Patents by Inventor David Kuehr-McLaren

David Kuehr-McLaren has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11962624
    Abstract: An identity governance system that automates launching of identity campaigns (e.g., attestation, certification, etc.) is augmented to provide for the more efficient generation of datasets that are to be evaluated in a particular campaign review. To this end, at least one data model supported in the system is extended to support user- or system-defined metadata that, once populated with data, enable the system to generate campaign datasets from various data sources in an automated, efficient manner. Metadata includes, for example, application properties, entitlement properties, and the like. In lieu of maintaining a list of entitlements manually, an administrator defines metadata that should be associated with various datasets, e.g., for each application, entitlement, organization unit, etc.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: April 16, 2024
    Assignee: International Business Machines Corporation
    Inventors: David Kuehr-McLaren, Gabriel C. Rebane
  • Patent number: 11240168
    Abstract: A technique for identity governance (IG) data exchange includes receiving, by a first adapter, an identity governance message from a first identity governance resource for transmission of the identity governance message to a second identity governance resource. The first adapter analyzes the message and, based on the analysis, selects a routing policy to apply to the message. Based on the routing policy, the adapter determines a select input queue from a plurality of input queues to receive the message and writes the message to the select input queue. The message is then routed from the select input queue to an output queue, and then a second adapter transfers the message from the output queue to the second identity governance resource.
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: February 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: David Edwards, James Darwin, David Kuehr-McLaren
  • Publication number: 20210211389
    Abstract: A technique for identity governance (IG) data exchange includes receiving, by a first adapter, an identity governance message from a first identity governance resource for transmission of the identity governance message to a second identity governance resource. The first adapter analyzes the message and, based on the analysis, selects a routing policy to apply to the message. Based on the routing policy, the adapter determines a select input queue from a plurality of input queues to receive the message and writes the message to the select input queue. The message is then routed from the select input queue to an output queue, and then a second adapter transfers the message from the output queue to the second identity governance resource.
    Type: Application
    Filed: January 6, 2020
    Publication date: July 8, 2021
    Inventors: David Edwards, James Darwin, David Kuehr-McLaren
  • Publication number: 20210099494
    Abstract: An identity governance system that automates launching of identity campaigns (e.g., attestation, certification, etc.) is augmented to provide for the more efficient generation of datasets that are to be evaluated in a particular campaign review. To this end, at least one data model supported in the system is extended to support user- or system-defined metadata that, once populated with data, enable the system to generate campaign datasets from various data sources in an automated, efficient manner. Metadata includes, for example, application properties, entitlement properties, and the like. In lieu of maintaining a list of entitlements manually, an administrator defines metadata that should be associated with various datasets, e.g., for each application, entitlement, organization unit, etc.
    Type: Application
    Filed: September 27, 2019
    Publication date: April 1, 2021
    Applicant: International Business Machines Corporation
    Inventors: David Kuehr-McLaren, Gabriel C. Rebane
  • Patent number: 7698736
    Abstract: A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.
    Type: Grant
    Filed: August 5, 2008
    Date of Patent: April 13, 2010
    Assignee: International Business Machines Corporation
    Inventors: John R. McGarvey, David Kuehr-McLaren
  • Patent number: 7694329
    Abstract: A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.
    Type: Grant
    Filed: August 5, 2008
    Date of Patent: April 6, 2010
    Assignee: International Business Machines Corporation
    Inventors: John R. McGarvey, David Kuehr-McLaren
  • Publication number: 20090055916
    Abstract: A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.
    Type: Application
    Filed: August 5, 2008
    Publication date: February 26, 2009
    Applicant: International Business Machines Corporation
    Inventors: John R. McGarvey, David Kuehr-McLaren
  • Publication number: 20090055902
    Abstract: A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.
    Type: Application
    Filed: August 5, 2008
    Publication date: February 26, 2009
    Applicant: International Business Machines Corporation
    Inventors: John R. McGarvey, David Kuehr-McLaren
  • Patent number: 7428749
    Abstract: A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.
