Maintaining Continuous Operational Access Augmented with User Authentication and Action Attribution in Shared Environments

US 20150222639A1
Filed: 10/01/2013
Published: 08/06/2015
Est. Priority Date: 10/22/2012
Status: Abandoned Application

First Claim

Patent Images

1-23. -23. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for maintaining continuous operational access augmented with user authentication and action attribution in shared environments. Multiple users use the same machine/platform to perform their actions. The system includes an access control application and enforcement module that limit users'"'"' actions based on authentication and authority level, enabling each user to perform the user'"'"'s role in the shared environment. In addition, the user'"'"'s activities can be monitored, logged, and interfered with (such as terminating the session), enabling a key requirement of action attribution.

34 Citations

View as Search Results

60 Claims

1-23. -23. (canceled)

24. A method comprising the steps of:
- (a) providing a user a first level of access to a shared environment;
  
  (b) receiving a first trigger while providing said first level of access;
  
  (c) providing the user a second level of access to the shared environment based on said first trigger and access rules;
  
  (d) receiving a second trigger while providing said second level of access;
  
  (e) providing the user a third level of access to the shared environment based on said second trigger and said access rules,wherein at least a pre-determined level of continuous access to the shared environment is provided to the user during transition;
  
  (i) from said first level of access to said second level of access; and
  
  (ii) from said second level of access to said third level of access.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 25. The method of claim 24 wherein said first and second triggers are selected from the group consisting of:
    - (i) time of day;
      
      (ii) idle time of the shared environment;
      
      (iii) idle time of an operational control system (OCS) associated with the shared environment;
      
      (iv) authentication of the user;
      
      (v) failure of the user to authenticate;
      
      (vi) login of any user to the shared environment;
      
      (vii) logout of any user from the shared environment;
      
      (viii) time since the user was requested to authenticate;
      
      (ix) change in status of the shared environment;
      
      (x) change in status of an operational control system (OCS) associated with the shared environment;
      
      (xi) action or actions of the user in the shared environment(xii) action or actions of the user associated with an operational control system (OCS) associated with the shared environment;
      
      (xiii) command external to the shared environment;
      
      (xiv) any system trigger based on said access rules; and
      
      (xv) a combination of triggerable events.
  - 26. The method of claim 24 wherein said second trigger is:
    - (a) an indication the user has authenticated to the shared environment;
      
      or is(b) an indication the user has failed authentication to the shared environment;
      
      or is(c) based on said access rules.
  - 27. The method of claim 24 wherein said first level of access includes allowing any user said pre-determined level of continuous access to the shared environment.
  - 28. The method of claim 24 wherein said first level of access includes allowing the user said pre-determined level of continuous access to the shared environment while the user is unauthenticated.
  - 29. The method of claim 24 wherein while said second level of access is being provided, the user is required to authenticate for said third level of access.
  - 30. The method of claim 29 wherein:
    - (a) if the user is successful in authenticating, said third level of access is provided; and
      
      (b) if the user fails authentication a fourth level of access is provided based on said access rules
  - 31. The method of claim 30 further including the steps of:
    - (a) when said third level of access is provided, receiving a third trigger indicating that the user has logged out from the shared environment;
      
      (b) providing said first level of access to a subsequent user of the shared environment.
  - 32. The method of claim 24 wherein actions of a current user are logged and attributed to said current user.
  - 33. The method of claim 24 wherein actions of a current user are monitored and attributed to said current user.
  - 34. The method of claim 24 wherein user actions are prevented or changed according to said access rules or an external command.
  - 35. The method of claim 24 wherein access is provided such that:
    - (a) said second level of access is said first level of access;
      
      or such that(b) said third level of access is said second level of access;
      
      or such that(c) said first level of access is said pre-determined level of continuous access;
      
      or such that(d) said second level of access is said pre-determined level of continuous access;
      
      or such that(e) said third level of access is said pre-determined level of continuous access;
      
      or such that(f) said first level of access is an unauthenticated level of access;
      
      or such that(g) said second level of access is an unauthenticated level of access;
      
      or such that(h) said third level of access is an authenticated level of access.
  - 36. The method of claim 24 wherein a Privileged Account Management System (PAMS) provides at least one of:
    - (a) said access rules;
      
      (b) authentication to the user while said second level of access is being provided;
      
      (c) logging and attribution of actions of the user; and
      
      (d) monitoring and attribution of actions of the user.
  - 37. The method of claim 24 wherein the user is a human.
  - 38. The method of claim 24 wherein the user is a computer application.
  - 39. The method of claim 24 wherein the shared environment is a computer system.

