Field of the Invention

[0001] The present invention relates generally to the field of directory services, and more particularly to methods and systems for managing directory information.

Background of the Invention

[0002] Traditionally, the function of extending an application directory schema, which typically involves adding and/or defining attributes, was exclusively an administrative function. Such administrative functions take a considerable amount of time to perform, and most application owners are not current app experts. Further, while the application owners know the business want these authorization attributes, they do not want to be concerned with how it is being done. Currently, the process requires a discussion or negotiation between an administrator and the application owner with a considerable amount of justification that is cumbersome and time-consuming and leads to costly delays.

[0003] There is a present need for methods and systems for managing directory information that address and overcome the problems of existing implementations and allow operational personnel to approve requests without lengthy negotiations with administrators.

[0004] Summary of the Invention

[0005] Embodiments of the invention employ computer hardware and software, including, without limitation, one or more processors coupled to memory and non-transitory computer- readable storage media with one or more executable programs stored thereon which instruct the processors to perform the methods and systems for managing directory information described herein.

[0006] Embodiments of the invention provide methods and systems for managing directory information including, for example, onboarding an enterprise Lightweight Director Access Protocol (LDAP) server that may involve receiving, using a processor coupled to memory, a request related to at least one application from a requestor in pre-determined business logic; acknowledging the request by an approver function likewise using the processor; and provisioning the request into the enterprise LDAP server in the predetermined business logic also using the processor.

[0007] In aspects of embodiments of the invention, receiving the request may involve, for example, receiving the request to provision an attribute for authorization to access the at least one application. In other aspects, receiving the request may involve, for example, receiving the request from a user to provision the user's own attribute for authorization to access the at least one application. In further aspects, receiving the request to provision the attribute for authorization may involve, for example, receiving the request to provision an attribute defining a user within the attribute. In additional aspects, receiving the request to provision the attribute defining a user may involve, for example, receiving the request to provision a string type attribute defining the user within the attribute.

[0008] In other aspects of embodiments of the invention, receiving the request in predetermined business logic may involve, for example, translating the request into LDAP logic. In additional aspects, receiving the request may involve, for example, receiving the request on form fields displayed by a web-based internal application of an enterprise. In further aspects, receiving the request may involve, for example, receiving the request for at least one of delegating or removing an application owner, creating or deleting a function identifier (ID), creating a custom attribute, granting or revoking functional ID access to a custom attribute, creating or deleting a dynamic LDAP group, assigning a dynamic group administrator, and adding or removing a member from a dynamic LDAP group. In additional aspects, receiving the request may involve, for example, receiving the request for at least one of managing functional ID Internet Protocol (IP) address restriction, functional ID password reset, manage enterprise entitlement review system (EERS) feed, and update functional ID contact mail address.

[0009] In further aspects of embodiments of the invention, acknowledging the request may involve, for example, acknowledging the request by at least one of an application owner, an enterprise LDAP owner, a single sign-on (SSO) owner, and an enterprise LDAP group administrator. In still further aspects, acknowledging the request may involve, for example, acknowledging all requests by the application owner. In other aspects, acknowledging the request may involve, for example, reviewing the request and acknowledging the request in a pre-determined automated sequence. In still other aspects, acknowledging the request in the pre-determined automated sequence may involve, for example, approving the request without requiring justification of a need for the request.

[0010] In additional aspects of embodiments of the invention, approving the request may involve, for example, sending the request to a queue for the approver function. In other aspects, provisioning the request may involve, for example, creating an application role as an attribute. In further aspects, provisioning the request may involve, for example, granting functional ID access for the application on an application role attribute. In still further aspects, provisioning the request may involve, for example, defining an application role attribute as a LDAP group. In still other aspects, provisioning the request may involve, for example, performing lookups using a LDAP logic translation of the pre-determined business logic.

