Abstract: The present invention discloses a method and system for unified access control to a plurality of applications by a set of users in an enterprise through a common information model. The method includes the steps of defining a uniform enterprise access control policy according to the logical common information model for the set of users in the enterprise, and creating a translation layer and a rules layer mapping definition for mapping the application entities and attributes to the business entities and attributes. The method and system of the present invention simplify the creation of uniform access control security policies for enterprise attributes and entities across disparate data sources and applications. The present invention also provides a fine-grained access control mechanism in a standardized manner across a myriad of different data sources and applications within an enterprise.
ATTRIBUTE ORIENTED ENTERPRISE ACCESS PROTOCOL BASED ON
A COMMON INFORMATION MODEL
BACKGROUND OF THE INVENTION
Field of the Invention
The present invention pertains to the fine-grained access control aspects of system security and, in particular, to a method and system for attribute-oriented unified access control to a plurality of applications in an enterprise.
Description of Related Art
In an enterprise there are different applications (e.g. Systems Analysis and Product (SAP), PeopleSoft™, custom-built applications) which a user/user group/role group has to access. Whenever a user/user group/role group accesses these applications, access control mechanisms have to be defined individually for each application in the enterprise. Access control across an enterprise therefore has to be designed, developed and implemented separately for every application. This localizes access controls within each application and greatly increases redundancy. It also becomes extremely difficult to define extensible access control policies for business entities that are standardized across the enterprise.
The current mechanisms for attribute access control address the situation independently for each application and its underlying data source. Data services concepts are also limited to creating a facade over entities without addressing the need for uniform enterprise access control. The existing approaches attempt to solve the aforementioned problem at an application- or data-source-specific level and do not take an enterprise-wide holistic approach. Under these approaches, the access control policies need to be defined within each application, which leads to huge amounts of redundancy and to identity and access control management issues. Hence, a change in access control policy for a user group needs to be replicated and propagated across each application individually. In addition, each application has its own proprietary way of handling and enforcing access control.
Currently there are no known formalized mechanisms or standards to define enterprise access control policies which can be universally applied across the multitude of applications in the enterprise. The existing products focus on data aggregation and data warehousing, but they completely ignore the facet of standardized access control policies for attributes across the enterprise's heterogeneous applications. There are single sign-on applications that allow users to have unified credentials, but there are no mechanisms to implement fine-grained access control at the entity and attribute levels. There are certain products that deal with data services, but they are restricted to certain types of data sources and do not consider a common logical enterprise model.
Considering the aforementioned disadvantages, it would be advantageous to have in place a system that would allow a unified access control mechanism to different applications in an enterprise.
SUMMARY OF THE INVENTION
The present invention discloses a method and system for unified access control to a plurality of applications by a set of users in an enterprise. The method and system of the present invention simplify the creation of uniform access control security policies for enterprise attributes and entities across disparate data sources and applications. The method uses a logical common information model of business entities and their attributes as the base for defining security policies. The method of the present invention also leverages these business entities and their attributes to help define uniform access control spanning heterogeneous data sources and applications. This allows a fine-grained access control policy to be defined at the attribute level which can be applied across all applications in the enterprise. The translation layer applies the definitions as defined for that particular application and then transforms the enterprise access policy so that it can be enforced for the user role or groups using the attribute-oriented access protocol. This protocol definition defines and implements fine-grained access control in a standardized manner across a myriad of different data sources and applications within an enterprise.
In an embodiment of the present invention, a method for unified access control to a plurality of applications for a set of users in an enterprise through a logical common information model is provided. The logical common information model creates a set of business entities and attributes for a plurality of application entities and attributes of the applications. The method includes the steps of defining a uniform enterprise access control policy according to the logical common information model for the set of users in the enterprise, and creating a translation layer and a rules layer mapping definition for mapping the application entities and attributes to the common business entities and attributes. The method also includes providing a display for mapping the application entities and attributes to the common entities and attributes, and providing a storage for storing a set of mapping results in an editable Extensible Markup Language (XML) format.
In another embodiment of the present invention, a system for unified access control to a plurality of applications for a set of users in an enterprise through a logical common information model is provided. The system includes a uniform enterprise access control policy model for defining a uniform enterprise access control policy according to the logical common information model for the set of users, a translation layer for defining mapping rules for mapping the application entities and attributes to the business entities and attributes as defined in the uniform enterprise access control policy, and a rules layer for defining mapping rules for mapping application attributes and entities to the business entities and attributes. The system also includes a display for creating the uniform enterprise access control policy, and storage for storing a set of mapping results in an editable XML format.
The above summary of the present invention is not intended to describe each disclosed embodiment of the present invention. The figures and detailed description that follow provide additional aspects of the present invention.
BRIEF DESCRIPTION OF DRAWINGS
The invention may be more completely understood in consideration of the following detailed description of various embodiments of the invention in connection with the accompanying drawings, in which:
FIG. 1 is a flow diagram illustrating an embodiment of the method for unified access control to a set of enterprise applications.
FIG. 2 is a flow diagram illustrating the functioning of unified access control mechanism according to an embodiment of the present invention.
FIG. 3 illustrates an overview of an embodiment of the system for enabling unified access control to a set of enterprise applications.
DETAILED DESCRIPTION OF DRAWINGS
In the following description, numerous specific details are set forth in order to provide a more thorough understanding of the present invention. However, it will be apparent to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known features have not been described in detail in order to avoid obscuring the present invention.
FIG. 1 is a flow diagram illustrating an embodiment of the method for unified access control to a set of enterprise applications. A step 100 creates a logical common information model for the entities and attributes of the set of applications included in a particular enterprise. This logical common information model is used as a base for defining security policies for user/user group/role group access to the different applications. The logical common information model provides a single, uniform logical representation of business entities and attributes across all applications within the enterprise. A step 105 defines a uniform enterprise access control policy according to the logical common information model for the various users/user groups/role groups. The enterprise access control policy is created against the unified business entities and attributes identified in the common information model. This mechanism removes the need to recreate proprietary access control policies across different applications and underlying technologies, and it also leverages the business entities and their attributes to help define uniform enterprise access control spanning heterogeneous data sources and applications. This approach allows a fine-grained access control policy to be defined at the attribute level which can be applied across all applications in the enterprise.
A step 110 creates a translation layer mapping definition for mapping application entities and attributes to the business entities and attributes as defined in the logical common information model. The translation layer applies the semantic definitions as defined for that particular application and then transforms the enterprise access policy so that it can be enforced for the user/user group/role group using the attribute-oriented access protocol. The translation layer acts as a mediation layer which maps the logical common information model to an application-specific attribute model. The underlying translation layer enforces the application-specific transformation rules under the single access control policy. The transformation rules are defined in a step 115. The step 115 creates a rules layer mapping definition for mapping application attributes and entities to the business entities and attributes. A display is provided for mapping the application entities and attributes to the business entities and attributes. The set of mapping results is stored in a storage in an editable XML format.
FIG. 2 is a flow diagram illustrating the functioning of the unified access control mechanism according to an embodiment of the present invention. In a step 200, users/user groups/role groups log into any enterprise application. The enterprise application checks the access control rights for the users/user groups/role groups in a step 205. After confirming the access control rights for the users, the enterprise application contacts the enterprise access control service with the user credentials in a step 210. In a step 215, the enterprise access control service uses the translation rules to identify the invoking enterprise application and the corresponding entity-attribute mapping, and thereby identifies the entities and attributes for which access control has to be verified. In a step 220, the unified access control service checks the enterprise access policy store and retrieves the entities and attributes that the users/user groups/role groups have access to as defined in the access control policy. The unified access control policy also verifies whether the user/role/user group has access to the specified entity or attribute.
The service returns a list of the enterprise entities and attributes the user has access to, as defined in the logical common information model, in a step 225. Then, in a step 230, the translation layer identifies and applies the application-specific mapping to return the application context-sensitive attributes and entities, and in a step 235, the rules layer identifies and applies the application-specific transformation rules to return the specific application context-sensitive attributes and entities.
FIG. 3 illustrates an overview of an embodiment of the system for enabling unified access control to a set of enterprise applications 300. The system mainly includes a set of users (users/user groups/role groups) 305, a set of enterprise applications (custom application, packaged application, legacy application and system application) 310, a uniform enterprise access control policy model 315, a translation layer 320, a rules layer 325 and enterprise application databases (legacy system database, packaged application database, system application database and custom application database) 330. The users 305 log into any of the enterprise applications 310. The access control rights for the users 305 are checked by the particular enterprise application 310. The uniform enterprise access control policy model 315 defines a single uniform access control policy across the enterprise that can encompass all applications 310. The attribute-oriented access control protocol enables the evolution and implementation of uniform attribute-level enterprise access control using a single access control policy that is accessed by all applications in the enterprise. The translation layer 320 acts as a mediation layer that maps the logical common information model to an application-specific attribute model. The underlying translation layer 320 enforces the application-specific transformation rules as defined in the rules layer 325 under the single access control policy.
The uniform access control policy is explained through the following example. Consider a situation where a user group 305 is accessing a legacy systems application from a set of applications (legacy systems, packaged applications, system applications and custom applications) 310 in an enterprise. Cust is an entity in legacy systems, and the attributes for the customer as an entity include customer_ID, customer number, customer name, date of birth, address and account balance. The logical common information model defines the mapping as Customer_Id for the Customer entity. The mapping layer shall contain the information that the entity called 'Client' in the legacy application "A" maps to the Customer entity in the common information model. It further defines that the client_ID attribute maps to the Customer_Id attribute in the common information model. Similarly, a packaged application "B" might have defined the entity as 'Cust' and have a field called Customer_Number. Another mapping then maps the entity 'Cust' from application "B" to the 'Customer' entity in the common information model, and the underlying attribute Customer_Number maps to Customer_Id. In order to make a uniform enterprise access policy, the logical common information model defines the access control such that the user group 305 has access to 'Customer' as an entity and in turn has access to the attributes associated with that particular entity, irrespective of the enterprise applications 310. So in this situation, if the user group 305 has access to 'client_ID' in the legacy system, then when the user group 305 accesses the packaged application it will have access to 'Customer_Number' ('Customer_Id' maps to 'Customer_Number' in the packaged application). Hence, if the customer as an entity is defined for one enterprise application, it can be reused throughout the other enterprise applications at the attribute level.
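The access-check flow of FIG. 2 (steps 215 to 235) and the Customer mapping example above can be exercised together in a small Python model. The code below is an added example, not code from the patent or from any product implementing it; the XML layout of the mapping store, the group and attribute names, and the policy contents are all constructed assumptions. The enterprise policy is written once against the common information model (CIM); the translation layer, loaded from editable XML as the description suggests, maps each application's entity and attribute names to CIM names; the rules layer maps the granted CIM attributes back into the invoking application's own names.

```python
"""Attribute-level access check through a common information model (added example).

Flow modelled (assumed mapping of the patent's steps):
  step 215: translation layer maps application entity/attribute -> CIM names
  step 220: enterprise policy, defined once against the CIM, is consulted
  step 230/235: rules layer returns application-specific names for granted attributes
"""
import xml.etree.ElementTree as ET

# Constructed editable mapping store. Application "A" is the legacy system whose
# 'Client' entity maps to CIM 'Customer'; application "B" is the packaged system
# whose 'Cust' entity maps to the same CIM entity.  (Assumed XML schema.)
MAPPING_XML = """<mappings>
  <application name="A" kind="legacy">
    <entity app="Client" cim="Customer">
      <attribute app="client_ID" cim="Customer_Id"/>
      <attribute app="client_name" cim="Customer_Name"/>
      <attribute app="acct_bal" cim="Account_Balance"/>
    </entity>
  </application>
  <application name="B" kind="packaged">
    <entity app="Cust" cim="Customer">
      <attribute app="Customer_Number" cim="Customer_Id"/>
      <attribute app="CustName" cim="Customer_Name"/>
      <attribute app="Balance" cim="Account_Balance"/>
    </entity>
  </application>
</mappings>"""

# Constructed enterprise policy (step 105): group -> CIM entity -> granted CIM attributes.
# It never mentions application-specific names, which is the point of the CIM.
ENTERPRISE_POLICY = {
    "customer_service": {"Customer": {"Customer_Id", "Customer_Name"}},
    "finance": {"Customer": {"Customer_Id", "Account_Balance"}},
}


def load_translation_layer(xml_text):
    """Parse the mapping XML into {app: {app_entity: (cim_entity, {app_attr: cim_attr})}}."""
    layer = {}
    for app in ET.fromstring(xml_text).findall("application"):
        entities = {}
        for ent in app.findall("entity"):
            attrs = {a.get("app"): a.get("cim") for a in ent.findall("attribute")}
            entities[ent.get("app")] = (ent.get("cim"), attrs)
        layer[app.get("name")] = entities
    return layer


TRANSLATION_LAYER = load_translation_layer(MAPPING_XML)


def to_cim(layer, app, app_entity, app_attribute):
    """Step 215: translate application names to (cim_entity, cim_attribute); None if unmapped."""
    entities = layer.get(app, {})
    if app_entity not in entities:
        return None
    cim_entity, attrs = entities[app_entity]
    cim_attribute = attrs.get(app_attribute)
    return None if cim_attribute is None else (cim_entity, cim_attribute)


def granted_cim_attributes(policy, group, cim_entity):
    """Step 220: CIM attributes of cim_entity the group may access (empty set if none)."""
    return set(policy.get(group, {}).get(cim_entity, set()))


def check_access(layer, policy, app, group, app_entity, app_attribute):
    """Decide one attribute access. Fails closed: an application name that has no
    CIM mapping is denied rather than passed through unchecked."""
    cim = to_cim(layer, app, app_entity, app_attribute)
    if cim is None:
        return False
    cim_entity, cim_attribute = cim
    return cim_attribute in granted_cim_attributes(policy, group, cim_entity)


def rules_layer_app_view(layer, app, app_entity, cim_attributes):
    """Steps 230/235: map granted CIM attributes back to the application's own names."""
    entities = layer.get(app, {})
    if app_entity not in entities:
        return set()
    _, attrs = entities[app_entity]
    return {app_attr for app_attr, cim_attr in attrs.items() if cim_attr in cim_attributes}


def accessible_attributes(layer, policy, app, group, app_entity):
    """Full FIG. 2 round trip: application entity in, application-context attribute names out."""
    entities = layer.get(app, {})
    if app_entity not in entities:
        return set()
    cim_entity, _ = entities[app_entity]
    granted = granted_cim_attributes(policy, group, cim_entity)
    return rules_layer_app_view(layer, app, app_entity, granted)


if __name__ == "__main__":
    # The patent's example: access to client_ID in "A" implies access to Customer_Number in "B".
    for app, entity, attr in (("A", "Client", "client_ID"), ("B", "Cust", "Customer_Number")):
        print(app, entity, attr, check_access(TRANSLATION_LAYER, ENTERPRISE_POLICY, app, "customer_service", entity, attr))
    print("finance on B/Cust:", sorted(accessible_attributes(TRANSLATION_LAYER, ENTERPRISE_POLICY, "B", "finance", "Cust")))
```

Two design points matter for a deployment of this pattern. First, the check fails closed: an application attribute that the mapping store does not know about is denied, so a new column added to a legacy schema cannot be read until someone maps it to the CIM and the policy grants it. Second, because the mapping store is editable XML, it is itself a security-critical input; a wrong `cim` value silently widens or narrows every application's view, so changes to it deserve the same review and audit trail as changes to the policy.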
As described above, the embodiments of the invention may be embodied in the form of computer program code containing instructions embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other computer-readable storage medium, wherein, when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practicing the invention. The present invention can also be embodied in the form of computer program code, for example, whether stored in a storage medium, loaded into and/or executed by a computer, where when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practicing the invention. When implemented on a general-purpose microprocessor, the computer program code segments configure the microprocessor to create specific logic circuits.
INDUSTRIAL APPLICATIONS
The present invention finds its applications in data warehousing, data services and other related products. It would be beneficial to incorporate the method and system of the present invention in these products. Enterprise middleware products dealing with data integration across multiple applications and data sources can also make use of the method and system of the present invention. Another application is in providing unified views to the user in Enterprise Information Integration (EII) products, which deal with data aggregation over disparate data sources.
While the present invention has been described with reference to several particular example embodiments, those skilled in the art will recognize that many changes may be made thereto without departing from the spirit and scope of the present invention, which is set forth in the following claims.
We Claim:
1. A method for unified access control to a plurality of applications for a set of users in an enterprise through a logical common information model comprising:
defining a uniform enterprise access control policy according to said logical common information model for said set of users in said enterprise; and
creating a translation layer and a rules layer mapping definition for mapping a set of application entities and attributes to a set of business entities and attributes as defined in said uniform enterprise access control policy.
2. The method of claim 1, further comprising:
providing a display for mapping the application entities and attributes to the business entities and attributes.
3. The method of claim 1, further comprising:
providing a storage for storing a set of mapping results in an editable extensible markup language format.
4. The method of claim 1, wherein said translation layer applies semantic definitions as defined in said uniform enterprise access control policy for a particular application and transforms the uniform enterprise access control policy so that the uniform enterprise access control policy is enforced for the set of users using an attribute oriented access protocol.
5. The method of claim 1, wherein said set of users comprise a user, a user group and a role group.
6. A system for unified access control to a plurality of applications for a set of users in an enterprise through a logical common information model comprising:
a uniform enterprise access control policy model for defining a uniform enterprise access control policy according to said logical common information model for said set of users;
a translation layer for defining mapping rules for mapping a set of application entities and attributes to a set of business entities and attributes as defined in said uniform enterprise access control policy; and
a rules layer for defining mapping rules for mapping application entities and attributes to the business entities and attributes.
7. The system as in claim 6, wherein the uniform enterprise access control policy model further comprises:
a display for creating said uniform enterprise access control policy.
8. The system as in claim 6, wherein the uniform enterprise access control policy defines the application attributes and entities which are accessed by the set of users.
9. The system as in claim 6, further comprising: a storage for storing a set of mapping results in an editable XML format.
10. The system as in claim 6, wherein said translation layer applies semantic definitions as defined in said uniform enterprise access control policy for a particular application and transforms the uniform enterprise access control policy so that the uniform enterprise access control policy is enforced for the set of users using an attribute oriented access protocol.
11. The system as in claim 6, wherein said set of users comprise a user, a user group and a role group.
| # | Name | Date |
|---|---|---|
| 1 | 1423-CHE-2006 CORRESPONDENCE OTHERS 19-01-2010.pdf | 2010-01-19 |
| 2 | 1423-che-2006-abstract.pdf | 2011-09-03 |
| 3 | 1423-che-2006-claims.pdf | 2011-09-03 |
| 4 | 1423-che-2006-form 5.pdf | 2011-09-03 |
| 5 | 1423-che-2006-correspondnece-others.pdf | 2011-09-03 |
| 6 | 1423-che-2006-form 3.pdf | 2011-09-03 |
| 7 | 1423-che-2006-description(complete).pdf | 2011-09-03 |
| 8 | 1423-che-2006-form 26.pdf | 2011-09-03 |
| 9 | 1423-che-2006-form 1.pdf | 2011-09-03 |
| 10 | 1423-che-2006-drawings.pdf | 2011-09-03 |