US Patent No. 10,659,469

VERTICALLY INTEGRATED ACCESS CONTROL SYSTEM FOR MANAGING USER ENTITLEMENTS TO COMPUTING RESOURCES


Patent No. 10,659,469
Issue Date May 19, 2020
Title Vertically Integrated Access Control System For Managing User Entitlements To Computing Resources
Inventorship John Howard Kling, Cincinnati, OH (US)
Brandon Sloane, Santa Barbara, CA (US)
Regina Yee Cadavid, San Gabriel, CA (US)
Rachel Yun Kim Bierner, Los Angeles, CA (US)
Ronald James Kuhlmeier, Simi Valley, CA (US)
Assignee Bank of America Corporation, Charlotte, NC (US)

Claim of US Patent No. 10,659,469

1. A computerized vertically integrated access control system for creating user entitlements to computing resources, comprising:a computer processor;
a memory;
a network communication device; and
an access control module stored in the memory, executable by the computer processor, and configured to perform the steps of:
collecting information regarding a plurality of entity capabilities of an entity;
storing, in a database, a plurality of entity capability data records, each entity capability data record corresponding to an entity capability of the plurality of entity capabilities;
collecting information regarding a plurality of flagged combinations of entity capabilities;
storing, in the database, a plurality of flagged combination data records, each flagged combination data record corresponding to a flagged combination of entity capabilities;
collecting information regarding interfaces of an information system of the entity;
collecting information regarding access control rules of the information system;
collecting information regarding computing resources of the information system;
storing, in the database, a plurality of data records corresponding to the interfaces, access control rules, and computing resources of the information system;
for each entity capability, linking in the database such entity capability to each interface that implements such entity capability;
for each interface, linking in the database such interface to each access control rule for accessing such interface;
for each computing resource, linking in the database such computing resource to each access control rule for accessing such computing resource;
for each interface, linking in the database such interface to each computing resource accessed by such interface;
creating a vertically integrated access unit by:
identifying a logical work role, the logical work role comprising one or more first entity capabilities of the plurality of entity capabilities;
identifying, from the database, one or more first interfaces that implement the one or more first entity capabilities;
identifying, from the database, one or more first interface access control rules for accessing the one or more first interfaces;
identifying, from the database, one or more first computing resources accessed by the one or more first interfaces;
identifying, from the database, one or more first computing resource access control rules for accessing the one or more first computing resources; and
storing, in the database, a data record for the vertically integrated access unit that links, in the database, data records for the (i) one or more first entity capabilities, (ii) one or more first interfaces, (iii) or more first interface access control rules, (iv) one or more first computing resources, and (v) one or more first computing resource access control rules;
creating a user group by:
assigning the logical work role to the user group; and
based on the logical work role, storing, in the database, a data record for the user group that is linked to the data record for the vertically integrated access unit;
provisioning an entitlement by:
assigning the logical work role to a first user; and
based on assigning the logical work role to the first user, linking the first user to the user group;
determining that a proposed configuration of the vertically integrated access unit, a proposed configuration of the user group, a proposed configuration of the first user, or a proposed entitlement would result in a first flagged combination of entity capabilities; and
in response to determining that the proposed configuration of the vertically integrated access unit, the proposed configuration of the user group, the proposed configuration of the first user, or the proposed entitlement would result in the first flagged combination of entity capabilities, performing an action to prevent the first flagged combination of entity capabilities.