Role-based access to shared resources

US 10,277,713 B2
Filed: 07/14/2015
Issued: 04/30/2019
Est. Priority Date: 07/14/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at an intermediate network connected device from an edge network device, information identifying a user as having accessed a first network device from an external network connected device via the edge network device, wherein the intermediate network connected device is arranged within a network between the first network device and a second network device, wherein the intermediate network connected device, the first network device and the second network device are within the network, wherein the external network connected device is outside the network, wherein the edge network device applies one or more policies defining access rights to the first network device at a network edge, and wherein the information identifying the user as having accessed the first network device includes a mapping of the user to the first network device and a policy of the one or more policies defining a level of access to the second network device for the user;

receiving at the intermediate network connected device a request from the first network device to access the second network device, wherein the request is received from the first network device in response to access by the user of the first network device via the external network device;

determining, from the information at the intermediate network connected device, the user is a source of the request via the first network device from the mapping of the user to the first network device; and

applying, at the intermediate network connected device, one or more policies defining access rights to the second network device to the request from the first network device based upon determining the user to be the source of the request, wherein applying the one or more policies comprises determining a level of access to the second network device for the user from the policy, and providing the level of access to the first network device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Information identifying a user as having accessed a first network device from an external network connected device is received at an intermediate network connected device from an edge network device. The intermediate network connected device is arranged between the first network device and a second network device. The intermediate network connected device, the first network device and the second network device are within the network and the external network connected device is outside the network. A request to access the second network device is received at the intermediate network connected device from the first network device. It is determined that the user is a source of the request via the first network device based upon the received information. The request from the first network device is evaluated based upon determining the user is the source of the request.

18 Citations

20 Claims

1. A method comprising:
- receiving, at an intermediate network connected device from an edge network device, information identifying a user as having accessed a first network device from an external network connected device via the edge network device, wherein the intermediate network connected device is arranged within a network between the first network device and a second network device, wherein the intermediate network connected device, the first network device and the second network device are within the network, wherein the external network connected device is outside the network, wherein the edge network device applies one or more policies defining access rights to the first network device at a network edge, and wherein the information identifying the user as having accessed the first network device includes a mapping of the user to the first network device and a policy of the one or more policies defining a level of access to the second network device for the user;
  
  receiving at the intermediate network connected device a request from the first network device to access the second network device, wherein the request is received from the first network device in response to access by the user of the first network device via the external network device;
  
  determining, from the information at the intermediate network connected device, the user is a source of the request via the first network device from the mapping of the user to the first network device; and
  
  applying, at the intermediate network connected device, one or more policies defining access rights to the second network device to the request from the first network device based upon determining the user to be the source of the request, wherein applying the one or more policies comprises determining a level of access to the second network device for the user from the policy, and providing the level of access to the first network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein applying the one or more policies comprises granting the request.
  - 3. The method of claim 1, wherein applying the one or more policies comprises denying the request.
  - 4. The method of claim 1, wherein the information identifying the user as having accessed the first network device is contained in a message sent from an access control gateway, wherein the access control gateway is within the network.
  - 5. The method of claim 1, wherein the information identifying the user as having accessed the first network device is contained in a message sent from a wireless access point.
  - 6. The method of claim 1, wherein receiving, at the intermediate network connected device from the edge network device, information identifying the user as having accessed the first network device from the external network connected device comprises receiving the information at one of a switch, a router or a firewall.
  - 7. The method of claim 1, wherein the information identifying the user as having accessed the first network device includes information identifying the user as having accessed a virtual desktop virtual machine.
  - 8. The method of claim 1, wherein the first network device comprises a first virtual machine.
  - 9. The method of claim 8, wherein the second network device comprises a second virtual machine.

