One time use password for temporary privilege escalation in a role-based access control (RBAC) system

US 10,075,450 B2
Filed: 05/12/2016
Issued: 09/11/2018
Est. Priority Date: 05/29/2015
Status: Active Grant

First Claim

Patent Images

1. A method of operating a computing system to facilitate temporary escalation of access privileges for a machine control program associated with a machine system in an industrial automation environment, the method comprising:

receiving, in the machine system and from a user, a login request comprising a username and password, wherein the username and the password are associated with the user and are stored on a machine authority of the machine system;

granting, via the machine system, the user an access level to utilize one or more functions of the machine control program corresponding with a role of the user;

receiving, in the machine system and from the user, a request for a temporary access level increase to utilize a protected function of the machine control program associated with the machine system, wherein the protected function corresponds with a temporary role distinct from the role of the user;

in response to the request for the temporary access level increase, generating, via the machine system, an encrypted string comprising a temporary password authorized to allow the user to access the protected function of the machine control program;

providing the encrypted string to the user, wherein the user provides the encrypted string to an administrator and the administrator authenticates the user for the temporary access level increase, decrypts the temporary password, and provides the temporary password to the user;

receiving, in the machine system and from the user, an elevated login request comprising the username and the temporary password authorized to allow the user to access the protected function of the machine control program; and

responsive to receiving the elevated login request, granting, via the machine system, the temporary access level increase to allow the user to utilize the protected function of the machine control program.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques to facilitate temporary escalation of access privileges for a control program associated with a machine system in an industrial automation environment are disclosed. In at least one implementation, a request is received from a user for a temporary access level increase to utilize protected functions of the control program. An encrypted string is generated comprising a temporary password authorized to access the protected functions of the control program. The encrypted string is provided to the user, wherein the user provides the encrypted string to an administrator and the administrator authenticates the user for the temporary access level increase, decrypts the temporary password, and provides the temporary password to the user. A login request is received from the user with the temporary password, and the temporary access level increase is responsively granted to allow the user to utilize the protected functions of the control program.

30 Citations

View as Search Results

20 Claims

1. A method of operating a computing system to facilitate temporary escalation of access privileges for a machine control program associated with a machine system in an industrial automation environment, the method comprising:
- receiving, in the machine system and from a user, a login request comprising a username and password, wherein the username and the password are associated with the user and are stored on a machine authority of the machine system;
  
  granting, via the machine system, the user an access level to utilize one or more functions of the machine control program corresponding with a role of the user;
  
  receiving, in the machine system and from the user, a request for a temporary access level increase to utilize a protected function of the machine control program associated with the machine system, wherein the protected function corresponds with a temporary role distinct from the role of the user;
  
  in response to the request for the temporary access level increase, generating, via the machine system, an encrypted string comprising a temporary password authorized to allow the user to access the protected function of the machine control program;
  
  providing the encrypted string to the user, wherein the user provides the encrypted string to an administrator and the administrator authenticates the user for the temporary access level increase, decrypts the temporary password, and provides the temporary password to the user;
  
  receiving, in the machine system and from the user, an elevated login request comprising the username and the temporary password authorized to allow the user to access the protected function of the machine control program; and
  
  responsive to receiving the elevated login request, granting, via the machine system, the temporary access level increase to allow the user to utilize the protected function of the machine control program.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein granting the temporary access level increase comprises granting the temporary access level increase for only a single elevated login request.
  - 3. The method of claim 1 wherein generating the encrypted string further comprises generating the encrypted string comprising the temporary role.
  - 4. The method of claim 1 wherein the machine control program comprises controller program code that directs an industrial controller to drive the machine system.
  - 5. The method of claim 1 wherein granting the temporary access level increase comprises granting the temporary access level increase for a predetermined time period.
  - 6. The method of claim 1 wherein receiving the request for the temporary access level increase comprises receiving the request for the temporary access level increase via a function of the one or more functions of the machine control program corresponding with the role of the user.

7. One or more computer-readable storage media having program instructions stored thereon to facilitate temporary escalation of access privileges for a machine control program associated with a machine system in an industrial automation environment, wherein the program instructions, when executed by a computing system, direct the computing system to at least:
- receive, in the machine system and from a user, a login request comprising a username and password, wherein the username and the password are associated with the user and are stored on a machine authority of the machine system;
  
  grant, via the machine system, the user an access level to utilize one or more functions of the machine control program corresponding with a role of the user;
  
  receive, in the machine system, a request from the user for a temporary access level increase to utilize protected functions of the machine control program associated with the machine system, wherein the protected functions correspond with a temporary role distinct from the role of the user;
  
