Externalized Synchronization for Concurrent Updates to Indirectly Referenced Shared Security Permission in Service Based Identity Provisioning Systems

IP.com Disclosure Number: IPCOM000202825D
Publication Date: 2011-Jan-04
Document File: 4 page(s) / 129K

Publishing Venue

The IP.com Prior Art Database

Abstract

This invention provides a method to synchronize concurrent modifications to shared group or security authorization roles when provisioning user accounts. A service external to the client and target provisioning system intercepts and analyses concurrent user account modification requests. Based on the request type, other external services are employed to avoid potential race conditions when updating the common security authorizations on the target system.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 29% of the total text.

This invention enables identity provisioning adapters to synchronize concurrent updates to user accounts which include references to shared or common security authorizations. Examples of such authorizations include role and group assignments to user accounts. It is common for provisioning target systems to provide a remote or external application programming interface (API) which identity provisioning adapters can use to provision user accounts on target systems. Provisioning includes creation, modification and deletion of user accounts. Provisioning requests are typically sent from a central Identity Management (IdM) server employing a synchronous request-response model. The synchronous model aims to maintain overall responsiveness of the identity provisioning system and IdM server. It is common for communications between the IdM server and provisioning adapters to employ standardized network protocols. Examples of such protocols include Directory Services Markup Language (DSML), Directory Assertion Markup Language (DAML), Services Provisioning Markup Language (SPML), Simple Object Access Protocol (SOAP) Web Services, etc.

A fundamental component of identity provisioning is the assignment and management of security authorizations associated with user accounts. In some cases, a target system may expose the assignment and management of security authorizations as separate objects or APIs. However, it is also common to have security authorizations exposed as attributes or state associated with user accounts. In either case, but particularly in the second case, provisioning target systems do not always expose a method or interface to provisioning adapters which allows concurrent assignment or management of one or more shared security authorizations associated with user accounts. In many target systems, the embodiment of the association between a user account and a security authorization is a referential relationship in a relational database system (RDBS). Other embodiments may employ an external role management system. The key point is that updates to shared security authorizations are not directly exposed to target system provisioning adapters.

A common consequence of the referential relationship is the need for the target system to apply a type of lock during write updates which include a security authorization as the subject of the update. For example, if a provisioning adapter submits concurrent requests to the target system which include adding users to a common group, the target system may apply a lock associated with the group as each request is processed to ensure only one request can update the group membership at a time. When this is done while concurrent requests are active within the target system, some requests may fail or result in a partially complete update...
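As an added example that is not part of the disclosure, the Python sketch below models the race described above: a constructed target whose per-group lock rejects a write touching a group that another in-flight request is updating, and a hypothetical external synchronization service that inspects each request for the shared authorizations it references and serializes requests per referenced group, while requests for disjoint groups still run concurrently. All class and function names are assumptions.

```python
import threading
import time
from collections import defaultdict
from contextlib import ExitStack
class GroupLockedError(Exception):
    pass  # target rejected the write: another request holds the group lock
class TargetSystem:
    """Constructed stand-in for a provisioning target: group membership is a
    referential relation, and a write touching a busy group is rejected."""
    def __init__(self):
        self.members = defaultdict(set)
        self._busy, self._guard = set(), threading.Lock()
    def add_user(self, user, groups):
        with self._guard:  # target-side lock on each referenced group
            if any(g in self._busy for g in groups):
                raise GroupLockedError(f"{user}: group busy")
            self._busy.update(groups)
        try:
            time.sleep(0.01)  # RDBS write latency widens the race window
            for g in groups:
                self.members[g].add(user)
        finally:
            with self._guard:
                self._busy.difference_update(groups)
class SyncService:
    """Hypothetical external synchronization service: serializes requests per
    referenced shared authorization; disjoint groups still run concurrently."""
    def __init__(self, target):
        self.target, self._locks = target, defaultdict(threading.Lock)
        self._registry = threading.Lock()
    def add_user(self, user, groups):
        with self._registry:  # sorted acquisition order prevents deadlock
            locks = [self._locks[g] for g in sorted(set(groups))]
        with ExitStack() as stack:  # hold every group lock for the whole write
            for lock in locks:
                stack.enter_context(lock)
            self.target.add_user(user, groups)
def provision(front, requests):
    """Submit (user, groups) requests concurrently; return rejected users."""
    rejected = []
    def worker(user, groups):
        try:
            front.add_user(user, groups)
        except GroupLockedError:
            rejected.append(user)
    threads = [threading.Thread(target=worker, args=r) for r in requests]
    for t in threads: t.start()
    for t in threads: t.join()
    return sorted(rejected)
```

Calling `provision(TargetSystem(), requests)` directly shows rejected requests under load; routing the same requests through `SyncService` yields none.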