
Model and Method for Centralized Management of Resource Associated Functionality

IP.com Disclosure Number: IPCOM000030253D
Original Publication Date: 2004-Aug-03
Included in the Prior Art Database: 2004-Aug-03
Document File: 6 page(s) / 93K

Publishing Venue

IBM

Abstract

One of the challenges faced today when integrating different applications into a single centralized administration console is how to resolve the entitlements of the many applications, systems, and resource managers that each have separate and distinct access control mechanisms. Often, integrated consoles can show only high-level entitlements, such as which applications a customer can use; they have much more difficulty expressing entitlements to the resources within the separate applications that run inside the integrated console. This paper describes a methodology for centralized management of enterprise resource management software. It allows an administrator to map resources to users from a single application while leaving enforcement to the individual applications. This facilitates ease of use and entitlement checks, and creates a single point of policy administration while each product remains its own enforcement point.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 32% of the total text.


  This technique defines a common infrastructure through which every product that wants to grant functionality to users can do so in a standard fashion, so that one administrative tool can support all products that subscribe to the model. Many middleware products deal, at some level, with mapping functionality and resources to specific users. The mapping, and the representation of the users and of the functionality, is usually proprietary to the product and does not necessarily integrate well with the similar mappings and representations of other products, even though they share many common components. Similarly, each product usually supplies its own method of managing the users, functionality and mappings it must create. Assignment of individual resource-related functionality is best done at a level close to the resource; but because each resource manager has its own definitions for how its resources are assigned, managing resources in a centralized fashion becomes very difficult. This methodology addresses that problem, and in doing so makes new functionality elementary, such as entitlement checks that answer which users hold which capabilities across all products.

  The core of this paper is a flexible data model that separates the concept of 'capabilities' or functionality provided, from the users and the organizational concepts that facilitate management (such as groups, roles, organizations, etc), and a method for publishing and subscribing to these capabilities.

  The advantage of this solution is a standardized model of user and policy management that is broad enough for products of all types to subscribe to its infrastructure, while a separate management interface handles the administrative actions required to use their functionality. This gives a single user experience, as opposed to dealing with management separately in every product.

The Data Model

    A user is a unique identifier tied to a set of information such as name, contact number, password, and access rights. Usually a user corresponds to an entity that uses the system.

    Users can be grouped in many ways, such as roles, organizations, and so forth. However, for the purposes of this disclosure the method of grouping has no impact.

    Capabilities come in two types: Specific and Generic. A Specific Capability represents functionality that can be mapped directly to a user or group of users. A Generic Capability represents a type of functionality that is available (for example, Access Management via Tivoli Access Manager*) but must first be refined into a Specific Capability before it can be mapped to a user or group of users.

Publication and Subscription

    Each resource management application would publish to the management server a list of specific and generic capabilities that it will be providing. In additi...
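The data model and the publication step described above, as an added Python example that is not part of the disclosure and not IBM's code: a resource manager publishes its generic and specific capabilities to the management server, an administrator refines generic capabilities and maps specific ones to users or groups, the server answers entitlement checks, and each product pulls down only its own mappings to enforce locally. The disclosure names the concepts but specifies no API, so the class and method names (ManagementServer, publish, refine, grant, entitled_to, subscription), the resource paths and the principals are assumptions made for this illustration.

```python
# Added example modelling the disclosure's data model; not IBM's code.
# Class/method names, resource paths and principals are assumptions made
# for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class GenericCapability:
    """A type of functionality a product offers (e.g. access management).
    It cannot be mapped to anyone until it is refined."""
    product: str
    kind: str


@dataclass(frozen=True)
class SpecificCapability:
    """A generic capability refined to one resource and action; this is
    the unit that is actually mapped to a user or group."""
    generic: GenericCapability
    resource: str
    action: str


class ManagementServer:
    """Central administration point. It records who may do what but
    enforces nothing: each product pulls its own view (subscription)
    and enforces locally, as the disclosure describes."""

    def __init__(self):
        self._generic = set()    # published GenericCapability objects
        self._specific = set()   # published or refined SpecificCapability
        self._members = {}       # group name -> set of user names
        self._grants = {}        # principal (user or group) -> set of caps

    def publish(self, product, generic=(), specific=()):
        """A resource manager publishes the capabilities it provides."""
        for cap in list(generic) + [s.generic for s in specific]:
            if cap.product != product:
                raise ValueError(f"{product} cannot publish for {cap.product}")
            self._generic.add(cap)
        self._specific.update(specific)

    def refine(self, generic, resource, action):
        """Administrator derives a specific capability from a published
        generic one; unpublished generic types are rejected."""
        if generic not in self._generic:
            raise LookupError(f"{generic.product} never published {generic.kind}")
        cap = SpecificCapability(generic, resource, action)
        self._specific.add(cap)
        return cap

    def add_member(self, group, user):
        self._members.setdefault(group, set()).add(user)

    def grant(self, principal, cap):
        """Map a specific capability to a user or group. Generic capabilities
        and unknown specific ones are refused, so a typo in a resource name
        cannot silently create a new entitlement."""
        if not isinstance(cap, SpecificCapability) or cap not in self._specific:
            raise LookupError("only published specific capabilities can be granted")
        self._grants.setdefault(principal, set()).add(cap)

    def entitlements(self, user):
        """Entitlement check across products: direct grants plus grants to
        every group the user belongs to (the grouping scheme is irrelevant)."""
        caps = set(self._grants.get(user, ()))
        for group, users in self._members.items():
            if user in users:
                caps |= self._grants.get(group, set())
        return caps

    def entitled_to(self, user, cap):
        return cap in self.entitlements(user)

    def subscription(self, product):
        """The view a product pulls down to enforce locally: only its own
        capabilities, with groups flattened to individual users."""
        view = {}
        for principal, caps in self._grants.items():
            for user in self._members.get(principal, {principal}):
                for cap in caps:
                    if cap.generic.product == product:
                        view.setdefault(user, set()).add(cap)
        return view


def grant_accepted(server, principal, cap):
    """True if the server accepted the grant, False if it refused it."""
    try:
        server.grant(principal, cap)
        return True
    except LookupError:
        return False


def demo():
    """Constructed scenario: Tivoli Access Manager (the product the disclosure
    names) publishes a generic Access Management capability, which an
    administrator refines and assigns. The resource paths are made up."""
    server = ManagementServer()
    tam = GenericCapability("Tivoli Access Manager", "Access Management")
    server.publish("Tivoli Access Manager", generic=[tam])
    hr_cap = server.refine(tam, "/protected/hr-portal", "administer")
    ops_cap = server.refine(tam, "/protected/ops-portal", "administer")
    server.add_member("hr-admins", "alice")
    server.grant("hr-admins", hr_cap)   # mapped via a group
    server.grant("bob", ops_cap)        # mapped directly to a user
    return server, tam, hr_cap, ops_cap
```

The subscription view is per product and flattened to individual users, so an enforcement point needs no knowledge of how the console groups users; that matches the statement that the method of grouping has no impact on the model. Refusing grants of generic or unpublished capabilities keeps the central record consistent with what products actually offer, which is what makes the cross-product entitlement check trustworthy.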