Run-time trust management system for access impersonation

US 10,581,826 B2
Filed: 10/12/2016
Issued: 03/03/2020
Est. Priority Date: 10/22/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a computer system of an access management system, from a first device associated with a first user, a request by the first user for access to a resource at the first device, wherein access to the resource by the first user is requested based on access to the resource permitted to a second user, and wherein the first user is different from the second user;

in response to receiving the request by the first user for access to the resource, processing the request, which includes;

(i) authenticating the first user based on credential information for the first user, and (ii) determining whether the first user is authorized to access the resource on behalf of the second user based on a policy for impersonation of the second user by the first user;

based on determining that the first user is authenticated and authorized to access the resource on behalf of the second user, generating security data to provide the first user with access to the resource requested by the first user, wherein the security data includes first security data for the first user and second security data for the second user;

sending, from the computer system, the first security data to the first device;

sending, from the computer system, the second security data to a second device associated with the second user;

receiving, by the computer system, first security information from the first device;

receiving, by the computer system, second security information from the first device;

determining whether the received first security information matches first information in the first security data that is sent to the first device from the computer system;

determining whether the received second security information matches second information in the second security data that is sent to the second device from the computer system; and

based on determining that the received first security information matches the first information in the first security data and based on determining that the received second security information matches the second information in the second security data;

enabling, by the computer system, the first user to access the resource at the first device, wherein the access to the resource is enabled based on the access to the resource permitted to the second user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for facilitating impersonation for accessing resources through an access management system. When a user (“impersonator”) requests access to impersonate another user (“impersonatee”), the access management system may generate security data having two parts. One part may include a first security key that is sent to the impersonator and a second part may include a second security key that is sent to the impersonatee. Receipt of the second security key notifies the impersonatee about a request for impersonation to access a resource according to access permitted to the impersonatee. The impersonatee, if consenting to impersonation, may provide the security key received to the impersonator, thereby implicitly providing the impersonator with trust at run-time to access the resource. Upon verification of both security keys, by the access management system, access to a resource is provided to the impersonator based on access to the resource permitted to the impersonatee.

Citations

20 Claims

1. A method comprising:
- receiving, at a computer system of an access management system, from a first device associated with a first user, a request by the first user for access to a resource at the first device, wherein access to the resource by the first user is requested based on access to the resource permitted to a second user, and wherein the first user is different from the second user;
  
  in response to receiving the request by the first user for access to the resource, processing the request, which includes;
  
  (i) authenticating the first user based on credential information for the first user, and (ii) determining whether the first user is authorized to access the resource on behalf of the second user based on a policy for impersonation of the second user by the first user;
  
  based on determining that the first user is authenticated and authorized to access the resource on behalf of the second user, generating security data to provide the first user with access to the resource requested by the first user, wherein the security data includes first security data for the first user and second security data for the second user;
  
  sending, from the computer system, the first security data to the first device;
  
  sending, from the computer system, the second security data to a second device associated with the second user;
  
  receiving, by the computer system, first security information from the first device;
  
  receiving, by the computer system, second security information from the first device;
  
  determining whether the received first security information matches first information in the first security data that is sent to the first device from the computer system;
  
  determining whether the received second security information matches second information in the second security data that is sent to the second device from the computer system; and
  
  based on determining that the received first security information matches the first information in the first security data and based on determining that the received second security information matches the second information in the second security data;
  
  enabling, by the computer system, the first user to access the resource at the first device, wherein the access to the resource is enabled based on the access to the resource permitted to the second user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the access to the resource that is enabled for the first user is identical to the access to the resource permitted to the second user.
  - 3. The method of claim 1, wherein the access to the resource that is enabled for the first user is a portion of the access to the resource permitted to the second user.
  - 4. The method of claim 1, wherein the first security information and the second security information are received together from the first device.
  - 5. The method of claim 1, wherein the first security data is different from the second security data, and wherein the first security information is different from the second security information.
  - 6. The method of claim 5, wherein the first security information includes a first access key obtained from the first security data received by the first device from the computer system, and wherein the second security information includes a second access key obtained from the second security data sent by the computer system.
  - 7. The method of claim 6, wherein the first device obtains the second access key from the second security data.
  - 8. The method of claim 1, wherein after the second device receives the second security data from the computer system, the second device sends the second security data to the first device.
  - 9. The method of claim 1, further comprising:
    - in response to receiving the request by the first user for access to the resource;
      
      determining, by the computer system, that access to the resource is not permitted to the second user;
      
      denying the first user with the access to the resource at the first device; and
      
      sending a message to the first device to indicate that the access to the resource is not permitted.
  - 10. The method of claim 1, wherein the computer system is a first computer system, wherein the first computer system is different from a second computer system, and wherein the second computer system provides the resource upon the first computer system enabling the first user to access the resource at the first device.
  - 11. The method of claim 10, wherein upon the first computer system enabling access to the resource, access to the resource is provided at the first device via a uniform resource locator (URL), the URL specifying a location where the resource is provided by the second computer system.
  - 12. The method of claim 1, further comprising:
    - based on determining that the received first security information does not match the security information in the first security data or based on determining that the second security information does not match the security information in the second security data;
      
      denying access to the resource by the first user through the first device, wherein the access to the resource is denied based on the access to the resource permitted to the second user.
  - 13. The method of claim 1, wherein enabling the first user to access the resource through the first device includes establishing a session at the computer system, and wherein the session is established for the first user to access the resource using the first device.

