DE102019129762B3 - Process and system for the implementation of an identity and access management system - Google Patents

Abstract

Method for executing an identity and access management system, in which at least one layer is provided and a master computer communicates with at least one slave computer, - the master computer comprising at least one component, each as an arithmetic unit and / or as a storage unit and / or is designed as at least one working component, each unit of the functionality of the arithmetic unit and / or of the storage unit and / or the further working component of the master computer being generated, and - the respective units of the functionality of the arithmetic unit and / or of the storage unit and / or the functionality of the further work component are translated into code and transmitted in coded form from the master computer to the slave computer, - the master computer being controlled with the aid of the arithmetic logic unit, and at least one software program product working to control , whereby- each units of the functionality of the software pr ogrammprodukts are translated into a code and are transmitted in coded form from the master computer to the slave computer, - the arithmetic unit and / or the storage unit and / or the further work component and / or the software program product of the master computer depending on at least one parameter of the at least one slave computer, and the respective configuration is translated into a code and transmitted in coded form from the master computer to the slave computer, with data and / or information of a User are stored, and a personal profile for identification and / or authentication and / or authorization of the user is created in an arithmetic logic unit of the slave computer from the data and / or from the information, - the units translated into a code the functionality of the arithmetic unit and / or the storage unit and / or the translated into a code units of the functionality of the further working component and / or the software program product and / or the configuration from the master computer to the arithmetic unit and / or to the storage unit and / or to the further working component and to at least one runtime environment (Kubernetes) of the slave computer - the data and / or information of the user being processed and / or processed in the arithmetic unit and / or in the storage unit and / or in the further working component of the slave computer with the aid of the transferred functionalities of the software program product, - and the master Computer to the slave computer, translated into a code units of the functionalities act on the arithmetic unit and / or the storage unit and / or on the further work component and / or on the software program product of the slave computer.

Description

The invention relates to a method and an associated system for executing an identity and access management system. In the case of the method and the system, at least one layer is provided for structuring information and / or data. In the method and the associated system, a master computer communicates with at least one slave computer.

From the DE 2013 102 487 A 1, a method is known with which access to digital data is controlled.

From the US 8 392 420 B2 discloses an architecture for managing digital identity information in a network such as the World Wide Web. The information is organized by the user into one or more profile (s) that reflect the nature of the various relationships between the user and other entities. Each unit is granted or denied access to predetermined profiles.

The WO 2019/204 366 A1 includes a method related to a first computer. The method comprises receiving security service data from a first digital data memory and generating hidden security service data by generating a plurality of portions of the security service data. The method additionally includes forming and storing a readable copy of the hidden security service data using a plurality of decrypted portions of the data. The WO 2019/204 366 A1 further discloses a server representing a computer, data center, virtual machine or virtual computer instance. The server can include a hypervisor. A computer can be disclosed which executes a containerized program system such as DOCKER or KUBERNETES.

The EP 2 355 474 B1 relates to a wireless portable telephone and a system and method for transferring authorized functions or other telephone functions which are connected to the portable telephone to a second telephone.

The method comprises a mobile terminal with a network interface. A spatially limited network segment is provided that provides a network solution. The network solution ensures that the localization of the mobile device takes place. The network segment is also identified. In addition, there is a usage server that controls access to digital data and ensures compliance with specific rights.

Identity and access management methods are known in the prior art for digital markets. These provide functions to enable users to access IT systems. All identities are primarily about efficiency, compliance, usability and security. Users can be all owners of digital identities, for example consumers, employees, B2B partners, alumni or applicants.

They are important, for example, in order to be able to reliably launch products and services on the markets around the world. There are often only very narrow time windows available for this. In the case of digital services in particular, the "time-to-market" factor is a decisive success factor. This describes the time span with which new products and / or services can be introduced into a market from the time of development.

In addition, digital platforms offer the opportunity to try out new business models and use them in the market.

The speed and flexibility with which the new business models can be implemented in the respective market has become a decisive competitive factor.

No less important is the speed with which the business models can be tested and / or adapted to the respective market conditions. Another competitive factor is the speed at which a new business model can be integrated into an existing infrastructure.

The interfaces between the product and / or service launched on the market and the respective user represent a new area of tension. It must be clarified who the respective user is. It must be possible to reliably confirm the identity of the user. In addition, it must be recorded how a consistent experience of the provider with the new product and / or the new service can be recorded across all associated device interfaces.

For this it is essential to implement a high-performance Identity and Access Management System (IAM).

Identity and Access Management (IAM)

An identity and access management system provides a framework in which strategies and Technologies are included to ensure that the right person, preferably in an organization, has the necessary access rights.

With the authorization, the respective person is granted certain rights towards third parties. Through the authentication, the person proves that he / she has been granted the rights mentioned above. Through the identification, the person ensures that he / she can be repeatedly recognized by third parties. The terms authentication, authorization and identification are discussed in more detail below.

The Identity and Access Management System relates primarily, but not exclusively, to dealing with customers. In this context, the term “Customer Identity and Access Management (CIAM) is used.

The Identity and Access Management System can also be applied to other contexts, such as employees, B2B partners, alumni or applicants.

For reasons of simplification, the invention is explained in more detail below by way of example, in connection with customers, under the term “Customer Identity and Access Management”.

In the following, the word sequence “Customer Identity and Access Management” is used in the same way as the word sequence “Customer Identity and Access Management System”.

Customer Identity and Access Management clarifies the identity of the customer (who is who?) In the sense of the invention. It also clarifies what the respective customer can do (who can do what?).

Customer Identity and Access Management depicts the customer's identity in all its facets securely and reliably. With the help of Customer Identity and Access Management, the customer's identity can be reliably checked and protected.

The focus is on ensuring the customer's identity. A password can be assigned to ensure identity. A two-factor authentication system can also be used. Furthermore, biometric features of the customer can be queried using different technical methods.

After determining the identity of the customer (identification) and after clarifying the question of what the respective customer is allowed to do (authentication), a digital profile of the customer is created and / or an existing digital profile is refined.

A customer's digital profile can include master data. These are preferably, but not exclusively, the customer's address, date of birth and contact details.

The master data that is set in the customer's digital profile can also include the customer's preferences and / or interests and / or ownership.

The customer's digital profile can be used to increase security. For example, if a customer is based in Germany and logs on from a far away country, the system can, among other things, request additional user characteristics in order to prove their identity and prevent misuse.