  in response to the request for the temporary access level increase, generate, via the machine system, an encrypted string comprising a temporary password authorized to allow the user to access the protected functions of the machine control program;
  
  provide the encrypted string to the user, wherein the user provides the encrypted string to an administrator and the administrator authenticates the user for the temporary access level increase, decrypts the temporary password, and provides the temporary password to the user; and
  
  receive, in the machine system and from the user, an elevated login request comprising the username and the temporary password authorized to allow the user to access the protected functions of the machine control program, and responsively grant, via the machine system, the temporary access level increase to allow the user to utilize the protected functions of the machine control program.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The one or more computer-readable storage media of claim 7 wherein the program instructions that direct the computing system to grant the temporary access level increase direct the computing system to grant the temporary access level increase for only a single elevated login request.
  - 9. The one or more computer-readable storage media of claim 7 wherein the program instructions that direct the computing system to generate the encrypted string direct the computing system to generate the encrypted string comprising the temporary role.
  - 10. The one or more computer-readable storage media of claim 7 wherein the program instructions that direct the computing system to grant the temporary access level increase direct the computing system to grant the temporary access level increase for a predetermined time period.
  - 11. The one or more computer-readable storage media of claim 7 wherein the program instructions that direct the computing system to grant the temporary access level increase direct the computing system to grant the temporary access level increase for a predetermined number of elevated login requests.
  - 12. The one or more computer-readable storage media of claim 7 wherein the program instructions that direct the computing system to receive the request for the temporary access level increase direct the computing system to receive the request for the temporary access level increase via a function of the one or more functions of the machine control program corresponding with the role of the user.

13. An apparatus to facilitate temporary escalation of access privileges for a machine control program associated with a machine system in an industrial automation environment, the apparatus comprising:
- one or more computer-readable storage media; and
  
  program instructions stored on the one or more computer-readable storage media that, when executed by a processing system, direct the processing system to at least;
  
  receive, in the machine system and from a user, a login request comprising a username and password, wherein the username and the password are associated with the user and are stored on a machine authority of the machine system;
  
  grant, via the machine system, the user an access level to utilize one or more functions of the machine control program corresponding with a role of the user;
  
  receive, in the machine system, a request from the user for a temporary access level increase to utilize a protected function of the machine control program associated with the machine system, wherein the protected function corresponds with a temporary role distinct from the role of the user;
  
  in response to the request for the temporary access level increase, generate, via the machine system, an encrypted string comprising a temporary password authorized to allow the user to access the protected function of the machine control program;
  
  provide the encrypted string to the user, wherein the user provides the encrypted string to an administrator and the administrator authenticates the user for the temporary access level increase, decrypts the temporary password, and provides the temporary password to the user; and
  
  receive, in the machine system and from the user, an elevated login request comprising the username and the temporary password authorized to allow the user to access the protected function of the machine control program, and responsively grant, via the machine system, the temporary access level increase to allow the user to utilize the protected function of the machine control program.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The apparatus of claim 13 wherein the program instructions direct the processing system to generate the encrypted string by directing the processing system to generate the temporary password authorized to access the protected function of the machine control program and include the temporary password in the encrypted string.
  - 15. The apparatus of claim 13 wherein the program instructions direct the processing system to generate the encrypted string by directing the processing system to generate the encrypted string comprising the temporary password and the temporary access level increase requested by the user.
  - 16. The apparatus of claim 13 wherein the program instructions direct the processing system to grant the temporary access level increase for only a single elevated login request.
  - 17. The apparatus of claim 13 wherein the program instructions direct the processing system to grant the temporary access level increase for predetermined number of elevated login requests.
  - 18. The apparatus of claim 13 wherein the program instructions direct the processing system to grant the temporary access level increase for a predetermined period of time.
  - 19. The apparatus of claim 13 wherein the program instructions direct the processing system to generate the encrypted string by system to generate the encrypted string comprising the temporary password and the temporary role.
  - 20. The apparatus of claim 13 wherein the program instructions direct the processing system to receive the request for the temporary access level increase by directing the processing system to receive the request for the temporary access level increase via a function of the one or more functions of the machine control program corresponding with the role of the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Original Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Inventors
Bush, Michael A., Case, Clark L., Jasper, Taryl J.
Primary Examiner(s)
Zhao, Don G

Application Number

US15/153,663
Publication Number

US 20160352752A1
Time in Patent Office

852 Days
Field of Search
US Class Current
CPC Class Codes

G05B 2219/24154   Password with time limited ...

H04L 63/0428   wherein the data content is...

H04L 63/0838   using one-time-passwords

H04L 63/105   Multiple levels of security

One time use password for temporary privilege escalation in a role-based access control (RBAC) system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

One time use password for temporary privilege escalation in a role-based access control (RBAC) system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others