14. A system of an access management system, the system comprising:
- one or more processors; and
  
  a memory accessible by the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, cause the one or more processors to;
  
  receive, from a first device associated with a first user, a request by the first user for access to a resource at the first device, wherein access to the resource by the first user is requested based on access to the resource permitted to a second user, and wherein the first user is different from the second user;
  
  in response to receiving the request by the first user for access to the resource, processing the request, which includes;
  
  (i) authenticating the first user based on credential information for the first user, and (ii) determining whether the first user is authorized to access the resource on behalf of the second user based on a policy for impersonation of the second user by the first user;
  
  based on determining that the first user is authenticated and authorized to access the resource on behalf of the second user, generate security data to provide the first user with access to the resource requested by the first user, wherein the security data includes first security data for the first user and second security data for the second user;
  
  send the first security data to the first device;
  
  send the second security data to a second device associated with the second user;
  
  receive first security information from the first device;
  
  receive second security information from the first device;
  
  determine whether the received first security information matches first information in the first security data that is sent to the first device from the computer system;
  
  determine whether the received second security information matches second information in the second security data that is sent to the second device from the computer system; and
  
  based on determining that the received first security information matches the first information in the first security data and based on determining that the received second security information matches the second information in the second security data;
  
  enable the first user to access the resource at the first device, wherein the access to the resource is enabled based on the access to the resource permitted to the second user.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, wherein the first security data is different from the second security data, wherein the first security information includes a first access key obtained from the first security data received by the first device from the computer system, wherein the second security information includes a second access key obtained from the second security data sent by the computer system.
  - 16. The system of claim 15, wherein the second device sends the second security data to the first device after the second device receives the second security data sent by the computer system, and wherein the first device obtains the second access key from the second security data sent by the second device.
  - 17. The system of claim 14, wherein the one or more instructions which, upon execution by the one or more processors, further causes the one or more processors to:
    - receive, from the second device, a configuration by the second user of the access to the resource permitted to the first user, wherein the configuration indicates that the access to the resource by the first user is a portion of the of the access to the resource permitted to the second user.

18. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, causes the one or more processors to:
- receiving, at a computer system of an access management system, from a first device associated with a first user, a request by the first user for access to a resource at the first device, wherein access to the resource by the first user is requested based on access to the resource permitted to a second user, and wherein the first user is different from the second user;
  
  in response to receiving the request by the first user for access to the resource, processing the request, which includes;
  
  (i) authenticating the first user based on credential information for the first user, and (ii) determining whether the first user is authorized to access the resource on behalf of the second user based on a policy for impersonation of the second user by the first user;
  
  based on determining that the first user is authenticated and authorized to access the resource on behalf of the second user, generating security data to provide the first user with access to the resource requested by the first user, wherein the security data includes first security data for the first user and second security data for the second user;
  
  sending, from the computer system, the first security data to the first device;
  
  sending, from the computer system, the second security data to a second device associated with the second user;
  
  receiving, by the computer system, first security information from the first device;
  
  receiving, by the computer system, second security information from the first device;
  
  determining whether the received first security information matches first information in the first security data that is sent to the first device from the computer system;
  
  determine whether the received second security information matches second information in the second security data that is sent to the second device from the computer system; and
  
  based on determining that the received first security information matches the first information in the first security data and based on determining that the received second security information matches the second information in the second security data;
  
  enabling, by the computer system, the first user to access the resource at the first device, wherein the access to the resource is enabled based on the access to the resource permitted to the second user.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable medium of claim 18, wherein the second device sends the second security data to the first device after the second device receives the second security data sent by the computer system, and wherein the first device obtains the second information from the second security data sent by the second device.
  - 20. The non-transitory computer-readable medium of claim 18, wherein the one or more instructions which, upon execution by the one or more processors, further causes the one or more processors to:
    - receive, from the second device, a configuration by the second user of the access to the resource permitted to the first user, wherein the configuration indicates that the access to the resource by the first user is a portion of the of the access to the resource permitted to the second user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Kukehalli Subramanya, Ramya, Mathew, Stephen, Koottayi, Vipin Anaparakkal
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US15/291,804
Publication Number

US 20170118222A1
Time in Patent Office

1,238 Days
Field of Search

726 4
US Class Current
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/0815 providing single-sign-on or...

Run-time trust management system for access impersonation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Run-time trust management system for access impersonation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links