    Type: Grant
    Filed: August 3, 2001
    Date of Patent: September 23, 2008
    Assignee: International Business Machines Corporation
    Inventors: John R. McGarvey, David Kuehr-McLaren
  • Publication number: 20080016104
    Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.
    Type: Application
    Filed: July 20, 2007
    Publication date: January 17, 2008
    Inventors: David Kuehr-McLaren, Pratik Gupta, Govindaraj Sampathkumar, Vincent Williams, Sharon Cutcher, Sumit Taank, Brian Stube, Hari Shankar
  • Publication number: 20070156765
    Abstract: An abstraction layer associates a party-focused object, a security-focused object, or both, with an abstraction object. The party-focused object has a property. The property is presented in the abstraction object defined by the mapping schema. The abstraction layer converts a set of repository objects to at least one abstraction object.
    Type: Application
    Filed: December 30, 2005
    Publication date: July 5, 2007
    Applicant: International Business Machines Corporation
    Inventors: Mark Hubbard, David Kuehr-McLaren, Govindaraj Sampathkumar, Janette Wong
  • Publication number: 20060253506
    Abstract: A mechanism is provided for rapid integration of directory based applications. A directory proxy lies between applications and the back end repositories. A filtering mechanism detects application specific operations using a set of rules. Notification of a detected operation is sent to interested application-specific synchronization elements. A notified synchronization element requests the parent application to perform a semantically equivalent operation.
    Type: Application
    Filed: May 5, 2005
    Publication date: November 9, 2006
    Applicant: International Business Machines Corporation
    Inventors: Mandar Jog, David Kuehr-McLaren, John McGarvey
  • Patent number: 6920556
    Abstract: Methods, systems and computer program products are provided of message authentication for an SSL-based protocol connection between a source device and a destination device. A group message authentication code (MAC) is generated based on a plurality of communication packets. Each of the communication packets has at least one data record. The plurality of communication packets is transmitted using the SSL-based protocol connection along with the generated group MAC. Individual ones of the plurality of communication packets do not include an associated packet MAC as transmitted. A data record count to a next group MAC may be transmitted before transmitting the data records corresponding to the data record count and transmitting the next group MAC. The data records of the communication packets may be pre-encrypted and transmitted using the SSL-based protocol connection to encrypt the group MAC but not the data records. Receiver side methods, systems and computer program products are also provided.
    Type: Grant
    Filed: July 20, 2001
    Date of Patent: July 19, 2005
    Assignee: International Business Machines Corporation
    Inventors: David Kuehr-McLaren, Timothy G. Shoriak
  • Publication number: 20050138061
    Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.
    Type: Application
    Filed: December 19, 2003
    Publication date: June 23, 2005
    Inventors: David Kuehr-McLaren, Pratik Gupta, Govindaraj Sampathkumar, Vincent Williams, Sharon Cutcher, Sumit Taank, Brian Stube, Hari Shankar
  • Publication number: 20050138419
    Abstract: An automated, bottom-up role discovery method for a role based control system includes automatically extracting identities and attributes from data sources and automatically clustering the identities based on the attributes to form recommended roles. The recommended roles may be modified by intervention of an administrator. Additionally, the recommended roles may be aggregated by defining the role definition as an attribute of each constituent identity, and re-clustering the identities to generate refined roles. The recommended, modified, and/or refined roles may then be utilized in a role based control system, such as a role based access control system. Periodically performing the role discovery process provides a means to audit a role based access control system.
