The present disclosure relates generally to management of enterprise systems and cloud computing systems, and more particularly to techniques for using an access policy to manage accounts for an enterprise system or a cloud computing system.
In the context of information technology (IT) systems, one or more accounts may be provisioned for a user that enable the user to access various resources, for example, various resources within an enterprise system or a cloud computing system. Examples of such resources can include, without limitation, software products, applications (e.g., cloud-based applications, enterprise applications, or any other applications), cloud services, various types of data (e.g., networked files, directory information, databases, or the like), and other resources. In addition to accounts, many enterprises manage access to resources using roles. In a roles-based access system, various roles may be defined in the enterprise system. A role may be associated with one or more access policies that control how resources within the enterprise will be accessed. One or more roles may then be associated with a user or a group of users. The provisioning and management of access rights for a user are automated based on the role(s) associated with the user.
In many enterprises, accounts may be provisioned separately from the configuration of access policies. This may lead to situations where accounts providing access to various resources provided by target systems may not be established based on the access policies applicable to those resources. In some instances, accounts may be provisioned before access policies are implemented. As a result, the access to a resource provided by such accounts may not conform to current access policies of an organization. The access provided to a resource by these accounts may be outdated or not based on a current access policy governing access to the resource. In large enterprises with many users and many different access policies, accounts that have not been associated with an access policy may have to be manually configured to conform those accounts to current access policies corresponding to the resources indicated by those accounts. Many enterprises have changing needs with respect to use of resources by users within these enterprises. Thus, accounts not linked to an access policy may have to be manually configured to adjust access provided by those accounts.
Some enterprises have implemented unsupported solutions or non-scalable custom solutions (e.g., an SQL script) to enable accounts to be associated with an existing access policy. Such attempts may be burdensome and unreliable because they are temporary and must be manually performed to configure accounts based on updates to access policies. In some instances, such solutions are temporary as they do not afford an enterprise the flexibility to handle future changes in access policies without applying further such solutions. Enterprises may benefit from techniques to automatically manage accounts using access policies.