METHOD AND APPARATUS FOR TOKEN-BASED REASSIGNMENT OF PRIVILEGES

US 20130047215A1
Filed: 08/15/2011
Published: 02/21/2013
Est. Priority Date: 08/15/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising a processor operable to:

monitor a session, wherein the session facilitates a user'"'"'s access to a resource, the user granted a privilege associated with accessing the resource;

detect a change in at least one token of a plurality of tokens during the session, the change associated with the privilege granted to the user;

communicate a token that represents the change;

receive a risk token associated with the token;

determine to revoke the privilege based on the risk token;

generate a second token that represents the determination to revoke the privilege; and

communicate the second token to facilitate the revoking of the privilege.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, an apparatus may monitor a session that facilitates a user'"'"'s access to a resource. The user may be granted a privilege associated with accessing the resource. The apparatus may detect a change associated with the privilege granted to the user in at least one token of a plurality of tokens. The apparatus may then communicate a token that represents the change, and receive a risk token associated with the token. The apparatus may then determine to revoke the privilege based on the risk token, and generate a second token that represents the determination to revoke the privilege. The apparatus may then communicate the second token to facilitate the revoking of the privilege.

20 Citations

View as Search Results

21 Claims

1. An apparatus comprising a processor operable to:
- monitor a session, wherein the session facilitates a user'"'"'s access to a resource, the user granted a privilege associated with accessing the resource;
  
  detect a change in at least one token of a plurality of tokens during the session, the change associated with the privilege granted to the user;
  
  communicate a token that represents the change;
  
  receive a risk token associated with the token;
  
  determine to revoke the privilege based on the risk token;
  
  generate a second token that represents the determination to revoke the privilege; and
  
  communicate the second token to facilitate the revoking of the privilege.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, the processor further operable to determine, based on a token-based rule, to grant a new privilege based on the risk token, wherein the second token further represents the determination to grant the new privilege, and wherein communicating the second token facilitates the granting of the new privilege.
  - 3. The apparatus of claim 1, wherein:
    - the user is granted a set of privileges associated with accessing the resource; and
      
      the second token represents a new set of privileges formed by removing the revoked privilege from the set of privileges.
  - 4. The apparatus of claim 3, the processor further operable to determine, based on a token-based rule, to grant a new privilege based on the risk token, wherein the new set of privileges is formed by further adding the new privilege to the set of privileges.
  - 5. The apparatus of claim 1, wherein the plurality of tokens comprises at least one of a subject token, a resource token, and a network token and the change during the session occurs in at least one token of the plurality of tokens.
  - 6. The apparatus of claim 1, wherein the second token is communicated to a resource provider.
  - 7. The apparatus of claim 1, wherein the determination to revoke the privilege is based on a token-based rule.

8. A method for privilege-based access control in a token-based environment, comprising:
- monitoring a session, wherein the session facilitates a user'"'"'s access to a resource, the user granted a privilege associated with accessing the resource;
  
  detecting a change in at least one token of a plurality of tokens during the session, the change associated with the privilege granted to the user;
  
  communicating a token that represents the change;
  
  receiving a risk token associated with the token;
  
  determining, by a processor, to revoke the privilege based on the risk token;
  
  generating, by the processor, a second token that represents the determination to revoke the privilege; and
  
  communicating the second token to facilitate the revoking of the privilege.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising determining, by the processor, based on a token-based rule, to grant a new privilege based on the risk token, wherein the second token further represents the determination to grant the new privilege, and wherein communicating the second token facilitates the granting of the new privilege.
  - 10. The method of claim 8, wherein:
    - the user is granted a set of privileges associated with accessing the resource; and
      
      the second token represents a new set of privileges formed by removing the revoked privilege from the set of privileges.
  - 11. The method of claim 10, further comprising determining, by the processor, based on a token-based rule, to grant a new privilege based on the risk token, wherein the new set of privileges is formed by further adding the new privilege to the set of privileges.
  - 12. The method of claim 8, wherein the plurality of tokens comprises at least one of a subject token, a resource token, and a network token and the change during the session occurs in at least one token of the plurality of tokens.
  - 13. The method of claim 8, wherein the second token is communicated to a resource provider.
  - 14. The method of claim 8, wherein the determination to revoke the privilege is based on a token-based rule.

15. One or more computer-readable non-transitory storage media embodying software that is operable when executed to:
- monitor a session, wherein the session facilitates a user'"'"'s access to a resource, the user granted a privilege associated with accessing the resource;
  
  detect a change in at least one token of a plurality of tokens during the session, the change associated with the privilege granted to the user;
  
  communicate a token that represents the change;
  
  receive a risk token associated with the token;
  
  determine to revoke the privilege based on the risk token;
  
  generate a second token that represents the determination to revoke the privilege; and
  
  communicate the second token to facilitate the revoking of the privilege.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The media of claim 15 embodying software further operable when executed to determine, based on a token-based rule, to grant a new privilege based on the risk token, wherein the second token further represents the determination to grant the new privilege, and wherein communicating the second token facilitates the granting of the new privilege.
  - 17. The media of claim 15, wherein:
    - the user is granted a set of privileges associated with accessing the resource; and
      
      the second token represents a new set of privileges formed by removing the revoked privilege from the set of privileges.
  - 18. The media of claim 17, embodying software further operable when execute to determine, based on a token-based rule, to grant a new privilege based on the risk token, wherein the new set of privileges is formed by further adding the new privilege to the set of privileges.
  - 19. The media of claim 15, wherein the plurality of tokens comprises at least one of a subject token, a resource token, and a network token and the change during the session occurs in at least one token of the plurality of tokens.
  - 20. The media of claim 15, wherein the second token is communicated to a resource provider.
  - 21. The media of claim 15, wherein the determination to revoke the privilege is based on a token-based rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Radhakrishnan, Rakesh, Frick, Cynthia Ann, Marian, Radu, Barbir, Abdulkader Omar, Badhwar, Rajat P.

Granted Patent

US 8,752,143 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/1076   Revocation

G06F 21/335   for accessing specific reso...

H04L 63/0807   using tickets, e.g. Kerbero...

METHOD AND APPARATUS FOR TOKEN-BASED REASSIGNMENT OF PRIVILEGES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR TOKEN-BASED REASSIGNMENT OF PRIVILEGES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links