In addition, the customer's digital profile enables them to get to know the customer better. The needs of the respective customer can be better assessed.

Due to the digital profile, relevant offers can be made to the customer at the right time and in the right circumstances, even before they have registered a corresponding need.

The creation of a digital profile requires the customer's consent for the collection and / or further processing of his data. The data and / or information in the customer's digital profile can be used for so-called e-mail marketing and / or to carry out a customer data analysis.

Customer Identity and Access Management enables the customer to present his identity to computer software and / or a computer platform, preferably using a password.

With the help of the password, the customer can preferably log into a web shop. With the help of his password, he can move around independently in a data-secured, personalized area, preferably a platform.

With the help of Customer Identity and Access Management, the customer can preferably, but not exclusively, gain uniform and convenient access to a broadly based offer system via a “single sign-on”. With the “single sign-on” access, the user gains access via a one-time identification and / or a one-time authentication all computers and / or services, for example at his workplace, for which he is preferably authorized locally (authorization).

Thanks to the “single sign-on” system, the user can access all other computers and / or services from his workstation without having to be identified and authorized again each time.

The only requirement is that the user is authorized, that is to say authorized, to access the predetermined computers and / or predetermined services.

A renewed identification and authentication is no longer necessary for access to the predetermined computers and for the predetermined services.

Identity and access management can also include consistent data integration using a CRM system.

The invention understands the CRM system to be customer relationship management.

Within customer relationship management, a provider aligns its company specifically and consistently with the customer.

As part of customer relationship management or customer care, the provider of a product and / or service systematically designs its customer relationship processes.

Customer relationship management includes the documentation and administration of its relationships with customers. With the help of customer relationship management, the relationships between the provider of goods and / or services and the customer can be deepened and aligned in the long term.

Customer relationship management allows the provider preferably, but not exclusively, a 360 ° view of their customers.

Customer relationship management opens up additional points of contact for the provider with his customers. The points of contact can e.g. be a website or a smartphone app.

The points of contact between the provider and the customer can also be guaranteed by a service advisor from the provider. In addition, the points of contact with the customer can be established via a local dealer and / or a telephone hotline.

Customer Identity and Access Management enables providers to streamline and / or improve their portfolio.

Offers to customers can be delivered promptly and in a targeted manner.

Data and / or information on the behavior of the customer can be collected and / or structured and / or stored.

Within the Customer Identity and Access Management, data and / or information for the development of the customer profile can be summarized and / or evaluated from a wide variety of sources.

In the context of customer identity and access management, the provider of goods and / or services can create a platform, preferably in the memory of his computer, which he and / or the customer can access.

With the help of the platform, the provider can create an interface to applications from other providers of goods and services.

The so-called Open API describes a scheme for the uniform specification and description of a program interface, also called Application Programming Interface (API), so that other systems and developers can easily understand, use and integrate it.

In this way, customer identity and access management covers different functions. It is a key success factor, preferably, but not exclusively, for digital business processes.

Customer Identity and Access Management requires a short time interval between the creation of the product and / or service and its launch on the market.

The provider must be able to offer the goods and / or services to national and international customers in the same way and under the same conditions.

The products and / or services must be reliably available to customers at both national and international level.

Mergers and acquisitions must be supported flexibly. Business models must be redeveloped and deployed without wasting time.

The cost structure for the offer of goods and / or services must be presented to the customer in a transparent and calculable way.

Well-known customer identity and access management systems are adapted to the needs of the customer as part of a product approach.

However, this approach often proves to be very time-consuming and / or cost-intensive. A high training and maintenance effort leads to high costs in the same way.

Cloud services

The invention understands “cloud services” to mean an “IT infrastructure” that is preferably made available via the Internet. Within the "cloud service", the user is provided with additional storage space and / or additional computing power.

Within the “cloud services”, the user can also receive application software as a service.

Well-known cloud service providers preferably offer the user Identity-as-a-Service (IDaaS) solutions.

Well-known cloud services are e.g. Auth0 or OKTA, which are only available online.

The aforementioned cloud services are standardized solutions. However, the solutions only offer the user very little space for individual adaptation measures.

Identity-as-a-Service

The invention understands the term “Identity-as-a-Service” (IDaaS) preferably, but not comprehensively, an authentication infrastructure. The authentication infrastructure is preferably set up, operated and managed by a service provider. The “Identity-as-a-Service” service is preferably a “single sign-on” service for “cloud services”.

"Identity-as-a-Service" services lead to higher standardization.

Inadequacies of methods for performing identity and access management from the prior art

The installation of a software program product for an identity and access management system is often very time-consuming and therefore cost-intensive. The associated software program product includes a variety of components that must be installed. The installation, preferably in the context of a cluster operation, is very time-consuming, even if it always follows the same scheme.

The provision of the infrastructure for the implementation of procedures for the execution of an identity and access management system in the given user environment often turns out to be very time-consuming, since many departments of the user are involved.

If a somewhat comparable infrastructure is to be established conventionally, at least two servers with an associated operating system must be provided per region, for example. Otherwise the solution produced would not be highly available because the failure of a server leads directly to the failure of the system. A network with an appropriate firewall must be installed. In addition, so-called load balancers and / or certificates are required.

In the case of a conventional installation, the infrastructure specifically required for the system must be created, which has special requirements for preferably, but not exclusively, firewalls, network configuration, certificates, load balancers, etc. As different departments / teams are often responsible for these components in companies the processes are often complex and take a long time.

Often with conventional installation only an extremely low degree of automation is even produced or achieved. The specific consequence of this is that, for example, if parts of the company are outsourced, the entire project must be carried out again for the outsourced part.

The automations are therefore comparatively expensive to implement and cannot be transferred to other users.

So-called software-as-a-service solutions (SaaS solutions) cannot be used as possible alternatives for many users. Several users are set up as so-called "clients" on a single system.

Individual requirements of the user (individual client) can only be taken into account to a limited extent or not at all. The user (client) has no way of adapting, in particular, a software program product to his or her individual requirements and circumstances during the installation (deployment) of the identity and access management system.

The user has no influence on the strategy and / or the project plan (roadmap) for installing the identity and access management system.

Well-known identity and access management systems often place the user in great dependence on the respective system. For this reason, users are often reluctant to implement known identity and access management systems.

In addition, the user has no influence on the point in time at which changes are made to the identity and access management system.

