PRIVILEGED ACCOUNT MANAGER, DYNAMIC POLICY ENGINE

US 20130086065A1
Filed: 05/31/2012
Published: 04/04/2013
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a memory storing a plurality of instructions; and

one or more processors configured to access the memory, wherein the one or more processors are further configured to execute the plurality of instructions to;

receive information associated with a plurality of accounts associated with a target system, the plurality of accounts for accessing resources used by the associated target system;

organize one or more of the plurality of accounts together in a group based at least in part on a role for each of the one or more of the plurality of accounts; and

assign a grant to the group.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for managing accounts are provided. An access management system may check out credentials for accessing target systems. For example a user may receive a password for a period of time or until checked back in. Access to the target system may be logged during this time. Upon the password being checked in, a security account may modify the password so that the user may not log back in without checking out a new password. Additionally, in some examples, password policies for the security account may be managed. As such, when a password policy changes, the security account password may be dynamically updated. Additionally, in some examples, hierarchical viewing perspectives may be determined and/or selected for visualizing one or more managed accounts. Further, accounts may be organized into groups based on roles, and grants for the accounts may be dynamically updated as changes occur or new accounts are managed.

Citations

20 Claims

1. A system, comprising:
- a memory storing a plurality of instructions; and
  
  one or more processors configured to access the memory, wherein the one or more processors are further configured to execute the plurality of instructions to;
  
  receive information associated with a plurality of accounts associated with a target system, the plurality of accounts for accessing resources used by the associated target system;
  
  organize one or more of the plurality of accounts together in a group based at least in part on a role for each of the one or more of the plurality of accounts; and
  
  assign a grant to the group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein a first account and a second account of the plurality of accounts each comprise a different type of account.
  - 3. The system of claim 2, wherein the type comprises a user account, a root account, an administrative account, or a user-defined account.
  - 4. The system of claim 1, wherein a first account and a second account of the plurality of accounts are associated with a first target system and a second target system, respectively.
  - 5. The system of claim 4, wherein the first target system and the second target system each comprise a different type of target system.
  - 6. The system of claim 1, wherein the information associated with the plurality of accounts indicates a particular target system associated with the account, a type of the account, or a role associated with the account.
  - 7. The system of claim 1, wherein the one or more processors are further configured to execute the plurality of instructions to receive grant information for the group, wherein the assignment of the grant to the group is based at least in part on the received grant information.
  - 8. The system of claim 1, wherein the one or more processors are further configured to execute the plurality of instructions to:
    - receive information associated with a new account associated with the target system; and
      
      add the new account to the group based at least in part on information indicating that a role of the new account matches a role of the group.
  - 9. The system of claim 8, wherein the one or more processors are further configured to execute the plurality of instructions to update the grant of each of the one or more of the plurality of accounts in the group.

10. A computer-implemented method, comprising:
- receiving, by a computer system, information associated with a plurality of accounts associated with a plurality of target systems, at least a first target system of the plurality of target systems being different from at least a second target system of the plurality of target systems;
  
  receiving, by the computer system, role information for at least one of the plurality of accounts;
  
  forming, by the computer system, a group of the plurality of accounts based at least in part on the role information; and
  
  assigning, by the computer system, a grant policy to the group of the plurality of accounts.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computer-implemented method of claim 10, wherein the role information comprises identification of a role for the at least one of the plurality of accounts, the role comprising administrative, root, user, security, or user-defined.
  - 12. The computer-implemented method of claim 10, wherein the role information is received from an administrative account of an account management service configured to manage the plurality of accounts associated with the plurality of target systems.
  - 13. The computer-implemented method of claim 10, further comprising receiving grant information for the group, wherein the assigning of the grant policy to the group is based at least in part on the received grant policy.
  - 14. The computer-implemented method of claim 10, further comprising:
    - receiving information associated with a new account associated with the plurality of target systems; and
      
      adding the new account to the group when a role of the new account matches a role of the group.
  - 15. The computer-implemented method of claim 14, further comprising updating the grant of each of the one or more of the plurality of accounts in the group based at least in part on the adding of the new account to the group.
  - 16. The computer-implemented method of claim 14, further comprising updating the grant of each of the one or more of the plurality of accounts in the group based at least in part on a change in the grant policy for the group.

17. A computer-readable memory storing a plurality of instructions executable by one or more processors, the plurality of instructions comprising:
- instructions that cause the one or more processors to receive information associated with a plurality of accounts associated with a plurality of target systems, at least a first target system of the plurality of target systems being different from at least a second target system of the plurality of target systems;
  
  instructions that cause the one or more processors to receive, from an administrative account of an account management service configured to manage the plurality of accounts associated with the plurality of target systems, role information for at least one of the plurality of accounts;
  
  instructions that cause the one or more processors to form a group of the plurality of accounts based at least in part on the role information;
  
  instructions that cause the one or more processors to assign a grant policy to the group of the plurality of accounts; and
  
  instructions that cause the one or more processors to update the grant policy of each of the plurality of accounts in the group based at least in part on triggering event.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable memory of claim 17, wherein the plurality of accounts managed by the administrative account includes at least a first account that is a different type of account from at least a second account.
  - 19. The computer-readable memory of claim 17, the plurality of instructions further comprising:
    - instructions that cause the one or more processors to receive information associated with a new account associated with the plurality of target systems; and
      
      add the new account to the group when a role of the new account matches a role of the group.
  - 20. The computer-readable memory of claim 19, the plurality of instructions further comprising instructions that cause the one or more processors to update the grant of each of the one or more of the plurality of accounts in the group based at least in part on the adding of the new account to the group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Theebaprakasam, Arun, Kottahachchi, Buddhika, Shih, Kuang-Yu, Sharma, Himanshu

Granted Patent

US 9,390,255 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/737
CPC Class Codes

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/45   Structures or tools for the...

G06F 21/46   by designing passwords or c...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/604   Tools and structures for ma...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

PRIVILEGED ACCOUNT MANAGER, DYNAMIC POLICY ENGINE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PRIVILEGED ACCOUNT MANAGER, DYNAMIC POLICY ENGINE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links