Method and apparatus for token-based reassignment of privileges

US 8,752,143 B2
Filed: 08/15/2011
Issued: 06/10/2014
Est. Priority Date: 08/15/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising a:

a memory operable to store a plurality of tokens comprising a first risk token; and

a hardware processor communicatively coupled to the memory and operable to;

monitor a session, wherein the session facilitates a user'"'"'s access to a resource, the user granted a privilege associated with accessing the resource based at least in part upon the first risk token;

detect a change in at least one token of the plurality of tokens during the session, the change associated with the privilege granted to the user;

communicate the first risk token and a token associated with the change;

receive a second risk token associated with the first risk token and the token, wherein the second risk token indicates an increased risk associated with the change;

determine to revoke the privilege based on the second risk token;

generate a second token associated with the determination to revoke the privilege based at least in part upon the second risk token;

communicate the second token to facilitate the revoking of the privilege;

determine, based on a token-based rule, to grant a new privilege based on the second risk token, wherein the second token is further associated with the determination to grant the new privilege, and wherein communicating the second token facilitates the granting of the new privilege;

determine that a form of authentication associated with the session has been performed;

determine, based at least in part upon the determination that the form of authentication has been performed, that the revoked privilege should be granted;

generate a third token associated with the determination to grant the revoked privileged; and

communicate the third token to facilitate the granting of the revoked privilege.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, an apparatus may monitor a session that facilitates a user'"'"'s access to a resource. The user may be granted a privilege associated with accessing the resource. The apparatus may detect a change associated with the privilege granted to the user in at least one token of a plurality of tokens. The apparatus may then communicate a token that represents the change, and receive a risk token associated with the token. The apparatus may then determine to revoke the privilege based on the risk token, and generate a second token that represents the determination to revoke the privilege. The apparatus may then communicate the second token to facilitate the revoking of the privilege.

36 Citations

18 Claims

1. An apparatus comprising a:
- a memory operable to store a plurality of tokens comprising a first risk token; and
  
  a hardware processor communicatively coupled to the memory and operable to;
  
  monitor a session, wherein the session facilitates a user'"'"'s access to a resource, the user granted a privilege associated with accessing the resource based at least in part upon the first risk token;
  
  detect a change in at least one token of the plurality of tokens during the session, the change associated with the privilege granted to the user;
  
  communicate the first risk token and a token associated with the change;
  
  receive a second risk token associated with the first risk token and the token, wherein the second risk token indicates an increased risk associated with the change;
  
  determine to revoke the privilege based on the second risk token;
  
  generate a second token associated with the determination to revoke the privilege based at least in part upon the second risk token;
  
  communicate the second token to facilitate the revoking of the privilege;
  
  determine, based on a token-based rule, to grant a new privilege based on the second risk token, wherein the second token is further associated with the determination to grant the new privilege, and wherein communicating the second token facilitates the granting of the new privilege;
  
  determine that a form of authentication associated with the session has been performed;
  
  determine, based at least in part upon the determination that the form of authentication has been performed, that the revoked privilege should be granted;
  
  generate a third token associated with the determination to grant the revoked privileged; and
  
  communicate the third token to facilitate the granting of the revoked privilege.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein:
    - the user is granted a set of privileges associated with accessing the resource; and
      
      the second token is associated with a new set of privileges formed by removing the revoked privilege from the set of privileges.
  - 3. The apparatus of claim 2, the processor further operable to determine, based on a token-based rule, to grant a new privilege based on the second risk token, wherein the new set of privileges is formed by further adding the new privilege to the set of privileges.
  - 4. The apparatus of claim 1, wherein the plurality of tokens further comprises at least one of a subject token, a resource token, and a network token and the change during the session occurs in at least one token of the plurality of tokens.
  - 5. The apparatus of claim 1, wherein the second token is communicated to a resource provider.
  - 6. The apparatus of claim 1, wherein the determination to revoke the privilege is based on a token-based rule.