The installation of an identity and access management system and / or an associated software program product turns out to be very time-consuming.

The users make the same errors independently of one another due to the system. Effective learning from errors across independent systems and software product programs is often not possible.

Known identity and access management systems and / or associated software program products include a large number of standard tasks which - depending on the system - are installed by each user. An adaptation of the Identity and Access Management System and / or the associated software program product to the specific needs of the user and / or to operational features cannot be carried out, or only to a limited extent.

Well-known identity and access management systems cannot be used, or only to a limited extent, for worldwide use. Performance problems and / or legal circumstances stand in the way of worldwide use of the identity and access management systems known from the prior art.

Objects of the invention

The object of the invention is therefore to provide a method and an associated system for executing an identity and access management system that eliminates the above-listed inadequacies of known systems.

Solution of the tasks

The objects are achieved by a method for implementing an identity and access management system according to the features of claim 1.

The objects are also achieved by the features of a system for carrying out the method according to claim 25.

The method for implementing an identity and access management system provides a master computer that communicates with at least one slave computer.

In the method, the master computer comprises at least one component. The component is designed as an arithmetic unit and / or as a storage unit.

The component is also designed as at least one working component.

According to the method, one unit of a functionality of the arithmetic unit and / or the storage unit is generated in each case. In addition, a unit of the functionality of the further work component of the master computer is generated in each case.

The respective units of the functionality of the arithmetic logic unit and / or the storage unit and / or the functionality of the further work component are translated into at least one code.

The units of the respective functionalities are transmitted in coded form from the master computer to the slave computer.

The master computer is controlled using the arithmetic unit.

At least one software program product operates to control the master computer.

In each case one unit of the functionality of the software program product is translated into at least one code.

The respective unit of functionality of the software program product is transmitted in coded form from the master computer to the slave computer.

The arithmetic unit and / or the storage unit and / or the further work component and / or the software program product of the master Computers are configured as a function of at least one parameter of the at least one slave computer.

The respective configuration is translated into a code.

The configuration is thereby transmitted in coded form from the master computer to the slave computer.

Data and / or information about a user are stored in a memory unit of the slave computer.

From the data and / or the information of the user, a personal profile of the user is created in the arithmetic unit of the slave computer to identify and / or authenticate the user and / or to authorize the user.

The units of the functionality of the arithmetic unit and / or the storage unit translated into the code are transferred to the arithmetic unit and / or the storage unit and / or to the further working component and to at least one runtime environment (Kubernetes) of the slave computer.

The units of the respective functionalities of the additional work component translated into code and the units of the software program product translated into code and / or the configuration of the master computer are stored in the arithmetic unit and / or in the storage unit and / or in the additional work component and in at least a runtime environment (Kubernetes) of the slave computer.

The data and / or information of the user are edited and / or processed in the arithmetic unit and / or in the storage unit and / or in the further work component of the slave computer. Editing and / or processing takes place there with the aid of the transferred functionalities of the software program product to the slave computer.

The units of the respective functionalities that are transferred from the master computer to the slave computer and translated into a code act on the arithmetic unit and / or on the storage unit and / or on the further work component and / or on the software program product of the slave computer.

The at least one layer of the method is discussed in detail below.

Background of the invention

Infrastructure as Code

If a software program product is installed in an existing data center and / or a computer, preferably as part of an identity and access management system, this is usually a very lengthy and costly process.

With the “Infrastructure as Code” approach, the requirements of the user with regard to the required hardware and / or the required software are programmed into a code.

The code can be a platform code.

With the help of “Infrastructure as Code”, specified hardware infrastructures and / or software infrastructures with “cloud infrastructures” are provided.

The invention preferably, but not exclusively, understands “cloud infrastructures” as systems such as “Amazon”, “AWS”, “Microsoft Azure” or “Google Cloud Platform”.

It goes without saying that the preceding list is only meant as an example.

Configuration as code

The invention understands “Configuration as Code” to mean the separation of the configuration based on the specific needs and / or the specific requirements of a user from a product. The invention preferably, but not exclusively, understands the term product to be a software program product.

Depending on the needs and requirements of the user, the user-specific configuration of the product is separated from the product as such. The product is, preferably, but not exclusively, a software program product.

The configuration is stored separately from the product as code and allows to react dynamically to the runtime environment. If, for example, the runtime environment can be reached under a certain Uniform Resource Locator (URL) (e.g. Kundenciam.de), this URL can be configured automatically so that the system can be addressed there. The URL is not configured statically, but is only configured dynamically at runtime. The advantage is, among other things, that a user typically wants to operate several environments for Development, testing and productive use. So it is not necessary to maintain three configurations, but the system can be rolled out three times and it will be dynamically accessible at development system.kundenciam.de, testsystem.kundenciam.de and produktivsystem.kundenciam.de (all URLs only as examples for clarification).

There are many more examples where this approach is clearly superior, including responding to the resources available. The system is able to adapt itself dynamically, depending on how many users are currently using the system or, for example, which hardware versions are available in the runtime environment.

In an administration of different versions, uniquely coded configurations are defined. The different codes can be compared with one another.

With the help of coding, a considerable increase in quality is achieved, since every change to the coding can be traced and manual, error-prone configuration changes are omitted. Every code artifact can be reused at any time and / or with every user and / or with every Identity and Access Management System.

The terms “Infrastructure-as-Code” and “Configuration-as-Code” will be discussed separately below.

The invention provides that the installation of the identity and access management system and / or the installation of the associated software program product take place in a completely automated manner.

The user is provided with the infrastructure required in a cloud to install the identity and access management system and / or the associated software program product. The configuration of the Identity and Access Management System and the associated software program product is carried out by transferring a code from the master computer to the slave computer.

The cloud environment shown above can either be provided by the user himself or by an external person. The former allows further advantages in terms of security and governance. Since the user is a direct contractual partner of the cloud provider, he has all direct access options himself and can also, for example, assert audit rights. This represents a significant gain compared to a complex contractual structure via subcontractors.

This advantage is made even more accessible by the possibility that users can equip their own data center with the same runtime environment (Kubernetes). Then it is not even necessary to purchase a cloud service and the data remains completely under the control of the user.

All artifacts of the identity and access management system and the associated software program product required for production are transmitted to the user in coded form.

Automatic backups and / or monitoring functions are transferred to the user in the form of codes on his slave computer.

