GB2489915A - Management system for processing data - Google Patents
- Publication number: GB2489915A
- Application number: GB1105669.4A (GB201105669A)
- Authority: GB (United Kingdom)
- Prior art keywords
- model
- computer system
- processing
- management system
- computer
- Prior art date
- Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
- G06Q10/107—Computer-aided management of electronic mailing [e-mailing]
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/23—Updating
- G06F17/30002
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/629—Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
- H04L29/06986
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Business, Economics & Management (AREA)
- Computer Security & Cryptography (AREA)
- Human Resources & Organizations (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Entrepreneurship & Innovation (AREA)
- Strategic Management (AREA)
- Data Mining & Analysis (AREA)
- Operations Research (AREA)
- General Business, Economics & Management (AREA)
- Economics (AREA)
- Quality & Reliability (AREA)
- Tourism & Hospitality (AREA)
- Marketing (AREA)
- Health & Medical Sciences (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Databases & Information Systems (AREA)
- Computer And Data Communications (AREA)
- General Factory Administration (AREA)
- Hardware Redundancy (AREA)
Abstract
A management system 106 for facilitating processing of at least one computer system 102,104 comprising data, and a corresponding method, are provided. A model 112 of the computer system(s) 102,104 is generated using the results of an inspection of the computer system(s). The model 112 is configured 108 to validly interact with each of the computer system(s) based on the results of that inspection. Processing means 110 of the management system 106 define a processing operation to be performed on the computer system(s). The processing means 110 perform the processing operation by interacting with the model 112, and the model 112 in turn interacts with the computer system(s) to perform the operation. Information relating to the permissible operations which the model is capable of performing on the computer system(s) is determined, and that information is used to check, before the processing operation is performed, that the operation defined by the processing means is a permissible one; this check can be made without ever executing the operation. The model essentially translates processing operations expressed in a standard format into the particular format required to validly interact with the computer systems 102,104. The management system may be an identity management system, and the processing means may comprise data synchronisation, user lifecycle management, role modelling and/or a business process workflow.
Description
MANAGEMENT SYSTEM
Field of the Invention
The present invention relates to a management system. In particular, the present invention relates to a management system for facilitating processing of data in at least one computer system.
Background
Management systems can be used to control data within a number of computer systems. One example of such a management system is an identity management system. Identity management systems control how individuals, or "users", are identified and authorised across computer systems. An identity management system provides an identity to a user (e.g. person) in order to manage data relating to the user over a number of different computer systems.
This allows users to be identified within a computer system whereby access to resources and facilities in the computer system can be managed by the identity management system. For example, there may be a number of computer systems which include data relating to a set of users, and the identity management system facilitates the management of which resources and facilities of the computer systems are available to which users.
Identity management systems can be automated systems. It is particularly useful to have an automated identity management system when the frequency of changes to the users in the computer systems is high, i.e. too high to be easily implemented manually. The frequency of changes to the users in the computer systems may be high when there is a large number of people in the organization (such as for the NHS in the UK) or when the rate at which people in the organization change is high (such as in a university where a high proportion of the user population changes every year as new students arrive and existing students graduate).
An identity management system may have a configuration module that informs the identity management system about which of the organization's computer systems contain data relating to the organization's users. The configuration module may also set out how the users are identified in those computer systems.
The identity management system may also have a data synchronisation module which can operate in conjunction with the identity management system to synchronise data relating to users between different computer systems. Such synchronisation of data may also include transformation of data. For example, one of the computer systems may be a Human Resources (HR) system which contains data for a user with attributes called "FirstName" and "LastName". This data is to be included in the data for the user in an email system. The email system stores data having attributes called "firstname", "surname" and "email address". The data synchronisation module can define a processing operation for transferring the data in the "FirstName" attribute of the HR system to the "firstname" attribute in the email system (even though the attributes in the two systems have different names). Likewise, the data synchronisation module can define a processing operation for transferring the data in the "LastName" attribute of the HR system to the "surname" attribute in the email system. The data synchronisation module can also define a processing operation for populating the "email address" attribute of the email system using the data from the HR system. For example, the data synchronisation module may be set up to define a processing operation such as: "email address" = hr("FirstName") + "." + hr("LastName") + "@domain name".
For example, if data in the HR system relating to a user comprises the attributes "FirstName" = "John" and "LastName" = "Smith", then the data synchronisation module defines processing operations for extracting the data from the HR system, transforming the data and loading the data into the email system, such that the data in the email system comprises the attributes "firstname" = "John", "surname" = "Smith" and "email address" = "John.Smith@example.com", where the domain name of the organisation associated with the email system in this example is "example.com".
Therefore the data synchronisation module can perform processing operations on the data in one computer system to transform the data or provide additional data in a suitable format for storage in another computer system.
It can be seen that in this way the data synchronisation module is useful in performing Extract, Transform and Load (ETL) operations on data in different computer systems.
The identity management system may also have a user lifecycle management module which is used to manage changes to a user's identity, for example as the user's relationship with the organization changes. For example, the user lifecycle management module defines processing operations to be applied when users enter into an organisation for which the identity management system is implemented, when users change function or department within the organisation (where such changes can be reflected in the data stored in the computer systems and the resources and facilities granted to the user in relation to the data stored in the computer systems) and when users leave the organisation. Therefore the user lifecycle management module can manage a user's lifecycle as he progresses through the organisation.
For each implementation of an identity management system by an organisation comprising multiple computer systems, the different modules described above are setup to provide processing operations to be performed on the specific computer systems of the organisation. In order to achieve this, the mechanism adopted by the modules in defining the processing operations must be adapted to suit each organisation in which the identity management system is to be implemented.
Furthermore, as can be seen in the example of the data synchronisation module given above, the particular attributes, and the names of the attributes, in each of the computer systems can vary from one computer system to the next. The modules described above define processing operations which are adapted to the specific computer systems in which the identity management system is to be implemented. However, if one of the modules defines a processing operation which contains a mistake such that it will not work as intended then this may not be noticed until the identity management system attempts to execute the processing operation. By this point the identity management system may have been installed and provided to the organisation for implementation, at which point it may be difficult to correct mistakes in the definition of the processing operations. Mistakes in the definitions of the processing operations can be common because the different computer systems often do not use a common mechanism for naming attributes (as can be seen above where the HR system has attributes "FirstName" and "LastName", whereas the email system has two differently named attributes "firstname" and "surname" but which may represent the same actual data). Since the mistakes in the processing operations are not apparent until the identity management system is implemented, the mistakes may cause the identity management system to function incorrectly and it may be difficult to determine the cause of the problem and/or how to overcome the problem once the identity management system has been implemented.
Summary
The inventor has realised that at least some of the problems with existing identity management systems (and other management systems, such as data consolidation, synchronisation and transformation systems) can be overcome by generating a model of the computer systems of the organisation for which the identity management system is to be implemented, wherein the model mimics the behaviour of the real computer systems sufficiently closely to allow processing means within the identity management system (or other such management system) to interact with the model rather than with the real computer systems. In this way, the model performs the actual processing operations on the computer systems by proxy.
In particular, according to a first aspect of the invention there is provided a management system for facilitating processing of at least one computer system comprising data, the management system comprising: generating means for generating a model of the at least one computer system using the results of an inspection of the at least one computer system, the model being configured to validly interact with each of the at least one computer system based on the results of the inspection of the at least one computer system; processing means for defining a processing operation to be performed on the at least one computer system, and for performing the processing operation by interacting with the model wherein the model is arranged to then interact with the at least one computer system to thereby perform the processing operation; determining means for determining information relating to permissible operations which are capable of being performed by the model on the at least one computer system; and checking means for using the determined information to check, prior to performance of the processing operation, that the processing operation defined by the processing means is a permissible operation which is capable of being performed by the model on the at least one computer system.
According to a second aspect of the invention there is provided a method of implementing a management system for facilitating processing of at least one computer system comprising data, the method comprising: generating a model of the at least one computer system using the results of an inspection of the at least one computer system, the model being configured to validly interact with each of the at least one computer system based on the results of the inspection of the at least one computer system; defining, by processing means of the management system, a processing operation to be performed on the at least one computer system, the processing means performing the processing operation by interacting with the model wherein the model is arranged to then interact with the at least one computer system to thereby perform the processing operation; determining information relating to permissible operations which are capable of being performed by the model on the at least one computer system; and using the determined information to check, prior to the performance of the processing operation, that the processing operation defined by the processing means is a permissible operation which is capable of being performed by the model on the at least one computer system.
According to preferred embodiments, since the model is configured to validly interact with each of the computer system(s) based on the results of the inspection of the computer system(s), the processing means can be configured to interact with the model, without requiring adaptation in accordance with the specific details of the computer system(s) with which the management system is to be implemented. It is the model that adapts to the specific details of the specific computer system(s) based on the results of the inspection of the computer system(s). Since the processing operations defined by the processing means do not need to take account of the specific details of the computer system(s) (which are taken account of by the model) there will be fewer errors in the processing operations. This means that the processing means are simpler to implement in the identity management system due to the generation of the model. The management system may be configured such that the processing means interacts with the model in a standardised manner which is independent of the at least one computer system. In this way the interaction between the processing means and the model can be the same irrespective of the way in which interactions must be performed with the specific computer system(s) with which the management system is to be implemented.
This greatly simplifies the interaction between the processing means and the model and thereby simplifies the implementation of the processing means.
Furthermore, by determining the information relating to permissible operations which are capable of being performed by the model on the computer system(s), the management system can check that a processing operation can be performed on the computer system(s) by the model before the processing operation is executed. In this way it may be checked that the processing operation defined by the processing means is a permissible operation which is capable of being performed by the model on the computer system(s), without the need to ever perform the processing operation. For example, the step of checking the processing operation may comprise compiling the processing operation defined by the processing means and checking that the compiled processing operation can be performed by the model on the computer system(s). This means that any errors in the processing operation can be found in the development stage of the management system, and the model may notify a developer of such errors so that the developer can fix them prior to implementation of the management system at an organisation. In this way, the situation in which the management system does not function correctly when it is implemented at an organisation is less likely to occur.
The inspection of the computer system(s) may be performed automatically by the management system. In this way the model can be generated automatically. Alternatively, the inspection of the computer system(s) may be performed by a user (e.g. the developer) of the management system, and the user may input the results of the inspection into the management system so that the model can be generated to correctly model the real computer system(s).
Preferably, the model is a sufficiently accurate representation of components of the real computer system(s) so as to be indistinguishable, for the purposes of the management system, from those components which it represents.
The computer system may be a data storage system such as a database system or a directory, or any other type of computer system for storing and/or processing data. One of the computer systems may be a further management system, such that a single management system can model and manage multiple other management systems in a hierarchical manner.
The model may be implemented as a set of properties and processes (e.g. written in computer code) which represent the computer system(s) of an organisation. The model may be stored in a store of the management system.
The model may operate independently of the management system. Multiple models may represent different components of the computer system(s).
According to a third aspect of the invention there is provided a computer program product comprising computer readable instructions for execution by computer processing means for facilitating processing of at least one computer system comprising data, the instructions comprising instructions for carrying out the method according to the second aspect of the invention.
Brief Description of the Drawings
For a better understanding of the present invention and to show how the same may be put into effect, reference will now be made, by way of example, to the following drawings in which: Figure 1 shows an identity management system and two computer systems according to a preferred embodiment; and Figure 2 is a flow chart for a process of implementing an identity management system for facilitating processing of the computer system(s) according to a preferred embodiment.
Detailed Description of Preferred Embodiments
Preferred embodiments of the invention will now be described by way of example only.
With reference to Figure 1 there is now described an arrangement according to a preferred embodiment. Figure 1 shows a first computer system, D1, 102, a second computer system, D2, 104 and an identity management system 106 according to a preferred embodiment. The first computer system 102 comprises two components, C1 and C2, whilst the second computer system 104 comprises three components, C1, C3 and C4, as shown in Figure 1. Each component is a group of related data or related processes. For example, the component C1 may be a set of information about the users in the first computer system 102 and the second component C2 may be a set of data defining particular processes, e.g. for accounting purposes within the computer system 102. As an example, the first computer system 102 may be an HR system and the second computer system 104 may be an email system. The identity management system 106 comprises: a configuration module 108, processing means 110, and a model 112. The configuration module 108 is configured to gather information relating to the first and second computer systems 102 and 104 and to generate the model 112. The processing means 110 are arranged to interact with the model 112, and the model 112 is arranged to interact with the first and second computer systems 102 and 104. The model 112 shown in Figure 1 comprises three model components M1 to M3 which represent the different types of components in the computer systems 102 and 104. The processing means 110 shown in Figure 1 comprises three processing components Pa, Pb and Pc which define different types of processing operations which can be performed on the computer systems 102 and 104 by the model 112.
Figure 1 shows that the two components C1 and C2 in computer system 102 are both modelled by the model 112 (by model components M1 and M2 respectively). C1 is a common component between computer systems 102 and 104, and C1 of computer system 104 is also modelled by the model component M1. C1 is sufficiently similar in computer systems 102 and 104 for it to be modelled in the same way using the model component M1. The component C3 is modelled by the model component M3 of the model 112, whereas the component C4 is not modelled by the model 112, demonstrating that not all components of the computer systems need to be modelled by the model 112.
Therefore, common behaviour and characteristics of component parts of different computer systems can be represented by a common model.
Furthermore, multiple model components representing different component parts of the computer systems 102 and 104 may be combined to form a more complete model of the computer systems. The model components can be interacted with separately or as a whole by the identity management system 106 allowing the respective components of the computer systems they represent to be interacted with separately or as a whole.
It will be apparent to a person skilled in the art that in other embodiments the number of components in the computer systems, the number of model components in the model 112 and the number of processing components in the processing means 110 may be different to those shown in Figure 1.
With reference to Figures 1 and 2 there is described a method of using the identity management system 106 according to a preferred embodiment. In step S202 the configuration module 108 inspects the computer systems 102 and 104. In particular the configuration module 108 automatically inspects the components of the computer systems 102 and 104 such that it can describe the components C1 to C4 in terms of the data items to be managed, the valid values for each of those data items, the mechanism for communicating with the computer systems and any other constraints on the interaction with the computer systems (such as security considerations). The descriptions of the components C1 to C4 are encoded into a database or other storage structure (e.g. an XML document or file) for storage in the identity management system 106. The description of the components of the computer systems 102 and 104 accurately captures the relevant information about the behaviour, characteristics and method of interaction with the computer systems 102 and 104.
In step S204 the management system generates the model 112 based on the description stored as a result of the inspection of the computer systems 102 and 104 performed in step S202. The model 112 defines the rules governing how to interact with the computer systems 102 and 104. In this way the model can validly interact with each of the computer systems 102 and 104 in accordance with the specific implementation details of the computer systems 102 and 104.
The model 112 is stored in the identity management system 106. The model 112 represents the components in the computer systems 102 and 104 accurately enough such that the processing means 110 can interact with the model as if the model were the actual computer systems 102 and 104.
However, the model 112 represents the computer systems 102 and 104 in a standardised format, such that the processing means 110 can interact with the model 112 in a standardised manner irrespective of how the model 112 must interact with the computer systems 102 and 104. In this sense the processing means 110 are decoupled from the computer systems 102 and 104 by the model 112. This can advantageously lead to making the identity management system 106 more flexible and maintainable.
The specific computer systems 102 and 104 may have their own format for storing and processing data, which may not be standardised across all computer systems. In the example given above, a user's first name may be stored under the attribute called "FirstName" in the HR system 102, whereas the user's first name may be stored under the attribute called "firstname" in the email system 104. The configuration module 108 ensures that when the model 112 is generated the model 112 always uses the same (standardised) attribute name for each piece of data. This is useful in that it allows the processing means 110 to interact with the model 112 using the standardised format, irrespective of the format used by the computer systems 102 and 104.
In step S206 information relating to permissible operations which are capable of being performed on the computer systems 102 and 104 is determined by the identity management system 106. Since the model 112 sets out how to interact with the computer systems 102 and 104, it can be determined from the model 112 whether a particular processing operation is capable of being performed on the computer systems 102 and 104. For example, a processing operation that refers to attributes which are present in the computer systems 102 and 104 and acts on those attributes in a manner which is allowed according to the model 112 will most likely be a permissible operation which can be performed on the computer systems 102 and 104. However, if a processing operation refers to an attribute which is not present in the computer systems 102 and 104, or if the processing operation defines actions which cannot be performed on the data in the computer systems 102 and 104, then the processing operation is not a permissible operation. By defining which operations are permissible it can be ensured that only permissible operations are attempted on the computer systems 102 and 104, as described in more detail below.
In step S208 the processing means 110 (in particular the processing components Pa, Pb and Pc) defines processing operations to be performed on the computer systems 102 and 104. The processing operations are defined by the processing means 110 in response to a user of the identity management system 106, e.g. a developer of the identity management system 106, entering details to the identity management system 106 via a user interface to describe the desired actions to be performed by the processing operations. For example, an operator of the organisation which uses the computer systems 102 and 104 may describe particular functionality that is desired, and then the processing operations are defined in step S208 in order to implement the desired functionality.
The processing components Pa, Pb and Pc may each be one of: (i) a data synchronisation module, (ii) a user lifecycle management module, (iii) a role modelling module, (iv) a business process workflow module and (v) some other processing component as deemed necessary for the purposes of the organization. A data synchronisation module defines processing operations for synchronising data between the computer systems 102 and 104. A user lifecycle management module defines processing operations for updating the computer systems 102 and 104 as the users progress through the organization.
A role modelling module defines processing operations for defining logical roles to be delivered to the users. A business process workflow module defines processing operations for providing users with control over the identity management system 106. In this sense the processing components may define processing operations of a particular type.
In step S210 the identity management system 106 uses the information determined in step S206 to check that the processing operations defined in step S208 are permissible operations. In this way the identity management system 106 can check that the processing operations are defined correctly before the processing operations are actually executed, so that a mistake in the definition of a processing operation is found prior to its execution. In particular, the mistakes may be found while the identity management system 106 is still in the development stage (i.e. before it is actually implemented in the organisation owning the computer systems 102 and 104). It is much simpler to correct mistakes found in the development stage than to correct them after the identity management system 106 has been implemented.
Once the identity management system 106 has been implemented in the organisation which uses the computer systems 102 and 104, then in step S212 the processing means 110 interacts with the model 112 in order to perform the processing operations. The processing means 110 do not interact directly with the computer systems 102 and 104 themselves.
In step S214 the model 112 performs the processing operations on the data in the computer systems 102 and 104. In this way the model 112 performs the processing operations by proxy on the computer systems 102 and 104. As described above the model 112 is configured to validly interact with the computer systems 102 and 104. In this sense the model 112 can translate the processing operations received from the processing means 110 (which are received in a standardised format) into the particular format required for validly interacting with the particular computer system in question.
Therefore, by using the method shown in Figure 2, the processing means 110 can define processing operations independently of the particular protocol used by the specific computer systems 102 and 104. By interacting with the model 112 using a standardised format, the likelihood of mistakes in the definition of the processing operations is greatly reduced. It is the model 112 that can then convert the processing operations into a suitable format for performing the processing operations on the computer systems 102 and 104. This greatly simplifies the implementation of the processing components Pa, Pb and Pc in the processing means 110.
In one example, the processing operations are written as computer code in a particular computer programming language, e.g. as Java language code. The identity management system 106 can verify that only the methods or functions available in the model 112 are used by the processing operations. One simple implementation of this check is to use a programming language compiler to perform the validation. In this case, the computer codes of the model 112 and of the processing operations are compiled together. Where the processing operations use the model 112, the compiler will verify that such use satisfies the rules of the programming language in use by the model 112 and the processing operations. Effectively the compiler validates that the processing operations are defined correctly.
When the processing operations are executed, the processing means 110 interacts with the model 112 and then the model 112 interacts with the computer systems being modelled. Before the processing operations are executed, no interaction occurs between the model 112 and the computer system being modelled. Therefore the definition of the processing operations is verified without the need for interaction with the computer systems to occur (i.e. at "compile time" in the development stage rather than at "run time" in the implementation stage). Therefore when the identity management system 106 is implemented at the organisation the processing operations will compile correctly and, as a result, the identity management system 106 will be more likely to function correctly.
As an example, and as a comparison with the prior art described above in the background section, the processing means 110 may define a processing operation to populate the "email address" attribute of a user in the email system 104 using the data in the HR system 102. The processing operation may be defined as: "email address" = hr.getFirstName() + "." + hr.getLastName() + "@domain_name".
The model 112 tries to compile the processing operation for populating the email address attribute. In the example given above the attributes "FirstName" and "LastName" exist in the HR system 102 so the identity management system 106 determines that the processing operation validly refers to attributes in the HR system 102. However, if the processing operation was written incorrectly, for example if the processing operation was defined as: "email address" = hr.getFirstNmae() + "." + hr.getsurname + "@domain_name", then the processing operation will not compile correctly at the model 112. This is because the data in the HR system 102 does not have an attribute called "FirstNmae" because in the definition of the processing operation this has been spelt incorrectly, and also the data in the HR system 102 does not have an attribute called "surname" because the HR system 102 includes an attribute called "LastName" rather than "surname". In response to the failure to compile the processing operation, the identity management system 106 can warn the person (or "developer") setting up the identity management system 106 that the processing operation is incorrectly defined before the identity management system is actually implemented on the computer systems 102 and 104. This advantageously allows the developer to correct errors in the definition of the processing operations prior to implementing the identity management system for real. The identity management system 106 has a user interface for interaction with the developer in order to notify the developer of any problems with the processing operations.
It can be appreciated that in the prior art, if the processing operation was written incorrectly, such that it was defined as: "email address" = hr("FirstNmae") + "." + hr("surname") + "@domain_name", then since "FirstNmae" and "surname" are valid strings in the sense that they are strings, the errors in the processing operation would not be recognised until the processing operation was executed and it was realised that the correct data could not be retrieved from the HR system 102. By that point the identity management system 106 may have been implemented and it may be much more difficult to correct errors in the definition of the processing operations at that point. Furthermore, it may not be obvious what the cause of the error is.
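The check described in the passages above (determine the model's permissible operations in step S206, validate the processing operation against them in step S210, and only then execute it through the model as a proxy in steps S212 and S214) can be reconstructed in a few dozen lines. The block below is an added example, not code from the patent or from any product built on it. It assumes a Python stand-in for the patent's Java compile step: because Python has no compiler that rejects an unknown method, the check is done statically over the operation's syntax tree instead, so that `hr.getFirstNmae()` and `hr.getsurname` are reported to the developer before anything reaches the HR system. The inspection results, the attribute names, the `hr` variable name and the sample record are all constructed for the example.

```python
"""Added example (not the patent's own code): a Python stand-in for the
compile-time check of steps S206 to S214.  The model is generated from
constructed inspection results, its permissible operations are read off the
generated class, and a processing operation is checked statically before it
is executed through the model."""
import ast

# Constructed result of inspecting the HR system (the patent's steps S202/S204).
HR_INSPECTION = {"attributes": ["FirstName", "LastName", "EmployeeId"]}


def generate_model(inspection):
    """Build a model class with one getter per inspected attribute.

    The model is the only thing a processing operation may talk to; each
    getter reads from the record the model is proxying for the HR system."""
    namespace = {"__init__": lambda self, record: setattr(self, "_record", record)}
    for attr in inspection["attributes"]:
        # bind attr now, otherwise every getter would read the last attribute
        namespace["get" + attr] = (lambda name: lambda self: self._record[name])(attr)
    return type("HRModel", (), namespace)


def permissible_operations(model):
    """Step S206: the permissible operations are exactly the generated getters."""
    return {name for name in vars(model) if name.startswith("get")}


def check_operation(source, model_var, allowed):
    """Step S210: report every `<model_var>.<name>` in the operation that the
    model does not provide.  A bare attribute such as `hr.getsurname` is
    reported as well as a call, since both would fail at run time."""
    problems = []
    for node in ast.walk(ast.parse(source, mode="eval")):
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id == model_var and node.attr not in allowed):
            problems.append(f"{model_var}.{node.attr} is not a permissible operation")
    return sorted(problems)


def run_operation(source, model_var, model_instance):
    """Steps S212/S214: execute the operation against the model, never against
    the HR system directly.  Call only after check_operation returned []."""
    code = compile(source, "<processing operation>", "eval")
    # The operation is developer-authored code, as on the page; builtins are
    # still removed so the expression can only use the model it was given.
    return eval(code, {"__builtins__": {}}, {model_var: model_instance})


def develop_and_run(source, record):
    """The whole procedure: generate the model, derive its permissible
    operations, check the operation, and only then execute it.
    Returns (problems, result); result is None when the check failed."""
    model = generate_model(HR_INSPECTION)
    problems = check_operation(source, "hr", permissible_operations(model))
    if problems:
        return problems, None            # developer is warned; nothing executed
    return [], run_operation(source, "hr", model(record))


if __name__ == "__main__":
    record = {"FirstName": "Ada", "LastName": "Lovelace", "EmployeeId": "0001"}  # constructed
    good = 'hr.getFirstName() + "." + hr.getLastName() + "@domain_name"'
    bad = 'hr.getFirstNmae() + "." + hr.getsurname + "@domain_name"'
    print(develop_and_run(good, record))   # ([], 'Ada.Lovelace@domain_name')
    print(develop_and_run(bad, record))    # two problems listed, result None
```

The misspelled operation is rejected at the point the page calls "compile time": no model instance exists and no record has been read when `check_operation` reports `hr.getFirstNmae` and `hr.getsurname`. The string-keyed form of the prior art, `hr("FirstNmae")`, would pass a check of this kind untouched, which is exactly the weakness the patent's typed model is meant to remove.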
We now present a more detailed description of aspects of different modules within the identity management system 106.
The configuration module 108 simplifies the initial set up and on-going management of the identity management system 106 and configures resources and resource attributes, user's attributes and the organizational structure, etc. The configuration module 108 provides an integrated deployment model which supports a full project life-cycle, from development to production. The configuration module 108 ensures consistency between the development model and the production model, and it is easy to generate and deploy new configurations as requirements evolve. The configuration module 108 can work under the principle of "Configuration by exception", such that it "does the right thing" in most cases, such that a human operator is only required to deal with the exceptional circumstances.
A data synchronization module (which may be implemented as a processing component, e.g. Pa, Pb or Pc) is used in the identity management system 106 to quickly and easily synchronize data between the computer systems 102 and 104, and in many cases can implement automatic synchronization of the computer systems with no effort from a human operator. The data synchronisation module provides a powerful and flexible synchronization model with a choice of implementation languages, such as Java for compile-time checking or scripting languages such as JavaScript for simplicity. The data synchronisation module supports multiple authoritative sources of data to be managed by the identity management system 106 (e.g. internal staff, external contractors, and partners of an organisation). Automatic validation of the processing operations defined by the data synchronisation module prevents (or at least reduces the likelihood of) data errors being synchronized between computer systems or users being created or updated with invalid data. The data synchronisation module also allows auditing and logging to track how synchronization events are handled.
A user lifecycle management module (which may be implemented as a processing component, e.g. Pa, Pb or Pc) is used in the identity management system 106 to deliver sophisticated automated provisioning with minimal effort from a human operator of the identity management system 106. The user lifecycle management module allows sophisticated user life-cycle business processes to be created by configuration and provides built-in support for many standard joiner-mover-leaver processes, and it is simple for a human operator to add new joiner-mover-leaver processes. The user lifecycle management module supports notifications, request/approval workflow and timed events as part of the user life-cycle.
A role modelling module (which may be implemented as a processing component, e.g. Pa, Pb or Pc) is used in the identity management system 106 to define logical roles for the business and automatically generates relevant objects. The role modelling module defines logical roles to deliver accounts and entitlements to users. The role modelling module de-couples the logical model from the physical implementation and the abstraction works across resource types, i.e. different types of data storage systems which may include an Active Directory, database, SAP, PeopleSoft, etc. A business process workflow module (which may be implemented as a processing component, e.g. Pa, Pb or Pc) is used in the identity management system 106 to empower users, allows the users to retain control and provides auditability with a powerful business-process request and approval workflow.
The business process workflow module defines processing operations which can be performed on the identity management system to implement request and approval workflows, for example in which a user can request access for a particular piece of data from one of the computer systems governed by the identity management system and the business process workflow module can determine whether to approve the request to thereby grant access to the requested data for the user, which may depend upon the user's role within the organisation. For example, if a managing director of a business requests access to information from an accounts system then the request would most likely be approved by the identity management system 106. However, if a junior assistant made the same request, the request may be denied. The business process workflow module can be used to model complex request and approval processes using configuration. This can simplify the end-user experience, and allow the users to make ad-hoc requests. Anything that can be fulfilled (provisioned) can be requested (e.g. roles, entitlement, accounts, users) and the business process workflow module can provide responses to the requests.
The business process workflow module provides a flexible approval model, which can be multi-step, multi-user/group/role, sequential or parallel. The business process workflow module provides comprehensive logging, auditing and management reporting, and a modular approach allows request, approval and fulfilment (provisioning) to be de-coupled.
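As an added illustration of the approval model just described (this is not the patent's own code and does not implement any particular product): a request for the constructed resource "accounts" is approved outright for a managing director, denied outright for a junior assistant, and otherwise routed through a sequential single-approver step followed by a parallel two-role step, with every decision appended to an audit list and fulfilment (provisioning) kept separate from approval. The user directory, role names and policy are constructed; the refusal of self-approval is an added separation-of-duties check that the page does not mention.

```python
"""Added example (not the patent's own code): a small request/approval
workflow with a role-dependent policy, sequential and parallel approval
steps, an audit log, and fulfilment decoupled from approval."""
from dataclasses import dataclass


@dataclass
class Step:
    """One approval step.  parallel=True: every listed role must approve, in
    any order; parallel=False: the listed roles must approve in the order given."""
    approver_roles: tuple
    parallel: bool = False


# Constructed directory and policy; a deployment would read these from the model.
ROLES = {"alice": "managing_director", "bob": "junior_assistant",
         "carol": "finance_manager", "dave": "security_officer",
         "erin": "analyst", "frank": "data_owner"}

POLICY = {
    "accounts": {
        "auto_approve_roles": {"managing_director"},
        "deny_roles": {"junior_assistant"},
        "steps": [Step(("finance_manager",)),                                # step 1: one approver
                  Step(("security_officer", "data_owner"), parallel=True)],  # step 2: both, any order
    }
}


class Workflow:
    def __init__(self, roles, policy):
        self.roles, self.policy, self.audit = roles, policy, []
        self._next_id = 1

    def _log(self, request, event, actor):
        # Every decision is recorded, including refused ones, for later reporting.
        self.audit.append({"request": request["id"], "event": event,
                           "actor": actor, "state": request["state"]})

    def submit(self, requester, resource):
        rule, role = self.policy[resource], self.roles[requester]
        request = {"id": self._next_id, "requester": requester, "resource": resource,
                   "state": "pending", "step": 0, "done_roles": set()}
        self._next_id += 1
        if role in rule["deny_roles"]:
            request["state"] = "denied"
        elif role in rule["auto_approve_roles"] or not rule["steps"]:
            request["state"] = "approved"
        self._log(request, "submitted", requester)
        return request

    def approve(self, request, approver):
        """Record one approval; returns the request state afterwards."""
        if request["state"] != "pending":
            raise ValueError("request is not pending")
        if approver == request["requester"]:          # added separation-of-duties check
            self._log(request, "self-approval refused", approver)
            raise PermissionError("requester cannot approve own request")
        steps = self.policy[request["resource"]]["steps"]
        step, role = steps[request["step"]], self.roles[approver]
        if role not in step.approver_roles or role in request["done_roles"]:
            self._log(request, "approval refused", approver)
            raise PermissionError(f"{approver} ({role}) may not approve at this step")
        if not step.parallel and role != step.approver_roles[len(request["done_roles"])]:
            self._log(request, "out-of-order approval refused", approver)
            raise PermissionError("sequential step: approvals must follow the configured order")
        request["done_roles"].add(role)
        self._log(request, "approved step", approver)
        if request["done_roles"] == set(step.approver_roles):   # step complete
            request["step"] += 1
            request["done_roles"] = set()
            if request["step"] == len(steps):
                request["state"] = "approved"
                self._log(request, "fully approved", approver)
        return request["state"]

    def deny(self, request, approver):
        if request["state"] != "pending":
            raise ValueError("request is not pending")
        request["state"] = "denied"
        self._log(request, "denied", approver)
        return request["state"]

    def fulfil(self, request):
        """Provisioning is a separate stage: only an approved request is fulfilled."""
        if request["state"] != "approved":
            raise PermissionError("only approved requests are fulfilled")
        request["state"] = "fulfilled"
        self._log(request, "fulfilled", "provisioning")
        return request["state"]
```

A request never reaches `fulfil` on a route the policy did not configure: the only transitions to "approved" are the policy's auto-approval at submission and completion of the final step, and each refused attempt leaves an audit entry rather than silently doing nothing.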
Furthermore, storage and retrieval of data by the model 112 to/from the computer systems 102 and 104 can be initiated and achieved by the model 112 independently of the identity management system 106 to allow the model 112 to anticipate the needs of the identity management system 106 and to operate autonomously from it. Data obtained by the identity management system 106 from the model 112 can be processed by the identity management system 106 independently of model 112.
Although the preferred embodiments are described above with reference to the identity management system 106, the system could be implemented with any management system for processing data in computer systems, and is not limited to being used in identity management systems.
Although in the preferred embodiments described above and shown in Figure 1 there are two computer systems, in other embodiments, any number of computer systems may be included. Similarly, although in the preferred embodiments described above and shown in Figure 1 there are three processing components, in other embodiments, any number of processing modules may be included. The identity management system 106 described herein can be useful for any Extract-Transform-Load (ETL) process since it facilitates the synchronisation of data between computer systems.
The method described above may be implemented by executing a computer program product at computer processing means, wherein the computer program product includes instructions for performing the method described herein. The computer program product may be executed on a server or multiple servers to implement the identity management system 106. The server(s) may be owned by the organisation for which the identity management system 106 is to be implemented.
Furthermore, while this invention has been particularly shown and described with reference to preferred embodiments, it will be understood to those skilled in the art that various changes in form and detail may be made without departing from the scope of the invention as defined by the appendant claims.
Claims (15)
- 1. A management system for facilitating processing of at least one computer system comprising data, the management system comprising: generating means for generating a model of the at least one computer system using the results of an inspection of the at least one computer system, the model being configured to validly interact with each of the at least one computer system based on the results of the inspection of the at least one computer system; processing means for defining a processing operation to be performed on the at least one computer system, and for performing the processing operation by interacting with the model wherein the model is arranged to then interact with the at least one computer system to thereby perform the processing operation; determining means for determining information relating to permissible operations which are capable of being performed by the model on the at least one computer system; and checking means for using the determined information to check, prior to performance of the processing operation, that the processing operation defined by the processing means is a permissible operation which is capable of being performed by the model on the at least one computer system.
- 2. The management system of claim 1 wherein the processing means is configured to interact with the model in a standardised manner which is independent of the at least one computer system.
- 3. The management system of any preceding claim wherein the checking means comprises compiling means for compiling the processing operation defined by the processing means and for checking that the compiled processing operation is capable of being performed by the model on the at least one computer system.
- 4. The management system of any preceding claim wherein the checking means are configured to: check, in a development stage of the management system, that the processing operation defined by the processing means is a permissible operation which is capable of being performed by the model on the at least one computer system; and notify a developer, via a user interface of the management system, of problems with the processing operation that are found during said check.
- 5. The management system of any preceding claim further comprising: inspecting means for performing said inspection of the at least one computer system.
- 6. The management system of any of claims 1 to 4 further comprising: receiving means for receiving, from a user of the management system, the results of said inspection of the at least one computer system.
- 7. The management system of any preceding claim wherein there are a plurality of said computer systems which share common components and wherein the model is a common model which models the common components in the plurality of computer systems.
- 8. The management system of any preceding claim wherein there are a plurality of model components in the model which are used to model a respective plurality of different components of the at least one computer system.
- 9. The management system of any preceding claim wherein there are a plurality of said computer systems, and wherein the processing operation defines steps to be taken to transfer data from one of the computer systems to another one of the computer systems.
- 10. The management system of claim 8 wherein the processing means comprise at least one of: (i) a data synchronisation module for defining processing operations for synchronising data between computer systems; (ii) a user lifecycle management module for defining processing operations for updating computer systems as users progress through a user life cycle; (iii) a role modelling module for defining processing operations for defining logical roles to be delivered to the users; (iv) a business process workflow module for defining processing operations for providing users with control of the management system and (v) another processing module for defining processing operations deemed necessary by an organisation which operates the at least one computer system.
- 11. The management system of any preceding claim wherein the model operates independently of the management system.
- 12. The management system of any preceding claim wherein one of the at least one computer system is a further management system.
- 13. A method of implementing a management system for facilitating processing of at least one computer system comprising data, the method comprising: generating a model of the at least one computer system using the results of an inspection of the at least one computer system, the model being configured to validly interact with each of the at least one computer system based on the results of the inspection of the at least one computer system; defining, by processing means of the management system, a processing operation to be performed on the at least one computer system, the processing means performing the processing operation by interacting with the model wherein the model is arranged to then interact with the at least one computer system to thereby perform the processing operation; determining information relating to permissible operations which are capable of being performed by the model on the at least one computer system; and using the determined information to check, prior to the performance of the processing operation, that the processing operation defined by the processing means is a permissible operation which is capable of being performed by the model on the at least one computer system.
- 14. The method of claim 13 wherein the processing means is configured to interact with the model in a standardised manner which is independent of the at least one computer system.
- 15. A computer program product comprising computer readable instructions for execution by computer processing means for facilitating processing of at least one computer system comprising data, the instructions comprising instructions for carrying out the method according to claim 13 or 14.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB1105669.4A GB2489915A (en) | 2011-04-04 | 2011-04-04 | Management system for processing data |
| PCT/EP2012/055793 WO2012136584A2 (en) | 2011-04-04 | 2012-03-30 | Management system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB1105669.4A GB2489915A (en) | 2011-04-04 | 2011-04-04 | Management system for processing data |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| GB201105669D0 GB201105669D0 (en) | 2011-05-18 |
| GB2489915A true GB2489915A (en) | 2012-10-17 |
Family
ID=44071913
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB1105669.4A Withdrawn GB2489915A (en) | 2011-04-04 | 2011-04-04 | Management system for processing data |
Country Status (2)
| Country | Link |
|---|---|
| GB (1) | GB2489915A (en) |
| WO (1) | WO2012136584A2 (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050015674A1 (en) * | 2003-07-01 | 2005-01-20 | International Business Machines Corporation | Method, apparatus, and program for converting, administering, and maintaining access control lists between differing filesystem types |
| US20100211936A1 (en) * | 2009-02-16 | 2010-08-19 | Schmitz Jeffrey A | Methods and apparatus for integrating engineering models from disparate tools in support of model resue |
| US20110023107A1 (en) * | 2009-07-23 | 2011-01-27 | Chen Leanne L | Lifecycle Management Of Privilege Sharing Using An Identity Management System |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7734778B2 (en) * | 2002-04-05 | 2010-06-08 | Sheng (Ted) Tai Tsao | Distributed intelligent virtual server |
| US8776050B2 (en) * | 2003-08-20 | 2014-07-08 | Oracle International Corporation | Distributed virtual machine monitor for managing multiple virtual resources across multiple physical nodes |
- 2011-04-04 GB GB1105669.4A patent/GB2489915A/en not_active Withdrawn
- 2012-03-30 WO PCT/EP2012/055793 patent/WO2012136584A2/en not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| GB201105669D0 (en) | 2011-05-18 |
| WO2012136584A3 (en) | 2012-12-20 |
| WO2012136584A2 (en) | 2012-10-11 |
Similar Documents
| Publication | Title |
|---|---|
| US11513776B2 (en) | System for self modification |
| US12424303B2 (en) | Clinical data management system |
| CA2777443C (en) | Automated enterprise software development |
| US8631387B2 (en) | System and method for the structuring and interpretation of organic computer programs |
| US11783254B2 (en) | Method and system for implementing an adaptive data governance system |
| CN101794226B (en) | Service software construction method and system adapting to multiple business abstraction levels |
| US10621531B2 (en) | Executing a business process by a standard business process engine |
| US20150081744A1 (en) | Metadata model repository |
| Corradini et al. | Flexible execution of multi-party business processes on blockchain |
| Tankov et al. | Kotless: A serverless framework for kotlin |
| CN115993966A (en) | Application development system and method |
| Kazman et al. | Integrating software-architecture-centric methods into the Rational Unified Process |
| Bochon et al. | Challenges of cloud business process management |
| Singh | A blockchain-based decentralized application for user-driven contribution to Open Government Data |
| GB2489915A (en) | Management system for processing data |
| Leal et al. | Using metamodels to improve model-based testing of service orchestrations |
| Lehmann | Data access in workflow management systems |
| Enos | A Model-Based System for On-Premises Software-Defined Infrastructure |
| Wipp | Workflows on Android: A framework supporting business process execution and rule-based analysis |
| Laksitowening et al. | ACTIFIST: Adaptive architecture for integrated information system |
| KR20250067992A (en) | An integrated management system for metadata and standardization work for distributed development environments and small-scale development and an integrated management method using the same |
| Cederbom | Improving software configuration management across multiple Microsoft Dynamics AX 2009 applications |
| Poggi et al. | Multilanguage Semantic Interoperability in Distributed Applications |
| Hudeib | Design a model for dynamic workflow management system |
| Romero et al. | Project Deliverable |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) | |