[0011] These and other aspects of the invention will be set forth in part in the description which follows and in part will become more apparent to those skilled in the art upon examination of the following or may be learned from practice of the invention. It is intended that all such aspects are to be included within this description, are to be within the scope of the present invention, and are to be protected by the accompanying claims.

Brief Description of the Drawings

[0012] Fig. 1 is a table that illustrates examples of attributes that are not presently available via existing single sign-on (SSO) Lightweight Directory Assistance Protocol (LDAP) services that are made available by embodiments of the invention;

[0013] Fig. 2 is a flow chart that illustrates an overview example of the process of onboarding and maintaining applications from an application owner's perspective for embodiments of the invention;

[0014] Fig. 3 is a schematic diagram which illustrates an overview example of components and the flow of information between components for embodiments of the invention; and

[0015] Fig. 4 is a flow chart that illustrates an example of the process of onboarding an enterprise LDAP server according to embodiments of the invention.

Detailed Description [0016] Reference will now be made in detail to embodiments of the invention, one or more examples of which are illustrated in the accompanying drawings. Each example is provided by way of explanation of the invention, not as a limitation of the invention. It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the scope or spirit of the invention. For example, features illustrated or described as part of one embodiment can be used in another embodiment to yield a still further embodiment. Thus, it is intended that the present invention cover such modifications and variations that come within the scope of the invention.

[0017] Embodiments of the invention provide methods and systems for managing directory information that enables application owners, who are typically also the end users of an application, to provision their own attributes for authorization purposes. Fig. 1 is a table 100 that illustrates examples of attributes that are not presently available via existing single sign-on (SSO) Lightweight Directory Assistance Protocol (LDAP) services and which are made available by embodiments of the invention. Typically, such attributes may be string type attributes wherein, for example, a particular user may be defined within the attribute. For example, a user profile may have an attribute called "role" for which the value may be set as "admin", which means that the user is an administrator of some type. Embodiments of the invention enable the owner of an application who understands his or her business and also understands the user's role, in turn, to translate that understanding into LDAP and provision it for a particular application.

[0018] Fig. 2 is a flow chart that illustrates an overview example of the process of onboarding and maintaining applications from an application owner's perspective for embodiments of the invention. Fig. 3 is a schematic diagram which illustrates an overview example of components and the flow of information between components for embodiments of the invention. Referring to Figs. 2 and 3, the process may follow a sequence executed on an internal application 300 of the enterprise. As a brief overview of the functionality of such an internal application 300, within an enterprise, every service or product may be ordered through the internal application 300. The internal application 300 may include, for example, various forms and involve workflows that allow users to order from the application in a manner somewhat similar to an e-commerce form. Thus, a user may order a service or product which is then submitted for approval and after approval, the product or service is delivered.

[0019] Referring to Fig. 2, embodiments of the invention may involve a number of roles within the LDAP service of the enterprise. Such roles may include, for example, a requestor 200, a systems inventory application owner 202, an enterprise LDAP owner 204, a single sign-on (SSO) owner 206, and an enterprise LDAP group administrator 208. Referring to Fig. 3, it is noted that a systems inventory server 302 may store all application details for the enterprise. Thus, the systems inventory server 302 may be a repository of the enterprise with which all of its applications are registered.

[0020] Referring further to Figs. 2 and 3, assume, for example, that an application owner 202 wants to define rules for the application, referred to herein as app rules. In order to accomplish this, the application owner 202 may log in as a requestor 200 to the internal application 300 for embodiments of the invention. Generally, the application manager 202 is in charge of an enterprise systems inventory application. The application manager 202, as the requestor 200, may recognize, for example, that he or she may not be available at a particular time and that it would not be good to interrupt a process of the application because of such unavailability. Thus, at 2081, the app owner 202 may assign his or her delegates.