10. An apparatus comprising:
- a network interface unit configured to enable communication over a network;
  
  a memory; and
  
  a processor coupled to the network interface unit, wherein the processor is configured to;
  
  receive, via the network interface unit from a n edge network device, information identifying a user as having accessed a first network device from an external network connected device via the edge network device, wherein the apparatus is arranged within the network between the first network device and a second network device, wherein the apparatus, the first network device and the second network device are within the network, wherein the external network connected device is outside the network, wherein the edge network device applies one or more policies defining access rights to the first network device at a network edge, and wherein the information identifying the user as having accessed the first network device includes a mapping of the user to the first network device and a policy of the one or more policies defining a level of access to the second network device for the user;
  
  receive, via the network interface unit, a request from the first network device to access the second network device, wherein the request is received from the first network device in response to access by the user of the first network device via the external network device;
  
  determine the user is a source of the request via the first network device from the mapping of the user to the first network device; and
  
  apply one or more policies defining access rights to the second network device to the request from the first network device based upon determining the user is the source of the request, wherein the processor is configured to apply the one or more policies by determining a level of access to the second network device for the user from the policy and providing the level of access to the first network device.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10, wherein the first network device comprises a first virtual machine.
  - 12. The apparatus of claim 11, wherein the second network device comprises a second virtual machine.
  - 13. The apparatus of claim 10, wherein the processor is configured to receive the information identifying the user as having accessed the first network device by receiving a message sent from an access control gateway.
  - 14. The apparatus of claim 10, wherein the processor is configured to receive the information identifying the user as having accessed the first network device by receiving a mapping of the user to the first network device, and a policy of the one or more policies defining a level of access to the second network device for the user.
  - 15. The apparatus of claim 10, wherein the processor is configured to apply the one or more policies by denying the request.

16. A non-transitory computer readable storage media encoded with instructions, wherein the instructions, when executed by a processor, cause the processor to:
- receive information, from an edge network device, identifying a user as having accessed a first network device from an external network connected device, wherein the processor is included in an apparatus that is arranged within a network between the first network device and a second network device, wherein the apparatus, the first network device and the second network device are within the network, wherein the external network connected device is outside the network and accesses the first network device via the edge network device, wherein the edge network device applies one or more policies defining access rights to the first network device at a network edge, and wherein the information identifying the user as having accessed the first network device includes a mapping of the user to the first network device and a policy of the one or more policies defining a level of access to the second network device for the user;
  
  receive a request from the first network device to access the second network device, wherein the request is received from the first network device in response to access by the user of the first network device via the external network device;
  
  determine the user is a source of the request via the first network device from the mapping of the user to the first network device; and
  
  apply one or more policies defining access rights to the second network device to the request from the first network device based upon determining the user is the source of the request, wherein the instructions that cause the processor to apply the one or more policies cause the processor to apply the one or more policies by determining a level of access to the second network device for the user from the policy and providing the level of access to the first network device.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable storage media of claim 16, wherein the first network device comprises a first virtual machine.
  - 18. The non-transitory computer readable storage media of claim 16, wherein the instructions that cause the processor to receive the information identifying the user as having accessed the first network device further cause the processor to receive a message sent from an access control gateway.
  - 19. The non-transitory computer readable storage media of claim 16, wherein the instructions that cause the processor to receive the information identifying the user as having accessed the first network device further cause the processor to receive a mapping of the user to the first network device, and a policy of the one or more policies defining a level of access to the second network device for the user.
  - 20. The non-transitory computer readable storage media of claim 16, wherein the instructions that cause the processor to apply the one or more policies cause the processor to apply the one or more policies by denying the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ng, Mark Ka Yau, Freilich, Max, Lam, Tak Cheung
Primary Examiner(s)
Patel, Dhairya A

Application Number

US14/798,863
Publication Number

US 20170019498A1
Time in Patent Office

1,386 Days
Field of Search

709223, 709224, 709225, 709229, 709217, 726 1, 726 2, 726 4
US Class Current
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/105 Multiple levels of security

Role-based access to shared resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Role-based access to shared resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links