US-12621307-B1 - Unified identity and access management solution for federated legal entities with hybrid cloud infrastructure

Abstract

Distributed computer system for multi-national enterprise comprises a parent Identity Governance and Administration (IGA) system; a parent HR system in communication with the parent IGA system; a parent LDAP system in communication with the parent HR system; a child IGA system; a child HR system in communication with the child IGA system; a child LDAP system in communication with the child HR system; and a child IGA integrator coupled between the child IGA system and the child LDAP system to integrate the child LDAP system and the child IGA system. System also comprises an HR data integrator in communication with the parent HR system and the child HR system to share data between the parent HR system and the child HR system within constraints of laws and regulations of the first and second countries of parent and child and generates a unified identifier for an employee to identify the employee.

Inventors

  • Jun Wu
  • Fan Liu
  • James McGuire

Assignees

  • MORGAN STANLEY SERVICES GROUP INC.

Dates

Publication Date
20260505
Application Date
20240606

Claims (15)

  1. A distributed computer system for a global enterprise that comprises a parent entity and a child entity, where the parent entity operates in a first country and the child entity operates in a second country that is different from the first country, the distributed computer system comprising a plurality of internetworked computer systems, the plurality of internetworked computer systems comprising: a parent Identity Governance and Administration (IGA) system; a parent human resources (HR) system in communication with the parent IGA system; a parent lightweight directory access protocol (LDAP) system in communication with the parent HR system; a child IGA system; a child HR system in communication with the child IGA system; a child LDAP system in communication with the child HR system; a child IGA integrator that integrates the child LDAP system and the child IGA system, wherein the child IGA integrator is coupled between the child IGA system and the child LDAP system; and an HR data integrator in communication with the parent HR system and the child HR system, wherein the HR data integrator: shares data between the parent HR system and the child HR system within constraints of laws and regulations of the first and second countries; and generates a unified identifier for an employee of the global enterprise, wherein the unified identifier identifies the employee, and wherein the HR data integrator is configured to: receive employee data for the employee from child HR system; and upload the employee data to the parent HR system to update the employee data for the employee identified by the unified identifier.
  2. The distributed computer system of claim 1, wherein the HR data integrator is configured to send the unified identifier from the parent HR system to the child HR system.
  3. The distributed computer system of claim 2, wherein the child IGA system is configured to collect information associated with the employee.
  4. The distributed computer system of claim 3, wherein, in response to the employee being transferred within the child entity, the child IGA system triggers a worker transfer process.
  5. The distributed computer system of claim 3, wherein in response to the employee being terminated by the global enterprise, the child IGA system triggers a termination process.
  6. The distributed computer system of claim 5, wherein the termination process includes revoking worker privileges for the employee.
  7. The distributed computer system of claim 3, wherein the employee is a new employee, the IGA system collects information associated with the unified identifier.
  8. The distributed computer system of claim 7, wherein the IGA integrator creates at least one LDAP account for the employee.
  9. The distributed computer system of claim 8, further comprising at least one child application, wherein the child LDAP system is configured to control access to the at least one child application for the employee based on unified identifier of the employee.
  10. The distributed computer system of claim 1, further comprising a global IGA integrator coupled between the child IGA system and the parent IGA system, wherein the global IGA integrator is to report security risks and alarms.
  11. A distributed computer system for a global enterprise that comprises a parent entity and a child entity, where the parent entity operates in a first country and the child entity operates in a second country that is different from the first country, the distributed computer system comprising a plurality of internetworked computer systems, the plurality of internetworked computer systems comprising: a parent Identity Governance and Administration (IGA) server system; a parent human resources (HR) server system in communication with the parent IGA server system; a parent lightweight directory access protocol (LDAP) server system in communication with the parent HR server system; a child IGA server system; a child HR server system in communication with the child IGA system; a child server LDAP system in communication with the child HR system; a child IGA integrator server that integrates the child LDAP system and the child IGA system, wherein the child IGA integrator is coupled between the child IGA system and the child LDAP system; and an HR data integrator server in communication with the parent HR system and the child HR system, wherein the HR data integrator is configured to: share data between the parent HR system and the child HR system within constraints of laws and regulations of the first and second countries; and generate a unified identifier for an employee of the global enterprise, wherein the unified identifier identifies the employee; and wherein in response to child and parent users being invited to a collaboration tenant, the parent IGA system is configured to collect employee identification and email.
  12. A distributed computer system for a global enterprise that comprises a parent entity and a child entity, where the parent entity operates in a first country and the child entity operates in a second country that is different from the first country, the distributed computer system comprising a plurality of internetworked computer systems, the plurality of internetworked computer systems comprising: a parent Identity Governance and Administration (IGA) server system; a parent human resources (HR) server system in communication with the parent IGA server system; a parent lightweight directory access protocol (LDAP) server system in communication with the parent HR server system; a child IGA server system; a child HR server system in communication with the child IGA system; a child server LDAP system in communication with the child HR system; a child IGA integrator server that integrates the child LDAP system and the child IGA system, wherein the child IGA integrator is coupled between the child IGA system and the child LDAP system; and an HR data integrator server in communication with the parent HR system and the child HR system, wherein the HR data integrator is configured to: share data between the parent HR system and the child HR system within constraints of laws and regulations of the first and second countries; and generate a unified identifier for an employee of the global enterprise, wherein the unified identifier identifies the employee; wherein, for a new child entity employee: the child HR system creates new identity records for the new child entity employee; the child HR system uploads data for a Joiner to the parent HR System via the HR data integrator; the parent HR system generates the unified identifier for the new child entity employee; the child HR system receives the unified identifier from the parent HR system via the HR data integrator; and the child IGA system collects new Joiner information associated with the unified identifier.
  13. The distributed computer system of claim 12, the child IGA integrator creates an LDAP account in the child LDAP system for the Joiner, wherein the LDAP account controls access by the Joiner to an on-premises child application.
  14. The distributed computer system of claim 12, the new child entity employee is recognized by the parent IGA system and the Parent LDAP system does not store an account for the new child entity employee.
  15. A distributed computer system for a global enterprise that comprises a parent entity and a child entity, where the parent entity operates in a first country and the child entity operates in a second country that is different from the first country, the distributed computer system comprising a plurality of internetworked computer systems, the plurality of internetworked computer systems comprising: a parent Identity Governance and Administration (IGA) server system; a parent human resources (HR) server system in communication with the parent IGA server system; a parent lightweight directory access protocol (LDAP) server system in communication with the parent HR server system; a child IGA server system; a child HR server system in communication with the child IGA system; a child server LDAP system in communication with the child HR system; a child IGA integrator server that integrates the child LDAP system and the child IGA system, wherein the child IGA integrator is coupled between the child IGA system and the child LDAP system; and an HR data integrator server in communication with the parent HR system and the child HR system, wherein the HR data integrator is configured to: share data between the parent HR system and the child HR system within constraints of laws and regulations of the first and second countries; generate a unified identifier for an employee of the global enterprise, wherein the unified identifier identifies the employee; a collaboration application, wherein a guest user requests access to the collaboration application; and in response the parent IGA system collects an employee identification and email for the guest user from the parent entity.
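The joiner, mover and leaver flow that claims 4 through 9 and 12 through 14 describe, as an added worked example. This is toy code written for this page, not Morgan Stanley's implementation: the class names, the attribute allow-list that stands in for "constraints of laws and regulations", the UID format and the sample record are all assumptions. Two security-relevant points it makes concrete: the HR data integrator is the only place the cross-border filter runs, so the parent never receives the locally restricted attribute even though the child record holds it; and the child LDAP account is keyed on the unified identifier, so a termination pushed through the same integrator revokes child application access without the parent LDAP ever holding an account (claim 14).

```python
"""Toy model of the parent/child HR, IGA and LDAP flow from the claims.

Class names, the EXPORTABLE allow-list, the UID format and the demo data are
assumptions for illustration; none of them come from the patent.
"""
import itertools

# Assumed cross-border policy: only these child HR attributes may be uploaded to
# the parent HR system. Anything else (e.g. a national ID number) stays local.
EXPORTABLE = frozenset({"given_name", "family_name", "work_email", "job_title", "status"})


class ParentHR:
    """Parent HR system: owner and issuer of the unified identifier (claim 12)."""

    def __init__(self):
        self.records = {}                    # uid -> attributes received from child entities
        self._seq = itertools.count(1)

    def upsert(self, attrs, uid=None):
        if uid is None:
            uid = "UID-%06d" % next(self._seq)   # unified identifier (format assumed)
        self.records.setdefault(uid, {}).update(attrs)
        return uid


class ChildHR:
    """Child HR system: local records may hold data that must not leave the country."""

    def __init__(self):
        self.records = {}                    # local_id -> attributes; "uid" set after first upload

    def create(self, local_id, attrs):
        self.records[local_id] = dict(attrs)


class HRDataIntegrator:
    """Filters child data against the policy, uploads it, and relays the UID back (claims 1-2)."""

    def __init__(self, parent, child, exportable):
        self.parent, self.child, self.exportable = parent, child, exportable

    def upload(self, local_id):
        rec = self.child.records[local_id]
        filtered = {k: v for k, v in rec.items() if k in self.exportable}  # the only export path
        uid = self.parent.upsert(filtered, rec.get("uid"))
        rec["uid"] = uid                     # claim 2: UID sent from parent to child HR
        return uid


class ChildLDAP:
    """Child directory: access to child applications is keyed on the UID (claims 9, 13)."""

    def __init__(self):
        self.accounts = {}                   # uid -> set of application groups

    def set_groups(self, uid, groups):
        self.accounts[uid] = set(groups)

    def revoke(self, uid):
        self.accounts.pop(uid, None)

    def can_access(self, uid, app):
        return app in self.accounts.get(uid, set())


class ChildIGA:
    """Child IGA: drives the joiner, mover and leaver processes (claims 4-8)."""

    def __init__(self, integrator, ldap):
        self.integrator, self.ldap = integrator, ldap

    def joiner(self, local_id, apps):
        uid = self.integrator.upload(local_id)       # parent mints the UID on first upload
        self.ldap.set_groups(uid, apps)              # IGA integrator creates the LDAP account
        return uid

    def mover(self, local_id, new_title, apps):
        self.integrator.child.records[local_id]["job_title"] = new_title
        uid = self.integrator.upload(local_id)       # parent record updated under the same UID
        self.ldap.set_groups(uid, apps)              # entitlements re-cut for the new role
        return uid

    def leaver(self, local_id):
        self.integrator.child.records[local_id]["status"] = "terminated"
        uid = self.integrator.upload(local_id)
        self.ldap.revoke(uid)                        # claim 6: revoke worker privileges
        return uid


def run_demo():
    """Walk one constructed employee record through joiner, mover and leaver."""
    parent, child, ldap = ParentHR(), ChildHR(), ChildLDAP()
    iga = ChildIGA(HRDataIntegrator(parent, child, EXPORTABLE), ldap)
    # Constructed sample record; "national_id" stands in for data that must stay local.
    child.create("C-1001", {"given_name": "Ada", "family_name": "Example",
                            "work_email": "ada@child.example", "job_title": "Analyst",
                            "status": "active", "national_id": "LOCAL-ONLY-123"})
    uid = iga.joiner("C-1001", {"trading-ui"})
    after_join = ldap.can_access(uid, "trading-ui")
    iga.mover("C-1001", "Senior Analyst", {"risk-dashboard"})
    after_move = (ldap.can_access(uid, "trading-ui"), ldap.can_access(uid, "risk-dashboard"))
    iga.leaver("C-1001")
    return {"uid": uid,
            "uid_relayed_to_child": child.records["C-1001"]["uid"] == uid,
            "restricted_attr_left_country": "national_id" in parent.records[uid],
            "parent_title": parent.records[uid]["job_title"],
            "parent_status": parent.records[uid]["status"],
            "after_join": after_join, "after_move": after_move,
            "after_leave": ldap.can_access(uid, "risk-dashboard")}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it as a script to print the end state of each stage. The design choice worth noting is that the child HR record is never handed to the parent directly: every upload goes through `HRDataIntegrator.upload`, which is where an auditor would look for the residency control, and the child IGA treats the UID it gets back as the join key for the LDAP account rather than any locally generated identifier.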

Description

BACKGROUND

Many countries have local laws pertaining to cross-border data transfer, i.e. the sharing of data from that country to an entity or person in another country. Such laws can complicate operations for a global entity, which can comprise federated legal entities across multiple countries. The complications include complying with the data protection laws and regulations of each country where the global company operates. A further complication is that cross-border data transfers can increase the risk of cyber-attacks and data breaches.

SUMMARY

In one general aspect, the present invention is directed to a distributed computer system for a global enterprise that comprises a parent entity and a child entity, where the parent entity operates in a first country and the child entity operates in a second country that is different from the first country. The distributed computer system can comprise, according to various embodiments: a parent Identity Governance and Administration (IGA) system; a parent HR system in communication with the parent IGA system; a parent LDAP system in communication with the parent HR system; a child IGA system; a child HR system in communication with the child IGA system; a child LDAP system in communication with the child HR system; and a child IGA integrator that is coupled between the child IGA system and the child LDAP system and that integrates the child LDAP system and the child IGA system. The distributed computer system also comprises an HR data integrator in communication with the parent HR system and the child HR system. The HR data integrator shares data between the parent HR system and the child HR system within the constraints of the laws and regulations of the first and second countries. The HR data integrator also generates a unified identifier for an employee, where the unified identifier identifies the employee.

For example, the HR data integrator can receive employee data from the child HR system and upload the employee data to the parent HR system to update the employee data for the employee identified by the unified identifier. The HR data integrator can also be configured to send the unified identifier from the parent HR system to the child HR system. The child IGA system can also be configured to collect information associated with the employee. In response to the employee being transferred, the child IGA system can trigger a worker transfer process. In response to the employee being terminated, the child IGA system triggers a termination process, such as revoking worker privileges for the terminated employee. Where the employee is a new employee, the IGA system collects information associated with the unified identifier and the IGA integrator can create at least one LDAP account for the new employee. The distributed computer system can further comprise at least one child application, where the child LDAP system is configured to control access to the at least one child application for the employee based on the unified identifier of the employee. In various embodiments, therefore, interactions and communications between legal entities are exception-based and strictly controlled by the cross-border IAM mechanism. The unified IAM solution can integrate with the whole ecosystem by leveraging identity federation capability and by integrating with the HR systems through a consistent process, while each legal entity remains operationally autonomous. The deployment method also provides flexibility, with each component being deployable either on-premises or in the cloud. These and other features of the applicant's teachings are set forth herein.

DESCRIPTION OF THE FIGURES

Various embodiments of the present invention are described herein by way of example in conjunction with the following figures. FIG. 1 is a distributed computer system for a global enterprise, according to an exemplary embodiment of the disclosure. FIG. 2 is a process for operating the distributed computer system, according to an exemplary embodiment of this disclosure.

DESCRIPTION

In one general aspect, the present invention relates to unified identity and access management solutions for a global company that operates in multiple countries. Local cybersecurity laws and industry regulations often set strict requirements on cross-border data transfer. The present invention, in one general aspect, creates a physical IT segregation between legal entities of the global company that sit in different jurisdictions. In general, by default, no data are shared across legal entities. Yet employee information in a global company requires shared access across different legal entities. Thus, the present disclosure sets up separate HR systems for the legal entities, with data sharing limited to the confined scope defined by laws and regulations. In addition, some business data are required to be shared among different legal entities within the global company. The present invention can, in various embodiments, set data access rules betwe