Abstract: Different types of soft-lockout policies can be associated with different organizations (or groups) in an identity management system. Each soft-lockout policy can indicate different parameters such as a number of login attempts allowed and an amount of time that a user account will be locked-out if the maximum allowed attempts are exceeded unsuccessfully. Users can be associated with the different organizations. For each user, the soft-lockout policies for the organization with which that user is associated are applied to that user when that user attempts to log in. Thus, different groups of users can be handled with different security behaviors regarding unsuccessful login attempts. If, for example, a user were to become moved from one organization to another, then the soft-lockout policies associated with the user's new organization would become applicable to that user.

Abstract: Different types of soft-lockout policies can be associated with different organizations (or groups) in an identity management system. Each soft-lockout policy can indicate different parameters such as a number of login attempts allowed and an amount of time that a user account will be locked-out if the maximum allowed attempts are exceeded unsuccessfully. Users can be associated with the different organizations. For each user, the soft-lockout policies for the organization with which that user is associated are applied to that user when that user attempts to log in. Thus, different groups of users can be handled with different security behaviors regarding unsuccessful login attempts. If, for example, a user were to become moved from one organization to another, then the soft-lockout policies associated with the user's new organization would become applicable to that user.

Abstract: Different types of soft-lockout policies can be associated with different organizations (or groups) in an identity management system. Each soft-lockout policy can indicate different parameters such as a number of login attempts allowed and an amount of time that a user account will be locked-out if the maximum allowed attempts are exceeded unsuccessfully. Users can be associated with the different organizations. For each user, the soft-lockout policies for the organization with which that user is associated are applied to that user when that user attempts to log in. Thus, different groups of users can be handled with different security behaviors regarding unsuccessful login attempts. If, for example, a user were to become moved from one organization to another, then the soft-lockout policies associated with the user's new organization would become applicable to that user.

Abstract: Different types of soft-lockout policies can be associated with different organizations (or groups) in an identity management system. Each soft-lockout policy can indicate different parameters such as a number of login attempts allowed and an amount of time that a user account will be locked-out if the maximum allowed attempts are exceeded unsuccessfully. Users can be associated with the different organizations. For each user, the soft-lockout policies for the organization with which that user is associated are applied to that user when that user attempts to log in. Thus, different groups of users can be handled with different security behaviors regarding unsuccessful login attempts. If, for example, a user were to become moved from one organization to another, then the soft-lockout policies associated with the user's new organization would become applicable to that user.

Abstract: Techniques for representating, managing and storing data related to an organization are provided. An identity management system is disclosed that is configured to manage, represent and store data related to an organization. The identity management system reads data pertaining to an organization from a directory and generates a data model of the organization. The identity management system performs operations to manage the data related to an organization using the data model. The operations include adding logical organizations to the data model and defining user-membership policies associated with entities and logical organizations in the data model. The operations may further include identifying policies to be applied to the users of the organization. In some embodiments, the operations include re-assigning a logical organization and its associated user membership policies to different entities within in the data model while maintaining user-membership policies associated with the logical organization.

Abstract: Techniques for representating, managing and storing data related to an organization are provided. An identity management system is disclosed that is configured to manage, represent and store data related to an organization. The identity management system reads data pertaining to an organization from a directory and generates a data model of the organization. The identity management system performs operations to manage the data related to an organization using the data model. The operations include adding logical organizations to the data model and defining user-membership policies associated with entities and logical organizations in the data model. The operations may further include identifying policies to be applied to the users of the organization. In some embodiments, the operations include re-assigning a logical organization and its associated user membership policies to different entities within in the data model while maintaining user-membership policies associated with the logical organization.

Abstract: A method, system, apparatus, and computer program product are presented for managing access to resources with a role-based access control model that includes dynamic update functionality using role filters and capability filters. Rather than directly connecting individual users to a role, a role filter is defined for a role. The role filter is evaluated to determine which users should be matched to a given role, and matching users are then automatically associated with the given role. In addition to its role filter, each named role contains a set of capabilities. Each capability contains a set of access conditions and a capability filter. Each access condition has a set of rights. Rather than directly connecting individual resources to a capability, the administrator can define a capability filter for each capability. As target instances are added, deleted, or changed, capability filters are re-evaluated to maintain the appropriate set of relationships.

Abstract: An event management service (EMS) of a distributed computing environment includes a filter mechanism for determining whether events generated by one or more event suppliers are communicated to one or more event consumers. Each event consumer that registers for the service also defines an event filter group that determines whether particular events generated by the one or more event suppliers are communicated to that event consumer. The event filter group is derived from one or more predefined event type schemas and/or event header information. Events supplied to the service are applied through a parser of the filter mechanism to control whether and where a particular event is routed.

Abstract: A method and apparatus for the administration of a user registry in a distributed computing environment (DCE). User administration is achieved by encapsulating the DCE principal, extended registry attributes, and account entities into a single object called an account object. The single account object is a subclass of an abstract object called the registry object, which in turn is a subclass of the DCE extended registry attribute object. The invention provides a single object to which requests are made, thus providing a simplified user interface for accessing the contents of the object-oriented account object.

Abstract: A method and apparatus for managing exceptions occurring during an execution of a plurality of objects in an object oriented environment. Under the present invention a message from an object is received in which the message requires processing by the plurality of objects. Error information is stored in a data structure in response to each occurrence of an error in each of the plurality of objects. This data structure is returned to the object.