
Title:
AN IDENTITY MANAGEMENT SYSTEM FOR ASSIGNING END-USERS WITH ACCESS RIGHTS TO SYSTEMS COUPLED TO A CENTRAL SERVER
Document Type and Number:
WIPO Patent Application WO/2009/000276
Kind Code:
A1
Abstract:
This invention relates to an identity management system for assigning an end-user access rights to systems coupled to a central server. An input unit receives a request from the end-user, the request including information identifying the end-user and the requested access rights to the systems. An identity management module generates an electronic access profile for the end-user based on the received request, the electronic access profile including an end-user identifier identifying the end-user and access rules associated with the end-user identifier defining the access rights to the systems. A transmitter then transmits the end-user identifier and the associated access rules to the central server, which establishes access rights to the systems for the end-user by forwarding the received end-user identifier and access rules to the systems.

Inventors:
SIGURDSSON THOMAS BOEL (DK)
NIELSEN MORTEN MYGIND (DK)
Application Number:
PCT/DK2008/050152
Publication Date:
December 31, 2008
Filing Date:
June 17, 2008
Assignee:
OMADA AS (DK)
SIGURDSSON THOMAS BOEL (DK)
NIELSEN MORTEN MYGIND (DK)
International Classes:
G06F21/60
Domestic Patent References:
WO2005022367A1 (2005-03-10)
Foreign References:
EP1260906A1 (2002-11-27)
EP1320018A2 (2003-06-18)
Attorney, Agent or Firm:
Plougmann & Vingtoft a/s (PO BOX 831, Copenhagen Ø, DK)
Claims:

CLAIMS

1. An identity management system (100) for assigning end-users (103) with access rights to systems (120, 121-125) coupled to a central server (106), the identity management system comprising:

- an input unit (101) for receiving requests (104) from the end-users (103), the requests including information identifying the end-users and the requested access rights to at least one of the systems,

- an identity management module (102) for generating electronic access profiles (110) for the end-users (103) based on the received requests (104), the electronic access profiles (110) including end-user identifiers (105) identifying the end-users and access rules (105) associated to the end-user identifiers defining the access rights to the systems (120, 121-125), and

- a transmitter (112) for transmitting the end-user identifiers and the associated access rules (105) to the central server (106), wherein the central server (106) is adapted to establish access rights to the systems (120, 121-125) for the end-users (103) by forwarding the received end-user identifiers and the access rules (105) to the systems, the central server (106) further being adapted to update existing electronic access profiles and establish access rights to the systems (120, 121-125) based on the updated electronic access profiles.

2. An identity management system according to claim 1, further comprising a managing accepter (201) for evaluating the requested access rights for said end-users (103), the evaluation resulting in accepting or rejecting the requested access rights.

3. An identity management system according to claim 2, further comprising an administrator (202) for granting or rejecting the evaluation from the managing accepter (201), the granting resulting in issuing a confirmation signal for the requested access rights, said transmitting of the end-user identifiers and the access rules being performed after issuing said confirmation signal.

4. An identity management system according to claim 1, wherein the central server (106) is an identity data management server having stored therein said existing electronic access profiles to said systems (120-125) for the existing end-users, wherein updating the existing electronic access profiles includes adapting the access rules of the existing electronic access profiles to the access rules of the electronic access profiles received from the transmitter having the same end-user identifiers.

5. An identity management system according to claim 1, wherein the end-users (103) are connected to the input unit (101) over a communication channel (118, 119) and wherein the received request is provided by filling out an electronic access profile template (700) comprising a questionnaire, the questionnaire containing a number of questionnaire elements each being associated with an identifier identifying the questionnaire elements.

6. An identity management system according to claim 5, wherein the questionnaire elements include one or more of the following questionnaire elements:

- the name of the end-user or the end-user's ID number,

- the systems coupled to a central server,

- the name of the manager of the end-user or the manager's ID number,

- the access levels within one or more of said systems, and

- the role of the end-user, the role identifying the position of the user within a given organization incorporating said systems.

7. An identity management system according to claim 1, wherein the received requests (104) are provided by filling out electronic access profile templates comprising questionnaire elements, each questionnaire element being associated with an identifier identifying the questionnaire elements, the system further comprising an access profile updater (114) for updating said access profile templates when a system (124, 125) is added to the central server, or removed from the central server, or updated at the central server, wherein in response to such adding, removing or updating, an identifier (117) is issued identifying the changes being made in the systems, and wherein the identifier is transmitted over the central server (106) to the access profile updater (114), which updates the electronic access profile template accordingly.

8. An identity management system according to claim 1, wherein the input unit (101), the identity management module (102) and the transmitter (112) are integrated into an access profile management server (130).

9. An identity management system according to claim 8, wherein the requests made by said end-users (103) are electronic requests and wherein the input unit (101) is a receiver adapted to receive the electronic requests from the end-users.

10. A method of assigning end-users with access rights to systems coupled to a central server, the method comprising:

- receiving a request from the end-users (301), the request including information identifying the end-users and the requested access rights to at least one of the systems,

- generating electronic access profiles (302) for the end-users based on the received requests, the electronic access profiles including end-user identifiers identifying the end-users and access rules associated to the end-user identifiers defining the access rights to the systems, and

- transmitting the end-user identifiers and the associated access rules to the central server (303), wherein the method further comprises:

- establishing access rights for the end-users by forwarding the received end-user identifiers and the access rules to the systems, and

- updating existing electronic access profiles and establishing access rights to the systems (120, 121-125) based on the updated electronic access profiles.

11. A method according to claim 10, wherein the systems coupled to a central server are associated to a particular organization, and wherein the end-users are employees of said organization.

12. A method according to claim 11, wherein the employees are new employees, employees moving between divisions within said organization, or employees ceasing their work.

13. A method according to claim 10, wherein prior to transmitting the end-user identifiers and the access rules, the method further includes the steps of:

- accepting or rejecting the request from the end-users (304), and subsequently, in case of accepting,

- granting access to said systems (305), the granting further including issuing a confirmation indicating that the request has been granted.

14. A computer program product for instructing a processing unit to execute the steps as claimed in claim 10 when the product is run on a computer.

15. A platform (402) for assigning end-users (103) with access rights to systems (120-125) coupled to a central server (106, 403), comprising:

- an input unit (101) for receiving requests from the end-users (103), the requests including information identifying the end-users and the requested access rights to at least one of the systems,

- an identity management module (102) for generating electronic access profiles (110) for the end-users (103) based on the received requests (104), the electronic access profiles (110) including end-user identifiers identifying the end-users and access rules (105) associated to the end-user identifiers defining the access rights to the systems, and

- a transmitter (112) for transmitting the end-user identifiers and the associated access rules (105) to the central server (106), wherein the central server (106) is adapted to establish access rights to the systems (120, 121-125) for the end-users (103) by forwarding the received end-user identifiers and the access rules (105) to the systems, the central server (106) further being adapted to update existing electronic access profiles and establish access rights to the systems (120, 121-125) based on the updated electronic access profiles.

16. A platform according to claim 15, wherein the identity data management server (106) is a Microsoft Identity Integration Server® (MIIS).

Description:

AN IDENTITY MANAGEMENT SYSTEM FOR ASSIGNING END-USERS WITH ACCESS RIGHTS TO SYSTEMS COUPLED TO A CENTRAL SERVER

FIELD OF THE INVENTION

The present invention relates to an identity management system and a method for assigning an end-user access rights to systems coupled to a central server. The present invention further relates to a platform for assigning an end-user access rights to systems coupled to the central server.

BACKGROUND OF THE INVENTION

Identity management has become a complex, yet essential, part of the business environment. Today, organizations have to deal with numerous cross-functional tasks and approvals. Furthermore, they use multiple systems and applications based on different platforms, each of them requiring identities with a different configuration.

Advancements in standardized technologies such as service-oriented architecture, web services and standardized protocols are giving large-scale organizations an unprecedented ability to change dynamically the way they work and operate, in a constant pursuit of changing requirements. Hence, the order of the day in many organizations is to develop new organizational setups and management techniques. But as these advancements support ever more decentralized and empowered organizational units, the requirements from regulatory bodies and other authorities are becoming stricter and impose strong demands on organizations in order to keep them in compliance with requirements and standards. Pivotal to this issue is the organization's ability to handle its identity and access management processes.

Identity management challenges have become a common theme across various types of organizations. As an example, the days of simply supplying new employees with a desk, PC and telephone are over. Now there are company courses to schedule, a security pass to arrange, and multiple log-ins and passwords to applications and networks to set up.

Until now, identity management has been a manual operation. This means, for example, that if a new employee, or an employee moving from one department to another, is to be provided with access rights to the various systems within an organization, a programmer or an expert needs to generate access rights to those systems. These access rights may include different access levels for different systems, and access to only a subset of the systems present within the organization. If this employee is later moved from one department to another within the same organization, a new access profile needs to be created. Also, if the same employee quits and later starts again, the access profile needs to be re-created because the old access profile has typically been deleted. Also, in case a new system replaces one or more of the existing systems, or is added to them, and an existing employee needs access to this new system, a new access profile needs to be created.

It is clear from the above that the prior art identity management systems are very complex, time-consuming, costly and not very user friendly. Also, larger organizations need to employ a programmer or an expert to generate access profiles, which is both costly and may cause inconvenience for the users.

BRIEF DESCRIPTION OF THE INVENTION

The object of the present invention is to overcome the above mentioned drawbacks by providing a user friendly and interactive way of assigning an end-user access rights to various systems coupled to a central server.

According to one aspect the present invention relates to an identity management system for assigning end-users with access rights to systems coupled to a central server, the identity management system comprising:

- an input unit for receiving requests from the end-users, the requests including information identifying the end-users and the requested access rights to at least one of the systems,

- an identity management module for generating electronic access profiles for the end-users based on the received requests, the electronic access profiles including end-user identifiers identifying the end-users and access rules associated to the end-user identifiers defining the access rights to the systems, and

- a transmitter for transmitting the end-user identifiers and the associated access rules to the central server, wherein the central server is adapted to establish access rights to the systems for the end-users by forwarding the received end-user identifiers and the access rules to the systems, the central server further being adapted to update existing electronic access profiles and establish access rights to the systems based on the updated electronic access profiles.

Therefore, a very user friendly way is provided for generating access profiles for various end-users, and further, an interactive way is provided for updating existing profiles in cases where the access rights to the systems must be changed. This can be the case when the end-user is an employee within a large corporation who is transferred between divisions of the same corporation, such that the access rights to the systems change. If the same employee later rejoins the same company, the access profile will be reactivated. Accordingly, the access profile needs to be generated only once for one and the same end-user.

In one embodiment, the identity management system further comprises a managing accepter for evaluating the requested access rights for said end-users, the evaluation resulting in accepting or rejecting the requested access rights.

In that way, a filtering step is provided where, prior to generating the electronic access profile, an evaluation of the requested access rights for that particular end-user is performed. This could be done manually, where the managing accepter is the manager of the end-user, or it could be an automatic process where a processor or similar means performs the evaluation.

In one embodiment, the identity management system further comprises an administrator for granting or rejecting the evaluation from the managing accepter, the granting resulting in issuing a confirmation signal for the requested access rights, said transmitting of the end-user identifiers and the access rules being performed after issuing said confirmation signal.

This could, for example, be the top level within an organization, such as a board committee, which takes the final decision. This might be relevant within organizations dealing with highly confidential documents or databases.

In one embodiment, the central server is an identity data management server having stored therein said existing electronic access profiles to said systems for the existing end-users, wherein updating the existing electronic access profiles includes adapting the access rules of the existing electronic access profiles to the access rules of the electronic access profiles received from the transmitter having the same end-user identifiers.

Accordingly, a user friendly way is provided for updating existing access profiles stored at said central server (identity data management server). Thus, there is no need to perform such an update directly at said systems or directly at said identity data management server. Instead, the update is performed via said identity management system, which thus acts as a platform for such a prior art identity data management server.

In one embodiment, the end-users are connected to the input unit over a communication channel and wherein the received request is provided by filling out an electronic access profile template comprising a questionnaire, the questionnaire containing a number of questionnaire elements each being associated with an identifier identifying the questionnaire elements.

Accordingly, the request from the end-user is an electronic request which the end-user can submit over, e.g., the internet. This could be of great advantage where, for example, an employee within a large organization is currently situated in China but is to be moved to the department in Germany. The employee could fill out the request by identifying the new role within the department in Germany and entering his/her preferred access rights to the systems that are relevant for his/her new job. As an example, the employee could currently belong to the booking department but be moving to the financial department.

In one embodiment, the questionnaire elements include one or more of the following questionnaire elements:

- the name of the end-user or the end-user's ID number,

- the systems coupled to a central server,

- the name of the manager of the end-user or the manager's ID number,

- the access levels within one or more of said systems, and

- the role of the end-user, the role identifying the position of the user within a given organization incorporating said systems.

In one embodiment, the received requests are provided by filling out an electronic access profile template comprising a questionnaire containing a number of questionnaire elements, each questionnaire element being associated with an identifier identifying the questionnaire elements, the system further comprising an access profile updater for updating said access profile templates when a system is added to the central server, or removed from the central server or updated at the central server, where in response to such adding, removing or updating, an identifier is issued identifying the changes being made in the systems, where the identifier is transmitted over the central server to the access profile updater which updates the electronic access profile template accordingly.

It follows that in case that a system is added, removed or upgraded the electronic access profile template will be updated. Thus, e.g. an existing user having an electronic access profile can be provided an additional access after e.g. adding a new system to the existing systems. Thus, it is not necessary to generate a new access profile for that particular end-user.

In one embodiment, the communication channel is a wireless or wired communication channel. This could, for example, be the internet, Bluetooth, a LAN, fiber optic cables and the like.

In one embodiment, the identity management system further comprises a memory for storing the electronic access profiles.

Accordingly, within said system all the existing electronic access profiles are stored, thus enabling a later access to them to update them etc.

In one embodiment, the input unit, the identity management module and the transmitter are integrated into an access profile management server.

In one embodiment, the requests made by said end-users are electronic requests and wherein the input unit is a receiver adapted to receive the electronic requests from the end-users.

According to another aspect, the present invention relates to a method of assigning end-users with access rights to systems coupled to a central server, the method comprising:

- receiving a request from the end-users, the request including information identifying the end-users and the requested access rights to at least one of the systems,

- generating electronic access profiles for the end-users based on the received requests, the electronic access profiles including end-user identifiers identifying the end-users and access rules associated to the end-user identifiers defining the access rights to the systems, and

- transmitting the end-user identifiers and the associated access rules to the central server, wherein the method further comprises:

- establishing access rights for the end-users by forwarding the received end-user identifiers and the access rules to the systems, and

- updating existing electronic access profiles and establishing access rights to the systems based on the updated electronic access profiles.

In one embodiment, the systems coupled to a central server are associated to a particular organization, and wherein the end-users are employees of said organization.

A particular advantage of the present invention is within all kinds of organizations of all sizes, particularly larger organizations where the number of systems can be hundreds or even thousands.

In one embodiment, the employees are new employees, employees moving between divisions within said organization, or employees ceasing their work.

In one embodiment, prior to transmitting the end-user identifiers and the access rules, the method further includes the step of:

- accepting the request from the end-users, and subsequently

- granting access to said systems, the granting further including issuing a confirmation indicating that the request has been granted.

According to still another aspect, the present invention relates to a computer program product for instructing a processing unit to execute the above mentioned method steps when the product is run on a computer.

According to yet another aspect, the present invention relates to a platform for assigning end-users with access rights to systems coupled to a central server, comprising:

~~ an input unit for receiving requests from the end-users, the requests including information identifying the end-users and the requested access rights to at least one of the systems, ~ ~ an identity management module for generating an electronic access profile for the end-users based on the received requests, the electronic access profiles including end-user identifiers identifying the end-users and access rules associated to the end-user identifiers defining the access rights to the systems, and ~ a transmitter for transmitting the end-user identifiers and the associated access rules to the central server, wherein the central server is adapted to establish access rights to the systems for the end-users by forwarding the received end-user identifiers and the access rules to the systems, the central server further being adapted to update existing electronic access profiles and establish access rights to the systems based on the updated electronic access profiles.

Accordingly, it is possible to implement the present platform on top of pre-existing identity management servers.

In one embodiment, the identity data management server is a Microsoft Identity Integration Server® (MIIS).

The aspects of the present invention may each be combined with any of the other aspects. These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention will be described, by way of example only, with reference to the drawings, in which

Figure 1 shows an embodiment of an identity management system according to the present invention for assigning an end-user with access rights to systems coupled to a central server,

Figure 2 shows another embodiment of an identity management system shown in Fig. 1,

Figure 3 shows a flowchart of an embodiment of a method according to the present invention for assigning an end-user with access rights to systems coupled to a central server,

Figure 4 shows a platform according to the present invention for assigning an end-user with access rights to systems coupled to a central server integrated between a pre-existing server and end-user interface,

Figure 5 depicts graphically one example of a user interface, and

Figures 6a and 6b depict an embodiment of data cleaning and attestation.

DESCRIPTION OF EMBODIMENTS

Figure 1 shows an embodiment of an identity management system 100 according to the present invention for assigning an end-user 103 with access rights to systems 120 coupled to a central server 106. The identity management system 100 comprises an input unit (I_U) 101, an identity management module (I_M_M) 102 and a transmitter (T) 112.

The input unit (I_U) 101 is adapted to receive a request from the end-user 103, the request including information identifying the end-user 103 and the requested access rights to at least one of the systems 120.

The identity management module (I_M_M) 102 is adapted to generate an electronic access profile 110 for the end-user 103 based on the received request, where the electronic access profile includes an end-user identifier identifying the end-user 103 and access rules associated to the end-user identifier defining the access rights to the systems 120.

The transmitter (T) 112 is adapted to transmit the end-user identifier and the associated access rules 105 to the central server 106. The central server 106 is adapted to establish access rights to the systems 120 for the end-user 103 by forwarding the received end-user identifier and the access rules 105 to the systems 120.

The central server 106 is a kind of state machine that contains the valid state of all connected systems 120-125, including the identity management system. It has specific connectors to each of the external systems to which access rules are applied, i.e. it knows specifically where and how to apply access rules.

In an embodiment, the central server 106 is an identity data management server. This may, for example, be a "Microsoft Identity Integration Server 2003" or a "Microsoft Identity Lifecycle Manager 2007". Typically, such servers are adapted to store and integrate the access profiles of an organization/company with multiple directories. Accordingly, such a central server provides organizations with a unified view of all known identity information about users, applications and network resources, and of the access status each individual (an employee, for example) has to the systems coupled to the server. A typical prior art identity data management server works such that it receives identity information from the connected systems and stores the information in the connector space as connector space objects, e.g. CSEntry objects in the case where the central server 106 is MIIS. The CSEntry objects are then mapped to entries in the metaverse called metaverse objects or MVEntry objects. This process allows data from separate connected data sources to be mapped to the same MVEntry object. For example, an organization's e-mail system can be linked to its human resources database through the metaverse. As an example, MIIS 2003, Enterprise Edition, includes support for a wide variety of identity repositories, including the following:

- network operating systems and directory services such as Microsoft Windows NT, Active Directory, Active Directory Application Mode, IBM Directory Server, Novell eDirectory, Resource Access Control Facility (RACF), SunONE/iPlanet Directory, X.500 systems, and other metadirectory products;
- e-mail systems such as Lotus Notes and Domino and Microsoft Exchange 5.5;
- applications/systems such as PeopleSoft, SAP, ERP, telephone switches, and XML- and DSML-based systems;
- databases such as Microsoft SQL Server, Oracle, Informix, dBase and IBM DB2; and
- file-based formats such as DSMLv2, LDIF, CSV, delimited, fixed width and attribute-value pairs.
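The connector space / metaverse join just described, modelled in Python as an added example; this is not code from the patent, from Omada or from MIIS. The source names `hr`, `mail` and `ad`, the join attribute per source, the precedence table and the sample records are all constructed for the example (in a real MIIS deployment the join and attribute-flow rules are configured per management agent). What it shows is the part that matters for access control: records describing the same person are merged only on an explicit identifier, the authoritative source wins for each attribute, and anything that cannot be joined is reported instead of silently merged.

```python
"""Added example: joining connector-space entries into metaverse objects.

Each connected system exports its identity records into a connector space
(CSEntry). Entries from different sources that carry the same employee
identifier are joined into one metaverse object (MVEntry), and attribute
precedence decides which source is authoritative for each attribute.
Join keys, precedence and the sample records are constructed here.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CSEntry:
    source: str        # connected system the record came from, e.g. "hr"
    attributes: dict   # attributes exactly as that system exported them


@dataclass
class MVEntry:
    employee_id: str
    attributes: dict = field(default_factory=dict)
    sources: set = field(default_factory=set)


# Per-source join rule: which attribute carries the employee identifier (assumed names).
JOIN_ATTRIBUTE = {"hr": "emp_no", "mail": "employeeID", "ad": "employeeNumber"}

# Attribute flow precedence: the first listed source that has the attribute wins.
PRECEDENCE = {
    "displayName": ["hr", "ad", "mail"],
    "mail": ["mail", "ad"],
    "department": ["hr"],
}


def join_key(entry):
    """Return the normalised employee identifier, or None if the record has none."""
    value = entry.attributes.get(JOIN_ATTRIBUTE[entry.source])
    return str(value).strip().upper() if value else None


def build_metaverse(entries):
    """Join connector-space entries on employee id and resolve attribute precedence.

    Returns (metaverse, unjoined): records without a usable join key are
    returned separately rather than being guessed into an existing object.
    """
    grouped = {}   # employee_id -> {source -> attributes}
    unjoined = []
    for entry in entries:
        key = join_key(entry)
        if key is None:
            unjoined.append(entry)
            continue
        grouped.setdefault(key, {})[entry.source] = entry.attributes

    metaverse = {}
    for key, per_source in grouped.items():
        mv = MVEntry(key, sources=set(per_source))
        for attr, order in PRECEDENCE.items():
            for source in order:
                if source in per_source and attr in per_source[source]:
                    mv.attributes[attr] = per_source[source][attr]
                    break
        metaverse[key] = mv
    return metaverse, unjoined


def orphan_accounts(metaverse, authoritative="hr"):
    """Identities known to some connected system but absent from the authoritative source."""
    return sorted(k for k, mv in metaverse.items() if authoritative not in mv.sources)


# Constructed sample export from three connected systems.
SAMPLE_ENTRIES = [
    CSEntry("hr", {"emp_no": "e1001", "displayName": "Ann Example", "department": "Finance"}),
    CSEntry("hr", {"emp_no": "e1002", "displayName": "Bo Example", "department": "Booking"}),
    CSEntry("mail", {"employeeID": "E1001", "mail": "ann@example.test", "displayName": "A. Example"}),
    CSEntry("ad", {"employeeNumber": "E1001", "mail": "ann.old@example.test", "displayName": "ann"}),
    CSEntry("ad", {"employeeNumber": "E1003", "displayName": "svc-legacy"}),  # no HR record
    CSEntry("ad", {"displayName": "no-id-account"}),                          # no join key at all
]

if __name__ == "__main__":
    mv, unjoined = build_metaverse(SAMPLE_ENTRIES)
    for key, obj in sorted(mv.items()):
        print(key, sorted(obj.sources), obj.attributes)
    print("orphans:", orphan_accounts(mv))
    print("unjoined:", [e.attributes for e in unjoined])
```

The orphan check is the operationally useful part: an account that exists in a directory but has no record in the authoritative HR source is exactly the stale or unofficial identity an access review should surface, and a record with no join key is never merged on a best-effort match such as display name.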

According to the present invention, the central server 106 has access profiles stored therein. These access profiles can then be updated in a user friendly way for an end-user. In one embodiment, this is done by the identity management system 100 by means of transmitting said end-user identifier and the associated access rules 105 to the central server 106, which then updates the access profiles stored at the central server 106. By updating the previously stored access profiles, the access rights to the various systems coupled to the server 106 will be updated by forwarding the information in the updated access profiles to said systems 120-125.

In one embodiment, the identity management system 100 further comprises a memory 111 having among others stored therein the electronic access profiles for various end-users and a software program containing a software code for instructing a processing unit (not shown) to perform the above mentioned steps.

As depicted in the scenario illustrated in Fig. 1, the access rights include access to three systems, namely systems (S1) 121, (S3) 122 and (S6) 123. In this example, the ID identifier identifies the end-user 103, e.g. via an identification number provided within the organization the end-user is employed by, and the access rules identify the access rights to the systems 120. In one embodiment, the access rights comprise which of the systems 120 the end-user 103 is to have access to, plus at which access level, since some (or all) of the systems may be provided with various access levels.

In one embodiment, the request received from the end-user 103 is provided by filling out an electronic access profile template comprising a questionnaire containing a number of questionnaire elements, each being associated with an identifier identifying the questionnaire elements, and wherein the input unit (I_U) 101 is a receiver adapted to receive the electronic request from the end-user 103. The electronic access profile template will be discussed in more detail later.

As depicted here, the end-user 103 may be connected to the input unit (I_U) 101 over a communication channel 118, 119, such as the Internet 119, or via a personal area network (PAN) such as Bluetooth, ZigBee, Ambient Network and the like, or via a wired communication channel 118 such as fiber optic cables. The received request may be provided by filling out an electronic access profile template comprising a questionnaire, the questionnaire containing a number of questionnaire elements each being associated with an identifier identifying the questionnaire elements. Accordingly, the user could be sitting anywhere in the world and simply, e.g. over the Internet, fill out said request form.

In one embodiment, the questionnaire elements include one or more of the following questionnaire elements:

- the name of the end-user or the end-user's ID number,

- the systems coupled to a central server,

- the name of the manager of the end-user or the manager's ID number,

- the access levels within one or more of said systems, and

- the role of the end-user, the role identifying the position of the user within a given organization incorporating said systems.

In one embodiment, the system further comprises an access profile updater (A_P_U) 114 for updating said access profile template when a system 124, 125 is added to the central server, removed from the central server or updated at the central server. In such cases, an identifier 117 is issued, either by the new/updated systems 124, 125 or by the central server 106, identifying the changes made in the systems, and is subsequently transmitted via the central server to the access profile updater (A_P_U) 114. The access profile updater (A_P_U) 114 then updates the electronic access profile template accordingly. If the access profile template is stored in the memory 111, the access profile updater (A_P_U) would update this pre-stored template.

In one embodiment, the input unit (I_U) 101, the identity management module (I_M_M) 102, the transmitter (T) 112 and the memory 111 are integrated into an access profile management server 130.

Figure 2 shows another embodiment of the identity management system 100 shown in Fig. 1, where in this embodiment the system further comprises a managing accepter (AU) 201 for evaluating the requested access rights for said end-user 103, the evaluation resulting in accepting or rejecting the requested access rights. The managing accepter (AU) 201 could e.g. be the manager within a given organization who takes a look at the request from the end-user 103, or the managing accepter (AU) 201 could be an automatic process performed by a processing unit. In this embodiment, the identity management system 100 further comprises an administrator (AD) 202 for granting or rejecting the evaluation from the managing accepter (AU) 201, the granting resulting in issuing a confirmation signal for the requested access rights, where the transmitting of the end-user identifier and the access rules 105 is performed after issuing the confirmation signal. Referring to the example above, if the managing accepter (AU) 201 is the manager/boss of the end-user 103, the administrator (AD) 202 could be the general director or a department within the organization which gives the final acceptance for the request. Also, the administrator (AD) 202 could be a computer system or the like which, in accordance with a pre-defined set of rules, automatically accepts or rejects the acceptance from the managing accepter (AU) 201.

Figure 3 shows a flowchart of an embodiment of a method according to the present invention for assigning an end-user 103 with access rights to systems 120 coupled to a central server 106.

The method includes receiving a request from the end-user (S1) 301, where the request includes information identifying the end-user and the requested access rights to at least one of the systems. The access rights may e.g. include which systems the end-user wants to have access to and which access levels the end-user prefers. Such a request could e.g. be received via a phone call where the user calls the human resource department within a given organization giving his/her ID number and the systems he/she wishes to access, or via a written request form, or by filling out an electronic access profile template.

Subsequently, an electronic access profile is generated (S2) 302 for the end-user based on the received request, the electronic access profile including an end-user identifier identifying the end-user and access rules associated to the end-user identifier defining the access rights to the systems. Accordingly, an electronic access profile is provided and stored e.g. in said memory 111 or an external memory (not shown).

Subsequently, the end-user identifier and the associated access rules are transmitted (S3) 303 to the central server, which then establishes access rights to the systems for the end-user by forwarding the received end-user identifier and the access rules to the systems.

A typical scenario of implementing said method steps is where the end-user is an employee of an organization and this user is moving from one department to another department within the same organization, or where the end-user is a new employee. In the former case, an existing profile is updated, meaning that the new request replaces the previous request in the existing electronic access profile, whereas in the latter case a new electronic access profile is generated, or, if the end-user was a previous employee within the organization, the previous electronic access profile is re-activated and eventually updated.

In an embodiment, prior to transmitting the end-user identifier and the access rules, the method further includes the step of accepting or rejecting the request from the end-user (S4) 304 and subsequently, in case of accepting, granting access to said systems (S5) 305, the granting further including issuing a confirmation indicating that the request has been granted.

Figure 4 shows a platform 402 according to the present invention for assigning an end-user with access rights to systems coupled to a central server, integrated between a pre-existing server 403 having a number of systems 404 coupled thereto and an end-user interface 401.

The platform comprises said input unit (I_U) 101 for receiving a request from the end-user, the request including information identifying the end-user and the requested access rights to at least one of the systems, said identity management module (I_M_M) 102 for generating an electronic access profile for the end-user based on the received request, the electronic access profile including an end-user identifier identifying the end-user and access rules associated to the end-user identifier defining the access rights to the systems, and said transmitter (T) 112 for transmitting the end-user identifier and the associated access rules to the central server, the central server being adapted to establish access rights to the systems for the end-user by forwarding the received end-user identifier and the access rules to the systems.

As shown, the end-user interface 401 is depicted where e.g. the end-user fills out an electronic access profile form in which he/she enters e.g. the ID number, the department he/she belongs to, the systems to be accessed, the access levels within the systems etc. This interface could e.g. be Microsoft Office® InfoPath, Web forms, and the like. The platform 402 is accordingly placed on top of a central server, preferably a pre-existing identity integration server 403 or an identity data management server, e.g. a Microsoft Identity Integration Server® (MIIS).

The central server is coupled to multiple systems 404, such as SAP systems including service access points (SAP). These can e.g. be Active Directory, Exchange Server and the like.

Figure 5 depicts graphically one example of a user interface 401, where the end-user begins by selecting whether he/she is a "joiner" (new employee) 501, a "mover" (moving between departments within the same organization) 502, a "leaver" (stopping) 503 etc. Accordingly, by selecting e.g. the "joiner" function, the end-user 103 selects which systems he/she wants access to and possibly which access levels he/she wants to have on the selected systems.
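As an added illustration (not code from the patent or from Omada), the following Python sketch walks the method of Figure 3 (S1 receive, S2 generate the profile, S4/S5 accept and grant, S3 transmit) for the joiner, mover and leaver cases selected in Figure 5. The CentralServer class, the dictionary shape of the request and the use of access level "none" to express a leaver are assumptions of this example.

```python
from dataclasses import dataclass, field

class CentralServer:
    """Constructed stand-in for the central server (106): records what it
    forwards to each coupled system instead of contacting real systems."""
    def __init__(self, systems):
        self.systems = set(systems)
        self.forwarded = []                 # (system, user_id, access_level)

    def establish(self, user_id, rules):
        for system, level in rules.items():
            if system not in self.systems:
                raise ValueError(f"{system} is not coupled to the central server")
            self.forwarded.append((system, user_id, level))

@dataclass
class AccessProfile:                        # the electronic access profile of S2
    user_id: str                            # end-user identifier
    rules: dict = field(default_factory=dict)   # system -> access level
    active: bool = True

class AccessProfileManager:
    """Input unit, identity management module and transmitter (server 130)."""
    def __init__(self, server):
        self.server = server
        self.memory = {}                    # stored profiles, keyed by identifier

    def process(self, request, manager_accepts, admin_grants):
        # S1: the request names the end-user, the joiner/mover/leaver case
        # and the requested systems with their access levels.
        uid, action = request["user_id"], request["action"]
        previous = self.memory.get(uid)
        # S2: build the candidate profile; stored state is not touched yet.
        if action == "leaver":
            if previous is None:
                return "rejected"
            # Assumption: leaving is expressed as level "none" on every system
            # the user held, so each system can revoke the account.
            candidate = AccessProfile(uid, {s: "none" for s in previous.rules}, False)
        else:                               # joiner, mover or re-hired former employee
            candidate = AccessProfile(uid, dict(request["rules"]), True)
        # S4/S5: managing accepter evaluates, administrator grants; only a
        # confirmed request is stored and transmitted.
        if not (manager_accepts(candidate) and admin_grants(candidate)):
            return "rejected"
        self.memory[uid] = candidate        # joiner: new, mover: replaced, leaver: deactivated
        # S3: transmit identifier and rules; the server forwards them to the systems.
        self.server.establish(uid, candidate.rules)
        return "granted"
```

A rejected mover request leaves the stored profile and the systems untouched, which is the property the two-stage acceptance is meant to give.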

Figure 6a depicts an embodiment of data cleaning and attestation.

Step 1 601 is an Algorithmic Pattern Matching. Here, an algorithmic pattern matching is performed on Enterprise Managed Systems to verify user accounts. This is the first step to reconciling system accounts with the Authoritative Identity and reducing much of the project cost. As an example, a pattern based matching may score 60-70% success rate on account mapping.

Step 2 603 is a Rules Based Matching. Business rules based matching is performed on Enterprise Managed Systems to verify user accounts. This is the second step to reconciling system accounts with the Authoritative Identity. As an example, rules based matching may score 20-30% success rate on account mapping.

Step 3 605 is a collaborative matching. Collaborative matching is performed on Enterprise Managed Systems to verify user accounts. This is the third step to reconciling system accounts with the Authoritative Identity and involves the users as 'Project Team'. As an example, collaborative matching may score 10-20% success rate on account mapping.

In figure 6b, an attestation (collaborative matching) of accounts on Enterprise Managed Systems is performed. This may be a periodic activity to verify user account ownership of reconciled accounts with the Authoritative Identity and involves the users as 'Project Team'. A collaborative matching may e.g. score 10-20% success rate on account mapping.
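The three matching stages of Figure 6a, as an added example that is not part of the patent: pattern matching on account names first, then business rules, with whatever remains handed to collaborative attestation by the project team. The sample identities and account records, the name patterns and the employee-ID rule are constructed for this illustration; an ambiguous pattern hit is deliberately not auto-mapped, since a wrong mapping would hand one person's account to another.

```python
import re

# Constructed sample data: the authoritative identity (e.g. the HR record)
# and the accounts found on one enterprise managed system.
AUTHORITATIVE = [
    {"emp_id": "E100", "first": "Anna", "last": "Jensen", "email": "anna.jensen@example.org"},
    {"emp_id": "E101", "first": "Bo", "last": "Larsen", "email": "bo.larsen@example.org"},
    {"emp_id": "E102", "first": "Carla", "last": "Madsen", "email": "cmad@example.org"},
    {"emp_id": "E103", "first": "Bent", "last": "Larsen", "email": "bent.larsen@example.org"},
]
SYSTEM_ACCOUNTS = [
    {"account": "ajensen", "description": ""},
    {"account": "blarsen", "description": "created for E103"},
    {"account": "cmad", "description": ""},
    {"account": "svc_backup", "description": "nightly backup job"},
]

def pattern_match(account, identities):
    """Step 1: algorithmic pattern matching on the account name. Only an
    unambiguous hit is accepted; several candidates fall through to step 2."""
    name = account["account"].lower()
    hits = [i for i in identities
            if name in ((i["first"][0] + i["last"]).lower(),
                        (i["first"] + "." + i["last"]).lower())]
    return hits[0]["emp_id"] if len(hits) == 1 else None

def rules_match(account, identities):
    """Step 2: business rules, here an employee ID recorded in the account
    description, or an account equal to the local part of the e-mail."""
    m = re.search(r"\bE\d{3}\b", account.get("description", ""))
    for i in identities:
        if m and m.group(0) == i["emp_id"]:
            return i["emp_id"]
        if account["account"].lower() == i["email"].split("@")[0].lower():
            return i["emp_id"]
    return None

def reconcile(accounts, identities):
    """Run the stages in order; what steps 1 and 2 cannot map is left for
    the collaborative matching (attestation) by the project team."""
    result = {"pattern": {}, "rules": {}, "collaborative": []}
    for acct in accounts:
        emp = pattern_match(acct, identities)
        if emp:
            result["pattern"][acct["account"]] = emp
        elif (emp := rules_match(acct, identities)):
            result["rules"][acct["account"]] = emp
        else:
            result["collaborative"].append(acct["account"])
    return result
```

The unmapped remainder (here a service account) is exactly the set that the periodic attestation of Figure 6b has to put in front of people.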

Certain specific details of the disclosed embodiment are set forth for purposes of explanation rather than limitation, so as to provide a clear and thorough understanding of the present invention. However, it should be understood by those skilled in this art, that the present invention might be practiced in other embodiments that do not conform exactly to the details set forth herein, without departing significantly from the spirit and scope of this disclosure. Further, in this context, and for the purposes of brevity and clarity, detailed descriptions of well-known apparatuses, circuits and methodologies have been omitted so as to avoid unnecessary detail and possible confusion.

Reference signs are included in the claims, however the inclusion of the reference signs is only for clarity reasons and should not be construed as limiting the scope of the claims.