1. Field of the Invention
The present invention is directed to technology for supporting a framework for controlled access of common data store information among multiple accessing entities.
2. Description of the Related Art
With the growth of the Internet, the use of networks and other information technologies, Identity Systems have become more popular. In general, an Identity System provides for the creation, removal, editing and other managing of identity information stored in various types of data stores. The identity information pertains to users, groups, organizations and/or things. For each entry in the data store, a set of attributes is stored. For example, the attributes stored for a user may include a name, address, employee number, telephone number, email address, user ID and password. The Identity System can also manage access privileges that govern what an entity can view, create, modify or use in the Identity System. Often, this management of access privileges is based on one or more specific attributes, membership in a group and/or association with an organization.
In some instances, multiple applications running within the Identity System or outside of the Identity System want to access the same information in the data store. For example, the Identity System may include multiple identity servers that each wish to access the same profile of a user maintained in the data store. No conflict occurs if multiple identity server applications read the same data store information, such as attributes in the user profile.
One of the applications, however, may need to modify the user profile. If the other applications access the profile before the modification is complete, they may obtain stale or partially modified data. During a resource provisioning process, the profile may undergo multiple modifications in sequence, making it undesirable to give any entity other than the resource provisioning entity access to the profile until the whole sequence has completed. It is desirable to implement a framework that facilitates the controlled access of common data store information among multiple accessing entities.
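The following is an added illustration of the hazard just described and of one way a controlled-access framework can close it; it is not the patent's own mechanism and not code from the original page. A shared data store holds profile entries, and each entry can carry one exclusive lease. The entity names ("idserver-A" as the provisioning entity, "idserver-B" as a second identity server), the attribute names and the three provisioning steps are constructed sample data; the lease semantics are an assumed design. Provisioning is written as a generator so that a second entity's read can be interleaved between steps deterministically, without threads.

```python
# Added illustration for the concurrent-access hazard described above; it is not
# the patent's mechanism or code from the original page. Entity names
# ("idserver-A", "idserver-B"), attribute names and the provisioning steps are
# constructed sample data; the per-entry lease is an assumed design.
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Tuple


class AccessDenied(Exception):
    """An accessing entity touched an entry that another entity holds a lease on."""


@dataclass
class DataStore:
    """Minimal shared data store: profile entries plus one exclusive lease per entry."""
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)
    leases: Dict[str, str] = field(default_factory=dict)  # entry id -> lease holder

    def _check(self, entry_id: str, accessor: str) -> None:
        holder = self.leases.get(entry_id)
        if holder is not None and holder != accessor:
            raise AccessDenied(f"{entry_id} is leased by {holder}")

    def acquire(self, entry_id: str, accessor: str) -> bool:
        """Take the exclusive lease; returns False if another entity already holds it."""
        holder = self.leases.get(entry_id)
        if holder not in (None, accessor):
            return False
        self.leases[entry_id] = accessor
        return True

    def release(self, entry_id: str, accessor: str) -> None:
        """Only the holder may release; a stray release by another entity is ignored."""
        if self.leases.get(entry_id) == accessor:
            del self.leases[entry_id]

    def read(self, entry_id: str, accessor: str) -> Dict[str, str]:
        self._check(entry_id, accessor)
        return dict(self.entries[entry_id])  # copy, so callers cannot bypass write()

    def write(self, entry_id: str, accessor: str, attr: str, value: str) -> None:
        self._check(entry_id, accessor)
        self.entries[entry_id][attr] = value


# Constructed sample: provisioning a user modifies several attributes in sequence.
PROVISION_STEPS = [("mail", "alice@example.com"), ("uid", "alice"), ("status", "active")]


def provision(store: DataStore, entry_id: str, provisioner: str, guarded: bool) -> Iterator[None]:
    """Multi-step modification written as a generator so that a caller can
    interleave another entity's access between steps deterministically."""
    if guarded and not store.acquire(entry_id, provisioner):
        raise AccessDenied(f"{provisioner} could not lease {entry_id}")
    try:
        for attr, value in PROVISION_STEPS:
            store.write(entry_id, provisioner, attr, value)
            yield  # pause point: another accessing entity may act here
    finally:
        if guarded:
            store.release(entry_id, provisioner)


def interleaved_read(guarded: bool) -> Tuple[Optional[Dict[str, str]], Dict[str, str]]:
    """Run one provisioning step on idserver-A, let idserver-B read the entry,
    then finish provisioning. Returns (what B saw mid-provisioning, or None if
    the lease turned it away; what B sees after provisioning completes)."""
    store = DataStore(entries={"user:alice": {"status": "pending"}})
    steps = provision(store, "user:alice", "idserver-A", guarded)
    next(steps)  # only the first of three modifications has been applied
    try:
        seen = store.read("user:alice", "idserver-B")
    except AccessDenied:
        seen = None
    for _ in steps:  # let provisioning run to completion (and release the lease)
        pass
    return seen, store.read("user:alice", "idserver-B")


if __name__ == "__main__":
    print("unguarded:", interleaved_read(guarded=False))
    print("guarded:  ", interleaved_read(guarded=True))
```

In the unguarded run the second identity server reads a profile whose mail attribute is already set while status is still "pending", which is exactly the inconsistent intermediate state the passage warns about; in the guarded run the read is refused until the provisioning entity releases the lease, after which both servers see the fully provisioned profile. A production lease would also need an expiry so that a provisioning entity that crashes mid-sequence does not hold the entry indefinitely.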
Some Identity System users also employ an Access System. An Access System provides for the authentication and authorization of users attempting to access resources. For efficiency purposes, there is an advantage to integrating the Identity System and the Access System. For example, both systems may utilize information in a common data store. Additionally, integrating the Identity System and the Access System allows for single-sign-on functionality across multiple resources. Thus, there is also a need to support a framework for controlled access of common data store information among multiple accessing entities for Access Systems and integrated Identity/Access Systems. Systems other than Identity and Access Systems can also benefit from such an access control framework.