WO2009000276A1 - Identity management system for assigning end-users with access rights to systems coupled to a central server - Google Patents

Identity management system for assigning end-users with access rights to systems coupled to a central server

Info

Publication number
WO2009000276A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
systems
users
user
central server
Prior art date
Application number
PCT/DK2008/050152
Other languages
English (en)
Inventor
Thomas Boel Sigurdsson
Morten Mygind Nielsen
Original Assignee
Omada A/S
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Omada A/S
Publication of WO2009000276A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems

Definitions

  • the present invention relates to an identity management system and a method for assigning an end-user with access rights to systems coupled to a central server.
  • the present invention further relates to a platform for assigning an end-user with access rights to systems coupled to the central server.
  • Identity Management challenges have become a common theme across various types of organizations. As an example, the days of simply supplying new employees with a desk, PC and telephone are over. Now, there are company courses to schedule, a security pass to arrange, and multiple log-ins and passwords to applications and networks to set up. Until now, Identity Management has been a manual operation. This means e.g. that if a new employee, or an employee who is moving from one department to another, is to be provided with access rights to various systems within an organization, a programmer or an expert needs to generate access rights to the various systems. These access rights may include different access levels for different systems, and access to only a part of the systems present within the organization. If this employee is e.g.
  • a new access profile needs to be created. Also, if e.g. the same employee quits his job and then later on starts again, the access profile needs to be re-created because the old access profile has typically been deleted. Also, in case a new system replaces one or more of the existing systems or is added to the existing systems and an existing employee needs an access to this new added system, a new access profile needs to be created.
  • the object of the present invention is to overcome the above mentioned drawbacks by providing a user friendly and interactive way for assigning an end-user with access rights to various systems coupled to a central server.
  • the present invention relates to an identity management system for assigning end-users with access rights to systems coupled to a central server, the identity management system comprising:
  • an input unit for receiving requests from the end-users, the requests including information identifying the end-users and the requested access rights to at least one of the systems,
  • an identity management module for generating electronic access profiles for the end-users based on the received requests, the electronic access profiles including end-user identifiers identifying the end-users and access rules associated to the end-user identifiers defining the access rights to the systems, and
  • a transmitter for transmitting the end-user identifiers and the associated access rules to the central server, wherein the central server is adapted to establish access rights to the systems for the end-users by forwarding the received end-user identifiers and the access rules to the systems, the central server further being adapted to update existing electronic access profiles and establish access rights to the systems based on the updated electronic access profiles.
  • a very user friendly way is provided for generating an end-user access profile for various end-users, and further, an interactive way is provided for updating existing profiles in e.g. cases where the access rights to the systems must be changed.
  • This can be the case where the end-user is an employee within a large corporation who is transferred between divisions within the same corporation such that the access rights to the systems change.
  • the access profile will be reactivated. Accordingly, the access profiles need to be generated only once for one and the same end-user.
  • the identity management system further comprises a managing accepter for evaluating the requested access rights for said end-users, the evaluation resulting in accepting or rejecting the requested access rights.
  • the identity management system further comprises an administrator for granting or rejecting the evaluation from the managing accepter, the granting resulting in issuing a confirmation signal for the requested access rights, said transmitting of the end-user identifiers and the access rules being performed after issuing said confirmation signal.
  • the central server is an identity data management server having stored therein said existing electronic access profiles to said systems for the existing end-users, wherein updating the existing electronic access profiles includes adapting the access rules of the existing electronic access profiles to the access rules of the electronic access profiles received from the transmitter having the same end-user identifiers.
  • identity data management server a user friendly way is provided for updating existing access profiles stored at said central server (identity data management server).
  • the end-users are connected to the input unit over a communication channel and wherein the received request is provided by filling out an electronic access profile template comprising a questionnaire, the questionnaire containing a number of questionnaire elements each being associated with an identifier identifying the questionnaire elements.
  • the request from the end-user is an electronic request which the end-user can submit over e.g. the internet.
  • the employee could therefore fill out the request by e.g. identifying the new role within the department in Germany, enter his/her preferred access rights to the systems that are highly relevant for his/her new job.
  • the employee could currently belong to the booking department but is to be moved to the financial department.
  • the questionnaire elements include one or more of the following questionnaire elements:
  • the received requests are provided by filling out an electronic access profile template comprising a questionnaire containing a number of questionnaire elements, each questionnaire element being associated with an identifier identifying the questionnaire elements, the system further comprising an access profile updater for updating said access profile templates when a system is added to the central server, or removed from the central server or updated at the central server, where in response to such adding, removing or updating, an identifier is issued identifying the changes being made in the systems, where the identifier is transmitted over the central server to the access profile updater which updates the electronic access profile template accordingly.
  • the communication channel is a wireless or wired communication channel. This could e.g. be the internet, the Bluetooth protocol, LAN, fiber optic cables and the like.
  • the identity management system further comprises the memory for storing the electronic access profiles.
  • the input unit, the identity management module and the transmitter are integrated into an access profile management server.
  • the requests made by said end-users are electronic requests and wherein the input unit is a receiver adapted to receive the electronic requests from the end-users.
  • the present invention relates to a method of assigning end-users with access rights to systems coupled to a central server, the method comprising:
    • receiving a request from the end-users, the request including information identifying the end-users and the requested access rights to at least one of the systems,
    • generating electronic access profiles for the end-users based on the received requests, the electronic access profiles including end-user identifiers identifying the end-users and access rules associated to the end-user identifiers defining the access rights to the systems, and
    • transmitting the end-user identifiers and the associated access rules to the central server,
    wherein the method further comprises:
  • the systems coupled to a central server are associated to a particular organization, and wherein the end-users are employees of said organization.
  • a particular advantage of the present invention is within all kinds of organizations of all sizes, particularly larger organizations where the number of systems can be hundreds or even thousands.
  • the employees are new employees or employees moving between divisions within said organization or employees stopping their work.
  • the method prior to transmitting the end-user identifiers and the access rules, the method further includes the step of:
  • the granting further including issuing a confirmation indicating that the request has been granted.
  • the present invention relates to a computer program product for instructing a processing unit to execute the above mentioned method steps when the product is run on a computer.
  • the present invention relates to a platform for assigning end-users with access rights to systems coupled to a central server, comprising:
    • an input unit for receiving requests from the end-users, the requests including information identifying the end-users and the requested access rights to at least one of the systems,
    • an identity management module for generating an electronic access profile for the end-users based on the received requests, the electronic access profiles including end-user identifiers identifying the end-users and access rules associated to the end-user identifiers defining the access rights to the systems, and
    • a transmitter for transmitting the end-user identifiers and the associated access rules to the central server, wherein the central server is adapted to establish access rights to the systems for the end-users by forwarding the received end-user identifiers and the access rules to the systems, the central server further being adapted to update existing electronic access profiles and establish access rights to the systems based on the updated electronic access profiles.
  • the identity data management server is a Microsoft Identity Integration Server® (MIIS).
  • Figure 1 shows an embodiment of an identity management system according to the present invention for assigning an end-user with access rights to systems coupled to a central server
  • Figure 2 shows another embodiment of the identity management system shown in Fig. 1,
  • Figure 3 shows a flowchart of an embodiment of a method according to the present invention for assigning an end-user with access rights to systems coupled to a central server
  • Figure 4 shows a platform according to the present invention for assigning an end-user with access rights to systems coupled to a central server integrated between a pre-existing server and end-user interface
  • Figure 5 depicts graphically one example of a user interface
  • Figures 6a and 6b depict an embodiment of data cleaning and attestation.
  • FIG. 1 shows an embodiment of an identity management system 100 according to the present invention for assigning an end-user 103 with access rights to systems 120 coupled to a central server 106.
  • the identity management system 100 comprises an input unit (I_U) 101, an identity management module (I_M_M) 102 and a transmitter (T) 112.
  • the input unit (I_U) 101 is adapted to receive a request from the end-user 103, the request including information identifying the end-user 103 and the requested access rights to at least one of the systems 120.
  • the identity management module (I_M_M) 102 is adapted to generate an electronic access profile 110 for the end-user 103 based on the received request, where the electronic access profile includes an end-user identifier identifying the end-user 103 and access rules associated to the end-user identifier defining the access rights to the systems 110-112.
  • the transmitter (T) 112 is adapted to transmit the end-user identifier and the associated access rules 105 to the central server 106.
  • the central server 106 is adapted to establish access rights to the systems 120 for the end-user 130 by forwarding the received end-user identifier and the access rules 105 to the systems 120.
  • the central server 106 is a kind of state machine that contains the valid state of all connected systems 120-125 including the identity management system. It has specific connectors to each of the external systems to which access rules are applied, i.e. it knows specifically where and how to apply access rules.
  • the central server 106 is an identity data management server. This may e.g. be a "Microsoft Identity Integration Server 2003" or "Microsoft Identity Lifecycle Manager 2007". Typically, such servers are adapted to store and integrate access profiles of an organization/company with multiple directories. Accordingly, such a central server provides organizations with a unified view of all known identity information about users, applications, and network resources, and the access status each individual (employee as an example) has to the systems coupled to the server.
  • a typical prior art identity data management server works such that it receives identity information from the connected systems and stores the information in the connector space as connector space objects, or e.g. as CSEntry objects in the case where the central server 106 is MIIS.
  • the CSEntry objects are then mapped to entries in the metaverse called metaverse objects or MVEntry objects.
  • This process allows data from separate connected data sources to be mapped to the same MVEntry object.
  • an organization's e-mail system can be linked to its human resources database through the metaverse.
  • MIIS 2003, Enterprise Edition includes support for a wide variety of identity repositories including the following:
  • Network operating systems and directory services such as Microsoft Windows NT, Active Directory, Active Directory Application Mode, IBM Directory Server, Novell eDirectory, Resource Access Control Facility (RACF), SunONE/iPlanet Directory, X.500 systems, and other metadirectory products; e-mail such as Lotus Notes and Domino, Microsoft Exchange 5.5; applications/systems such as PeopleSoft, SAP, ERPl, telephone switches, XML- and DSML-based systems; databases such as Microsoft SQL Server, Oracle, Informix, dBase, IBM DB2; and file-based such as DSMLv2, LDIF, CSV, delimited, fixed width, attribute value pairs.
  • the central server 106 has access profiles stored therein. These access profiles can then be updated in a user friendly way for an end-user. In one embodiment, this is done by the identity management system 100 by means of transmitting said end-user identifier and the associated access rules 105 to the central server 106, which then updates the access profiles stored at the central server 106. By updating the previously stored access profiles, the access rights to the various systems coupled to the server 106 will be updated by forwarding the information in the updated access profiles to said systems 120-125.
  • the identity management system 100 further comprises a memory 111 having among others stored therein the electronic access profiles for various end-users and a software program containing a software code for instructing a processing unit (not shown) to perform the above mentioned steps.
  • the access rights include access to three systems, namely system (S1) 121, (S3) 122 and (S6) 123.
  • the ID identifier identifies the end-user 103, e.g. via an identification number provided within the organization the end-user is employed by, and the access rules identify the access rights to the systems 120.
  • the access rights specify which of the systems 120 the end-user 103 is to have access to, plus the access level at which the end-user is to have access, since some (or all) of the systems may be provided with various access levels.
  • the request received from the end-user 103 is provided by filling out an electronic access profile template comprising a questionnaire containing a number of questionnaire elements each being associated with an identifier identifying the questionnaire elements and wherein the input unit (I_U) 101 is a receiver adapted to receive the electronic request from the end-user 103.
  • the electronic access profile template will be discussed in more detail later.
  • the end-user 103 may be connected to the input unit (I_U) 101 over a communication channel 118, 119, such as the Internet 119, or via a personal area network (PAN) such as Bluetooth, ZigBee, Ambient Network and the like, or via a wired communication channel 118 such as fiber optic cables.
  • the received request may be provided by filling out an electronic access profile template comprising a questionnaire, the questionnaire containing a number of questionnaire elements each being associated with an identifier identifying the questionnaire elements. Accordingly, the user could be sitting anywhere in the world and simply, e.g. over the Internet, fill out said request form.
  • the questionnaire elements include one or more of the following questionnaire elements:
  • the system further comprises an access profile updater (A_P_U) 114 for updating said access profile template when a system 124, 125 is added to the central server, or removed from the central server or updated at the central server.
  • an identifier is issued 117, either by the new/updated systems 124, 125, or by the central server 106, identifying the changes being made in the systems and subsequently transmitted over the central server to the access profile updater (A_P_U) 114.
  • the access profile updater (A_P_U) 114 then updates the electronic access profile template accordingly. If the access profile template is stored in the memory 111, the access profile updater (A_P_U) would update this pre-stored template.
  • the input unit (I_U) 101, the identity management module (I_M_M) 102, the transmitter (T) 112 and the memory 111 are integrated into an access profile management server 130.
  • Figure 2 shows another embodiment of the identity management system 100 shown in Fig. 1, where in this embodiment the system further comprises a managing accepter (AU) 201 for evaluating the requested access rights for said end-user 103, the evaluation resulting in accepting or rejecting the requested access rights.
  • the managing accepter (AU) 201 could e.g. be the manager within a given organization that takes a look at the request from the end-user 103, or the managing accepter (AU) 201 could be an automatic process performed by a processing unit.
  • the identity management system 100 further comprises an administrator (AD) 202 for granting or rejecting the evaluation from the managing accepter (AU) 201, the granting resulting in issuing a confirmation signal for the requested access rights, where the transmitting of the end-user identifier and the access rules 105 is performed after issuing the confirmation signal.
  • the administrator (AD) 202 could be the general director or a department within the organization which gives the final acceptance for the request.
  • the administrator (AD) 202 could be a computer system or the like which, in accordance with a pre-defined set of rules, automatically accepts or rejects the acceptance from the managing accepter (AU) 201.
  • Figure 3 shows a flowchart of an embodiment of a method according to the present invention for assigning an end-user 103 with access rights to systems 120 coupled to a central server 106.
  • the method includes receiving a request from the end-user (S1) 301, where the request includes information identifying the end-user and the requested access rights to at least one of the systems.
  • the access rights may e.g. include which systems the end-user wants to have access to and which access levels the end-user prefers.
  • Such a request could e.g. be received via a phone call where the user calls the human resource department within a given organization giving his/her ID number and the systems he/she wishes to access, or via a written request form, or by filling out an electronic access profile template.
  • an electronic access profile is generated (S2) 302 for the end-user based on the received request, the electronic access profile including end-user identifier identifying the end-user and access rules associated to the end-user identifier defining the access rights to the systems. Accordingly, an electronic access profile is provided and stored e.g. at said memory 111 or an external memory (not shown).
  • the end-user identifier and the associated access rules are transmitted (S3) 303 to the central server, which then establishes access rights to the systems for the end-user by forwarding the received end-user identifier and the access rules to the systems.
  • a typical scenario of implementing said method steps is where the end-user is an employee of an organization, and this user is moving from one department to another department within the same organization, or the end-user is a new employee.
  • an existing profile is updated meaning that the new request replaces the previous existing request in the previous electronic access profile, whereas in the latter case a new electronic access profile is generated, or if the end-user was a previous employee within the organization the previous electronic access profile is re-activated and eventually updated.
  • the method, prior to transmitting the end-user identifier and the access rules, further includes the step of accepting or rejecting the request from the end-user (S4) 304, and subsequently in case of accepting, granting an access to said systems (S5) 305, the granting further including issuing a confirmation indicating that the request has been granted.
  • Figure 4 shows a platform 402 according to the present invention for assigning an end-user with access rights to systems coupled to a central server, integrated between a pre-existing server 403 having a number of systems coupled thereto 404 and an end-user interface 401.
  • the platform comprises said input unit (I_U) 101 for receiving a request from the end-user, the request including information identifying the end-user and the requested access rights to at least one of the systems, said identity management module (I_M_M) 102 for generating an electronic access profile for the end-user based on the received request, the electronic access profile including end-user identifier identifying the end-user and access rules associated to the end-user identifier defining the access rights to the systems, and said transmitter (T) 112 for transmitting the end-user identifier and the associated access rules to the central server, the central server being adapted to establish access rights to the systems for the end-user by forwarding the received end-user identifier and the access rules to the systems.
  • the end-user interface 401 is depicted where e.g. the end-user fills out an electronic access profile form where he/she enters e.g. the ID number, the department he/she belongs to, the systems to be accessed, the access levels within the systems etc.
  • This interface could e.g. be Microsoft Office ® Infopath, Web forms, and the like.
  • the platform 402 is accordingly placed on top of a central server, preferably a pre-existing identity integration server 403 or an identity data management server, e.g. a Microsoft Identity Integration Server® (MIIS).
  • the central server is coupled to multiple systems 404, such as SAP systems including service access points (SAP).
  • This can e.g. be active directory, exchange server and the like.
  • Figure 5 depicts graphically one example of a user interface 401, where the end-user begins by selecting whether he/she is a "joiner" (new employee) 501, "mover" (moving between departments within the same organization) 502, "leaver" (stopping) 503 etc. Accordingly, by selecting e.g. the "joiner" function, the end-user 103 selects which systems he/she wants access to and possibly which access levels he/she wants to have to the selected systems.
  • Figure 6a depicts an embodiment of data cleaning and attestation.
  • Step 1 601 is an Algorithmic Pattern Matching.
  • an algorithmic pattern matching is performed on Enterprise Managed Systems to verify user accounts. This is the first step to reconciling system accounts with the Authoritative Identity and reducing much of the project cost.
  • a pattern based matching may score 60-70% success rate on account mapping.
  • Step 2 603 is a Rules Based Matching.
  • Business rules based matching is performed on Enterprise Managed Systems to verify user accounts. This is the second step to reconciling system accounts with the Authoritative Identity. As an example, rules based matching may score 20-30% success rate on account mapping.
  • Step 3 605 is a collaborative matching.
  • collaborative matching may score 10-20% success rate on account mapping.
  • an attestation (collaborative matching) of accounts on Enterprise Managed Systems is performed. This may be a periodic activity to verify user account ownership of reconciled accounts with the Authoritative Identity and involves the users as 'Project Team'.
  • a collaborative matching may e.g. score 10-20% success rate on account mapping.
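The three data-cleaning steps of Figure 6a (pattern matching, rules-based matching, attestation), as an added Python example that is not part of the patent text. The naming patterns, the two business rules and all sample identities and accounts are constructed assumptions; the point shown is that an ambiguous match is never auto-mapped and that unclaimed accounts surface as orphans.

```python
import re
import unicodedata


def _norm(text):
    """Lower-case, strip accents and separators: 'René.Holm' -> 'reneholm'."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_text.lower())


def candidate_names(identity):
    """Account-name patterns assumed for this example (real conventions vary)."""
    first, last = _norm(identity["first"]), _norm(identity["last"])
    return {first + last, first[:1] + last, last + first[:1], _norm(identity["emp_id"])}


def pattern_match(account, identities):
    """Step 1: algorithmic pattern matching. Ambiguous hits are not auto-mapped."""
    key = _norm(account["name"])
    hits = [i["emp_id"] for i in identities if key in candidate_names(i)]
    return hits[0] if len(hits) == 1 else None


def rules_match(account, identities):
    """Step 2: business rules (assumed): mail attribute, or employee id in description."""
    mail = (account.get("mail") or "").lower()
    desc = account.get("description") or ""
    hits = {i["emp_id"] for i in identities
            if (mail and mail == i["email"].lower())
            or re.search(r"\b" + re.escape(i["emp_id"]) + r"\b", desc)}
    return hits.pop() if len(hits) == 1 else None


def reconcile(accounts, identities):
    """Run steps 1 and 2; return (mapped, attestation_queue)."""
    mapped, queue = {}, []
    for acc in accounts:
        key = acc["system"] + "/" + acc["name"]
        for stage, matcher in (("pattern", pattern_match), ("rules", rules_match)):
            owner = matcher(acc, identities)
            if owner:
                mapped[key] = (owner, stage)
                break
        else:
            queue.append(key)          # left for step 3
    return mapped, queue


def attest(queue, claims, identities):
    """Step 3: collaborative matching. claims: account key -> emp_id confirmed by a user."""
    known = {i["emp_id"] for i in identities}
    mapped = {k: (claims[k], "attested") for k in queue if claims.get(k) in known}
    orphans = [k for k in queue if k not in mapped]   # candidates for disablement review
    return mapped, orphans


# Constructed sample data: the authoritative identity source and system accounts.
IDENTITIES = [
    {"emp_id": "E1001", "first": "Anna", "last": "Jensen", "email": "anna.jensen@example.test"},
    {"emp_id": "E1002", "first": "Anders", "last": "Jensen", "email": "anders.jensen@example.test"},
    {"emp_id": "E1003", "first": "René", "last": "Holm", "email": "rene.holm@example.test"},
]
ACCOUNTS = [
    {"system": "AD", "name": "rholm"},
    {"system": "SAP", "name": "Anna.Jensen"},
    {"system": "AD", "name": "ajensen", "mail": "Anders.Jensen@example.test"},
    {"system": "Exchange", "name": "fin-shared", "description": "shared mailbox, owner E1001"},
    {"system": "SAP", "name": "batch01"},
    {"system": "AD", "name": "tmp_test"},
]

if __name__ == "__main__":
    mapped, queue = reconcile(ACCOUNTS, IDENTITIES)
    attested, orphans = attest(queue, {"SAP/batch01": "E1003"}, IDENTITIES)
    print(mapped, attested, orphans, sep="\n")
```
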
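The request flow of Figure 3 (steps S1 to S5) combined with the joiner/mover/leaver choice of Figure 5, as an added Python example that is not code from the patent or from any product it names. Class names, outcome strings and the two approval policies are hypothetical, and treating a leaver as "deactivate but keep the profile" is an assumption made so that a returning employee's profile can be reactivated as the description states.

```python
from dataclasses import dataclass


@dataclass
class AccessProfile:
    user_id: str
    rules: dict          # system name -> access level
    active: bool = True


class CentralServer:
    """Stand-in for central server 106: stores profiles, forwards rules to systems."""

    def __init__(self, systems):
        self.systems = {name: {} for name in systems}   # system -> {user_id: level}
        self.profiles = {}

    def apply(self, profile):
        self.profiles[profile.user_id] = profile
        for name, acl in self.systems.items():
            level = profile.rules.get(name) if profile.active else None
            if level is None:
                acl.pop(profile.user_id, None)   # revoke what the profile no longer grants
            else:
                acl[profile.user_id] = level


class IdentityManager:
    """Input unit, identity management module and transmitter in one object."""

    def __init__(self, server, accepter, administrator):
        self.server = server
        self.accepter = accepter             # managing accepter (AU): request -> bool
        self.administrator = administrator   # administrator (AD): request -> bool
        self.store = {}                      # memory 111: user_id -> AccessProfile
        self.audit = []                      # (user_id, request type, outcome)

    def _done(self, request, outcome):
        self.audit.append((request.get("user_id"), request.get("type"), outcome))
        return outcome

    def submit(self, request):
        uid, kind = request.get("user_id"), request.get("type")
        rules = dict(request.get("rules", {}))
        if not uid or kind not in ("joiner", "mover", "leaver"):
            return self._done(request, "rejected: malformed request")
        unknown = sorted(set(rules) - set(self.server.systems))
        if unknown:
            return self._done(request, "rejected: unknown system " + ", ".join(unknown))
        existing = self.store.get(uid)
        if kind != "joiner" and (existing is None or not existing.active):
            return self._done(request, "rejected: no active profile")
        # Steps S4/S5: both decisions must be positive before anything is transmitted.
        if not self.accepter(request):
            return self._done(request, "rejected by accepter")
        if not self.administrator(request):
            return self._done(request, "rejected by administrator")
        if kind == "leaver":
            existing.active = False           # assumption: deactivate, keep for re-hire
            profile, outcome = existing, "deactivated"
        elif existing is None:
            profile = self.store[uid] = AccessProfile(uid, rules)
            outcome = "created"
        else:
            outcome = "updated" if existing.active else "reactivated"
            existing.rules, existing.active = rules, True   # new request replaces the old
            profile = existing
        self.server.apply(profile)            # step S3: transmit identifier and rules
        return self._done(request, outcome)


# Constructed approval policies (hypothetical, for illustration only).
DEPARTMENT_SYSTEMS = {"booking": {"booking_db", "mail"}, "finance": {"ledger", "mail"}}


def manager_accepts(request):
    allowed = DEPARTMENT_SYSTEMS.get(request.get("department"), set())
    return set(request.get("rules", {})) <= allowed


def admin_grants(request):
    return "admin" not in request.get("rules", {}).values()


if __name__ == "__main__":
    server = CentralServer(["booking_db", "ledger", "mail"])
    idm = IdentityManager(server, manager_accepts, admin_grants)
    join = {"type": "joiner", "user_id": "E1001", "department": "booking",
            "rules": {"booking_db": "read", "mail": "user"}}
    move = {"type": "mover", "user_id": "E1001", "department": "finance",
            "rules": {"ledger": "write", "mail": "user"}}
    for req in (join, move, {"type": "leaver", "user_id": "E1001"}):
        print(req["type"], "->", idm.submit(req), server.systems)
```

Because a mover request replaces the rule set instead of merging into it, the booking access is revoked in the same step that grants the finance access.
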

Abstract

This invention relates to an identity management system for assigning an end-user with access rights to systems coupled to a central server. An input unit is used for receiving a request from the end-user, the request including information identifying the end-user and the requested access rights to the systems. An identity management module generates an electronic access profile for the end-user based on the received request, the electronic access profile including an end-user identifier identifying the end-user and access rules associated with the end-user identifier defining the access rights to the systems. A transmitter then transmits the end-user identifier and the associated access rules to the central server, which then establishes access rights to the systems for the end-user by forwarding the received end-user identifier and the access rules to the systems.
PCT/DK2008/050152 2007-06-22 2008-06-17 Identity management system for assigning end-users with access rights to systems coupled to a central server WO2009000276A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US94563507P 2007-06-22 2007-06-22
DKPA200700904 2007-06-22
US60/945,635 2007-06-22

Publications (1)

Publication Number Publication Date
WO2009000276A1 true WO2009000276A1 (fr) 2008-12-31

Family

ID=39671777

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DK2008/050152 WO2009000276A1 (fr) 2007-06-22 2008-06-17 Identity management system for assigning end-users with access rights to systems coupled to a central server

Country Status (1)

Country Link
WO (1) WO2009000276A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1260906A1 (fr) * 2000-04-24 2002-11-27 Matsushita Electric Industrial Co., Ltd Access right setting device and manager terminal
EP1320018A2 (fr) * 2001-12-12 2003-06-18 Pervasive Security Systems Inc. Guaranteed delivery of changes to security policies in a distributed system
WO2005022367A1 (fr) * 2003-09-02 2005-03-10 Trulogica, Inc. System and method for managing access entitlements in a computing network

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8176256B2 (en) 2008-06-12 2012-05-08 Microsoft Corporation Cache regions
US8943271B2 (en) 2008-06-12 2015-01-27 Microsoft Corporation Distributed cache arrangement
US9952971B2 (en) 2008-06-12 2018-04-24 Microsoft Technology Licensing, Llc Distributed cache arrangement
WO2011151589A1 (fr) * 2010-06-03 2011-12-08 France Telecom Method for determining a profile for a user/application service pair to access data related to the operation of a communication network
CN103039058A (zh) * 2010-06-03 2013-04-10 France Telecom Method for determining a profile for a user/application service pair to access data related to the operation of a communication network
US20130091265A1 (en) * 2010-06-03 2013-04-11 France Telecom Method for determining a profile for a user/application service pair to access data related to the operation of a communication network
US9582673B2 (en) 2010-09-27 2017-02-28 Microsoft Technology Licensing, Llc Separation of duties checks from entitlement sets

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08758289

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08758289

Country of ref document: EP

Kind code of ref document: A1