Run-time trust management system for access impersonation
Abstract
Techniques are disclosed for facilitating impersonation for accessing resources through an access management system. When a user (“impersonator”) requests access to impersonate another user (“impersonatee”), the access management system may generate security data having two parts. One part may include a first security key that is sent to the impersonator and a second part may include a second security key that is sent to the impersonatee. Receipt of the second security key notifies the impersonatee about a request for impersonation to access a resource according to access permitted to the impersonatee. The impersonatee, if consenting to impersonation, may provide the security key received to the impersonator, thereby implicitly providing the impersonator with trust at run-time to access the resource. Upon verification of both security keys, by the access management system, access to a resource is provided to the impersonator based on access to the resource permitted to the impersonatee.
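The two-key flow the abstract describes, as an added Python example that is not code from the patent. `ImpersonationBroker`, its method names, the in-memory `outbox` standing in for delivery to each user's device, the key lifetime and the single-use rule are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

class ImpersonationBroker:
    """Hypothetical access manager issuing two-part run-time consent keys."""

    def __init__(self, policy, ttl=300):
        self.policy = policy   # {(impersonator, impersonatee): {resources}}
        self.ttl = ttl         # assumed key lifetime in seconds (not from the page)
        self.pending = {}      # request id -> record holding key digests only
        self.outbox = {}       # user -> key "sent" to that user's device

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).digest()

    def request(self, impersonator, impersonatee, resource, now=None):
        """Caller is assumed already authenticated as `impersonator`."""
        allowed = self.policy.get((impersonator, impersonatee), set())
        if impersonator == impersonatee or resource not in allowed:
            raise PermissionError("impersonation not permitted by policy")
        rid = secrets.token_hex(8)
        k1, k2 = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[rid] = {
            "actor": impersonator, "subject": impersonatee, "resource": resource,
            "d1": self._digest(k1), "d2": self._digest(k2),
            "expires": (time.time() if now is None else now) + self.ttl,
        }
        self.outbox[impersonator] = k1   # first key goes to the impersonator
        self.outbox[impersonatee] = k2   # second key also notifies the impersonatee
        return rid

    def redeem(self, rid, caller, key1, key2, now=None):
        """Return a grant only if both keys match; any attempt burns the request."""
        rec = self.pending.pop(rid, None)   # single use, so no retry after a miss
        now = time.time() if now is None else now
        if rec is None or caller != rec["actor"] or now > rec["expires"]:
            return None
        ok1 = hmac.compare_digest(self._digest(key1), rec["d1"])
        ok2 = hmac.compare_digest(self._digest(key2), rec["d2"])
        if not (ok1 and ok2):               # both comparisons always run
            return None
        # Access is scoped to what the impersonatee may do, with the actor recorded.
        return {k: rec[k] for k in ("actor", "subject", "resource")}
```

The impersonator can redeem only after the impersonatee hands over the second key out of band, which is the run-time consent step; keeping `actor` and `subject` separate in the grant lets audit logs attribute actions to the real user.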
20 Claims
1. A method comprising:
receiving, at a computer system of an access management system, from a first device associated with a first user, a request by the first user for access to a resource at the first device, wherein access to the resource by the first user is requested based on access to the resource permitted to a second user, and wherein the first user is different from the second user;
in response to receiving the request by the first user for access to the resource, processing the request, which includes:
(i) authenticating the first user based on credential information for the first user, and (ii) determining whether the first user is authorized to access the resource on behalf of the second user based on a policy for impersonation of the second user by the first user;
based on determining that the first user is authenticated and authorized to access the resource on behalf of the second user, generating security data to provide the first user with access to the resource requested by the first user, wherein the security data includes first security data for the first user and second security data for the second user;
sending, from the computer system, the first security data to the first device;
sending, from the computer system, the second security data to a second device associated with the second user;
receiving, by the computer system, first security information from the first device;
receiving, by the computer system, second security information from the first device;
determining whether the received first security information matches first information in the first security data that is sent to the first device from the computer system;
determining whether the received second security information matches second information in the second security data that is sent to the second device from the computer system; and
based on determining that the received first security information matches the first information in the first security data and based on determining that the received second security information matches the second information in the second security data;
enabling, by the computer system, the first user to access the resource at the first device, wherein the access to the resource is enabled based on the access to the resource permitted to the second user.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A system of an access management system, the system comprising:
one or more processors; and
a memory accessible by the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, cause the one or more processors to:
receive, from a first device associated with a first user, a request by the first user for access to a resource at the first device, wherein access to the resource by the first user is requested based on access to the resource permitted to a second user, and wherein the first user is different from the second user;
in response to receiving the request by the first user for access to the resource, processing the request, which includes:
(i) authenticating the first user based on credential information for the first user, and (ii) determining whether the first user is authorized to access the resource on behalf of the second user based on a policy for impersonation of the second user by the first user;
based on determining that the first user is authenticated and authorized to access the resource on behalf of the second user, generate security data to provide the first user with access to the resource requested by the first user, wherein the security data includes first security data for the first user and second security data for the second user;
send the first security data to the first device;
send the second security data to a second device associated with the second user;
receive first security information from the first device;
receive second security information from the first device;
determine whether the received first security information matches first information in the first security data that is sent to the first device from the computer system;
determine whether the received second security information matches second information in the second security data that is sent to the second device from the computer system; and
based on determining that the received first security information matches the first information in the first security data and based on determining that the received second security information matches the second information in the second security data;
enable the first user to access the resource at the first device, wherein the access to the resource is enabled based on the access to the resource permitted to the second user.
Dependent claims: 15, 16, 17
18. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, causes the one or more processors to:
receiving, at a computer system of an access management system, from a first device associated with a first user, a request by the first user for access to a resource at the first device, wherein access to the resource by the first user is requested based on access to the resource permitted to a second user, and wherein the first user is different from the second user;
in response to receiving the request by the first user for access to the resource, processing the request, which includes:
(i) authenticating the first user based on credential information for the first user, and (ii) determining whether the first user is authorized to access the resource on behalf of the second user based on a policy for impersonation of the second user by the first user;
based on determining that the first user is authenticated and authorized to access the resource on behalf of the second user, generating security data to provide the first user with access to the resource requested by the first user, wherein the security data includes first security data for the first user and second security data for the second user;
sending, from the computer system, the first security data to the first device;
sending, from the computer system, the second security data to a second device associated with the second user;
receiving, by the computer system, first security information from the first device;
receiving, by the computer system, second security information from the first device;
determining whether the received first security information matches first information in the first security data that is sent to the first device from the computer system;
determine whether the received second security information matches second information in the second security data that is sent to the second device from the computer system; and
based on determining that the received first security information matches the first information in the first security data and based on determining that the received second security information matches the second information in the second security data;
enabling, by the computer system, the first user to access the resource at the first device, wherein the access to the resource is enabled based on the access to the resource permitted to the second user.
Dependent claims: 19, 20
Specification