[0021] Once that is done, the requestor 200, who may be the application owner 202 or someone else, may request a functional ID with the enterprise LDAP server 304. Any system application user or other person who needs to connect to the enterprise LDAP 304 must prove or authenticate himself or herself to the LDAP 304 in order to obtain the connection. The user's functional ID may be used to make the LDAP server 304 aware of the user's entitlement to access. Applications may use a functional ID to connect to the LDAP server 304 in order, for example, to enter a modification or query.

[0022] Referring again to Figs. 2 and 3, at 2082, the application owner as requestor 200 may create a functional ID for the application with the enterprise LDAP server 304. Form fields for the create functional ID process at 2082 may include, for example, functional ID identifier, application support group mail alias, justification, additional comments, and a reason for the request. It is to be understood that instead of requiring the requestor 200 to provide an administrator a justification in the sense of proving a need, for example, to create the functional ID, it is only necessary for the requestor 200 to provide the reason for requesting the creation of the functional ID. [0023] Approval of the functional ID creation may be performed by the enterprise LDAP owner 204 and the SSO team 206, which is an operational team. It is to be further understood that the approval is automated, so that when a request is received, it is only necessary for the approver to review and approve the request. There is no need for the requestor 200 to negotiate, for example, with an administrator, because the process is a predetermined, automated process in which a request is simply reviewed. If everything appears to be in order, the request is approved. Thus, it is not necessary, for example, for someone to return to the LDAP server behind the scenes and run customized commands and the like.

[0024] Referring further to Figs. 2 and 3, after the functional ID is created, at 2083, the requestor 200 may request, for example, the creation of a custom attribute, such as "app role". Accordingly, after the approval, an "app role" may be created as the attribute. Form fields for the process to the custom attribute may include, for example, application ID, attribute identifier, derived attribute name, attribute alias, attribute option, reason for the request, and additional comments. Once the attribute is created, at 2084, functional ID access to the customer attribute may be granted or revoked. After creating the functional ID at 2082 and creating the custom attribute at 2083, they may be bound together at 2084. At 2084, access may be granted to the functional ID on the attribute, and access may likewise be revoked. Thus, an application owner as requestor 200 has complete control over determining which functional IDs can update attributes, and if the application owner judges that someone should not have access, that person's access may be revoked. In the past, granting and revoking functional ID access to attributes required the application owner to call up, for example, the administrator or first level support personnel and channel such grant or revocation through one of those entities, which was extremely time consuming.

[0025] Referring once more to Figs. 2 and 3, as noted above, after the attribute is created at 2083, it may be necessary to bind the attribute providing, in effect, that a functional ID for the application has complete access over the particular attribute, "app role" at 2084. Thus, no other application may be allowed to update the particular attribute. For this purpose, form fields for the grant access to functional ID process may include blanks for entry, for example, of application ID, attribute, to whom the application ID functional ID belongs, functional ID, access type, whether the access (ACI) already exists, whether the LDAP service is required to have IP based restrictions for the particular functional ID, acknowledgements, source IP restriction, reason for the request, and additional comments. It is to be understood that granting functional ID access to the custom attribute at 2084 is complex on the backend because many things must be managed. For example, access control information (AO's) must be designed. Such AO's may consist of access control lists which tell the LDAP server 304 which functional IDs and other IDs have what type or types of access within the LDAP service. Thus, after approval, at 2084, functional ID access may be granted for the particular application on the "app role" attribute.

[0026] Referring also to Figs. 2 and 3, at 2085, the "app role" attribute may be defined as a LDAP group. This means, for example, that anyone who has "app role" equals "admin" would fall under an admin group, and anyone who has "app role" equals "user" would fall under a user group. Form fields for the create dynamic LDAP group may include, for example, application ID, attribute name, attribute value, dynamic group name, does this LDAP already exist in the enterprise LDAP server 304, does the application own the chosen LDAP group name in the enterprise SSO LDAP server 306, is an enterprise entitlement review system EERS feed 308 required and related fields, reason for the request, and additional comments. In addition, at 2086, administrators may be added who will represent the application and may be allowed to add or remove people from the LDAP group or from the "app role". Form fields for the assigning group administrator process may include, for example, application ID, dynamic group name, administrator user ID, test if the user ID is already an administrator, reason for the request, and additional comments. It is to be understood that the approvals referred to in each of the foregoing processes is an

acknowledgment rather that a granting of permission.