Implementation of identity and access management systems with Kubernetes

The invention understands the term “Kubernetes” as a “runtime environment” or an “execution environment”.

The term runtime environment is used below. The runtime environment is a software program with which software program products can preferably be made executable within the framework of the identity and access management system, preferably in an unfamiliar environment.

The runtime environment preferably connects user software programs with the operating system preinstalled in the respective computer. The central aspect of Kubernetes is that it is designed to run application programs in highly available environments. It therefore represents a runtime environment for distributed, redundant systems across multiple computers.

The identity and access management system can preferably be designed as a micro-service-based architecture.

The identity and access management system and / or the software program product can be divided into individual microservices.

The identity and access management system and / or the software program product can be supplemented and / or expanded independently of further components of the identity and access management system or the software program product.

Configurations can be transferred in coded form from the master computer to any slave computer.

The "time-to-market" is reduced to a minimum of the time originally required.

With the transfer of coded units of the respective functionality from the master computer to the slave computer, a so-called “international rollout” is achieved without having to adapt market-specific requirements and / or regulatory and legal requirements to locally different parameters.

Geographical and / or legal adaptations can be set up with the aid of at least one coding and transferred from the master computer to the slave computer.

To do this, it is sufficient to upload a duplicate of a production environment to a storage device on a master computer.

The storage system of the master computer can be a data center or a local cloud.

In this way, the installation times and the set-up times can be minimized.

The master computers can each have host locations at locations that differ from one another locally.

Host locations may be exemplary and in no way exclusive, in every country and / or on every continent of the world.

This proves to be advantageous because the user no longer has to deal with local and / or national and / or regional hosting issues.

The "hosting" guarantees short server latencies with simultaneous availability of support and service over 24 hours, 7 days a week.

Identity and access management systems and / or associated software program products can be divided into different versions, depending on the needs and / or the requirements of the user. Regardless of any market- and / or user-specific adaptations, the Identity and Access Management System and / or the associated software program product remains the same in the basic version.

In this way, the development effort can be reduced across all versions. Process reliability can also be increased across all versions.

The basis for each new version is a tried and tested version of the Identity and Access Management System and / or the associated software product.

Identity and access management systems and / or associated software program products can continue to be used as so-called cloned systems and software program products as soon as they have been checked and approved by users.

The method ensures the consistency of the user data and / or information.

Instead of integrating the user's user data management processes directly into the user's slave computer, the data and / or information is imported into a duplicated system in the master computer.

The tested and error-free data and / or information are preferably transmitted in coded form from the master computer to the slave computer of the user.

In this way, the systems of the master computer can be identical to the system of the slave computer.

Since the systems of the master computer are identical to the system of the slave computer in this way, the migration of data and / or information from the master computer to the slave computer can be carried out without great effort.

A planned production system of the user, including all the necessary processes, can be tested in detail using the master computer.

Valuable usage data of the user remain in the slave computer and can therefore not be damaged.

After the identity and access management system has been successfully tested in the slave computer and after the software program product has been successfully tested in the master computer, the systems and software program products that have been tested and found to be good can be transferred from the master computer to the slave computer.

Master computer and slave computer

The relationship between the master computer and the slave computer describes a hierarchical management of access to shared resources, data or information.

The resources comprise the units of the functionalities of the respective components of the master computer. The master computer comprises at least one arithmetic unit and / or at least one storage unit as components. An additional component of the master computer is the further work component.

The further work component can be any hardware unit of the master computer that is required to execute a computer program product.

The master computer communicates with at least one slave computer.

The master computer is designed to generate functional units of its arithmetic logic unit and / or functional units of its storage unit and / or functional units of a further work component.

To transfer the unit of the respective functionality from the master computer to the slave computer, the respective unit of the functionality of the arithmetic unit and / or the storage unit and / or the functionality of the further working components is translated into a code.

Depending on the needs and / or requirements of the user, the units of the respective functionality are transmitted in coded form from the master computer to the slave computer.

The master computer also includes a software program product. The master computer's software program product controls the master computer.

The master computer preferably generates units of the functionality of the software program product with the aid of its arithmetic unit.

The respective unit of functionality of the software program product of the master computer is translated into code.

To the extent and / or to the extent that the slave computer requires the respective units of functionality of the master computer, the units of functionality are transmitted in coded form from the master computer to the slave computer.

The master computer includes a storage unit. The storage unit is designed as a data memory or as a storage medium and is used to store data and / or information.

The storage unit of the master computer can be an electronic component. It can also be a data carrier or a storage medium. The storage facility can be a cloud in which data and / or information is stored via the Internet.

The invention preferably understands the term “arithmetic logic unit” to mean an electronic switching unit for executing commands of a software program product. The arithmetic unit of the computer has building blocks for programming, with which any processing logic for data can be mapped.

By way of example and in no way exclusively, the arithmetic unit of the master computer is an arithmetic-logic unit (ALU).

code

A code is a regulation in which a character and / or a character sequence from another character set is uniquely assigned to each character from a first set of characters.

In the present invention, the code is used to exchange data and / or information between the master computer and the slave computer.

The code is preferably used to transfer units of the functionality of the arithmetic unit and / or the storage unit and / or the further working component of the master computer to the slave computer.

The code is used to transfer the unit of functionality of the software program product from the master computer to the slave computer.

To transfer the respective units from the master computer to the slave computer, the respective unit of functionality is translated into at least one code. In this way, the respective unit of functionality is transmitted in coded form from the master computer to the slave computer.

To transmit the code, the master computer and / or the slave computer include at least one information-formulating entity (recorder / transmitter).

The master computer and / or the slave computer additionally comprise at least one information-receiving entity. The entity receiving information is designed as a reading device or as a receiver.

The coded unit of the respective functionality is transmitted as information in coded form between the master computer and / or the slave computer.

The transfer of units of the respective functionality takes place from the master computer to the slave computer.

The transmission of data and / or information, preferably in the form of units of a respective functionality, can also be transmitted from the slave computer to the master computer.

At least two codes can be stored in at least one code storage device (code repository).

The invention understands the code storage device to be a device of the arithmetic unit and / or the storage unit of the master computer in which each version of the identity and access management system and / or each version of the software program product is managed.

In the code memory device, all versions of the units of functionality, preferably of the arithmetic unit and / or of the storage unit and / or of the further work component, are translated into the respective code, bundled and stored.

All codes of the respective units of functionality are managed and structured in the code storage device.

