Patents by Inventor David Kuehr-McLaren
David Kuehr-McLaren has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11962624
  Abstract: An identity governance system that automates launching of identity campaigns (e.g., attestation, certification, etc.) is augmented to provide for the more efficient generation of datasets that are to be evaluated in a particular campaign review. To this end, at least one data model supported in the system is extended to support user- or system-defined metadata that, once populated with data, enable the system to generate campaign datasets from various data sources in an automated, efficient manner. Metadata includes, for example, application properties, entitlement properties, and the like. In lieu of maintaining a list of entitlements manually, an administrator defines metadata that should be associated with various datasets, e.g., for each application, entitlement, organization unit, etc.
  Type: Grant
  Filed: September 27, 2019
  Date of Patent: April 16, 2024
  Assignee: International Business Machines Corporation
  Inventors: David Kuehr-McLaren, Gabriel C. Rebane
- Patent number: 11240168
  Abstract: A technique for identity governance (IG) data exchange includes receiving, by a first adapter, an identity governance message from a first identity governance resource for transmission of the identity governance message to a second identity governance resource. The first adapter analyzes the message and, based on the analysis, selects a routing policy to apply to the message. Based on the routing policy, the adapter determines a select input queue from a plurality of input queues to receive the message and writes the message to the select input queue. The message is then routed from the select input queue to an output queue, and then a second adapter transfers the message from the output queue to the second identity governance resource.
  Type: Grant
  Filed: January 6, 2020
  Date of Patent: February 1, 2022
  Assignee: International Business Machines Corporation
  Inventors: David Edwards, James Darwin, David Kuehr-McLaren
- Publication number: 20210211389
  Abstract: A technique for identity governance (IG) data exchange includes receiving, by a first adapter, an identity governance message from a first identity governance resource for transmission of the identity governance message to a second identity governance resource. The first adapter analyzes the message and, based on the analysis, selects a routing policy to apply to the message. Based on the routing policy, the adapter determines a select input queue from a plurality of input queues to receive the message and writes the message to the select input queue. The message is then routed from the select input queue to an output queue, and then a second adapter transfers the message from the output queue to the second identity governance resource.
  Type: Application
  Filed: January 6, 2020
  Publication date: July 8, 2021
  Inventors: David Edwards, James Darwin, David Kuehr-McLaren
- Publication number: 20210099494
  Abstract: An identity governance system that automates launching of identity campaigns (e.g., attestation, certification, etc.) is augmented to provide for the more efficient generation of datasets that are to be evaluated in a particular campaign review. To this end, at least one data model supported in the system is extended to support user- or system-defined metadata that, once populated with data, enable the system to generate campaign datasets from various data sources in an automated, efficient manner. Metadata includes, for example, application properties, entitlement properties, and the like. In lieu of maintaining a list of entitlements manually, an administrator defines metadata that should be associated with various datasets, e.g., for each application, entitlement, organization unit, etc.
  Type: Application
  Filed: September 27, 2019
  Publication date: April 1, 2021
  Applicant: International Business Machines Corporation
  Inventors: David Kuehr-McLaren, Gabriel C. Rebane
- Patent number: 7698736
  Abstract: A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.
  Type: Grant
  Filed: August 5, 2008
  Date of Patent: April 13, 2010
  Assignee: International Business Machines Corporation
  Inventors: John R. McGarvey, David Kuehr-McLaren
- Patent number: 7694329
  Abstract: A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.
  Type: Grant
  Filed: August 5, 2008
  Date of Patent: April 6, 2010
  Assignee: International Business Machines Corporation
  Inventors: John R. McGarvey, David Kuehr-McLaren
- Publication number: 20090055916
  Abstract: A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.
  Type: Application
  Filed: August 5, 2008
  Publication date: February 26, 2009
  Applicant: International Business Machines Corporation
  Inventors: John R. McGarvey, David Kuehr-McLaren
- Publication number: 20090055902
  Abstract: A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.