[0027] Referring again to Fig. 2, additional processes for embodiments of the invention may include, for example, managing functional ID and IP address restriction 2088 by which source IP addresses from which a functional ID can connect may be restricted. Thus, an unauthorized person who acquires a functional ID and password cannot connect from a server other than via connections that have been pre-assigned and pre-approved. Form fields for the manage functional ID/IP address restriction may include, for example, attribute application ID, attribute, to whom does application ID functional ID belong, functional ID, access type, does the access (AO) already exist, ACI, current IP address restriction, new IP address restriction, new ACI, acknowledgements, reason for the request, and additional comments. Another process may involve functional ID password reset 2089, so that someone who needs to reset a password may accomplish this as well. At the same time, an enterprise paradigm may require a review of all accesses that everyone at the enterprise may have. Form fields for the functional ID password reset process may include, for example, application ID, functional ID, password, reason for the request, and additional comments. Using an EERS feed setting process 2090, applications may also be allowed to opt in or out of a feeder process in which the type or types of access a particular person or user profile is fed to an (EERS) 308. In an update functional ID contact mail address process 2091, primarily for operational purposes, contacts may be set, for example, if system maintenance or a system upgrade is being performed about which a contact address may be needed.

[0028] It is to be noted that the foregoing processes are illustrated from a high level point of view of an app owner or application. It is not necessary, for example, for the application to know how the LDAP service is constructed or how it works behind the scenes. In embodiments of the invention, the world of the LDAP is translated into a business world wherein the process is defined in business terms instead of LDAP terms and provisioned into the enterprise LDAP server 304.

[0029] Referring to Fig. 3 a component of the invention is the enterprise LDAP server 304 which may be characterized as a hub of the functionality for embodiments of the invention. Another component is the enterprise SSO LDAP server 306 which may be, for example, a repository of all the internal users, which may include employees as well as consultants and others who are not customers, such as consumers and business customers. The enterprise SSO LDAP server 306 stores user IDs, passwords and various profile details for such internal users. A function of the enterprise SSO LDAP server 306 is to enable single sign-on in which a user may access multiple applications using the same user ID and password. Thus, all enterprise applications point to a web access management (WAM) tool, which is in turn coupled to the enterprise SSO LDAP server 306. The enterprise SSO LDAP server 306 may be characterized as a type of authentication system, although it is not intended to function as a full-fledged authorization system in which an application can connect directly into whatever resource it needs or wants. However, the enterprise SSO LDAP server 306 was designed and functions as an authentication system that stores user ID's and passwords for all the users in the enterprise that perform single sign-on.

Embodiments of the invention involve a solution in which the enterprise LDAP server 304 provides the authorization information. The enterprise LDAP server 304 not only provides the authorization information but also manages the information on its own. Thus, it is not necessary for enterprise applications to ask any of the enterprise support teams,

administrative teams, engineering teams or operations teams to do anything specific for them. [0030] Referring further to Fig. 3, other components for embodiments of the invention include, for example, EERS feed 308 and RITS feed 310 which initialize the enterprise LDAP server 304. The EERS feed 308 and RITS feed 310 serve as sources populated from the human resources (HR) system within the enterprise LDAP server 304. For example, the RITS feed 310 receives its files from the HR system and feeds all the user details into the enterprise LDAP server 304 for embodiments of the invention. A reason for having a lookup 312 into the enterprise SSO LDAP server 306 is to avoid a situation in which a group or role may have already been defined in the enterprise SSO LDAP server 306. Apart from that issue, the system for embodiments of the invention is literally independent.

