Delegated privileged access grants

US 10,482,404 B2
Filed: 08/06/2015
Issued: 11/19/2019
Est. Priority Date: 09/25/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor; and

a memory device including instructions for implementing a privileged account manager, wherein the privileged account manager manages access to resources of an organization by user entities of the organization, wherein, when executed by a processor, the instructions cause the processor to perform processing comprising;

generating a first resource group including a first subset of resources from the resources of the organization, wherein the first subset of resources includes at least one account and at least one target system of the organization, and wherein a number of resources in the first subset of resources is less than a number of the resources of the organization;

creating a first group of administrative entities from the user entities of the organization, the first group of administrative entities comprising a first administrative entity;

assigning a first set of administration privileges on the first resource group to the first group of administrative entities, the first set of administration privileges including a particular administration privilege that enables an administrative entity in the first group of administrative entities to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group;

receiving a request from a first administrative entity in the first group of administrative entities to delegate the particular administration privilege from the first set of administration privileges to a particular user entity from the user entities of the organization, wherein the particular user entity is not a member of the first group of administrative entities, and wherein the request specifies one or more conditions under which the particular administration privilege is to be delegated to the particular user entity, the one or more conditions including a temporal condition identifying a time period;

responsive to receiving the request to delegate the particular administration privilege, generating a delegation policy for delegating the particular administration privilege to the particular user entity, the delegation policy including identification of the first administrative entity, the particular user entity, the particular administration privilege, and the one or more conditions;

storing the delegation policy in a policy database;

determining, at a first point in time, that the temporal condition included in the delegation policy is satisfied;

responsive to determining that the temporal condition is satisfied, delegating the particular administration privilege to the particular user entity, wherein the delegating of the particular administration privilege by the privileged account manager to the particular user entity enables the particular user entity to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group without the particular user entity being added to the first group of administrative entities;

determining, at a second point in time after the first point in time, that the temporal condition is no longer satisfied; and

responsive to determining that the temporal condition is no longer satisfied, disabling the particular user entity from using the particular administration privilege.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A privileged account management system is provided that controls the management and access of resources within the organization. Resources may include target systems and accounts of the organization. In an embodiment, the privileged account management system is configured to enable the creation of one or more resource groups. A resource group includes a subset of a plurality of resources provided by the organization. In certain embodiments, the privileged account management system is configured to define one or more groups of administrative entities within the organization and assign to each administrative entity in a group of administrative entities, a set of privileges on a resource group. In certain embodiments, the privileged account manager system may be configured to enable an administrative entity from a group of administrative entities to delegate a subset of privileges associated with a resource group to a user entity not in the group of administrative entities.

Citations

21 Claims

1. A system comprising:
- a processor; and
  
  a memory device including instructions for implementing a privileged account manager, wherein the privileged account manager manages access to resources of an organization by user entities of the organization, wherein, when executed by a processor, the instructions cause the processor to perform processing comprising;
  
  generating a first resource group including a first subset of resources from the resources of the organization, wherein the first subset of resources includes at least one account and at least one target system of the organization, and wherein a number of resources in the first subset of resources is less than a number of the resources of the organization;
  
  creating a first group of administrative entities from the user entities of the organization, the first group of administrative entities comprising a first administrative entity;
  
  assigning a first set of administration privileges on the first resource group to the first group of administrative entities, the first set of administration privileges including a particular administration privilege that enables an administrative entity in the first group of administrative entities to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group;
  
  receiving a request from a first administrative entity in the first group of administrative entities to delegate the particular administration privilege from the first set of administration privileges to a particular user entity from the user entities of the organization, wherein the particular user entity is not a member of the first group of administrative entities, and wherein the request specifies one or more conditions under which the particular administration privilege is to be delegated to the particular user entity, the one or more conditions including a temporal condition identifying a time period;
  
  responsive to receiving the request to delegate the particular administration privilege, generating a delegation policy for delegating the particular administration privilege to the particular user entity, the delegation policy including identification of the first administrative entity, the particular user entity, the particular administration privilege, and the one or more conditions;
  
