user is included in and performs resource identity creation and list addition, resource identity update and list addition, or resource identity deletion and list addition when that set is B-A, A ∩ B, or A-B, respectively. In addition, the resource-associated user provision information may be configured as a Hashtable including a to-be-processed (added/amended/deleted) user information list, keyed by resource.
In addition, the resource authority component may obtain authority information regarding users in the resource according to a predetermined resource authority calculation method and transmit user identity and authority (role/function) information to the resource adaptor, and the resource authority calculation method may be performed as follows.
(resource role) = (total allowed roles in allowed resources) - (total rejected roles in allowed resources)
(function) = (total allowed functions in allowed resources) - (total rejected functions in allowed resources)
(total allowed functions) = (allowed functions) U (functions in allowed roles)
(total rejected functions) = (rejected functions) U (functions in rejected roles)
In addition, the resource adaptor may perform generation, change, deletion, and authority synchronization of identities on an associated system by using the identity management operation for the resource obtained by the provisioning component and identity and authority information regarding resources obtained by the resource authority component.
DESCRIPTION OF THE DRAWINGS
FIG. 1 is a view illustrating a data model which represents an authority structure.
FIG. 2 is a schematic flowchart illustrating a provisioning operation according to an embodiment of the present invention.
FIGS. 3 to 6 are flowcharts illustrating a provisioning operation according to an embodiment of the present invention.
FIGS. 7 to 9 are views illustrating examples of a data model used for provisioning according to an embodiment of the present invention.
BEST MODE
<Description of Authority Setting and Allocation as a Premise of the Present Invention>
First, "authority", which is an object of the present invention, is defined. The authority includes a role, a resource, and a function in the resource. The role includes a resource role, which is a set of functions in a resource, and a shared role, which includes resources and functions.
The authority is set by a combination of the following operations.
1) Authority inheritance: when an authority is set to be inherited by an organization, a subordinate organization or a user thereof receives the authority.
2) Authority allowance and rejection
When an authority is allowed by an organization/user, the user can finally have an inheritance result and a right to use components of the authority. When the authority for the organization/user is rejected, the user cannot have the inheritance result and the right to use the components of the authority. When the allowance and the rejection are set at the same time for the same role, resource, and function, the rejection has precedence over the allowance. The authority allocation is classified into authority allocation to a group and authority allocation to a user.
1) Authority Allocation to Group
A group is managed in a hierarchical structure or in a flat structure. An organization is the same as the group in the hierarchical structure and can generate a user. A group which is not the organization can only include users.
The group is allocated with an authority by using the following operations: (a) Authority allowance: only allocated groups have the authority; (b) Authority allowance inheritance: allocated groups and subordinate groups have the authority; (c) Authority rejection: allocated groups do not have the authority; (d) Authority rejection inheritance: allocated groups and subordinate groups do not have the authority.
A user of a group has a final authority. When the same authority is allocated to or inherited by a group as the allowance or the rejection, the group firstly rejects the authority and does not have the authority.
2) Authority Allocation to User
A user is a bottom object in an organization structure and is directly included in the organization. Alternatively, the user may be included in several organizations (concurrent positions) or several groups. The user may be allocated with the authority by using the following operations: (a) Authority allowance: only allocated groups have the authority; (b) Authority rejection: allocated groups do not have the authority. The user receives the authority allocated to all of its organizations and groups, and also has directly allocated authority. When the same authority is allocated to or inherited by the user as both the allowance and the rejection, the rejection is applied first and the user does not have the authority.
A structure of the authority is classified into an organization structure (using a hierarchical structure and a multiple-group relationship model), an authority structure (using a role, a resource, a function entity, and a member relationship therebetween), and an authority allocation structure (setting (allowing/rejecting) an authority according to groups and users and determining whether to inherit). An entity-relationship (ER) diagram of the authority structure is illustrated in FIG. 1.
<Provisioning Flow>
FIG. 2 is a view for explaining a concept of a provisioning method and apparatus according to an embodiment of the present invention. Referring to FIG. 2, by using authority information set by a management application 100, three components (a provisioning component 210, a resource authority component 240, and a resource adaptor 270) of a provisioning system 200 provision identity/authority information according to resources 300. The authority information set by the management application 100 is exemplified in FIG. 2: "authority allowance" is set to a user 140, "authority allowance inheritance" is set to a department 100 in a first level, and "authority rejection inheritance" is set to a department 130 in a third level. A provisioning process of the provisioning system 200 is described with reference to a flowchart illustrated in FIG. 3. Referring to FIG. 3, when the provisioning is started, the management application 100 performs organization/user-associated authority setting (operation 401). An example of an authority setting display needed for the organization/user authority setting in operation 401 performed by the management application 100 is illustrated in FIG. 4. In FIG. 4, an authority setting user interface (UI) including authority types (role, resource, and menu or function), a selected authority display, and a resource selection window is illustrated.
Next, the provisioning component 210 generates resource-associated user provision information by calculating resource-associated users (operation 403). Here, role, resource, and menu or function information data is used (operation 402). Parallel processing is performed on the generated resource-associated user provision information 404 according to resources so that the resource authority component 240 calculates an authority in a user-associated resource (operation 405).
An identity operation is performed on the calculated authority information in the user-associated resource by the resource adaptor 270 (operation 407). The identity operation includes user identity generation 409, identity change 411, and identity deletion 413. After all user identity operations are completed for each of the resources, the provisioning is terminated. In the authority information in the user-associated resource, the authority in the resource means an included-in-function resource and a role that is a set including the included-in-function resources. Only the allowed authority information that is finally calculated according to authority granting such as allowance, rejection, and inheritance is obtained. For example, when a user receives 'manager' and 'inspector' authorities, and the inspector authority is allocated as a rejection, the user has only the manager authority, since the rejection has precedence over the allowance. In addition, a user authority in a user authority updating operation means an allowed function and role that is finally calculated from an included-in-function resource and role.
Returning to FIG. 2, the provisioning component 210 has a function of converting an "organization/user/authority management operation" into a "resource-associated identity and authority provisioning operation". According to a resource calculation method, information regarding an associated resource 300 to be provisioned to a user is obtained from the authority information, and resource-associated operation information is transmitted to the resource authority component 240. The resource calculation method is performed as follows. Using the method, the associated resource to be provisioned can be obtained even when only a function is allocated, and a resource of which a function is not defined can be allocated.
(to-be-provisioned resources) = (total allowed resources) - (total rejected resources)
(total allowed resources) = (allowed resources) U (resources in an allowed role) U (included-in-function resources in an allowed role) U (included-in-allowed-function resources)
(total rejected resources) = (rejected resources) U (resources in a rejected role) U (included-in-function resources in a rejected role) U (included-in-rejected-function resources)
According to a change in the authority information, a resource into which an identity is generated and a resource from which an identity is deleted are determined. For example, assume that a user uses systems S1 and S2 from among systems S1, S2, and S3 according to an existing authority, and it is calculated that the authority of the user is changed so that the user uses the systems S2 and S3. Then an identity deletion operation is performed on the system S1, an identity generation operation is performed on the system S3, and an identity change operation is performed on the system S2, which continues to be used, only when the authority to the system S2 is changed.
The resource-associated user calculation algorithm is illustrated by a flowchart of FIG. 6. Referring to FIG. 6, to-be-changed-authority resource-associated user information is inquired about and set to a set A (operation 501), authorities of an organization and a user are changed (operation 503), and to-be-changed-authority resource-associated user information is inquired about again and set to a set B (operation 505). Resource-associated user provision information may be configured as illustrated in FIG. 6. Specifically, in operations 501 and 505, the resource-associated user provision information can be configured as a Hashtable including a to-be-processed (added/amended/deleted) user information list by using a resource as a key. In the two aforementioned operations, a to-be-changed authority refers to organizations or users that grant an authority. Next, identities of users who are included in the set A-B are deleted and the identities are added to a list (operation 507), identities of users who are included in the set B-A are added and the identities are added to a list, and users who are included in the set A ∩ B are calculated (operation 511).
Next, individual user information is inquired about (operation 513) to determine whether or not user-associated operation calculation is completed (operation 515). When the operation calculation is not completed, a user-included set is determined (operation 517). When the user-included set is the set B-A (operation 520), the set A ∩ B (operation 530), or the set A-B (operation 540), resource identity creation and list addition (operation 521), resource identity update and list addition (operation 522), or resource identity deletion and list addition (operation 525) is performed, respectively. The resource authority component 240 obtains authority information regarding users in the resource 300 according to a resource authority calculation method, and transmits user identity and authority (role/function) information to the resource adaptor 270. The resource authority calculation method is performed as follows.
(resource role) = (total allowed roles in allowed resources) - (total rejected roles in allowed resources)
(function) = (total allowed functions in allowed resources) - (total rejected functions in allowed resources)
(total allowed functions) = (allowed functions) U (functions in allowed roles)
(total rejected functions) = (rejected functions) U (functions in rejected roles)
The resource adaptor 270 performs generation, change, deletion, and authority synchronization of identities on an associated system by using the identity management operation for the resource 300 obtained by the provisioning component 210 and identity and authority information regarding resources obtained by the resource authority component 240.
The resource provisioning method according to the identity management operations will now be described. Management operations for groups and users occur as described in the following table according to resources in consideration of authority inheritance.
A data model in a resource provisioning process according to an embodiment of the present invention will now be described.
FIG. 7 illustrates initial data used for resource provisioning according to an embodiment of the present invention. First, a premise configuration is described as follows.
The general affairs team is subordinate to the general affairs department.
Hong Gil-Dong is a user included in the general affairs team.
A KM user uses a KM resource, and the KM resource has a knowledge inquiry function.
A GW user uses a GW resource, and the GW resource has a mail transfer and payment function.
The general affairs department inherits a KM user role.
-> Hong Gil-Dong uses the KM resource and has the knowledge inquiry function.
Consequently, Hong Gil-Dong has an identity and an authority over the KM resource.
FIG. 8 illustrates a data model after a function allowance operation is performed. In the embodiment, after a GW manager role is allowed for Hong Gil-Dong, Hong Gil-Dong has the GW user authority. The provisioning operation performed by using the data model illustrated in FIG. 8 is described as follows.
The provisioning component calculates that Hong Gil-Dong uses the GW resource, and Hong Gil-Dong uses the KM resource.
- Since the KM resource has been used, an operation of updating an authority is obtained for the KM resource as needed.
- Since the GW resource is newly allocated, an operation of generating a Hong Gil-Dong identity is obtained for the GW resource.
The resource authority component
- obtains a knowledge inquiry authority of Hong Gil-Dong for the KM resource.
- obtains the mail transfer, payment authority of Hong Gil-Dong for the GW resource.
The resource adaptor
- generates an identity of Hong Gil-Dong for the GW resource and registers the mail transfer, and payment authority. Finally, Hong Gil-Dong has the identity and authority over the KM resource and GW resource.
FIG. 9 illustrates a data model after a function rejecting operation is performed.
First, when the knowledge inquiry function for Hong Gil-Dong is rejected, although Hong Gil-Dong has the knowledge inquiry authority due to the KM user authority, since the knowledge inquiry authority is additionally set to be rejected, Hong Gil-Dong does not have the knowledge inquiry authority finally. The knowledge inquiry authority is an authority of the KM resource. However, since Hong Gil-Dong does not have any authority of the KM resource currently, Hong Gil-Dong does not have an identity of the KM resource.
The provisioning operation performed by using the data model illustrated in FIG. 9 is described as follows.
The provisioning component calculates that Hong Gil-Dong is using the GW resource.
- Since the KM resource is not used, an operation of deleting an identity of Hong Gil-Dong from the KM resource is obtained.
- Since the GW resource has been used, an operation of updating an authority over the GW resource is obtained as needed.
The resource authority component obtains the mail transfer and payment authority of Hong Gil-Dong for the GW resource.
The resource adaptor deletes the identity of Hong Gil-Dong from the KM resource.
Consequently, Hong Gil-Dong has the identity and authority over the GW resource.
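The resource calculation, the resource authority calculation and the set A / set B provisioning diff described above, run over the FIG. 7 to FIG. 9 walkthrough, as an added example that is not part of the patent or any Nets product. The resource/role definitions, the organization hierarchy, the grant tuples and the "GW manager" role carrying the mail transfer and payment functions are constructed assumptions.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample data (assumption), following the FIG. 7 to FIG. 9 walkthrough.
RESOURCES: Dict[str, Set[str]] = {  # resource -> functions defined in it
    "KM": {"knowledge_inquiry"},
    "GW": {"mail_transfer", "payment"},
}
FUNC_RESOURCE = {f: r for r, fs in RESOURCES.items() for f in fs}  # function -> its resource
ROLES: Dict[str, Tuple[Set[str], Set[str]]] = {  # role -> (resources, functions)
    "KM user": ({"KM"}, {"knowledge_inquiry"}),
    "GW manager": ({"GW"}, {"mail_transfer", "payment"}),  # assumed role definition
}
PARENT = {"general affairs team": "general affairs department",
          "general affairs department": None}  # org -> parent org
MEMBERSHIP = {"Hong Gil-Dong": {"general affairs team"}}  # user -> direct orgs/groups

Grant = Tuple[str, str, str, str, bool]  # (target, kind, name, "allow"|"reject", inherit)
Authority = Tuple[FrozenSet[str], FrozenSet[str]]  # (roles, functions) held in one resource

def _ancestors(org: str) -> List[str]:
    chain, cur = [], PARENT.get(org)
    while cur is not None:
        chain.append(cur)
        cur = PARENT.get(cur)
    return chain

def _applies(target: str, user: str, inherit: bool) -> bool:
    """Direct grants always reach the user; a grant to an ancestor org only if inherited."""
    if target == user:
        return True
    for org in MEMBERSHIP.get(user, ()):
        if target == org or (inherit and target in _ancestors(org)):
            return True
    return False

def effective_grants(user: str, grants: List[Grant]):
    """Allowed and rejected roles/resources/functions that reach the user."""
    allow = {"role": set(), "resource": set(), "function": set()}
    reject = {"role": set(), "resource": set(), "function": set()}
    for target, kind, name, mode, inherit in grants:
        if _applies(target, user, inherit):
            (allow if mode == "allow" else reject)[kind].add(name)
    return allow, reject

def _resources_of_roles(roles: Set[str]) -> Set[str]:
    """(resources in a role) U (included-in-function resources in the role)."""
    out: Set[str] = set()
    for r in roles:
        res, funcs = ROLES[r]
        out |= res | {FUNC_RESOURCE[f] for f in funcs}
    return out

def provisioned_resources(allow, reject) -> Set[str]:
    """(total allowed resources) - (total rejected resources): rejection has precedence."""
    total_allowed = (allow["resource"] | _resources_of_roles(allow["role"])
                     | {FUNC_RESOURCE[f] for f in allow["function"]})
    total_rejected = (reject["resource"] | _resources_of_roles(reject["role"])
                      | {FUNC_RESOURCE[f] for f in reject["function"]})
    return total_allowed - total_rejected

def resource_authority(allow, reject, resource: str) -> Authority:
    """Roles and functions the user finally holds inside one allowed resource."""
    def in_res(roles):  # roles that touch this resource
        return {r for r in roles if resource in _resources_of_roles({r})}
    def role_funcs(roles):  # functions of those roles that belong to this resource
        return {f for r in roles for f in ROLES[r][1] if FUNC_RESOURCE[f] == resource}
    def direct(fs):  # directly granted functions that belong to this resource
        return {f for f in fs if FUNC_RESOURCE[f] == resource}
    roles = in_res(allow["role"]) - in_res(reject["role"])
    total_allowed = direct(allow["function"]) | role_funcs(in_res(allow["role"]))
    total_rejected = direct(reject["function"]) | role_funcs(in_res(reject["role"]))
    return frozenset(roles), frozenset(total_allowed - total_rejected)

def snapshot(users: List[str], grants: List[Grant]) -> Dict[str, Dict[str, Authority]]:
    """Resource-keyed table (the patent's Hashtable): resource -> {user: authority}."""
    table: Dict[str, Dict[str, Authority]] = {}
    for u in users:
        allow, reject = effective_grants(u, grants)
        for res in provisioned_resources(allow, reject):
            table.setdefault(res, {})[u] = resource_authority(allow, reject, res)
    return table

def plan(before, after) -> List[Tuple[str, str, str]]:
    """Per resource: A-B -> delete, B-A -> create, A ∩ B -> update only if the authority changed."""
    ops = []
    for res in sorted(set(before) | set(after)):
        a, b = before.get(res, {}), after.get(res, {})
        ops += [("delete", res, u) for u in sorted(set(a) - set(b))]
        ops += [("create", res, u) for u in sorted(set(b) - set(a))]
        ops += [("update", res, u) for u in sorted(set(a) & set(b)) if a[u] != b[u]]
    return ops

# The three authority states of FIG. 7, FIG. 8 and FIG. 9 (constructed grants).
FIG7: List[Grant] = [("general affairs department", "role", "KM user", "allow", True)]
FIG8 = FIG7 + [("Hong Gil-Dong", "role", "GW manager", "allow", False)]
FIG9 = FIG8 + [("Hong Gil-Dong", "function", "knowledge_inquiry", "reject", False)]
```

`plan(snapshot(["Hong Gil-Dong"], FIG7), snapshot(["Hong Gil-Dong"], FIG8))` yields only a create on GW (KM is in A ∩ B with an unchanged authority), and the FIG. 8 to FIG. 9 plan yields only a delete on KM, because the rejected function pulls KM into the total rejected resources.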
The invention can also be embodied as computer readable codes on a computer readable recording medium. The computer readable recording medium is any data storage device that can store data which can be thereafter read by a computer system. Examples of the computer readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROMs, magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission through the Internet). The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.
INDUSTRIAL APPLICABILITY
In an integrated identity management market, customers want to manage an authority of an associated resource as well as an identity. Using the method according to the embodiment of the present invention, customers can have the following advantages.
1) A function and a role in a resource can be defined.
2) A role including a resource can be defined as a shared role.
3) An authority (role, resource, function) can be allocated as allowance or rejection to an organization and a user. Accordingly, an authority allocated to a final user can be easily inquired about.
4) The provisioning system can provision an identity according to resources allocated to a final user and provision an authority (function and role) in resources, so that integrated identity and authority management can be implemented in the center.

Claims

1. An authority-based resource identity and authority provisioning apparatus for integrated identity management, comprising: a management application which performs organization/user authority setting; a provisioning component which operates resource-associated users by using authority information set by the management application to generate resource-associated user provision information; a resource authority component which performs parallel processing on the generated resource-associated user provision information according to resources to calculate an authority in a resource according to users; and a resource adaptor which performs an identity operation by using information on the calculated authority in a resource according to users, wherein the identity operation includes user identity generation, identity change, and identity deletion, and wherein all user identity operations are performed according to resources.
2. The apparatus of claim 1, wherein the authority information set by the management application includes "authority allowance" for users, and "authority allowance inheritance" and "authority rejection inheritance" for organizations.
3. The apparatus of claim 1, wherein the management application includes an authority setting user interface which includes authority types (role, resource, and menu), a selected authority display, and a resource selection window.
4. The apparatus of claim 1, wherein the provisioning component uses role/resource/function information data in order to generate resource-associated user provision information by operating resource-associated users.
5. The apparatus of claim 1, wherein the provisioning component has a function of converting an "organization/user/authority management operation" into a "resource-associated identity and authority provisioning operation", obtains information regarding an associated resource to be provisioned to a user from the authority information, and transmits resource-associated operation information to the resource authority component.
6. The apparatus of claim 1, wherein a resource calculation method used by the provisioning component is as follows.
(to-be-provisioned resources) = (total allowed resources) - (total rejected resources)
(total allowed resources) = (allowed resources) U (resources in an allowed role) U (included-in-function resources in an allowed role) U (included-in-allowed-function resources)
(total rejected resources) = (rejected resources) U (resources in a rejected role) U (included-in-function resources in a rejected role) U (included-in-rejected-function resources)
7. The apparatus of claim 1, wherein the resource-associated user calculation is performed by using: a unit which inquires about to-be-changed-authority resource associated user information and setting the information to a set A; a unit which changes an authority of an organization and a user; a unit which inquires about to-be-changed-authority resource associated user information and setting the information to a set B; a unit which deletes identities of users who are included in the set A-B and adding the identities to a list, deleting identities of users who are included in the set B-A and adding the identities to a list, and calculating users who are included in the set A ∩ B; a unit which determines whether or not a user-associated operation calculation is completed by inquiring about individual user information; and a unit which determines a user-included set when the operation calculation is not completed, and performing resource identity creation and list addition, resource identity update and list addition, or resource identity deletion or list addition when the user-included set is the set B-A, the set A ∩ B, or the set A-B, respectively.
8. The apparatus of claim 7, wherein the resource-associated user information is configured as a Hashtable including a to-be-processed (added/amended/deleted) user information list by using a resource as a key.
9. The apparatus of claim 1, wherein the resource authority component obtains authority information regarding users in the resource according to a predetermined resource authority calculation method, and transmits user identity and authority (role/function) information to the resource adaptor, and wherein the resource authority calculation method is performed as follows.
(resource role) = (total allowed roles in allowed resources) - (total rejected roles in allowed resources)
(function) = (total allowed functions in allowed resources) - (total rejected functions in allowed resources)
(total allowed functions) = (allowed functions) U (functions in allowed roles)
(total rejected functions) = (rejected functions) U (functions in rejected roles)
10. The apparatus of claim 1, wherein the resource adaptor performs generation, change, deletion, and authority synchronization of identities on an associated system by using the identity management operation for the resource obtained by the provisioning component and identity and authority information regarding resources obtained by the resource authority component.
11. A computer-readable medium having embodied thereon a computer program for implementing the apparatus of any one of claims 1 to 10.
PCT/KR2007/003594 2007-07-09 2007-07-26 Provisioning apparatus for resources and authorities for integrated identity management WO2009008567A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2007-0068773 2007-07-09
KR1020070068773A KR100832093B1 (en) 2007-07-09 2007-07-09 Rights-based resource account and provisioning device for integrated account management

Publications (1)

Publication Number Publication Date
WO2009008567A1 true WO2009008567A1 (en) 2009-01-15

Family

ID=39665130

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2007/003594 WO2009008567A1 (en) 2007-07-09 2007-07-26 Provisioning apparatus for resources and authorities for integrated identity management

Country Status (2)

Country Link
KR (1) KR100832093B1 (en)
WO (1) WO2009008567A1 (en)


Also Published As

Publication number Publication date
KR100832093B1 (en) 2008-05-27


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07793256

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07793256

Country of ref document: EP

Kind code of ref document: A1