Control of resource access privileges via agent authentication
First Claim
1. A method comprising:
initializing a group with respective entries corresponding to respective users that have controlled access to a resource;
subsequently to the initializing, and in response to installing an agent program on a client computer having an association with at least one of the users, deleting at least one entry from a cached copy of the group, the deleted entry corresponding to the at least one user;
subsequently to the installing, and in response to uninstalling the agent program from the client computer, adding an entry to the cached copy, the added entry corresponding to the at least one user;
subsequently to the initializing, and in response to a request from the at least one user to access the resource, consulting the cached copy to determine if there is an entry corresponding to a source of the request, and if so, then denying the request; and
wherein after the initializing, the at least one user is denied access to the resource unless the agent program is installed on the client computer associated with the at least one user.
Abstract
A client computer and/or a user is authenticated via installation of an agent, permitting access to previously inaccessible resources. All users are initially denied access to a resource via a permission list, such as by being a member of a group that is denied access. The user, once authenticated, is permitted to access the resource, e.g. by being temporarily removed from a cached copy of the group, by being temporarily added to a cached copy of a group allowed to access the resource, or both. Authentication is revoked when the agent is uninstalled. Subsequent accesses to the resource are not permitted, e.g. by undoing the temporary removal or addition. An optional resource firewall proxy server between client computers and a resource filters requests for the resource, and until a user is authenticated via an out-of-band communication from an agent, the user is denied access to the resource.
20 Claims
1. (Independent claim; reproduced above under First Claim.) Dependent claims: 2 through 11.
12. A system comprising:
a processor enabled to communicate via a network interface; and
a memory, the memory enabled to store instructions that when executed by the processor cause the processor to perform functions comprising:
(a) initializing a first group with respective entries corresponding to respective client computers having controlled access to a resource, the first group being denied access to the resource;
(b) subsequently to the initializing, and in response to installing an agent program on a particular one of the client computers, deleting an entry corresponding to the particular client computer from a cached copy of the first group;
(c) subsequently to the installing, and in response to uninstalling the agent program from the particular client computer, adding an entry to the cached copy of the first group, the added entry corresponding to the particular client computer;
(d) subsequently to the initializing, and in response to a request from the particular client computer received via the network interface, the request being to access the resource, consulting the cached copy of the first group to determine if there is an entry corresponding to the particular client computer, and if so, then denying the request;
(e) consulting a cached copy of a second group to selectively allow the request if there is not an entry in the cached copy of the first group corresponding to the particular client computer, the second group being allowed access to the resource; and
wherein after the initializing, the particular client computer is denied access to the resource unless the agent program is installed on the particular client computer.
Dependent claims: 13, 14.
15. A non-transitory computer readable medium having a set of instructions stored therein that when executed by a processing element causes the processing element to perform functions comprising:
initializing a first group with respective entries corresponding to respective users having controlled access to a resource, the first group being denied access to the resource;
subsequently to the initializing, and in response to installing an agent program on a client computer having an association with at least one of the users, deleting at least one entry from a cached copy of the first group, the deleted entry corresponding to the at least one user;
subsequently to the installing, and in response to uninstalling the agent program from the client computer, adding an entry to the cached copy of the first group, the added entry corresponding to the at least one user;
subsequently to the initializing, and in response to a request from the at least one user to access the resource, consulting the cached copy of the first group to determine if there is an entry corresponding to the at least one user, and if so, then denying the request;
consulting a cached copy of a second group to selectively allow the request if there is not an entry in the cached copy of the first group corresponding to the at least one user, the second group being allowed access to the resource; and
wherein after the initializing, the at least one user is denied access to the resource unless the agent program is installed on the client computer associated with the at least one user.
Dependent claims: 16 through 20.
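As an added illustration (not code from the patent or its assignee), a toy model of the two-group scheme in the abstract and in claims 12 and 15: every controlled principal starts in a cached deny group, installing the agent removes its deny entry and adds an allow entry, uninstalling undoes both, and an access request consults the deny cache before the allow cache. The class and method names are invented for this example.

```python
# Added example, not part of the patent: a minimal model of the claimed
# deny-group / allow-group access check with agent-driven cached copies.
from dataclasses import dataclass, field


@dataclass
class AgentGatedAcl:
    """Authoritative groups plus cached copies that agent events modify."""
    deny_group: set            # controlled principals, initially all denied
    allow_group: set           # principals always allowed (e.g. service accounts)
    deny_cache: set = field(init=False)
    allow_cache: set = field(init=False)

    def __post_init__(self):
        # Initializing step: the cached copies start identical to the groups.
        self.deny_cache = set(self.deny_group)
        self.allow_cache = set(self.allow_group)

    def agent_installed(self, principal):
        # Installing the agent authenticates the principal: remove its entry
        # from the cached deny group and add one to the cached allow group.
        # Only the cached copies change; the authoritative groups do not.
        if principal not in self.deny_group:
            raise KeyError(f"{principal!r} is not a controlled principal")
        self.deny_cache.discard(principal)
        self.allow_cache.add(principal)

    def agent_uninstalled(self, principal):
        # Uninstalling revokes authentication by undoing the temporary edits,
        # restoring the cached copies to what the authoritative groups say.
        if principal in self.deny_group:
            self.deny_cache.add(principal)
        if principal not in self.allow_group:
            self.allow_cache.discard(principal)

    def is_allowed(self, principal):
        # Claim 12 steps (d) and (e): a deny-cache entry wins outright; only
        # if there is none is the allow cache consulted. A principal missing
        # from both caches is denied, so unknown requesters never slip through.
        if principal in self.deny_cache:
            return False
        return principal in self.allow_cache


if __name__ == "__main__":
    acl = AgentGatedAcl(deny_group={"alice", "bob"}, allow_group={"svc-backup"})
    print("alice before agent:", acl.is_allowed("alice"))   # False
    acl.agent_installed("alice")
    print("alice with agent:", acl.is_allowed("alice"))     # True
    acl.agent_uninstalled("alice")
    print("alice after uninstall:", acl.is_allowed("alice"))  # False
```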