With the help of predetermined rules, the code is continuously provided by the master computer. With the help of the rules, the code is continuously integrated into the slave computer.

When the at least one code is transmitted from the master computer to the slave computer, the code is provided and / or integrated into the slave computer with the aid of a predetermined automation infrastructure (CI / CD).

The code that is transmitted from the master computer to the slave computer is preferably a text file and in particular follows predetermined semantics.

The automation infrastructure applies dynamic changes to the transfer from the master computer to the slave computer based on the existing runtime conditions. Which these are is specified by the "Configuration-as-Code". The "Configuration-as-Code" can be carried out using the Go-Templating-Language as an example, but not exclusively. This is a language for the semantic description of logical dependencies for the modification of any output. It is implemented in the Go programming language.

Unity of functionality

The unit of the respective functionality and / or the unit of configuration are adapted and / or adapted before or during or after the transfer from the master computer to the slave computer.

The respective unit of functionality and / or configuration is transmitted individually or in so-called packages.

The unit of the respective functionality and / or the configuration is scaled before or during or after the transfer from the master computer to the slave computer.

The term “scaling” is understood by the invention to mean a subdivision and / or an evaluation of the units of the functionalities or the configuration according to a certain ranking, preferably according to physical quantities.

The units of the functionalities and / or the configuration can be scaled before or during or after the transmission according to predetermined numerical values and / or according to units of measurement. The preceding list is only exemplary and in no way intended to be conclusive.

By transferring the unit of functionality or configuration translated into at least one code, the capacity of the arithmetic unit and / or the capacity of the storage unit and / or the capacity of the further work component are preferably expanded and / or changed.

By transmitting the unit of the functionality and / or the configuration of the software program product translated into at least one code, the capacity and / or areas and / or steps of the software program product are expanded and / or changed. Here, too, the list is only exemplary and in no way intended to be conclusive.

The units of the functionalities and / or the configuration transferred from the master computer to the slave computer are each designed as a service. The master computer provides the service for the slave computer.

The service is provided by the master computer to the arithmetic unit and / or to the storage unit and / or to the further work component of the slave computer made.

The transfer of at least one unit of the functionality and / or the configuration of the software program product of the master computer to the slave computer is carried out as a service. The service is provided from the master computer to the slave computer.

The transmission of the unit of functionality and / or configuration translated into the code from the master computer to the slave computer is preferably carried out automatically.

It goes without saying that the transmission can also take place manually or according to predetermined rules.

The software program product is designed as system software. The software program product can be support software. It can also be application software. The list provided is only to be seen as an example and is in no way intended to be conclusive.

Runtime environment (Kubernetes)

In the context of the invention, the term “runtime environment” describes the available and specified requirements of a runtime system, preferably in the slave computer, which are preferably required for operating the software program product.

The runtime environment (Kubernetes) is defined by elementary components of a programming language. The elementary components of the programming language are preferably, but not comprehensively, the behavior of language constructs and / or functions such as type checking, debugging or code generation or code optimization.

The runtime environment comprises at least one runtime library and / or a standard library and / or programming interfaces.

The runtime environment includes runtime variables. Hardware and software components can be provided via operating system functions.

The runtime environment comprises at least one function with which a monitoring and / or a process check can preferably be carried out.

The runtime environment comprises at least one function with which a debugging process and / or code generation and / or code optimization can be carried out.

Interfaces can be set up and operated with the runtime environment.

A “single sign-on process” can also be carried out through the software system introduced into the runtime environment.

The transfer of the units of the functionalities and / or the configuration from the master computer to the slave computer can take place simultaneously and / or automatically in at least two runtime environments.

Runtime environments are arranged in parallel or in series with one another.

Runtime environments are arranged in locally different locations.

Runtime environments are adapted to locally differing parameters.

The runtime environment allows containers to be executed. The identity and access management system that is the subject of the invention follows the microservice architecture concept and the runtime environment is designed to be able to run systems that follow this concept particularly well. A micro-service is the smallest possible component in a distributed system.

At least two runtime environments are configured in clusters of runtime environments (Kubernetes clusters).

layers

The respective layer of the layer architecture is referred to as the “service layer”. In the following, however, a “layer” is used to simplify matters.

The components and / or the code storage device of the master computer and / or the slave computer are structured in at least two layers that differ from one another.

The units of the functionalities and / or the configurations and / or the associated codes and / or the specified rules for providing or for integrating the codes are each structured in at least two layers that differ from one another.

The units of the software program product translated into codes and / or the at least two parameters for configuration are in each case structured at least two different layers.

Likewise, at least two runtime environments can each be structured in at least two different layers.

The at least one unit of the functionality of the software program product and / or the configuration are structured in at least two layers according to an internal dependency and / or an external dependency.

The structuring of the unit of functionality of the software program product and / or the configuration can be structured separately in at least two layers according to an external dependency and / or according to an integration logic and / or according to a basic configuration.

The at least one unit of the functionality of the arithmetic logic unit and / or the at least one unit of the functionality of the storage unit and / or the at least one unit of the functionality of the working component and / or the at least one unit of the functionality of the software program product can at least after an internal reference in at least two layers are structured. The structuring in at least two layers can also be structured separately in layers according to a specified user configuration and / or according to a deployment abstraction (that part of the configuration that relates to an environment must be abstracted).

The at least one unit of the functionality of the arithmetic unit and / or the at least one unit of the functionality of the storage unit and / or the at least one unit of the functionality of the work component can, depending on at least one infrastructure configuration and / or depending on at least one cluster service Configuration and / or can be structured in at least two layers depending on a user service configuration.

The at least one unit of the functionality of the software program product can be structured in at least two layers depending on at least one infrastructure configuration and / or depending on at least one cluster service configuration and / or depending on at least one user service configuration.

The structuring enables a layer architecture according to hierarchical levels that differ from one another.

The respective layers can be connected to one another and / or integrated into one another by assigning references. A shift can overwrite another shift if necessary.

Each layer can preferably comprise at least two so-called “sub-layers”.

Layered architecture

For clarification, the layer architecture is explained in more detail using the example of three assumed layers. By way of example and in no way exclusive, a first layer (referred to as: component) is assumed that relates to the software program product of the master computer.

A second layer (referred to as: user service) comprises the configuration of the hardware components of the slave computer and / or the configuration of the software program product according to the requirements and special features of the user.

