System to prevent misuse of access rights in a single sign on environment
Abstract
A system which provides additional controls in access management for single sign on deployments, in order to restrict the range of resources in the deployment which could be accessed by an attacker, without unnecessarily burdening the user for their typical and legitimate use of these resources via single sign on. A misuse protection agent (12) intercepts access requests before they reach the target resource, and will check the status of the user for this resource in the database (28).
Claims

1. A method of restricting access in a single sign on environment, comprising:
(a) providing a resource which comprises a software application,
(b) providing a user which is a role for a human operator in said environment,
(c) providing a resource administrator which is a role for a human operator in said environment,
(d) providing a security administrator which is a role for a human operator in said environment,
(e) providing a client which is able to send an access request to said resource on behalf of said user,
(f) providing an agent which will intercept said access request before it reaches said resource,
(g) providing a database which is operationally connected to said agent for storing information on said resource, said user, said resource administrator, said security administrator, and said access request,
(h) providing a data access means by which said resource administrator can interact with said database,
(i) providing a data access means by which said security administrator can interact with said database,
whereby said agent will intercept said access request to determine whether said user has previously successfully accessed said resource within a predetermined time period, said agent will notify said resource administrator should said user have not successfully accessed said resource within said predetermined time period, said agent will reject said access request should said user have not successfully accessed said resource within said predetermined time period, and said resource administrator may update said database to set the time of last successful access.
Dependent claims: 2, 3, 4, 5

6. A machine for restricting access in a single sign on environment, comprising:
(a) a resource comprising a software application,
(b) a client which is able to send an access request to said resource on behalf of a user,
(c) an agent which will intercept said access request before it reaches said resource,
(d) an application for security administration for use by a security administrator,
(e) an application for resource administration for use by a resource administrator,
(f) a database which is operationally connected to said agent for storing information on said resource, said user, said resource administrator, said security administrator, and said access request,
whereby said agent will intercept said access request to determine whether said user has previously successfully accessed said resource within a predetermined time period, said agent will notify said resource administrator should said user have not successfully accessed said resource within said predetermined time period, said agent will reject said access request should said user have not successfully accessed said resource within said predetermined time period, and said resource administrator may update said database to set the time of last successful access.
Dependent claims: 7, 8, 9, 10
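The decision logic that claims 1 and 6 describe, as an added illustration that is not code from the patent: an agent sits in front of a resource, consults a database of last successful access per (user, resource), lets a request through if that access falls within the predetermined period, and otherwise notifies the resource administrator and rejects. The in-memory database, the user and resource names, the 30-day window, and the choice to refresh the stored timestamp on each allowed access are all constructed assumptions for this example; the patent text leaves those details to the specification.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AccessDatabase:
    """Constructed in-memory stand-in for the database that the agent consults.

    last_success maps (user, resource) to the time of the last successful access;
    resource_admins maps a resource to the administrator the agent notifies.
    """
    last_success: dict = field(default_factory=dict)
    resource_admins: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)   # messages sent to resource administrators
    audit_log: list = field(default_factory=list)       # (time, user, resource, decision) for the security administrator

    def set_last_success(self, user: str, resource: str, when: datetime) -> None:
        self.last_success[(user, resource)] = when


class MisuseProtectionAgent:
    """Intercepts access requests before they reach the resource (claim element (f))."""

    def __init__(self, db: AccessDatabase, window: timedelta):
        self.db = db
        self.window = window  # the "predetermined time period"

    def intercept(self, user: str, resource: str, now: datetime) -> str:
        last = self.db.last_success.get((user, resource))
        if last is not None and now - last <= self.window:
            # Recent legitimate use of this resource: let the request through.
            # Assumption: an allowed access also counts as a new successful access.
            self.db.set_last_success(user, resource, now)
            self.db.audit_log.append((now, user, resource, "allow"))
            return "allow"
        # No successful access within the window: notify the resource administrator and reject.
        admin = self.db.resource_admins.get(resource, "<unassigned>")
        self.db.notifications.append(
            f"to {admin}: {user} requested {resource} at {now.isoformat()} "
            f"with no successful access in the last {self.window}"
        )
        self.db.audit_log.append((now, user, resource, "reject"))
        return "reject"


def resource_admin_set_last_access(db: AccessDatabase, user: str, resource: str, when: datetime) -> None:
    """The resource administrator's data access means: sets the time of last successful access."""
    db.set_last_success(user, resource, when)


def demo() -> tuple:
    """Walks one user through allow, reject, expiry, and administrator approval. Constructed data."""
    db = AccessDatabase()
    db.resource_admins["payroll"] = "payroll-admin"
    agent = MisuseProtectionAgent(db, window=timedelta(days=30))
    t0 = datetime(2024, 1, 1, 9, 0)

    # The user used payroll three days ago, so a single-sign-on request passes.
    db.set_last_success("bob", "payroll", t0 - timedelta(days=3))
    r1 = agent.intercept("bob", "payroll", t0)

    # The same session reaching for a resource the user never touched is rejected and reported.
    r2 = agent.intercept("bob", "hr-admin", t0)

    # Thirty-one days after the last allowed payroll access, the window has lapsed.
    r3 = agent.intercept("bob", "payroll", t0 + timedelta(days=31))

    # The resource administrator records a successful access for hr-admin; later requests pass.
    resource_admin_set_last_access(db, "bob", "hr-admin", t0 + timedelta(hours=1))
    r4 = agent.intercept("bob", "hr-admin", t0 + timedelta(hours=2))

    return [r1, r2, r3, r4], len(db.notifications)


if __name__ == "__main__":
    print(demo())
```

The audit log is what a security administrator (claim elements (d) and (i)) would review: a burst of rejects for one user across several resources is the pattern the patent aims to contain, since a stolen single-sign-on session only reaches resources the legitimate user has recently used.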
Specification