Abstract: An identity management system is augmented to provide for automated suspension of all dormant accounts before launching a re-certification campaign (pass). In one implementation, prior to receiving a recertification notice from the system, the affected user's account is already suspended and thus cannot be accessed. Once the recertification succeeds, however, the account is restored. Preferably, the technique is exposed to an IAM system administrator through a simple interface, e.g., a one-click “suspend and re-certify” button in an administrative menu. When the administrator initiates the re-certification process, he or she may select the button for a particular account or user.

Abstract: An identity and access management IAM system is augmented to provide for supervised, iterative machine learning (ML), preferably with a user-generated training set for classification. The training set may include various types of data, including characteristics or attributes of the account types, the users, or the like. A goal of the initial ML training, which may include one or multiple passes, is to enable the machine to identify specific characteristics or attributes that provide a good classification result, with the resulting classifications then applied within the IAM system. In particular, the output of the ML system may be used by the IAM system for enforcing rights associated with the identified accounts, managing accounts, and so forth.

Abstract: An identity management system is augmented to provide for automated suspension of all dormant accounts before launching a re-certification campaign (pass). In one implementation, prior to receiving a recertification notice from the system, the affected user's account is already suspended and thus cannot be accessed. Once the recertification succeeds, however, the account is restored. Preferably, the technique is exposed to an IAM system administrator through a simple interface, e.g., a one-click “suspend and re-certify” button in an administrative menu. When the administrator initiates the re-certification process, he or she may select the button for a particular account or user.

Abstract: An identity management system is augmented to provide for automated suspension of all dormant accounts before launching a re-certification campaign (pass). In one implementation, prior to receiving a recertification notice from the system, the affected user's account is already suspended and thus cannot be accessed. Once the recertification succeeds, however, the account is restored. Preferably, the technique is exposed to an IAM system administrator through a simple interface, e.g., a one-click “suspend and re-certify” button in an administrative menu. When the administrator initiates the re-certification process, he or she may select the button for a particular account or user.

Abstract: An identity management system is augmented to provide a methodology to generate an objective measure of administrative effectiveness with respect to account certification. In the approach, erroneous account information is intentionally inserted into a recertification campaign. The erroneous account information is tracked through the recertification process and used as a measurement to evaluate whether a particular manager/administrator whose accounts are impacted is successful in recognizing the erroneous account information (e.g., as a percentage of erroneous account records located). The dummy information is tracked and used to generate a quantitative measure of the effectiveness of a particular recertification campaign or a particular manager who is responsible for recertifying accounts. The results can also be used to drive other enterprise metrics and compliance systems.

Abstract: An identity and access management IAM system is augmented to provide for supervised, iterative machine learning (ML), preferably with a user-generated training set for classification. The training set may include various types of data, including characteristics or attributes of the account types, the users, or the like. A goal of the initial ML training, which may include one or multiple passes, is to enable the machine to identify specific characteristics or attributes that provide a good classification result, with the resulting classifications then applied within the IAM system. In particular, the output of the ML system may be used by the IAM system for enforcing rights associated with the identified accounts, managing accounts, and so forth.

Abstract: An identity management system is augmented to provide a methodology to generate an objective measure of administrative effectiveness with respect to account certification. In the approach, erroneous account information is intentionally inserted into a recertification campaign. The erroneous account information is tracked through the recertification process and used as a measurement to evaluate whether a particular manager/administrator whose accounts are impacted is successful in recognizing the erroneous account information (e.g., as a percentage of erroneous account records located). The dummy information is tracked and used to generate a quantitative measure of the effectiveness of a particular recertification campaign or a particular manager who is responsible for recertifying accounts. The results can also be used to drive other enterprise metrics and compliance systems.

Abstract: An identity management system is augmented to provide for automated suspension of all dormant accounts before launching a re-certification campaign (pass). In one implementation, prior to receiving a recertification notice from the system, the affected user's account is already suspended and thus cannot be accessed. Once the recertification succeeds, however, the account is restored. Preferably, the technique is exposed to an IAM system administrator through a simple interface, e.g., a one-click “suspend and re-certify” button in an administrative menu. When the administrator initiates the re-certification process, he or she may select the button for a particular account or user.

Abstract: An identity management system is augmented to enable a manager to associate “risk” metadata with different types of access requests representing computer system accounts that can be requested by authorized users. When an authorized user then requests access to a particular account, any “risk” associated with that access is shown to the user, typically in the form of a visual “badge” or other such indicator. The badge includes an appropriate informational display (e.g., “High Risk” or “Regulated”) that provides an appropriate risk warning. The risk metadata badge information preferably also is displayed for risk-based access request approval routing; in such context, the risk metadata may also determine the risk approval workflow itself. Thus, for example, if the risk metadata is present when the authorized user requests access, an approval workflow may be modified so that the request approval is routed appropriately.

Abstract: An identity management system is augmented to enable a manager to associate “risk” metadata with different types of access requests representing computer system accounts that can be requested by authorized users. When an authorized user then requests access to a particular account, any “risk” associated with that access is shown to the user, typically in the form of a visual “badge” or other such indicator. The badge includes an appropriate informational display (e.g., “High Risk” or “Regulated”) that provides an appropriate risk warning. The risk metadata badge information preferably also is displayed for risk-based access request approval routing; in such context, the risk metadata may also determine the risk approval workflow itself. Thus, for example, if the risk metadata is present when the authorized user requests access, an approval workflow may be modified so that the request approval is routed appropriately.

Abstract: Embodiments of the invention provide a method, a system and a computer program product for analyzing the effect of a software maintenance patch on configuration items of a CMDB. One embodiment, directed to a method, is associated with a CMDB containing information that relates to configuration items (CIs) included in one or more managed configurable systems. The method includes the step of generating a manifest that defines a target system, and contains a description of a maintenance patch disposed to update one or more specified software components. The method further includes using information contained in the manifest to search the CMDB, in order to detect each configurable system in the CMDB that corresponds to the definition of the target system, and contains at least one CI that includes at least one of the specified software components.

Abstract: A system for synchronizing account names from a plurality of source security systems. In response to coupling a conversion system between the plurality of source security systems and a target security system, identity data from a human resource system and account data from the plurality of local source security systems is loaded into the conversion system. A name resolution rule set is retrieved and a unique account name identification is generated for a set of account names associated with an identity using the name resolution rule set. The set of account names associated with the identity is converted to the unique account name identification to produce a synchronized set of account names associated with the identity. Then, the synchronized set of account names associated with the identity is stored in the target security system.

Abstract: Embodiments of the invention provide a method, a system and a computer program product for analyzing the effect of a software maintenance patch on configuration items of a CMDB. One embodiment, directed to a method, is associated with a CMDB containing information that relates to configuration items (CIs) included in one or more managed configurable systems. The method includes the step of generating a manifest that defines a target system, and contains a description of a maintenance patch disposed to update one or more specified software components. The method further includes using information contained in the manifest to search the CMDB, in order to detect each configurable system in the CMDB that corresponds to the definition of the target system, and contains at least one CI that includes at least one of the specified software components.

Abstract: A system for synchronizing account names from a plurality of source security systems. In response to coupling a conversion system between the plurality of source security systems and a target security system, identity data from a human resource system and account data from the plurality of local source security systems is loaded into the conversion system. A name resolution rule set is retrieved and a unique account name identification is generated for a set of account names associated with an identity using the name resolution rule set. The set of account names associated with the identity is converted to the unique account name identification to produce a synchronized set of account names associated with the identity. Then, the synchronized set of account names associated with the identity is stored in the target security system.