The third layer (referred to as: user stage) preferably relates to the units of functionality of the hardware components that are transmitted from the master computer as respective units of functionality in coded form to the slave computer.

The layers of the layer architecture form the basis for structuring the respective codes. With the help of the layered architecture, the code storage facilities (code repository) and the artifacts (files that are used by the automation infrastructure for further processing. They are for example precompiled software code, containers and other files) can be structured.

The respective layers form the automation infrastructure within the process for executing the identity and access management system, as well as the associated software program product.

The layers of the layered architecture are used to implement and / or ensure continuous installation and continuous integration of the units of functionality and / or configuration that are communicated and transmitted from the master computer to the slave computer.

With the help of the layer architecture, specific user environments can preferably be transmitted from the master computer to the slave computer in coded form and installed.

With the help of the automation infrastructure, the data and / or information that are defined in the respective layer architecture can be used across at least two users.

With the help of the automation infrastructure, different versions of identity and access management systems and / or of the associated software program products can be developed and / or completely installed on the slave computer.

Specific changes to the identity and access management system as well as to the associated software program product can be developed and tested for the respective user in the master computer.

The tested changes are transmitted from the master computer in coded form to the slave computer, where they are implemented and configured to the respective requirements and needs of the user.

With the help of the layers of the layer architecture, a layer architecture of the slave computer can be simulated in the master computer.

The layer architecture of the slave computer, which is simulated in the master computer, enables the installation and / or testing of all special features and / or requirements that are necessary for the slave computer of the user. The replication of the slave computer of the user in the master computer comprises the complete environment of the slave computer with all necessary peripheral systems that are subject to the control of the layers of the layered architecture.

The data or information of the hardware components of the master computer and the associated software program product are configured within the master computer to the requirements and requirements of the user.

The units of the functionalities configured in each case for the user are then communicated and transferred from the master computer to the slave computer.

The configuration files, which contain the data and / or information on the configuration of the user, are transferred in codes and in the form of codes across all layers using, for example, but not limited to, a go-templating language from the master computer to the slave computer transfer.

The configuration files to be transmitted from the master computer to the slave computer can include and / or map at least one logic. In this way, the configuration can be used to react flexibly and dynamically to user dependencies or parameters.

First layer (referred to as: component)

In connection with the first layer, the invention understands the term “internal dependency” to be a reference of the respective first layer, preferably to any hardware component, in order in this way to make the layer dependent on the respective hardware component.

The term “external dependency” expresses a dependency of the respective layer, preferably on external software libraries. The term “software library” is preferably, but not exclusively, understood to mean “open source”. It can also mean “Docker Images” or “Helm Charts”.

The internal and / or external dependencies are copied into the infrastructure of the layer architecture. As part of the master computer, the internal and / or external dependencies are checked for so-called vulnerabilities (preferably CVEs) or for license compatibility.

The term “integration logic” describes that logic is preferably implemented in the respective layer in order to integrate the respective component with preferably at least one cluster service. The term integration logic also includes automated monitoring of availability and / or monitoring of metrics. Integration into a centralized log management is also included. In addition, an implementation of required logics for the installation, preferably of software program products, can also be meant.

The term “basic configuration” is understood by the invention to mean the configuration of so-called use cases, with the help of which projects can be started with less expenditure of time.

The so-called basic configuration can preferably be combined with other hardware components or with software components or integrated into other components. However, there is no need to depend on the basic configuration and the respective component.

The configuration is transferred from the master computer to the slave computer in the tried and / or tested state.

The aforementioned first layer is preferably designed as a cluster service. It can also be a basic component (one or more basic components are referenced and configured in a user service - see next layer - in order to configure the user-specific part and implement the IAM use cases. They provide the basis or basis for higher-quality components.).

A “cluster service” is operated by at least two layers (so-called service layers). A cluster service can be designed to be user-specific.

The cluster service is preferably, but not exclusively, presented as a centralized "logging system". The cluster service can also be an automated monitoring system or a so-called “tagger”.

With the help of the tagger, resource evaluations are carried out in cloud environments.

At least one so-called basic component can be referenced and configured with the second layer (referred to as: user service).

The user-specific part of the respective units of the functionalities is configured with the help of the layer of the layer architecture “User Service”. At the same time, an identity and access management use case is implemented.

Second layer (referred to as: user service)

The layer of the layered architecture “user service” is the center of the identity and access management system from the perspective of the user.

All data and / or information that is user-specific is bundled in the form of configurations in the second layer (referred to as: user service). In the context of the second layer of the layered architecture (referred to as: user service) the invention understands the term “internal references” to mean a reference to one or more basic components within the layered architecture.

The term “configuration of the user” includes a complete user-specific configuration according to the needs and / or requirements of the user. The basic configuration can be supplemented by further data and / or information from the user and in particular also overwritten.

An addition and / or overwriting of the basic configuration enables further implementation of individual requirements of the user.

In addition, codes or parts of codes for the configuration of the basic components can also be overwritten or supplemented.

In this way, comprehensive flexibility is achieved within the identity and access management system.

The term “installation abstraction” (deployment abstraction) is understood by the invention to mean that that part of the configuration that relates to an environment must be abstracted.

An environment-specific part of the configuration differs depending on the progress of the installation.

As an example, but in no way exclusively, the URL under which the Identity and Access Management System can be reached will have to be configured differently depending on the system.

As a result, the configuration does not take place in the aforementioned second layer (referred to as: user service).

Rather, this part of the configuration is abstracted as an environment variable. The configuration only takes place when the system is installed.

The same artifacts are therefore used in different environments.

In this way, quality assurance is guaranteed across a large number of installations.

An abstraction of the part of the configuration preferably includes passwords from individual systems or versions.

The so-called user component is a logical component. The logical component can comprise at least two so-called “subsystems and / or subcomponents”. The sub-systems and / or sub-components represent a complex overall system.

The combination of the user service layer into one user component enables the identity and access management system to be divided into different versions.

The entire system can be transferred to other environments (stages).

The entire system can also be made available in a single stage.

Third layer (referred to as: user stage)

The third layer (referred to as the user stage) is passed through for each phase of the identity and access management system that the user requires.

The first layer (component) and the second layer (user service) essentially relate to at least one software program product (software artifacts).

The third layer “user stage” preferably, but not exclusively, includes hardware components. Hardware components are preferably, but not exclusively, the arithmetic unit and / or the storage unit and / or the at least one working component of the respective computer.