[0031] Referring still further to Fig. 3, as previously mentioned, embodiments of the invention include within the enterprise an internal application 300 through which every service or product may be ordered. An application owner or application admin may login to the internal application 300, which is a web-based application, and invoke all of the products previously discussed herein, including without limitation, the functionality for creating attributes and ACIs, associating attributes and functional ID's, and all the other steps in order to manage a dynamic LDAP group. The enterprise identity management (IDM) service 314 functions somewhat as a backend for the enterprise internal application 300. Thus, the enterprise internal application asset 300 functions as a workflow engine, and the IDM service 314 functions as a provisioning engine. Once an approval is made, the process goes to the enterprise identity management (IDM) service 314 and in turn to the enterprise LDAP server 304 and performs the provisioning previously defined within the IDM system 314, such as custom attributes, dynamic group definition ACI's, and entries in functional ID's.

[0032] Referring again to Fig. 3, the CIMS web services 316 provides information, for example, to look up user profiles, ACIs, and dynamic groups which are defined to enable enterprise internal application lookups, because a significant number of lookups occur within the workflow. Embodiments of the invention ensure that when lookups are performed, the business logic remains intact and all that is being done is translating the lookups into LDAP requirements. Thus, a considerable portion of the functions for embodiments of the invention goes into the CIMS search service 316 and also the IDM service 314 where much of the translation occurs. That also forms a part of the backend for embodiments of the invention, because it enables applications to be independent. Other components, such as the enterprise systems inventory 302, where details of all enterprise applications are stored, are provided primarily for looking up application details. In embodiments of the invention, an application manager delegates to an application owner within the enterprise LDAP server 304, so a preliminary action is using an enterprise systems inventory to perform a look-up 318 and to identify the application manager, because that is the only person who is entitled to approve system requests. Once the application manager assigns a delegate, the system for

embodiments of the invention becomes practically self-sustaining. Further, that is done only once in the lifecycle of the application at the initiation of a project.

[0033] Again referring to Figs. 2 and 3, as previously noted, the requestor 200 may be the application owner 202 or any enterprise employee other than the application owner. The application owner 202 is identified by using the enterprise inventory system look-up 318. While any enterprise employee may be a requestor 200, the application owner 202 must approve any action requested. In embodiments of the invention, the application owner 202 is the person or role who would typically log in to the enterprise internal application 300.

However, any of the roles defined in Fig. 2, such as the requestor 200 or the approver roles may log in to the enterprise internal application 300. At 2081, the application owner 202 is looked up on the enterprise systems inventory 302 prior to approval. At the same time, the enterprise internal application 300 has the relevant forms, and after an approval, the process proceeds to the enterprise IDM server 314, which creates the delegates. At 2082, wherein functional ID's are created, a similar model is followed. Thus, a user logs into the enterprise internal application 300 and fills in a form, after which the process proceeds to the enterprise IDM server 314 and is provisioned into the enterprise LDAP server 304, and the process is iterated several times from 2081 through 2086.

[0034] Additional processes which do not follow a particular sequence include, for example, manage functional ID IP address restriction 2088, functional ID password reset 2089, manage EERS feed setting 2090, and update functional ID contact mail address 2091. While not performed in any particular order, the process of each of those functions follows a similar model.

[0035] In embodiments of the invention, the components involved in any invocation of the process include, for example, the enterprise internal application 300, the enterprise IDM server 314, and the enterprise LDAP server 304 using the CIMS search service 316 and the CSI service 302. In each case, a user may be provided with a form which helps the user, for example, with looking up values, details of applications, details of attributes, functional ID's, and LDAP groups. [0036] In the past, the onboarding process required negotiations with and approval by an administrator in which the application owner or representative of the application owner called up the SSO team or the LDAP team and asked to create an attribute. In response, the owner or representative was asked to provide a justification for the requested attribute. In addition, the owner or representative was asked to describe the kind of attributes being requested and the number of such attributes. Again, the owner or representative was required to justify a need for the number of attributes. Thereafter, it was necessary to log on the LDAP server and run several commands, for example, to first create an attribute in the schema and then to create ACIs. It is self-apparent that such process was a burdensome administrative task which required the administrator to take time to create files in which the ACFs were defined to restrict access to a functional ID and attribute. Even after all that was done, testing on development was required, in which development staging for a cycle was required to be followed. The process was entirely manual and without standards and required an inordinate amount of time.