7. A method for privilege-based access control in a token-based environment, comprising:
- monitoring a session, wherein the session facilitates a user'"'"'s access to a resource, the user granted a privilege associated with accessing the resource based at least in part upon a first risk token;
  
  detecting a change in at least one token of a plurality of tokens during the session, the change associated with the privilege granted to the user;
  
  communicating the first risk token and a token associated with the change;
  
  receiving a second risk token associated with the first risk token the token, wherein the second risk token indicates an increased risk associated with the change;
  
  determining, by a hardware processor, to revoke the privilege based on the second risk token;
  
  generating, by the processor, a second token associated with the determination to revoke the privilege based at least in part upon the second risk token; and
  
  communicating the second token to facilitate the revoking of the privilege;
  
  determining, by the processor, based on a token-based rule, to grant a new privilege based on the second risk token, wherein the second token is further associated with the determination to grant the new privilege, and wherein communicating the second token facilitates the granting of the new privilege;
  
  determining, by the processor, that a form of authentication associated with the session has been performed;
  
  determining, by the processor, based at least in part upon the determination that the form of authentication has been performed, that the revoked privilege should be granted;
  
  generating a third token associated with the determination to grant the revoked privileged; and
  
  communicating the third token to facilitate the granting of the revoked privilege.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein:
    - the user is granted a set of privileges associated with accessing the resource; and
      
      the second token is associated with a new set of privileges formed by removing the revoked privilege from the set of privileges.
  - 9. The method of claim 8, further comprising determining, by the processor, based on a token-based rule, to grant a new privilege based on the second risk token, wherein the new set of privileges is formed by further adding the new privilege to the set of privileges.
  - 10. The method of claim 7, wherein the plurality of tokens comprises at least one of a subject token, a resource token, and a network token and the change during the session occurs in at least one token of the plurality of tokens.
  - 11. The method of claim 7, wherein the second token is communicated to a resource provider.
  - 12. The method of claim 7, wherein the determination to revoke the privilege is based on a token-based rule.

13. One or more computer-readable non-transitory storage media embodying software that is operable when executed to:
- monitor a session, wherein the session facilitates a user'"'"'s access to a resource, the user granted a privilege associated with accessing the resource based at least in part upon a first risk token;
  
  detect a change in at least one token of a plurality of tokens during the session, the change associated with the privilege granted to the user;
  
  communicate the first risk token and a token associated with the change;
  
  receive a second risk token associated with the first risk token and the token, wherein the second risk token indicates an increased risk associated with the change;
  
  determine to revoke the privilege based on the second risk token;
  
  generate a second token associated with the determination to revoke the privilege based at least in part upon the second risk token; and
  
  communicate the second token to facilitate the revoking of the privilege;
  
  determine, based on a token-based rule, to grant a new privilege based on the second risk token, wherein the second token is further associated with the determination to grant the new privilege, and wherein communicating the second token facilitates the granting of the new privilege;
  
  determine that a form of authentication associated with the session has been performed;
  
  determine, based at least in part upon the determination that the form of authentication has been performed, that the revoked privilege should be granted;
  
  generate a third token associated with the determination to grant the revoked privileged; and
  
  communicate the third token to facilitate the granting of the revoked privilege.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The media of claim 13, wherein:
    - the user is granted a set of privileges associated with accessing the resource; and
      
      the second token is associated with a new set of privileges formed by removing the revoked privilege from the set of privileges.
  - 15. The media of claim 14, embodying software further operable when execute to determine, based on a token-based rule, to grant a new privilege based on the second risk token, wherein the new set of privileges is formed by further adding the new privilege to the set of privileges.
  - 16. The media of claim 13, wherein the plurality of tokens comprises at least one of a subject token, a resource token, and a network token and the change during the session occurs in at least one token of the plurality of tokens.
  - 17. The media of claim 13, wherein the second token is communicated to a resource provider.
  - 18. The media of claim 13, wherein the determination to revoke the privilege is based on a token-based rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Radhakrishnan, Rakesh, Frick, Cynthia Ann, Marian, Radu, Barbir, Abdulkader Omar, Badhwar, Rajat P.
Primary Examiner(s)
Schwartz, Darren B

Application Number

US13/210,277
Publication Number

US 20130047215A1
Time in Patent Office

1,030 Days
Field of Search

726 1- 10, 726 26- 30, 713164-167
US Class Current

726/6
CPC Class Codes

G06F 21/1076   Revocation

G06F 21/335   for accessing specific reso...

H04L 63/0807   using tickets, e.g. Kerbero...

Method and apparatus for token-based reassignment of privileges

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for token-based reassignment of privileges

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others