With the third layer (denoted: user stage), units of the functionality of the arithmetic unit and / or of the storage unit and / or of the further working components of the master computer are preferably transferred from the master computer to the slave computer.

The transmission takes place in coded form.

The third layer (called: user stage) leads to an executable and usable identity and access management system on the slave computer.

In the context of the third layer, the invention understands the term “infrastructure configuration” to mean the case of a system in which at least one runtime environment (Kubernetes) is provided.

The runtime environment is configured using a code. A so-called “Infrastructure-as-Code” approach is used here.

The infrastructure configuration includes the configuration of at least two accesses to at least two infrastructure components.

Within the infrastructure configuration, the type of resources used and the limits set for the automatic, elastic scaling relative to the runtime are configured according to the needs and / or the requirements of the user.

Preferably, but not exclusively, it is determined how many so-called “worker nodes” can be booked in clusters and dynamically, preferably in a cloud environment, when the load is high.

In the context of the third layer (referred to as: user stage), the invention understands the term “cluster services configuration” to be a reference between the cluster services to be used.

For the cluster services used, those parts that are stage-specific are configured.

For example, but in no way comprehensive, automated monitoring is activated. Due to the specific configuration of the stages, an alarm, preferably of a support staff, is only issued in the productively used stage, but not, for example, in stages used for test purposes.

In the context of the term “user service configuration”, the data and / or information are configured that were preferably configured in a “deployment abstraction” sub-layer.

Resource limits of individual components can preferably be overwritten as part of the user service configuration.

As an example, but in no way comprehensive, the components in a further “Production” stage use more resources than in a further “Quality Assurance Stage” layer.

Representation of a layer architecture using the example of automatic registration for monitoring

In the present example it is assumed that each component has an interface to the respective external environment.

It is further assumed that the first layer (referred to as: component) comprises a sub-layer “integration logic”.

In the "integration logic" sub-layer of the first layer, it is defined how the first layer is monitored. It is also defined in which cases alarms should be sent.

A cluster service "Active Monitor Watcher" is provided, which monitors an installation in a cluster.

If further additional services are added to the identity and access management system, the configuration is evaluated dynamically. The dynamically evaluated configuration is registered with an external monitoring service via an API.

The component installed in this way is automatically monitored.

Depending on the respective user configuration, alarm messages are sent directly to the support staff in the event of specific problems.

This proves to be particularly advantageous since a complete monitoring system does not have to be set up for each individual user. Rather, the “Active Monitor Watcher” cluster service can react to the current current status. Necessary configurations are made automatically.

The “Active Monitor Watcher” cluster service has proven to be extremely advantageous, as the availability and unavailability of exposed endpoints can be monitored automatically.

The cluster service is preferably, but not exclusively, supplemented by a so-called "health service".

The so-called “health service” makes it possible to describe test cases for the overall system in a preferably descriptive and / or human-readable language. For example, but not limited to the Gurkin language.

The test cases for the overall system go beyond a pure availability check.

A single sign-on scenario across multiple systems can be tested as an example and also not comprehensively.

The “health service” enables the user to specify so-called performance target values for the response times of components.

To validate so-called service level agreements, tests can be carried out using human-readable language, with which the service level agreements can be validated.

The validation can be carried out together with the user.

The validation can also be checked automatically.

With the help of the aforementioned "Active Monitor Watcher", the health service can automatically monitor test cases. With the help of the "Active Monitor Watcher", alarm signals can be sent to available support staff.

In addition, so-called reporting values can be reported back by the support staff.

Global token processing

Identity and access management systems from different countries or regions each have at least one token independently of one another.

The respective tokens of the different countries or regions are incompatible with one another.

In order to decrypt the respective national or regional tokens, keys must be distributed worldwide.

The distribution of such keys represents a particular security risk. The exchange of data within such tokens between individual countries and / or regions may be inadmissible for legal reasons.

This global check takes place without having to replicate personal data between the respective countries and / or regions.

Intelligent user roaming

The invention provides that data and / or information are subdivided into at least two areas within the framework of the identity and access management system.

A first profile can preferably be read by the user in plain text. However, legibility does not include passwords and stored knowledge.

A global profile is planned.

The global profile includes at least two attributes of the local profile.

The attributes of the local profile can be configured in the global profile in a form that cannot be restored and / or is not readable. This is a so-called hash.

The global profile preferably, but not exclusively, includes so-called unique identifiers.

As an example, but not exclusively, a so-called hash of a login name must be entered in order to carry out a login in at least one other region.

The hash of the login name in particular denotes a value that the user types in when logging in. This can in particular be the email address or the mobile phone number of the user.

In addition, a so-called hash of the password must be provided.

The local profile can be supplemented by further, in particular user-specific, attributes. In this way, users in other regions can also connect to the system of the respective region without having to transfer and save the complete profile.

The user's digital services can thus be used without compromising on travel, for example.

Automatic detection of an LDAP topology for a replication

In the context of the layer architecture, a so-called “topology configurator” can preferably be installed in a lower layer of the “component” layer.

The lower layer is designed as an "integration logic".

Such a topology configurator is preferably executed when a so-called pod is started. A target / actual comparison is carried out using the topology configurator.

With the aid of the target / actual comparison, the role of a so-called pod in the present Identity and Access Management System is recognized and configured.

The topology configurator carries out further steps so that the so-called pod can preferably delete existing data and / or create backups of other systems.

In this way, a pod can react dynamically to the existing situation of the runtime environment and other pods that belong to the same LDAP cluster. He can independently determine whether he is required in the role of master or slave and, depending on this, make his own configuration dynamically.

It goes without saying that the pod can also include other functions.

