Managing elevated rights on a network

US 7,529,931 B2
Filed: 12/23/2004
Issued: 05/05/2009
Est. Priority Date: 12/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

associating a task with one or more elevated rights using a task association table stored in a computer'"'"'s memory, wherein the task is associated with a user'"'"'s job responsibility; and

granting an elevated right account to the user, the granting comprising;

basing the elevated right account on a principle of least right; and

constraining the elevated right account to provide the one or more elevated rights necessary to perform only the task associated with the elevated rights, wherein the rights associated with the elevated right account are non-overlapping with basic rights provided in a basic user account, wherein the basic user account comprises a non-elevated user account.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes associating a task with one or more elevated rights, wherein the task is associated with a user'"'"'s job responsibility and granting an elevated right account to the user based on a principle of least privilege, wherein the elevated right account provides the one or more elevated rights necessary to perform only the task associated with the elevated rights.

118 Citations

View as Search Results

12 Claims

1. A method comprising:
- associating a task with one or more elevated rights using a task association table stored in a computer'"'"'s memory, wherein the task is associated with a user'"'"'s job responsibility; and
  
  granting an elevated right account to the user, the granting comprising;
  
  basing the elevated right account on a principle of least right; and
  
  constraining the elevated right account to provide the one or more elevated rights necessary to perform only the task associated with the elevated rights, wherein the rights associated with the elevated right account are non-overlapping with basic rights provided in a basic user account, wherein the basic user account comprises a non-elevated user account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as recited in claim 1 wherein the elevated right account is separated from the basic user account that provides only basic right to the user.
  - 3. A method as recited in claim 2 further comprising associating the basic user account with the elevated right account.
  - 4. A method as in claim 2, further comprising assigning an account identifier to the elevated right account, wherein the account identifier is different from an account identifier assigned to the basic user account.
  - 5. A method as recited in claim 1 further comprising periodically reevaluating whether the user should be granted the elevated right account based on the user'"'"'s job responsibility.
  - 6. A method as recited in claim 1 wherein the granting further comprises granting elevated right based on job responsibility criteria, the job responsibility criteria comprising one or more of the following:
    - tasks associated with the job responsibility;
      
      frequency of performance of the tasks;
      
      a specific time limit associated with the tasks; and
      
      a specified time limit associated with the job responsibility.
  - 7. A method as recited in claim 1 wherein the elevated right account requires two-factor authentication for access to the elevated right account.
  - 8. A method as recited in claim 7 wherein the two-factor authentication comprises a password and a physical media.
  - 9. A method as recited in claim 1 further comprising receiving a request for the elevated right account, wherein the request comprises a completed web form.
  - 10. A method as recited in claim 1 further comprising provisioning the elevated right account by creating an elevated right account object in an identity store.
  - 11. A computer-readable storage medium having computer-executable instructions for performing the method of claim 1.

12. A system comprising:
- a memory;
  
  a task association table stored on the memory and associating a task with a set of one or more rights required to perform the task; and
  
  means for generating an elevated right account enabling an associated user to perform only the task by virtue of the one or more rights, wherein the rights associated with the elevated right account are non-overlapping with basic rights provided in a basic user account, wherein the basic user account comprises a non-elevated user account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vasishth, Karen, Leibmann, Matthias, Brown, Laurie A., Lawrence, Mark David, Hunter, Kimberley Ann
Primary Examiner(s)
Pich; Ponnoreay

Application Number

US11/021,750
Publication Number

US 20060143447A1
Time in Patent Office

1,594 Days
Field of Search

713/166
US Class Current

713/166
CPC Class Codes

H04L 63/083 using passwords cryptograph...

H04L 63/102 Entity profiles

Managing elevated rights on a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Managing elevated rights on a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links