Lifecycle management of privilege sharing using an identity management system

US 8,631,477 B2
Filed: 07/23/2009
Issued: 01/14/2014
Est. Priority Date: 07/23/2009
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor;

a data bus coupled to the processor; and

a computer-usable medium embodying computer program code, the computer-usable medium being coupled to the data bus, the computer program code providing lifecycle management of privilege sharing and comprising instructions executable by the processor and configured for;

providing a proxy service to a plurality of identity services, each identity service being defined in an identity management system and managing a plurality of privileged accounts;

defining a filter to specify the identity services whose privileged accounts will be hosted by the proxy service;

assigning a group of the proxy service to a shared ID authorization account, the assigning to the respective account being managed by an identification (ID) pool manager; and

sharing the use of the privileged account with the shared ID authorization account;

wherein the lifecycle of a shared privileged account is managed by performing;

an account access authorization request operation in response to a shared privileged account being received by the proxy service, wherein the access request operation obtains approval of access;

an account sign-out operation in response to a shared ID authorization account request being received by the proxy service, wherein the account sign-out operation;

generates a shared ID authorization account record comprising the shared usage relationship of the shared ID authorization account and the requestor and account sign-out information;

associates the shared ID authorization account with the requestor;

generates a new password for use of the shared ID authorization account by the requestor; and

an account sign-in operation upon expiration of the shared ID authorization account or its end of use by the requestor, wherein the account sign-in operation;

disassociates the shared privileged account from the requestor;

disables the use of the new password with the shared privileged account;

updates the shared ID authorization account record with account sign-in information; and

an authorization removal operation deleting the shared ID authorization account when access to the system is no longer needed.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Managing a lifecycle of a shared privileged account via a proxy service which comprises an Identity Management (IdM) system that defines and manages identity services, which in turn manage privileged accounts used to access managed targets. Each of the identity services is mapped to a privilege group of the proxy service and an ID pool manager is implemented to manage sharing of the privileged accounts. A request is generated to access a managed target with a privileged account. A shared privileges module generates a shared ID authorization account and associates it with the requestor. The shared ID authorization account is populated with sign out information for a shared privileged account, which the requestor uses to access the corresponding managed target. When use of the shared privileged account is ended, the shared privileges module disassociates the requestor with the shared privileged account by deleting the shared ID authorization account.

46 Citations

View as Search Results

20 Claims

1. A system comprising:
- a processor;
  
  a data bus coupled to the processor; and
  
  a computer-usable medium embodying computer program code, the computer-usable medium being coupled to the data bus, the computer program code providing lifecycle management of privilege sharing and comprising instructions executable by the processor and configured for;
  
  providing a proxy service to a plurality of identity services, each identity service being defined in an identity management system and managing a plurality of privileged accounts;
  
  defining a filter to specify the identity services whose privileged accounts will be hosted by the proxy service;
  
  assigning a group of the proxy service to a shared ID authorization account, the assigning to the respective account being managed by an identification (ID) pool manager; and
  
  sharing the use of the privileged account with the shared ID authorization account;
  
  wherein the lifecycle of a shared privileged account is managed by performing;
  
  an account access authorization request operation in response to a shared privileged account being received by the proxy service, wherein the access request operation obtains approval of access;
  
  an account sign-out operation in response to a shared ID authorization account request being received by the proxy service, wherein the account sign-out operation;
  
  generates a shared ID authorization account record comprising the shared usage relationship of the shared ID authorization account and the requestor and account sign-out information;
  
  associates the shared ID authorization account with the requestor;
  
  generates a new password for use of the shared ID authorization account by the requestor; and
  
  an account sign-in operation upon expiration of the shared ID authorization account or its end of use by the requestor, wherein the account sign-in operation;
  
  disassociates the shared privileged account from the requestor;
  
  disables the use of the new password with the shared privileged account;
  
  updates the shared ID authorization account record with account sign-in information; and
  
  an authorization removal operation deleting the shared ID authorization account when access to the system is no longer needed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, further comprising:
    - mapping respective systems and applications to the group, wherein the shared privileged account is used by the group to access the respective systems and applications.
  - 3. The system of claim 1, further comprising managing the lifecycle of the shared privileged account.
  - 4. The system of claim 3, further comprising deleting the Shared ID authorization account and its associated access to the respective systems and applications.
  - 5. The system of claim 1, wherein the password of the privileged account is automatically reset upon deletion of the shared ID authorization account.
  - 6. The system of claim 1, wherein recertification and requested use justification operations related to the requestor are performed to recertify the requestor and justify the use of the privileged account by the requestor.
  - 7. The system of claim 1, wherein:
    - the account sign-out information comprises a starting date and a starting time for the requestor to begin use of the shared privileged account; and
      