  storing the delegation policy in a policy database;
  
  determining, at a first point in time, that the temporal condition included in the delegation policy is satisfied;
  
  responsive to determining that the temporal condition is satisfied, delegating the particular administration privilege to the particular user entity, wherein the delegating of the particular administration privilege by the privileged account manager to the particular user entity enables the particular user entity to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group without the particular user entity being added to the first group of administrative entities;
  
  determining, at a second point in time after the first point in time, that the temporal condition is no longer satisfied; and
  
  responsive to determining that the temporal condition is no longer satisfied, disabling the particular user entity from using the particular administration privilege.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the at least one account of the organization enables access to first subset of resources.
  - 3. The system of claim 1, wherein only the first group of administration entities have administration privileges modify security settings for the first subset of resources.
  - 4. The system of claim 1, wherein a first privilege from the first set of administration privileges enables the user entities in the first group of administrative entities to modify user entities that are able to use the first subset of resources.
  - 5. The system of claim 1, wherein a first privilege from the first set of administration privileges enables the users in the first group of administrative entities to change the first subset of resources.
  - 6. The system of claim 1, wherein the first set of administration privileges modifies a capability of the first group of administrative entities, wherein the capability is modified with respect to the first resource group.
  - 7. The system of claim 1, wherein the temporal condition identifies a specific time during a day and the one or more conditions include a location condition that indicates a particular geographic location within the organization.
  - 8. The system of claim 1, wherein:
    - the time period is defined by a start time and an end time;
      
      determining at the first point in time comprises determining that the start time has been satisfied; and
      
      determining at the second point in time comprises determining that the end time has been satisfied.

9. A computer-implemented method comprising:
- generating a first resource group including a first subset of resources from resources of an organization, wherein the first subset of resources includes at least one account and at least one target system of the organization, and wherein a number of resources in the first subset of resources is less than a number of the resources of the organization;
  
  creating a first group of administrative entities from user entities of the organization, the first group of administrative entities comprising a first administrative entity;
  
  assigning a first set of administration privileges on the first resource group to the first group of administrative entities, the first set of administration privileges including a particular administration privilege that enables an administrative entity in the first group of administrative entities an ability to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group;
  
  receiving a request from a first administrative entity in the first group of administrative entities to delegate the particular administration privilege from the first set of administration privileges to a particular user entity from the user entities of the organization, wherein the particular user entity is not a member of the first group of administrative entities, and wherein the request specifies one or more conditions under which the particular administration privilege is to be delegated the particular user entity, the one or more conditions including a temporal condition identifying a time period temporal conditions;
  
  responsive to receiving the request to delegate the particular administration privilege, generating a delegation policy for delegating the particular administration privilege to the particular administrative entity, the delegation policy including identification of the first user entity, the particular user entity, the particular administration privilege, and the one or more conditions;
  
  storing the delegation policy in a policy database;
  
  determining, at a first point in time, that the temporal condition included in the delegation policy;
  
  responsive to determining that the temporal condition is satisfied, delegating, at the first point in time, the particular administration privilege to the particular user entity, wherein the delegating of the particular privilege by a privileged account manager to the particular user entity enables the particular user entity to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group without the particular user entity being added to the first group of administrative entities;
  
  determining, at a second point in time after the first point in time, that the temporal condition is no longer satisfied; and
  
  responsive to determining that the temporal condition is no longer satisfied, disabling the particular user entity from using the particular administration privilege.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer-implemented method of claim 9, wherein the at least one account of the organization enables access to first subset of resources.
  - 11. The computer-implemented method of claim 9, wherein only the first group of administration entities have administration privileges modify security settings for the first subset of resources.
  - 12. The computer-implemented method of claim 9, wherein a first privilege from the first set of administration privileges enables the user entities in the first group of administrative entities to modify user entities that are able to use the first subset of resources.
  - 13. The computer-implemented method of claim 9, wherein the first set of administration privileges modifies a capability of the first group of administrative entities, wherein the capability is modified with respect to the first resource group.
  - 14. The computer-implemented method of claim 9, whereinthe temporal condition further comprise at least a specific time during a day and location conditions that indicate at least a particular geographic location within the organization.
  - 15. The computer-implemented method of claim 9, wherein:
    - the time period is defined by a start time and an end time;
      
      instructions for determining at the first point in time comprises determining that the start time has been satisfied; and
      
      instructions for determining at the second point in time comprises determining that the end time has been satisfied.

