Delegating security policy management authority to managed accounts
Abstract
A system may delegate authority to manage aspects of a security policy developed by administrative personnel to standard users (e.g., non-administrative personnel) corresponding to managed accounts within an administrative hierarchy. An exemplary security policy may include application management settings that allow or deny individual applications access to various enterprise resources. The system may expose one or more user interfaces to standard users of an enterprise network to enable these standard users to modify the security policy being deployed for their managed account and/or to at least temporarily exempt a particular application from the enterprise's security policy. For example, upon a standard user attempting to access enterprise data with a particular application that is not permitted such access, the system may enable this standard user to change the security policy as applied to her device or to simply exempt the particular application from the security policy.
19 Claims
1. A system comprising:
- at least one processor; and
- at least one memory in communication with the at least one processor, the at least one memory having computer-readable instructions stored thereupon that, when executed by the at least one processor, cause the at least one processor to:
  - obtain a security policy that includes application management settings that are generated from at least one administrative authority account that corresponds to a greater level of administrative rights than a managed account, wherein the application management settings indicate a set of permitted applications that are permitted to access one or more enterprise resources from the managed account;
  - receive a request to access a particular data resource through a particular application that is operating from the managed account;
  - determine, based on the request, that the particular data resource is tagged as an enterprise data resource and that the particular application is not included in the set of permitted applications;
  - expose an application exemption manager that is configured to enable a standard user to generate, from the managed account, an exemption instruction to at least partially exempt the particular application from the security policy, wherein the exemption instruction is generated from the managed account independently from the at least one administrative authority account; and
  - permit, based on the exemption instruction, the particular application to access the particular data resource from the managed account.

(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A computer-implemented method, comprising:
- obtaining, from an administrative authority account, security policy data that indicates a set of approved applications that an administrative authority has approved for use to access enterprise resources from a managed account that corresponds to a standard user, wherein the administrative authority account is associated with a greater level of administrative rights than the managed account that corresponds to the standard user;
- determining, based on the security policy data, a default security policy that includes application management settings to indicate a set of permitted applications that are permitted to access the enterprise resources from the managed account;
- receiving a request associated with accessing the enterprise resources from the managed account through a particular application that is not included in the set of permitted applications;
- determining that the particular application is included in the set of approved applications;
- exposing, based at least in part on the request, a security policy customization interface to enable the standard user to generate, from the managed account, a custom security policy by modifying the application management settings to include the particular application within the set of permitted applications, wherein the custom security policy is generated from the managed account without prompting input from the administrative authority account; and
- permitting, based on the custom security policy, the particular application to access the enterprise resources from the managed account.

(Dependent claims: 9, 10, 11, 12, 13, 14)

15. A computer-implemented method, comprising:
- obtaining a security policy that includes application management settings that define a set of permitted applications that have been indicated as being permitted to access one or more enterprise resources from a managed account that corresponds to a standard user, wherein the application management settings are generated through an administrative authority account that corresponds to a greater level of administrative rights than the managed account that corresponds to the standard user;
- receiving a request to access a particular data resource through a particular application that is operating from the managed account that corresponds to the standard user;
- determining that the particular data resource is tagged as an enterprise data resource and that the particular application is not included in the set of permitted applications that have been indicated as being permitted to access the one or more enterprise resources from the managed account that corresponds to the standard user;
- exposing an application exemption manager that is configured to enable the standard user to generate, from the managed account without prompting input from the administrative authority account, an exemption instruction to at least partially exempt the particular application from the security policy; and
- permitting, based on the exemption instruction, the particular application to access the particular data resource from the managed account.

(Dependent claims: 16, 17, 18, 19)

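The decision flow described in the abstract and the three independent claims can be modelled as follows. This is an added illustration, not code from the patent or its assignee: the class, method and application names are hypothetical, and the expiring exemption and the audit list are assumptions made here (the abstract only says an exemption may be "at least temporarily" granted).

```python
from dataclasses import dataclass, field


@dataclass
class ManagedAccountPolicy:
    """Hypothetical model of a security policy as applied to one managed account."""
    approved: frozenset   # apps the administrative authority approved (claim 8)
    permitted: set        # default policy: apps currently permitted
    exemptions: dict = field(default_factory=dict)  # app -> expiry time (assumption)
    audit: list = field(default_factory=list)       # assumption: log user-made changes

    def decide(self, app, resource_tags, now):
        """Return the outcome for one access request from the managed account."""
        if "enterprise" not in resource_tags:
            return "allow:untagged"          # policy only gates enterprise-tagged data
        if app in self.permitted:
            return "allow:permitted"
        if self.exemptions.get(app, 0) > now:
            return "allow:exempt"
        # Not permitted: expose the customization interface if the admin
        # pre-approved the app (claim 8), else the exemption manager (claims 1, 15).
        return "offer:customize" if app in self.approved else "offer:exempt"

    def customize(self, app):
        """Standard user adds a pre-approved app to the permitted set (claim 8)."""
        if app not in self.approved:
            return False                     # outside what the admin approved
        self.permitted.add(app)
        self.audit.append(("customize", app))
        return True

    def exempt(self, app, now, ttl):
        """Standard user exempts an app without admin input (claims 1, 15)."""
        self.exemptions[app] = now + ttl
        self.audit.append(("exempt", app, now + ttl))


def demo():
    # Constructed sample data: app names and times are illustrative only.
    p = ManagedAccountPolicy(approved=frozenset({"mail", "notes"}), permitted={"mail"})
    out = [p.decide("notes", {"enterprise"}, now=0)]   # offer:customize
    p.customize("notes")
    out.append(p.decide("notes", {"enterprise"}, now=0))  # allow:permitted
    out.append(p.decide("pdf", {"enterprise"}, now=0))    # offer:exempt
    p.exempt("pdf", now=0, ttl=60)
    out.append(p.decide("pdf", {"enterprise"}, now=30))   # allow:exempt
    out.append(p.decide("pdf", {"enterprise"}, now=61))   # exemption expired
    return out, p.audit


if __name__ == "__main__":
    print(demo())
```

Because both paths change effective policy without the administrative authority account, the audit list is what lets an administrator review delegated decisions after the fact.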
Specification