Claims (25)

Method for executing an identity and access management system, in which at least one layer is provided and a master computer communicates with at least one slave computer, - the master computer comprising at least one component, each as an arithmetic unit and / or as a storage unit and / or is designed as at least one working component, with each unit of the functionality of the arithmetic unit and / or the storage unit and / or the further working component of the master computer being generated, and - the respective units of the functionality of the arithmetic unit and / or of the storage unit and / or the functionality of the further work component are translated into code and transmitted in coded form from the master computer to the slave computer, - the master computer being controlled with the aid of the arithmetic logic unit, and at least one software program product working to control , where - units of the functionality of the softw are program product are translated into a code and transmitted in coded form from the master computer to the slave computer, - the arithmetic unit and / or the memory unit and / or the further work component and / or the software program product of the master computer depending on at least one parameter of the at least one slave computer, and - the respective configuration is translated into a code and transmitted in coded form from the master computer to the slave computer, - wherein in a memory of the slave computer data and / or information User are stored, and - in an arithmetic unit of the slave computer from the data and / or from the information, a personal profile for identification and / or authentication and / or authorization of the user is created, - the units translated into a code the functionality of the arithmetic logic unit and / or the storage unit and / or which translates into a code eten units of the functionality of the further work component and / or the software program product and / or the configuration from the master computer in the arithmetic unit and / or in the storage unit and / or in the further work component and in at least one runtime environment (Kubernetes) of the slave computer - whereby the data and / or information of the user in the arithmetic unit and / or in the storage unit and / or in the further working component of the slave computer with the help of the transferred functionalities of the software program product and / or processed, and the units of the functionalities transferred from the master computer to the slave computer and translated into a code on the arithmetic unit and / or the storage unit and / or act on the further work component and / or on the software program product of the slave computer. Procedure according to Claim 1 , characterized in that at least two codes are stored in at least one code storage device (code repository). Procedure according to Claim 1 , characterized in that the at least one code is continuously provided and / or continuously integrated with the aid of predetermined rules (CI / CD). Procedure according to Claim 1 or 2 , characterized in that the components and / or the code storage device and / or the rules and / or the translated units and / or the at least one software program product and / or the at least one code and / or the at least one parameter and / or the at least one Runtime environment can be structured in at least two different layers. Procedure according to Claim 1 , characterized in that the at least one code is provided and / or integrated with the aid of a predetermined automation infrastructure. Procedure according to Claim 1 , characterized in that the at least one code is edited and processed with the aid of a so-called templating language. Procedure according to Claim 1 , characterized in that the code is a text file and / or follows predetermined semantics. Procedure according to Claim 4 , characterized in that the at least one unit of functionality of the software program product is structured in layers according to an internal dependency and / or an external dependency and / or an integration logic and / or a basic configuration. Procedure according to Claim 1 , characterized in that the at least one unit of the functionality of the arithmetic unit and / or the at least one unit of the functionality of the storage unit and / or the at least one unit of the functionality of the working components and / or the at least one unit of the functionality of the software program product at least according to an internal Reference and / or separated according to a user configuration and / or according to a deployment abstraction, structured in layers. Procedure according to Claim 1 , characterized in that the at least one unit of the functionality of the arithmetic unit and / or the at least one unit of the functionality of the storage unit and / or the at least one unit of the functionality of the working component and / or the at least one unit of the functionality of the software program product depending on at least one Infrastructure configuration and / or at least one cluster service configuration and / or at least one user service configuration, are structured in layers. Procedure according to Claim 1 , characterized in that the units of the functionalities and / or the configuration are adapted before or during or after the transmission. Procedure according to Claim 1 , characterized in that the units of the functionalities and / or the configuration are transmitted individually or in packages. Procedure according to Claim 1 , characterized in that the units of the functionalities are scaled before or during or after the transmission. Procedure according to Claim 1 , characterized in that the capacity of the arithmetic unit and / or the storage unit and / or the further work component and / or the software program product of the slave computer is expanded and / or changed by the transmission of the unit of functionality translated into at least one code. Procedure according to Claim 1 , characterized in that the units of the functionalities transmitted from the master computer to the slave computer are each designed as a service that is carried out on the arithmetic unit and / or on the storage unit and / or on the further work component. Procedure according to Claim 1 , characterized in that the transfer from the master computer to the slave computer takes place automatically. Procedure according to Claim 1 , characterized in that the runtime environment comprises at least one function with which a monitoring and / or a sequence check and / or a debugging process and / or a code generation and / or a code optimization and / or an interface is preferably carried out. Procedure according to Claim 1 , characterized in that the transfer of the units of the functionalities and / or the configuration from the master computer to the slave computer takes place simultaneously and / or automatically in all runtime environments. Procedure according to Claim 1 , characterized in that the at least two runtime environments are arranged in parallel or in series next to one another. Procedure according to Claim 1 , characterized in that the runtime environments are arranged at locally different locations. Procedure according to Claim 1 , characterized in that the runtime environments are adapted to locally differing parameters. Procedure according to Claim 1 , characterized in that the identity and access management system is designed as a container, preferably as a micro-service. Procedure according to Claim 1 , characterized in that the runtime environments are configured in clusters of runtime environments (Kubernetes clusters). Procedure according to Claim 1 , characterized in that the software program product is system software or support software or application software. System for carrying out the method according to one or more of the preceding claims, characterized in that a master computer communicates with at least one slave computer, - wherein the master computer comprises at least one component, each as an arithmetic unit and / or as a Storage unit and / or is designed as at least one working component, wherein - each units of the functionality of the arithmetic unit and / or the storage unit and / or the further working component of the master computer are generated, and - the respective units of the functionality of the arithmetic unit and / or the Storage unit and / or the functionality of the further working component are translated into a code and transmitted in coded form from the master computer to the slave computer, - the master computer being controlled with the aid of the arithmetic unit, and at least one software program product working to control it, where - each units of the functionality of the Sof tware program product are translated into a code and transmitted in coded form from the master computer to the slave computer, - the arithmetic unit and / or the storage unit and / or the further working component and / or the software program product of the master computer depending on at least one parameter of the at least one slave computer, and - the respective configuration is translated into a code and transmitted in coded form from the master computer to the slave computer, - wherein in a memory of the slave computer data and / or information User are stored, and - in an arithmetic unit of the slave computer from the data and / or from the information, a personal profile for identification and / or authentication and / or authorization of the user is created, - the units translated into a code the functionality of the arithmetic logic unit and / or the storage unit and / or which practice in a code Transferring set units of the functionality of the further work component and / or the software program product and / or the configuration from the master computer to the arithmetic unit and / or to the storage unit and / or to the further work component and to at least one runtime environment (Kubernetes) of the slave computer - the data and / or information of the user being edited and / or processed in the arithmetic unit and / or in the storage unit and / or in the further work component of the slave computer with the aid of the transferred functionalities of the software program product, - and those of the master -Computer to the slave computer, translated into a code units of the functionalities act on the arithmetic unit and / or the storage unit and / or on the further working component and / or on the software program product of the slave computer.