  Type: Application
  Filed: August 5, 2008
  Publication date: February 26, 2009
  Applicant: International Business Machines Corporation
  Inventors: John R. McGarvey, David Kuehr-McLaren
- Patent number: 7428749
  Abstract: A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.
  Type: Grant
  Filed: August 3, 2001
  Date of Patent: September 23, 2008
  Assignee: International Business Machines Corporation
  Inventors: John R. McGarvey, David Kuehr-McLaren
- Publication number: 20080016104
  Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.
  Type: Application
  Filed: July 20, 2007
  Publication date: January 17, 2008
  Inventors: David Kuehr-McLaren, Pratik Gupta, Govindaraj Sampathkumar, Vincent Williams, Sharon Cutcher, Sumit Taank, Brian Stube, Hari Shankar
- Publication number: 20070156765
  Abstract: An abstraction layer associates a party-focused object, a security-focused object, or both, with an abstraction object. The party-focused object has a property. The property is presented in the abstraction object defined by the mapping schema. The abstraction layer converts a set of repository objects to at least one abstraction object.
  Type: Application
  Filed: December 30, 2005
  Publication date: July 5, 2007
  Applicant: International Business Machines Corporation
  Inventors: Mark Hubbard, David Kuehr-McLaren, Govindaraj Sampathkumar, Janette Wong
- Publication number: 20060253506
  Abstract: A mechanism is provided for rapid integration of directory based applications. A directory proxy lies between applications and the back end repositories. A filtering mechanism detects application specific operations using a set of rules. Notification of a detected operation is sent to interested application-specific synchronization elements. A notified synchronization element requests the parent application to perform a semantically equivalent operation.
  Type: Application
  Filed: May 5, 2005
  Publication date: November 9, 2006
  Applicant: International Business Machines Corporation
  Inventors: Mandar Jog, David Kuehr-McLaren, John McGarvey
- Patent number: 6920556
  Abstract: Methods, systems and computer program products are provided of message authentication for an SSL-based protocol connection between a source device and a destination device. A group message authentication code (MAC) is generated based on a plurality of communication packets. Each of the communication packets has at least one data record. The plurality of communication packets is transmitted using the SSL-based protocol connection along with the generated group MAC. Individual ones of the plurality of communication packets do not include an associated packet MAC as transmitted. A data record count to a next group MAC may be transmitted before transmitting the data records corresponding to the data record count and transmitting the next group MAC. The data records of the communication packets may be pre-encrypted and transmitted using the SSL-based protocol connection to encrypt the group MAC but not the data records. Receiver side methods, systems and computer program products are also provided.
  Type: Grant
  Filed: July 20, 2001
  Date of Patent: July 19, 2005
  Assignee: International Business Machines Corporation
  Inventors: David Kuehr-McLaren, Timothy G. Shoriak
- Publication number: 20050138061
  Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.
  Type: Application
  Filed: December 19, 2003
  Publication date: June 23, 2005
  Inventors: David Kuehr-McLaren, Pratik Gupta, Govindaraj Sampathkumar, Vincent Williams, Sharon Cutcher, Sumit Taank, Brian Stube, Hari Shankar
- Publication number: 20050138419
  Abstract: An automated, bottom-up role discovery method for a role based control system includes automatically extracting identities and attributes from data sources and automatically clustering the identities based on the attributes to form recommended roles. The recommended roles may be modified by intervention of an administrator. Additionally, the recommended roles may be aggregated by defining the role definition as an attribute of each constituent identity, and re-clustering the identities to generate refined roles. The recommended, modified, and/or refined roles may then be utilized in a role based control system, such as a role based access control system. Periodically performing the role discovery process provides a means to audit a role based access control system.
