US 12,455,878 B2
System and method for SQL server resources and permissions analysis in identity management systems
Itay Maichel, Ra'anana (IL); Anatoly Gutnik, Herzliya (IL); and Shlomi Wexler, Udim (IL)
Assigned to SAILPOINT TECHNOLOGIES ISRAEL LTD., Ramat Gan (IL)
Filed by SailPoint Technologies Israel Ltd., Ramat Gan (IL)
Filed on Nov. 21, 2022, as Appl. No. 17/991,130.
Application 17/991,130 is a continuation of application No. 17/387,462, filed on Jul. 28, 2021, granted, now 11,537,603.
Claims priority of provisional application 63/064,182, filed on Aug. 11, 2020.
Prior Publication US 2023/0083054 A1, Mar. 16, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 16/00 (2019.01); G06F 16/242 (2019.01)
CPC G06F 16/2433 (2019.01) 20 Claims
OG exemplary drawing
 
1. An identity management system, comprising:
a processor;
a non-transitory, computer-readable storage medium, including computer instructions for:
obtaining identity management data associated with a plurality of source systems in a distributed enterprise computing environment, the obtaining identity management data further comprising:
initiating a crawl process of the plurality of source systems to obtain a plurality of database objects of SQL servers of the plurality of source systems, and
initiating a permission collection service to fetch permissions of the obtained database objects from respective SQL servers of the plurality of source systems, the identity management data comprising data on a set of identity management artifacts utilized in identity management in the distributed enterprise computing environment, including a set of identities, each identity of the set of identities being associated with one or more criteria, SQL database objects, and entitlements associated with each of the plurality of SQL database objects, wherein:
the plurality of source systems include an authoritative source system and the identity management data comprises identity data on a set of identities obtained from the authoritative source system, and
the plurality of source systems include at least one SQL server and the identity management data comprises SQL object data on SQL database objects of the SQL server and entitlement data on a set of entitlements;
generating a SQL permissions model that represents a native entitlement structure and object hierarchy of each of the respective plurality of distinct SQL servers, the SQL permissions model including direct entitlements, group or role-inherited entitlements, and implicitly granted entitlements based on the respective database object hierarchy, the generating further comprising analyzing schema and permission data of the plurality of distinct SQL servers to determine the direct, group or role-inherited, and implicitly granted entitlements for each obtained SQL database object;
receiving a criteria associated with a first identity of the set of identities;
determining, based on the SQL permissions model, a consolidated view of substantially all entitlements for the first identity across the plurality of distinct SQL servers, the determining comprising correlating identity data associated with the first identity with entitlements in the SQL permissions model, including identifying entitlements derived from group or role membership and implicitly granted permissions based on the SQL database object hierarchy; and
presenting the consolidated view of the substantially all entitlements for the first identity, including the associated SQL database objects and any respective sub-objects that inherit permissions, in a unified, identity-centric display for identity governance.
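As an added illustration of the SQL permissions model the claim describes (example code, not from the patent or from SailPoint), the following Python resolves the three entitlement kinds for one identity, direct, group or role-inherited (including nested roles), and implicitly granted through the database > schema > object hierarchy, from constructed sys.database_permissions-style rows, and lets a DENY override a GRANT the way SQL Server does. All principal, securable and permission names are hypothetical, and permission implication (CONTROL covering SELECT, and so on) is deliberately not modeled.

```python
from collections import defaultdict

# Constructed sample data. Securables form the SQL Server hierarchy
# database > schema > object; each entry maps a securable to its parent.
PARENT = {
    "dbo.Orders": "dbo", "dbo.Customers": "dbo", "hr.Salaries": "hr",
    "dbo": "SalesDB", "hr": "SalesDB", "SalesDB": None,
}
# Role membership as in sys.database_role_members; Analysts is nested in Readers.
ROLE_MEMBERS = {
    "Readers": {"Analysts"}, "Analysts": {"alice"}, "db_owner": {"bob"},
}
# (grantee, state, permission, securable), mirroring sys.database_permissions rows.
PERMISSIONS = [
    ("Readers",  "GRANT", "SELECT",  "dbo"),
    ("alice",    "GRANT", "UPDATE",  "dbo.Orders"),
    ("alice",    "DENY",  "SELECT",  "dbo.Customers"),
    ("db_owner", "GRANT", "CONTROL", "SalesDB"),
]

def principals_for(identity):
    """The identity plus every role it belongs to, following nested membership."""
    found, frontier = {identity}, [identity]
    while frontier:
        p = frontier.pop()
        for role, members in ROLE_MEMBERS.items():
            if p in members and role not in found:
                found.add(role)
                frontier.append(role)
    return found

def descendants(securable):
    """The securable and every sub-object that inherits permissions from it."""
    out = {securable}
    for child, parent in PARENT.items():
        if parent == securable:
            out |= descendants(child)
    return out

def consolidated_view(identity):
    """Map (permission, securable) -> provenance list for each effective entitlement."""
    principals = principals_for(identity)
    grants, denies = defaultdict(list), set()
    for grantee, state, perm, securable in PERMISSIONS:
        if grantee not in principals:
            continue
        how = "direct" if grantee == identity else f"via role {grantee}"
        for target in descendants(securable):   # grant/deny flows down the hierarchy
            if state == "DENY":
                denies.add((perm, target))
            else:
                origin = how if target == securable else f"{how}, implicit from {securable}"
                grants[(perm, target)].append(origin)
    return {k: v for k, v in grants.items() if k not in denies}  # DENY wins over GRANT
```

The provenance strings are what an identity-centric display would show next to each entitlement, so an auditor can see whether access came from a direct grant, a role, or an ancestor object.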