40. A system comprising:
- (a) a rules module configured to receive, store, and provide access rules;
  
  (b) a trigger module configured to receive, store, and provide triggers;
  
  (c) an enforcement module operational to control user input based on an access level, said enforcement module providing a user a first level of access to a shared environment;
  
  (d) an access control application module (ACA) operationally connected to said rules module, said trigger module, and said enforcement module, said ACA configured to;
  
  (i) receive a first trigger from said trigger module while said first level of access is being provided;
  
  (ii) based on said first trigger, receive a first access rule from said rules module;
  
  (iii) based on said first access rule, initiate said enforcement module to provide the user a second level of access to the shared environment;
  
  (iv) based on a second trigger, receive a second access rule from said rules module while said second level of access is being provided;
  
  (v) based on said second access rule, initiate said enforcement module to provide the user a third level of access to the shared environment;
  
  wherein at least a pre-determined level of continuous access to the shared environment is provided to the user during transition;
  
  (A) from said first level of access to said second level of access; and
  
  (B) from said second level of access to said third level of access.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 41. The system of claim 40 wherein said enforcement module monitors user input.
  - 42. The system of claim 40 further including a monitoring module configured to monitor user input.
  - 43. The system of claim 40 further including an authentication module operationally connected to said trigger module and configured to send triggers to said trigger module based on success or failure of the user to authenticate.
  - 44. The system of claim 40 further including a logging module configured to receive, store, and/or transmit data from one or more of the modules.
  - 45. The system of claim 40 wherein said first and second triggers are selected from the group consisting of:
    - (i) time of day;
      
      (ii) idle time of the shared environment;
      
      (iii) idle time of an operational control system (OCS) associated with the shared environment;
      
      (iv) authentication of the user;
      
      (v) failure of the user to authenticate;
      
      (vi) login of any user to the shared environment;
      
      (vii) logout of any user from the shared environment;
      
      (viii) time since the user was requested to authenticate;
      
      (ix) change in status of the shared environment;
      
      (x) change in status of an operational control system (OCS) associated with the shared environment;
      
      (xi) action or actions of the user in the shared environment(xii) action or actions of the user associated with an operational control system (OCS) associated with the shared environment;
      
      (xiii) command external to the shared environment;
      
      (xiv) any system trigger based on said access rules; and
      
      (xv) a combination of triggerable events.
  - 46. The system of claim 40 wherein said second trigger is:
    - (a) an indication said user has authenticated to the shared environment;
      
      or is(b) an indication said user has failed authentication to the shared environment;
      
      or is(c) based on said access rules.
  - 47. The system of claim 40 wherein said first level of access includes allowing any user said pre-determined level of continuous access to the shared environment.
  - 48. The system of claim 40 wherein said first level of access includes allowing the user said pre-determined level of continuous access to the shared environment while the user is unauthenticated.
  - 49. The system of claim 40 wherein while said second level of access is being provided, the user is required to authenticate for said third level of access.
  - 50. The system of claim 49 wherein:
    - (a) if the user is successful in authenticating, said third level of access is provided; and
      
      (b) if the user fails authentication a fourth level of access is provided based on said access rules.
  - 51. The system of claim 50 wherein said ACA is further configured to:
    - (a) when said third level of access is provided, receive a third trigger indicating that the user has logged out from the shared environment;
      
      (b) provide said first level of access to a subsequent user of the shared environment.
  - 52. The system of claim 40 wherein actions of a current user are logged and attributed to said current user.
  - 53. The system of claim 40 wherein actions of a current user are monitored and attributed to said current user.
  - 54. The system of claim 40 wherein user actions are prevented or changed according to said access rules or an external command.
  - 55. The system of claim 40 wherein access is provided such that:
    - (a) said second level of access is said first level of access;
      
      or such that(b) said third level of access is said second level of access;
      
      or such that(c) said first level of access is said pre-determined level of continuous access;
      
      or such that(d) said second level of access is said pre-determined level of continuous access;
      
      or such that(e) said third level of access is said pre-determined level of continuous access;
      
      or such that(f) said first level of access is an unauthenticated level of access;
      
      or such that(g) said second level of access is an unauthenticated level of access;
      
      or such that(h) said third level of access is an authenticated level of access.
  - 56. The system of claim 40 wherein a Privileged Account Management System (PAMS) provides at least one of:
    - (a) said access rules;
      
      (b) authentication to the user while said second level of access is being provided;
      
      (c) logging and attribution of actions of the user; and
      
      (d) monitoring and attribution of actions of the user.
  - 57. The system of claim 40 wherein the user is a human.
  - 58. The system of claim 40 wherein the user is a computer application.
  - 59. The system of claim 40 wherein the shared environment is a computer system.

60. A computer-readable storage medium having embedded thereon computer-readable code for providing access, the computer readable code comprising program code for:
- (a) providing a user a first level of access to a shared environment;
  
  (b) receiving a first trigger while providing said first level of access;
  
  (c) providing the user a second level of access to the shared environment based on said first trigger and access rules;
  
  (d) receiving a second trigger while providing said second level of access;
  
  (e) providing the user a third level of access to the shared environment based on said second trigger and said access rules,wherein at least a pre-determined level of continuous access to the shared environment is provided to the user during transition;
  
  (i) from said first level of access to said second level of access; and
  
  (ii) from said second level of access to said third level of access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Original Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Inventors
Dulkin, Andrey, Sade, Yair

Application Number

US14/110,155
Publication Number

US 20150222639A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Maintaining Continuous Operational Access Augmented with User Authentication and Action Attribution in Shared Environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

60 Claims

Specification

Use Cases

Quick Links

Others

Maintaining Continuous Operational Access Augmented with User Authentication and Action Attribution in Shared Environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

60 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others