Centrally Managed Impersonation

US 20110239275A1
Filed: 09/30/2010
Published: 09/29/2011
Est. Priority Date: 03/26/2010
Status: Active Grant

First Claim

Patent Images

1. A method for managing impersonation by an impersonation management system having a central server and at least one remote shell daemon running on at least one remote machine, wherein the central server and the at least one remote shell daemon have a trust relationship, the method comprising:

receiving, at a central server, a request action from a user to a remote machine;

authenticating, at the central server, the request action;

retrieving, at the central server, an impersonation policy for the user to act on the remote machine;

connecting to the remote machine;

sending the impersonation policy to a remote shell daemon;

impersonating an elevated account based on the impersonation policy;

executing the request action on the remote machine; and

returning a response to the user.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and computer readable media for centrally managed impersonation are described. Examples include a system having a central server and a remote shell daemon running on a remote machine, wherein a trust relationship is established between the central server and the remote shell daemon. Examples also include a method wherein a user sends the management system a request to act upon a remote machine. The management system determines whether the user is authenticated for the requested action. Upon authentication, the management system identifies an impersonation policy based on user profile and the remote machine. The management system connects to the remote machine, impersonates an elevated privilege account if required, and executes the user action on the remote machine.

Citations

17 Claims

1. A method for managing impersonation by an impersonation management system having a central server and at least one remote shell daemon running on at least one remote machine, wherein the central server and the at least one remote shell daemon have a trust relationship, the method comprising:
- receiving, at a central server, a request action from a user to a remote machine;
  
  authenticating, at the central server, the request action;
  
  retrieving, at the central server, an impersonation policy for the user to act on the remote machine;
  
  connecting to the remote machine;
  
  sending the impersonation policy to a remote shell daemon;
  
  impersonating an elevated account based on the impersonation policy;
  
  executing the request action on the remote machine; and
  
  returning a response to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 12, 13, 14)
- - 2. The method of claim 1, wherein the act of retrieving an impersonation policy comprises retrieving a policy that defines one or more records, wherein each of the one or more records corresponds to a user action and an elevated privilege account on the remote machine.
  - 3. The method of claim 1, wherein the act of retrieving an impersonation policy comprises retrieving a policy that defines one or more records, wherein at least one of the one or more records corresponds to a user action and an account with reduced privileges on the remote machine.
  - 4. The method of claim 1 further comprising logging the impersonation event on the central server.
  - 5. The method of claim 1, wherein the act of connecting to the remote machine comprises:
    - creating a connection between the central server and a remote shell daemon running on the remote machine; and
      
      spawning a remote shell daemon instance where the user is connected through a default account.
  - 6. The method of claim 1, wherein the act of authenticating a request action to access a remote machine comprises determining, via an access control system, whether the user has access to the remote machine.
  - 7. The method of claim 6, wherein the act of determining whether the user has access to the remote machine comprises using an application username and password.
  - 8. The method of claim 6, wherein act of authenticating a request action to access a remote machine using an access control system comprises using a role based access control system.
  - 12. A computer system for managing one or more computer resources, comprising:
    - a processor;
      
      an operator display coupled to the processor;
      
      a storage subsystem coupled to the processor; and
      
      a software module stored in the storage subsystem, the software module comprising instructions that when executed by the processor cause the processor to perform the method of claim 1.
  - 13. A programmable storage device having programmed instructions stored thereon for causing a programmable control device to perform a method according to claim 1.
  - 14. A networked computer system comprising a plurality of computers communicatively coupled, at least one of the plurality of computers programmed to perform at least a portion of the method of claim 1 wherein the entire method of claim 1 is performed collectively by the plurality of computers.

9. A method for managing impersonation by an impersonation management system having a central server and at least one remote shell daemon running on at least one remote machine, wherein the central server and the at least one remote shell daemon have a trust relationship, the method comprising,accepting, at a remote machine, a connection request from a central server;
- receiving, at the remote machine, an impersonation policy;
  
  receiving, at the remote machine, a user action;
  
  determining whether the user action requires an elevated privilege to execute;
  
  identifying the elevated privilege based on the impersonation policy if determined;
  
  impersonating an account with the elevated privilege if identified;
  
  executing the user action; and
  
  sending a response to the central server.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9 further comprising removing impersonation data from the remote machine.
  - 11. The method of claim 9 further comprising parsing the impersonation policy.

15. A networked impersonation management system, comprising:
- a remote machine having a remote shell daemon running on the remote machine; and
  
  a central server having—
  
  a processing unit configured to accept a request to act on the remote machine,an authentication unit, coupled to the processing unit, configured to manage access to the impersonation management system,an impersonation unit, coupled to the processing unit, configured to manage connections to the remote machine to impersonate an elevated privilege account, anda storage device, coupled to the processing unit, for storing configuration settings of the authentication unit and the impersonation unit.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the authentication unit comprises a role based access control system.
  - 17. The system of claim 15, wherein the remote shell daemon comprises:
    - a receiving unit configured to receive an impersonation policy and one or more user actions from the central server; and
      
      an impersonation control system configured to impersonate as an elevated privilege account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BMC Software Incorporated (KKR & Co., Inc.)
Original Assignee
BMC Software Incorporated (KKR & Co., Inc.)
Inventors
De Peuter, Geert, Solin, David

Granted Patent

US 8,677,446 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Centrally Managed Impersonation

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Centrally Managed Impersonation

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links