16. A non-transitory computer-readable media storing computer-executable instructions executable by one or more processors, the computer-executable instructions comprising:
- instructions that cause the one or more processors to generate a first resource group including a first subset of resources from resources of an organization, wherein the first subset of resources includes at least one account and at least one target system of the organization, and wherein a number of resources in the first subset of resources is less than a number of the resources of the organization;
  
  instructions that cause the one or more processors to create a first group of administrative entities from user entities of the organization, the first group of administrative entities comprising a first administrative entity;
  
  instructions that cause the one or more processors to assign a first set of administration privileges on the first resource group to the first group of administrative entities, the first set of administration privileges including a particular administration privilege that enables an administrative entity in the first group of administrative entities an ability to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group;
  
  instructions that cause the one or more processors to receive a request from a first administrative entity in the first group of administrative entities to delegate particular administration privilege from the first set of administration privileges to a particular user entity from the user entities of the organization, wherein the particular user entity is not a member of the first group of administrative entities, and wherein the request specifies one or more conditions under which the particular administration privilege is to be delegated to the particular user entity, the one or more conditions including a temporal condition identifying a time period;
  
  responsive to receiving the request to delegate the particular administration privilege, instructions that cause the one or more processors to generate a delegation policy for delegating the particular administration privilege to the particular user entity, the delegation policy including identification of the first administrative entity, the particular user entity, the particular administration privilege, and the one or more conditions;
  
  instructions that cause the one or more processors to store the delegation policy in a policy database;
  
  instructions that cause the one or more processors to determine, at a first point in time, that the temporal condition included in the delegation policy is satisfied;
  
  responsive to determining that the temporal condition is satisfied, instructions that cause the one or more processors to delegate the particular administration privilege to the particular user entity, wherein the delegation of the particular administration privilege by a privileged account manager to the particular user entity enables the particular user entity to grant an account included in the first resource group or to change a password of an account on a target system included in the first resource group without the particular user entity being added to the first group of administrative entities;
  
  instructions that cause the one or more processors to determine that the temporal condition is no longer satisfied; and
  
  responsive to determining that the temporal condition is no longer satisfied, instructions that cause the one or more processors to disable the particular user entity from using the particular administration privilege.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The non-transitory computer-readable media of claim 16, wherein only the first group of administration entities have administration privileges to modify security settings for the first subset of resources.
  - 18. The non-transitory computer-readable media of claim 16, wherein a first privilege from the first set of administration privileges enables the user entities in the first group of administrative entities to modify user entities that are able to use the first subset of resources.
  - 19. The non-transitory computer-readable media of claim 16, wherein the first set of administration privileges modifies a capability of the first group of administrative entities, wherein the capability is modified with respect to the first resource group.
  - 20. The non-transitory computer-readable media of claim 16, wherein the temporal condition further comprise at least a specific time during a day and location conditions that indicate at least a particular geographic location within the organization.
  - 21. The non-transitory computer-readable media of claim 16, wherein:
    - the time period is defined by a start time and an end time;
      
      determining at the first point in time comprises determining that the start time has been satisfied; and
      
      determining at the second point in time comprises determining that the end time has been satisfied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Theebaprakasam, Arun, Shih, Kuang-Yu, Wang, Zhe
Primary Examiner(s)
Waesco, Joseph M

Application Number

US14/819,970
Publication Number

US 20160092802A1
Time in Patent Office

1,566 Days
Field of Search

None
US Class Current
CPC Class Codes

G06Q 10/0631 Resource planning, allocati...

Delegated privileged access grants

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Delegated privileged access grants

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links