[0037] Fig. 4 is a flow chart that illustrates an example of the process of onboarding an enterprise LDAP server according to embodiments of the invention which overcome those problems and allow operational personnel to approve requests without lengthy negotiations with administrators. Referring to Fig. 4, at SI, using a processor coupled to memory, a request related to at least one application is received from a requestor in pre-determined business logic. At S2, also using the processor, the request is acknowledged by an approver function without requiring the requestor to negotiate, for example, with an LDAP administrator to justify the request. As S3, the request is provisioned into the enterprise LDAP server in the pre-determined business logic, likewise using the processor.

[0038] Another feature of embodiments of the invention is standardization of all the processes involved, for example, by naming conventions. With embodiments of the invention, when a need arises for a role to be created, it can be done immediately. The only possible delay is for approvals which are required to maintain checks and balances, but the business and the infrastructure teams know what is being requested. The requests are immediately approved, and everything else occurs behind the scenes. The approvals are manual only in a sense that once a request is placed, it goes into the queues of the approvers. When a request goes into the queue of an approver, the approver simply makes the approval, and thereafter, the process is entirely automated. The approval is actually a notification to the approver and acknowledgement by the approver to assure the all of the approvers know that an action has been taken.

[0039] It is to be understood that embodiments of the invention may be implemented as processes of a computer program product, each process of which is operable on one or more processors either alone on a single physical platform, such as a personal computer, or across a plurality of platforms, such as a system or network, including networks such as the Internet, an intranet, a WAN, a LAN, a cellular network, or any other suitable network. Embodiments of the invention may employ client devices that may each comprise a computer-readable medium, including but not limited to, random access memory (RAM) coupled to a processor. The processor may execute computer-executable program instructions stored in memory. Such processors may include, but are not limited to, a microprocessor, an application specific integrated circuit (ASIC), and or state machines. Such processors may comprise, or may be in communication with, media, such as computer-readable media, which stores instructions that, when executed by the processor, cause the processor to perform one or more of the steps described herein.

[0040] It is also to be understood that such computer-readable media may include, but are not limited to, electronic, optical, magnetic, RFID, or other storage or transmission device capable of providing a processor with computer-readable instructions. Other examples of suitable media include, but are not limited to, CD-ROM, DVD, magnetic disk, memory chip, ROM, RAM, ASIC, a configured processor, optical media, magnetic media, or any other suitable medium from which a computer processor can read instructions. Embodiments of the invention may employ other forms of such computer-readable media to transmit or carry instructions to a computer, including a router, private or public network, or other transmission device or channel, both wired or wireless. Such instructions may comprise code from any suitable computer programming language including, without limitation, C, C++, C#, Visual Basic, Java, Python, Perl, and JavaScript.

[0041] It is to be further understood that client devices that may be employed by embodiments of the invention may also comprise a number of external or internal devices, such as a mouse, a CD-ROM, DVD, keyboard, display, or other input or output devices. In general such client devices may be any suitable type of processor-based platform that is connected to a network and that interacts with one or more application programs and may operate on any suitable operating system. Server devices may also be coupled to the network and, similarly to client devices, such server devices may comprise a processor coupled to a computer-readable medium, such as a random access memory (RAM). Such server devices, which may be a single computer system, may also be implemented as a network of computer processors. Examples of such server devices are servers, mainframe computers, networked computers, a processor-based device, and similar types of systems and devices