      the account sign-in information comprises an ending date and an ending time for the requestor to end use of the shared privileged account.
  - 8. The system of claim 7, wherein the account sign-out and sign-in information is used to generate shared privileged account usage reports and associated audit trail information related to shared privileged account lifecycle events.
  - 9. The system of claim 1, wherein each group comprises a predetermined privilege and contains a pool of privileged accounts managed by the pool manager through a pluggable interface.

10. A non-transitory computer-usable medium embodying computer program code, the computer program code comprising computer executable instructions configured for:
- providing a proxy service to a plurality of identity services, each identity service being defined in an identity management system and managing a plurality of privileged accounts;
  
  defining a filter to specify the identity services whose privileged accounts will be hosted by the proxy service;
  
  assigning a group of the proxy service to a shared ID authorization account, the assigning to the respective account being managed by an identification (ID) pool manager; and
  
  sharing the use of the privileged account with the shared ID authorization account;
  
  wherein the lifecycle of a shared privileged account is managed by the shared privileges module performing;
  
  an account access authorization request operation in response to a shared privileged account being received by the proxy service, wherein the access request operation obtains approval of access;
  
  an account sign-out operation in response to a shared ID authorization account request being received by the proxy service, wherein the account sign-out operation;
  
  generates a shared ID authorization account record comprising the shared usage relationship of the shared ID authorization account and the requestor and account sign-out information;
  
  associates the shared ID authorization account with the requestor;
  
  generates a new password for use of the shared privileged account by the requestor; and
  
  an account sign-in operation upon expiration of the shared ID authorization account or its end of use by the requestor, wherein the account sign-in operation;
  
  disassociates the shared privileged account from the requestor;
  
  disables the use of the new password with the shared privileged account;
  
  updates the shared ID authorization account record with account sign-in information; and
  
  an authorization removal operation deleting the shared ID authorization account when access to the system is no longer needed.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The non-transitory computer usable medium of claim 10, further comprising:
    - mapping respective systems and applications to the group, wherein the shared privileged account is used by the group to access the respective systems and applications.
  - 12. The non-transitory computer usable medium of claim 10, further comprising managing the lifecycle of the shared privileged account.
  - 13. The non-transitory computer usable medium of claim 12, further comprising deleting the privileged account and its associated access to the respective systems and applications.
  - 14. The non-transitory computer usable medium of claim 10, wherein the password of the privileged account is automatically reset upon deletion of the shared ID authorization account.
  - 15. The non-transitory computer usable medium of claim 10, wherein recertification and requested use justification operations related to the requestor are performed to recertify the requestor and justify the use of the privileged account by the requestor.
  - 16. The non-transitory computer usable medium of claim 10, wherein:
    - the account sign-out information comprises a starting date and a starting time for the requestor to begin use of the shared privileged account; and
      
      the account sign-in information comprises an ending date and an ending time for the requestor to end use of the shared privileged account.
  - 17. The non-transitory computer usable medium of claim 16, wherein the account sign-out and sign-in information is used to generate shared privileged account usage reports and associated audit trail information related to shared privileged account lifecycle events.
  - 18. The non-transitory computer usable medium of claim 10, wherein each group comprises a predetermined privilege and contains a pool of privileged accounts managed by the pool manager through a pluggable interface.
  - 19. The non-transitory computer usable medium of claim 10, wherein the computer executable instructions are deployable to a client computer from a server at a remote location.
  - 20. The non-transitory computer usable medium of claim 10, wherein the computer executable instructions are provided by a service provider to a customer on an on-demand basis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chen, Leanne L., Ames, Alexander P., Vivekanandan, Prema
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Branske, Hilary

Application Number

US12/508,102
Publication Number

US 20110023107A1
Time in Patent Office

1,636 Days
Field of Search

726/6, 726/7, 726/8, 726/12, 726/13, 726/18, 726/19, 726/27, 726/28, 726/29, 726/30
US Class Current

726/6
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

Lifecycle management of privilege sharing using an identity management system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Lifecycle management of privilege sharing using an identity management system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links