    Type: Application
    Filed: December 19, 2003
    Publication date: June 23, 2005
    Inventors: Pratik Gupta, Govindaraj Sampathkumar, David Kuehr-McLaren, Vincent Williams, Sharon Cutcher, Sumit Taank, Brian Stube, Hari Shankar
  • Publication number: 20050138420
    Abstract: A role hierarchy is automatically generated by hierarchically ranking roles in a role based control system, each role including a plurality of identities having attributes. Iteratively at each hierarchical level: each non-cohesive role (wherein, in this case, at least one attribute is not possessed by every identity in the role) is replaced, at the same hierarchical level, by a cohesive role formed by grouping identities having at least one common attribute. The remaining identities are clustered into children roles based on attributes other than the common attribute, and the children roles are added to the role hierarchy at a hierarchical level below the cohesive role. If no common attribute exists in the non-cohesive role, the role is clustered into two or more new roles based on all the attributes in the role, and the non-cohesive role is replaced with the new roles at the same hierarchical level.
    Type: Application
    Filed: December 19, 2003
    Publication date: June 23, 2005
    Inventors: Govindaraj Sampathkumar, Pratik Gupta, David Kuehr-McLaren, Vincent Williams, Sharon Cutcher, Sumit Taank, Brian Stube, Hari Shankar
  • Publication number: 20050102155
    Abstract: Parties involved in transacting business in an E-marketplace (E-marketplace participants) each identify and submit to the E-marketplace their P3P policy and/or other relevant characteristics related to their privacy policy needs (those that they adhere to, referred to as “privacy policies”; those that they require, referred to as “privacy preferences”, or both). Submitted with the privacy policy is a digital signature that is tied to the owner of the web objects to which the privacy policy pertains. Using a digital signature assures the integrity of the privacy policy since it travels with the privacy policy and thus refers back to the original sender of the policy rather than the middleman (the E-marketplace), and if the document (the privacy policy) to which it is attached has been tampered with, the digital signature will be invalidated.
    Type: Application
    Filed: November 12, 2003
    Publication date: May 12, 2005
    Applicant: International Business Machines Corporation
    Inventors: David Kuehr-McLaren, Martin Presler-Marshall, Calvin Powers, Timothy Shoriak, John Walczyk
  • Publication number: 20050102194
    Abstract: Parties involved in transacting business in an E-marketplace (E-marketplace participants) each identify and submit to the E-marketplace relevant characteristics related to their privacy-use needs (those that they adhere to, referred to as “privacy policies”; those that they require, referred to as “privacy preferences”, or both). The privacy policies and privacy preferences of the E-marketplace participants are then matched up, and those with matching characteristics are given access to each other, while those that do not match up are denied access to each other. This serves as a search filter to match up consumers with providers.
    Type: Application
    Filed: November 12, 2003
    Publication date: May 12, 2005
    Applicant: International Business Machines Corporation
    Inventors: David Kuehr-McLaren, Martin Presler-Marshall, Calvin Powers, Timothy Shoriak, John Walczyk
  • Publication number: 20050102195
    Abstract: Parties involved in transacting business in an E-marketplace (E-marketplace participants) each identify and submit to the E-marketplace relevant characteristics related to their privacy policy needs. When it is determined that two or more participants are collaborating in a transaction (e.g., a supplier and a shipper; two suppliers; three buyers), the privacy policies of the collaborative group are aggregated to produce a single policy that represents the primary policies of the collaborative transaction being presented by the collaborative group.
    Type: Application
    Filed: November 12, 2003
    Publication date: May 12, 2005
    Applicant: International Business Machines Corporation
    Inventors: David Kuehr-McLaren, Martin Presler-Marshall, Calvin Powers, Timothy Shoriak, John Walczyk
  • Publication number: 20050040220
    Abstract: Methods of communicating product status information include maintaining a record of a product identification string associated with a product of a user, the product identification string being associated with a corresponding batch of the product. A batch status request is transmitted to a directory service maintaining batch status information at selected intervals and/or responsive to a user request and the requested batch status information for the product is received. The batch status request need not include personal information of the user. Related directory services, systems and computer program products are also provided.
    Type: Application
    Filed: August 22, 2003
    Publication date: February 24, 2005
    Inventors: David Kuehr-McLaren, Mark Peters