  Type: Application
  Filed: December 19, 2003
  Publication date: June 23, 2005
  Inventors: Pratik Gupta, Govindaraj Sampathkumar, David Kuehr-McLaren, Vincent Williams, Sharon Cutcher, Sumit Taank, Brian Stube, Hari Shankar
- Publication number: 20050138420
  Abstract: A role hierarchy is automatically generated by hierarchically ranking roles in a role based control system, each role including a plurality of identities having attributes. Iteratively at each hierarchical level: each non-cohesive role (wherein, in this case, at least one attribute is not possessed by every identity in the role) is replaced, at the same hierarchical level, by a cohesive role formed by grouping identities having at least one common attribute. The remaining identities are clustered into children roles based on attributes other than the common attribute, and the children roles are added to the role hierarchy at a hierarchical level below the cohesive role. If no common attribute exists in the non-cohesive role, the role is clustered into two or more new roles based on all the attributes in the role, and the non-cohesive role is replaced with the new roles at the same hierarchical level.
  Type: Application
  Filed: December 19, 2003
  Publication date: June 23, 2005
  Inventors: Govindaraj Sampathkumar, Pratik Gupta, David Kuehr-McLaren, Vincent Williams, Sharon Cutcher, Sumit Taank, Brian Stube, Hari Shankar
- Publication number: 20050102155
  Abstract: Parties involved in transacting business in an E-marketplace (E-marketplace participants) each identify and submit to the E-marketplace their P3P policy and/or other relevant characteristics related to their privacy policy needs (those that they adhere to, referred to as "privacy policies"; those that they require, referred to as "privacy preferences", or both). Submitted with the privacy policy is a digital signature that is tied to the owner of the web objects to which the privacy policy pertains. Using a digital signature assures the integrity of the privacy policy since it travels with the privacy policy and thus refers back to the original sender of the policy rather than the middleman (the E-marketplace), and if the document (the privacy policy) to which it is attached has been tampered with, the digital signature will be invalidated.
  Type: Application
  Filed: November 12, 2003
  Publication date: May 12, 2005
  Applicant: International Business Machines Corporation
  Inventors: David Kuehr-McLaren, Martin Presler-Marshall, Calvin Powers, Timothy Shoriak, John Walczyk
- Publication number: 20050102194
  Abstract: Parties involved in transacting business in an E-marketplace (E-marketplace participants) each identify and submit to the E-marketplace relevant characteristics related to their privacy-use needs (those that they adhere to, referred to as "privacy policies"; those that they require, referred to as "privacy preferences", or both). The privacy policies and privacy preferences of the E-marketplace participants are then matched up, and those with matching characteristics are given access to each other, while those that do not match up are denied access to each other. This serves as a search filter to match up consumers with providers.
  Type: Application
  Filed: November 12, 2003
  Publication date: May 12, 2005
  Applicant: International Business Machines Corporation
  Inventors: David Kuehr-McLaren, Martin Presler-Marshall, Calvin Powers, Timothy Shoriak, John Walczyk
- Publication number: 20050102195
  Abstract: Parties involved in transacting business in an E-marketplace (E-marketplace participants) each identify and submit to the E-marketplace relevant characteristics related to their privacy policy needs. When it is determined that two or more participants are collaborating in a transaction (e.g., a supplier and a shipper; two suppliers; three buyers), the privacy policies of the collaborative group are aggregated to produce a single policy that represents the primary policies of the collaborative transaction being presented by the collaborative group.
  Type: Application
  Filed: November 12, 2003
  Publication date: May 12, 2005
  Applicant: International Business Machines Corporation
  Inventors: David Kuehr-McLaren, Martin Presler-Marshall, Calvin Powers, Timothy Shoriak, John Walczyk
- Publication number: 20050040220
  Abstract: Methods of communicating product status information include maintaining a record of a product identification string associated with a product of a user, the product identification string being associated with a corresponding batch of the product. A batch status request is transmitted to a directory service maintaining batch status information at selected intervals and/or responsive to a user request and the requested batch status information for the product is received. The batch status request need not include personal information of the user. Related directory services, systems and computer program products are also provided.
  Type: Application
  Filed: August 22, 2003
  Publication date: February 24, 2005
  Inventors: David Kuehr-McLaren, Mark Peters