The disclosure generally relates to the field of identity and access management systems, and more particularly to correlating and synchronizing identity profile information with account profile information to generate system access synchronization policies.
Identity and Access Management (IAM) systems generally employ information sharing mechanisms and techniques to efficiently manage user identity profiles and the relation of the identity profiles with account profiles. In the context of an IAM system, an identity profile generally includes authentication information that is associated with a single consumer entity (e.g., a user) and that is applicable within a particular IAM system to one or more consumer accounts. Consumer accounts include account profiles for accessing hardware resources (e.g., a storage device), system software components (e.g., a virtual machine), application software components, or any combination of the foregoing (e.g., applications installed on or otherwise accessible from a computer workstation). Information within account profiles may include consumer description information and information for authenticating or otherwise identifying the consumer entity, including information regarding access level authorizations.
The extent of access enabled by a given identity profile is determined based on the configuration and reconfiguration of the identity profile and account profiles within a given access management domain. An IAM manager determines accessibility and level of accessibility to a given system endpoint (e.g., desktop client application) within the domain based on relations and associations between identity information in the universally applicable identity profiles and corresponding identity information within account profiles. The correspondence between the identity profile information and the identity information maintained in association with each of the system resource account profiles is established by authentication rules. Runtime enforcement of the identity-to-account correspondence is governed by synchronization policies that enable the IAM manager to update identity information in response to the same or other identity information being added or modified within the identity and account profiles.
Establishing and utilizing identity-to-account data correlations typically requires associating specified attributes of the identity profiles with corresponding attributes of one or more of the account profiles. Such profile attributes are the primary constituent components of the identity and account profiles. For example, an identity profile may comprise attributes in the form of defined data fields including a “NAME” field and an “EMPLOYEE ID” field. An account profile also includes attributes in the form of fields such as “FULL NAME,” “UID,” etc. While such attribute associations are effective for establishing profile information synchronization to enable efficient IAM operations, several issues arise relating to the efficiency of configuring and synchronizing profiles in expansive and heterogeneous IAM domains.
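As an added illustration that is not part of the disclosure, the following Python models the attribute correlation described above: an authentication rule pairs the identity profile's EMPLOYEE ID with the account profile's UID, and a synchronization policy propagates NAME to FULL NAME across the correlated accounts. The sample profiles, resource names and function names are constructed assumptions; accounts whose UID correlates with no identity are reported separately, since an orphaned account is one that no synchronization policy can govern.

```python
# Added example (not from the disclosure): correlating identity profiles with
# account profiles through an attribute-mapping rule, then deriving the
# synchronization actions a policy would apply. All records are constructed.

# Constructed identity profiles: one per consumer entity (user).
IDENTITIES = [
    {"NAME": "Ada Lovelace", "EMPLOYEE ID": "E1001", "EMAIL": "ada@example.test"},
    {"NAME": "Alan Turing",  "EMPLOYEE ID": "E1002", "EMAIL": "alan@example.test"},
]

# Constructed account profiles on two resources (a storage device and a VM).
ACCOUNTS = [
    {"RESOURCE": "storage-01", "FULL NAME": "Ada Lovelace",   "UID": "E1001", "ACCESS": "rw"},
    {"RESOURCE": "vm-07",      "FULL NAME": "A. Turing",      "UID": "E1002", "ACCESS": "admin"},
    {"RESOURCE": "vm-07",      "FULL NAME": "Old Contractor", "UID": "E0999", "ACCESS": "admin"},
]

# Authentication rule: (identity attribute, account attribute) that must be equal
# for an account profile to be associated with an identity profile.
CORRELATION_RULE = ("EMPLOYEE ID", "UID")
# Synchronization policy: identity attribute -> account attribute kept in step.
SYNC_POLICY = {"NAME": "FULL NAME"}

def correlate(identities, accounts, rule=CORRELATION_RULE):
    """Return (matches, orphans): matches maps identity index -> correlated
    accounts; orphans are accounts whose UID matches no identity profile."""
    id_attr, acct_attr = rule
    by_key = {ident[id_attr]: i for i, ident in enumerate(identities)}
    matches = {i: [] for i in range(len(identities))}
    orphans = []
    for acct in accounts:
        idx = by_key.get(acct.get(acct_attr))
        if idx is None:
            orphans.append(acct)       # unmanaged access: flag for review
        else:
            matches[idx].append(acct)
    return matches, orphans

def sync_actions(identities, accounts, rule=CORRELATION_RULE, policy=SYNC_POLICY):
    """Updates (resource, account attribute, old value, new value) needed so that
    every correlated account's synchronized attributes equal the identity's."""
    matches, _ = correlate(identities, accounts, rule)
    actions = []
    for idx, accts in matches.items():
        for acct in accts:
            for id_attr, acct_attr in policy.items():
                new = identities[idx][id_attr]
                if acct.get(acct_attr) != new:
                    actions.append((acct["RESOURCE"], acct_attr, acct.get(acct_attr), new))
    return actions
```

Running `correlate(IDENTITIES, ACCOUNTS)` on the constructed data reports the E0999 admin account on vm-07 as an orphan, and `sync_actions` yields a single FULL NAME update for Alan Turing's vm-07 account.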