Lifecycle management of privilege sharing using an identity management system
First Claim
1. A system comprising:
    a processor;
    a data bus coupled to the processor; and
    a computer-usable medium embodying computer program code, the computer-usable medium being coupled to the data bus, the computer program code providing lifecycle management of privilege sharing and comprising instructions executable by the processor and configured for:
        providing a proxy service to a plurality of identity services, each identity service being defined in an identity management system and managing a plurality of privileged accounts;
        defining a filter to specify the identity services whose privileged accounts will be hosted by the proxy service;
        assigning a group of the proxy service to a shared ID authorization account, the assigning to the respective account being managed by an identification (ID) pool manager; and
        sharing the use of the privileged account with the shared ID authorization account;
    wherein the lifecycle of a shared privileged account is managed by performing:
        an account access authorization request operation in response to a shared privileged account being received by the proxy service, wherein the access request operation obtains approval of access;
        an account sign-out operation in response to a shared ID authorization account request being received by the proxy service, wherein the account sign-out operation:
            generates a shared ID authorization account record comprising the shared usage relationship of the shared ID authorization account and the requestor and account sign-out information;
            associates the shared ID authorization account with the requestor;
            generates a new password for use of the shared ID authorization account by the requestor; and
        an account sign-in operation upon expiration of the shared ID authorization account or its end of use by the requestor, wherein the account sign-in operation:
            disassociates the shared privileged account from the requestor;
            disables the use of the new password with the shared privileged account;
            updates the shared ID authorization account record with account sign-in information; and
        an authorization removal operation deleting the shared ID authorization account when access to the system is no longer needed.
2 Assignments
0 Petitions
Abstract
Managing a lifecycle of a shared privileged account via a proxy service which comprises an Identity Management (IdM) system that defines and manages identity services, which in turn manage privileged accounts used to access managed targets. Each of the identity services is mapped to a privilege group of the proxy service, and an ID pool manager is implemented to manage sharing of the privileged accounts. A request is generated to access a managed target with a privileged account. A shared privileges module generates a shared ID authorization account and associates it with the requestor. The shared ID authorization account is populated with sign-out information for a shared privileged account, which the requestor uses to access the corresponding managed target. When use of the shared privileged account is ended, the shared privileges module disassociates the requestor from the shared privileged account by deleting the shared ID authorization account.
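The abstract and claim 1 describe a check-out/check-in lifecycle for shared privileged accounts: an approval step, a sign-out that records the requestor and issues a fresh password, a sign-in (on expiry or end of use) that disassociates the requestor and disables that password, and a removal step that deletes the record. The following Python model is an added example written for this page; it is not code from the patent or its assignee. The class and field names (`SharedPrivilegesProxy`, `SharedIdAuthorizationRecord`, the `approver` callback, the account names) are assumptions chosen to mirror the abstract's vocabulary, and the hosted-service filter, single-holder rule and expiry sweep are the behaviours a defender would want to be able to check.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class PrivilegedAccount:
    """A privileged account owned by one IdM identity service (constructed sample data)."""
    name: str                              # e.g. "root@db01"
    identity_service: str                  # identity service that manages it (assumed naming)
    password_hash: Optional[str] = None    # valid only between sign-out and sign-in
    checked_out_by: Optional[str] = None   # requestor currently associated with the account


@dataclass
class SharedIdAuthorizationRecord:
    """The shared ID authorization account record: who holds which account, and when."""
    requestor: str
    account: str
    sign_out_at: datetime
    expires_at: datetime
    sign_in_at: Optional[datetime] = None


def _hash(password: str) -> str:
    # Demo-only hashing; a real vault would store the secret under a KDF, not bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


class SharedPrivilegesProxy:
    """Proxy service in front of the identity services (assumed class name)."""

    def __init__(self, accounts, hosted_services, approver: Callable[[str, str], bool]):
        # The filter from the claim: only accounts of hosted identity services are served.
        self.accounts = {a.name: a for a in accounts if a.identity_service in hosted_services}
        self.approver = approver           # stand-in for the access approval workflow
        self.records: dict[str, SharedIdAuthorizationRecord] = {}

    def request_access(self, requestor: str, account: str) -> bool:
        """Account access authorization request: obtain approval of access."""
        if account not in self.accounts:
            return False                   # unknown, or filtered out of the proxy
        return self.approver(requestor, account)

    def sign_out(self, requestor: str, account: str, ttl: timedelta, now=None):
        """Account sign-out: create the record, associate the requestor, issue a new password."""
        now = now or datetime.now(timezone.utc)
        if not self.request_access(requestor, account):
            raise PermissionError(f"{requestor} is not approved for {account}")
        acct = self.accounts[account]
        if acct.checked_out_by is not None:
            raise RuntimeError(f"{account} already checked out by {acct.checked_out_by}")
        password = secrets.token_urlsafe(24)   # returned once; only the hash is kept
        acct.password_hash = _hash(password)
        acct.checked_out_by = requestor
        record_id = secrets.token_hex(8)
        self.records[record_id] = SharedIdAuthorizationRecord(requestor, account, now, now + ttl)
        return record_id, password

    def verify(self, account: str, password: str) -> bool:
        """What the managed target checks: is this password currently live for the account?"""
        acct = self.accounts.get(account)
        if acct is None or acct.password_hash is None:
            return False
        return hmac.compare_digest(acct.password_hash, _hash(password))

    def sign_in(self, record_id: str, now=None) -> None:
        """Account sign-in: disassociate the requestor, disable the password, close the record."""
        rec = self.records[record_id]
        if rec.sign_in_at is not None:
            return                         # already signed in; idempotent
        acct = self.accounts[rec.account]
        acct.checked_out_by = None
        acct.password_hash = None          # the password issued at sign-out stops working
        rec.sign_in_at = now or datetime.now(timezone.utc)

    def expire(self, now: datetime) -> list:
        """Sign in every open record whose expiry has passed (the 'expiration' trigger)."""
        due = [rid for rid, r in self.records.items() if r.sign_in_at is None and r.expires_at <= now]
        for rid in due:
            self.sign_in(rid, now)
        return due

    def remove_authorization(self, record_id: str) -> None:
        """Authorization removal: delete the record once access is no longer needed."""
        rec = self.records.get(record_id)
        if rec is None:
            return
        if rec.sign_in_at is None:
            self.sign_in(record_id)        # never drop an open check-out without revoking it
        del self.records[record_id]


def demo():
    """Run one full lifecycle; returns (live during check-out, live after expiry, record kept)."""
    accounts = [PrivilegedAccount("root@db01", "svc-unix"),
                PrivilegedAccount("sa@sql01", "svc-windows")]          # constructed samples
    proxy = SharedPrivilegesProxy(accounts, hosted_services={"svc-unix"},
                                  approver=lambda who, acct: who == "alice")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rid, pw = proxy.sign_out("alice", "root@db01", timedelta(hours=1), now=t0)
    live = proxy.verify("root@db01", pw)
    proxy.expire(t0 + timedelta(hours=2))
    dead = proxy.verify("root@db01", pw)
    proxy.remove_authorization(rid)
    return live, dead, rid in proxy.records


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The point to audit in any real deployment is the pair of invariants the model enforces: a password exists only while a record is open, and a record can only be deleted after sign-in has revoked it. An account that remains checked out past its expiry, or a record deleted while its password is still valid, is exactly the state this lifecycle is meant to make impossible.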
46 Citations
20 Claims
1. A system comprising: (as set out under First Claim above; dependent claims 2, 3, 4, 5, 6, 7, 8, 9)
10. A non-transitory computer-usable medium embodying computer program code, the computer program code comprising computer executable instructions configured for:
    providing a proxy service to a plurality of identity services, each identity service being defined in an identity management system and managing a plurality of privileged accounts;
    defining a filter to specify the identity services whose privileged accounts will be hosted by the proxy service;
    assigning a group of the proxy service to a shared ID authorization account, the assigning to the respective account being managed by an identification (ID) pool manager; and
    sharing the use of the privileged account with the shared ID authorization account;
    wherein the lifecycle of a shared privileged account is managed by the shared privileges module performing:
        an account access authorization request operation in response to a shared privileged account being received by the proxy service, wherein the access request operation obtains approval of access;
        an account sign-out operation in response to a shared ID authorization account request being received by the proxy service, wherein the account sign-out operation:
            generates a shared ID authorization account record comprising the shared usage relationship of the shared ID authorization account and the requestor and account sign-out information;
            associates the shared ID authorization account with the requestor;
            generates a new password for use of the shared privileged account by the requestor; and
        an account sign-in operation upon expiration of the shared ID authorization account or its end of use by the requestor, wherein the account sign-in operation:
            disassociates the shared privileged account from the requestor;
            disables the use of the new password with the shared privileged account;
            updates the shared ID authorization account record with account sign-in information; and
        an authorization removal operation deleting the shared ID authorization account when access to the system is no longer needed.
    (dependent claims 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
Specification