Delegated privileged access grants
First Claim
1. A system comprising:
a processor; and
a memory device including instructions for implementing a privileged account manager, wherein the privileged account manager manages access to resources of an organization by user entities of the organization, wherein, when executed by a processor, the instructions cause the processor to perform processing comprising:
generating a first resource group including a first subset of resources from the resources of the organization, wherein the first subset of resources includes at least one account and at least one target system of the organization, and wherein a number of resources in the first subset of resources is less than a number of the resources of the organization;
creating a first group of administrative entities from the user entities of the organization, the first group of administrative entities comprising a first administrative entity;
assigning a first set of administration privileges on the first resource group to the first group of administrative entities, the first set of administration privileges including a particular administration privilege that enables an administrative entity in the first group of administrative entities to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group;
receiving a request from a first administrative entity in the first group of administrative entities to delegate the particular administration privilege from the first set of administration privileges to a particular user entity from the user entities of the organization, wherein the particular user entity is not a member of the first group of administrative entities, and wherein the request specifies one or more conditions under which the particular administration privilege is to be delegated to the particular user entity, the one or more conditions including a temporal condition identifying a time period;
responsive to receiving the request to delegate the particular administration privilege, generating a delegation policy for delegating the particular administration privilege to the particular user entity, the delegation policy including identification of the first administrative entity, the particular user entity, the particular administration privilege, and the one or more conditions;
storing the delegation policy in a policy database;
determining, at a first point in time, that the temporal condition included in the delegation policy is satisfied;
responsive to determining that the temporal condition is satisfied, delegating the particular administration privilege to the particular user entity, wherein the delegating of the particular administration privilege by the privileged account manager to the particular user entity enables the particular user entity to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group without the particular user entity being added to the first group of administrative entities;
determining, at a second point in time after the first point in time, that the temporal condition is no longer satisfied; and
responsive to determining that the temporal condition is no longer satisfied, disabling the particular user entity from using the particular administration privilege.
Abstract
A privileged account management system is provided that controls the management of, and access to, resources within an organization. Resources may include target systems and accounts of the organization. In an embodiment, the privileged account management system is configured to enable the creation of one or more resource groups. A resource group includes a subset of a plurality of resources provided by the organization. In certain embodiments, the privileged account management system is configured to define one or more groups of administrative entities within the organization and to assign to each administrative entity in a group of administrative entities a set of privileges on a resource group. In certain embodiments, the privileged account management system may be configured to enable an administrative entity from a group of administrative entities to delegate a subset of the privileges associated with a resource group to a user entity that is not in the group of administrative entities.
21 Claims
1. A system comprising: (claim text as set out under "First Claim" above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computer-implemented method comprising:
generating a first resource group including a first subset of resources from resources of an organization, wherein the first subset of resources includes at least one account and at least one target system of the organization, and wherein a number of resources in the first subset of resources is less than a number of the resources of the organization;
creating a first group of administrative entities from user entities of the organization, the first group of administrative entities comprising a first administrative entity;
assigning a first set of administration privileges on the first resource group to the first group of administrative entities, the first set of administration privileges including a particular administration privilege that enables an administrative entity in the first group of administrative entities to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group;
receiving a request from a first administrative entity in the first group of administrative entities to delegate the particular administration privilege from the first set of administration privileges to a particular user entity from the user entities of the organization, wherein the particular user entity is not a member of the first group of administrative entities, and wherein the request specifies one or more conditions under which the particular administration privilege is to be delegated to the particular user entity, the one or more conditions including a temporal condition identifying a time period;
responsive to receiving the request to delegate the particular administration privilege, generating a delegation policy for delegating the particular administration privilege to the particular user entity, the delegation policy including identification of the first administrative entity, the particular user entity, the particular administration privilege, and the one or more conditions;
storing the delegation policy in a policy database;
determining, at a first point in time, that the temporal condition included in the delegation policy is satisfied;
responsive to determining that the temporal condition is satisfied, delegating, at the first point in time, the particular administration privilege to the particular user entity, wherein the delegating of the particular privilege by a privileged account manager to the particular user entity enables the particular user entity to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group without the particular user entity being added to the first group of administrative entities;
determining, at a second point in time after the first point in time, that the temporal condition is no longer satisfied; and
responsive to determining that the temporal condition is no longer satisfied, disabling the particular user entity from using the particular administration privilege.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A non-transitory computer-readable medium storing computer-executable instructions executable by one or more processors, the computer-executable instructions comprising:
instructions that cause the one or more processors to generate a first resource group including a first subset of resources from resources of an organization, wherein the first subset of resources includes at least one account and at least one target system of the organization, and wherein a number of resources in the first subset of resources is less than a number of the resources of the organization;
instructions that cause the one or more processors to create a first group of administrative entities from user entities of the organization, the first group of administrative entities comprising a first administrative entity;
instructions that cause the one or more processors to assign a first set of administration privileges on the first resource group to the first group of administrative entities, the first set of administration privileges including a particular administration privilege that enables an administrative entity in the first group of administrative entities to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group;
instructions that cause the one or more processors to receive a request from a first administrative entity in the first group of administrative entities to delegate the particular administration privilege from the first set of administration privileges to a particular user entity from the user entities of the organization, wherein the particular user entity is not a member of the first group of administrative entities, and wherein the request specifies one or more conditions under which the particular administration privilege is to be delegated to the particular user entity, the one or more conditions including a temporal condition identifying a time period;
responsive to receiving the request to delegate the particular administration privilege, instructions that cause the one or more processors to generate a delegation policy for delegating the particular administration privilege to the particular user entity, the delegation policy including identification of the first administrative entity, the particular user entity, the particular administration privilege, and the one or more conditions;
instructions that cause the one or more processors to store the delegation policy in a policy database;
instructions that cause the one or more processors to determine, at a first point in time, that the temporal condition included in the delegation policy is satisfied;
responsive to determining that the temporal condition is satisfied, instructions that cause the one or more processors to delegate the particular administration privilege to the particular user entity, wherein the delegation of the particular administration privilege by a privileged account manager to the particular user entity enables the particular user entity to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group without the particular user entity being added to the first group of administrative entities;
instructions that cause the one or more processors to determine that the temporal condition is no longer satisfied; and
responsive to determining that the temporal condition is no longer satisfied, instructions that cause the one or more processors to disable the particular user entity from using the particular administration privilege.
Dependent claims: 17, 18, 19, 20, 21.
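As an added illustration, not code from the patent or its assignee, the following hypothetical Python model walks through the claimed flow: a resource group that is a strict subset of the organisation's accounts and target systems, an administrative group holding privileges on it, a delegation policy stored with a temporal condition, and an authorization check that honours the delegation only while the time window holds and never adds the delegatee to the administrative group. All class, method and privilege names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Privileges named in the claims: grant an account, change an account's password.
GRANT_ACCOUNT, CHANGE_PASSWORD = "grant_account", "change_password"

@dataclass
class DelegationPolicy:
    delegator: str      # administrative entity that requested the delegation
    delegatee: str      # user entity that is NOT in the administrative group
    privilege: str
    group: str          # resource group the privilege applies to
    start: datetime     # temporal condition: privilege usable in [start, end)
    end: datetime

class PrivilegedAccountManager:   # hypothetical model of the claimed manager
    def __init__(self, org_accounts, org_targets):
        self.org = (frozenset(org_accounts), frozenset(org_targets))
        self.groups, self.admins, self.policy_db = {}, {}, []

    def create_resource_group(self, name, accounts, targets):
        accounts, targets = frozenset(accounts), frozenset(targets)
        # Claim 1: at least one account and one target system, and strictly
        # fewer resources than the organisation holds as a whole.
        if not accounts or not targets:
            raise ValueError("resource group needs an account and a target system")
        if len(accounts | targets) >= len(self.org[0] | self.org[1]):
            raise ValueError("resource group must be a strict subset of org resources")
        self.groups[name] = (accounts, targets)

    def assign_admins(self, group, admins, privileges):
        self.admins[group] = (set(admins), set(privileges))

    def delegate(self, requester, privilege, delegatee, group, start, end):
        admins, privs = self.admins[group]
        # Only a member of the admin group may delegate, only a privilege that
        # group actually holds, and only to a user entity outside the group.
        if requester not in admins or privilege not in privs or delegatee in admins:
            raise PermissionError("delegation request rejected")
        policy = DelegationPolicy(requester, delegatee, privilege, group, start, end)
        self.policy_db.append(policy)          # stored in the policy database
        return policy

    def is_permitted(self, user, privilege, group, now):
        admins, privs = self.admins.get(group, (set(), set()))
        if user in admins and privilege in privs:
            return True
        # A delegated privilege is usable only while its temporal condition holds.
        return any(p.delegatee == user and p.privilege == privilege and p.group == group
                   and p.start <= now < p.end for p in self.policy_db)
```

Evaluating `is_permitted` at a time after the window is the "disabling" step of the claims: no membership change is needed, the stored policy simply stops matching.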