Dynamic access policies

US 8,819,763 B1
Filed: 10/06/2008
Issued: 08/26/2014
Est. Priority Date: 10/05/2007
Status: Active Grant

First Claim

Patent Images

1. A system for securely granting access to a target system to a user comprising:

an interface configured to receive an access request;

a processor; and

a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to;

request a plurality of security policies from a plurality of distributed policy systems,wherein the plurality of distributed policy systems includes at least one of a change management system associated with planned events and a ticket system;

obtain the plurality of security policies from the plurality of distributed policy systems;

determine a temporary grant of access for the user, wherein the determining includes dynamically generating a temporary, multi-dimensional access policy for the user,wherein the multi-dimensional access policy is an aggregate of at least some of the plurality of security policies, and wherein the dynamically generated multi-dimensional access policy governs a set of network resources that the user is permitted to access and includes at least one of an authorized access time and an authorized access protocol;

implement the determined temporary grant of access for the user;

determine whether rules associated with the at least some of the plurality of security policies aggregated into the multi-dimensional access policy conflict with at least some of one another when applied in conjunction with implementing the determined temporary grant of access for the user; and

in the event that rules associated with the at least some of the plurality of security policies aggregated into the multi-dimensional access policy are determined to conflict with at least some of one another when applied in conjunction with implementing the determined temporary grant of access for the user, resolve the conflict.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for securely granting access to a target system to a user includes requesting a plurality of security policies from a plurality of distributed policy systems. It further includes obtaining a plurality of security policies from the plurality of distributed policy systems. It further includes granting a temporary grant of access that is an aggregate of the plurality of security policies. It further includes implementing the temporary access grant for the user.

Citations

17 Claims

1. A system for securely granting access to a target system to a user comprising:
- an interface configured to receive an access request;
  
  a processor; and
  
  a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to;
  
  request a plurality of security policies from a plurality of distributed policy systems,wherein the plurality of distributed policy systems includes at least one of a change management system associated with planned events and a ticket system;
  
  obtain the plurality of security policies from the plurality of distributed policy systems;
  
  determine a temporary grant of access for the user, wherein the determining includes dynamically generating a temporary, multi-dimensional access policy for the user,wherein the multi-dimensional access policy is an aggregate of at least some of the plurality of security policies, and wherein the dynamically generated multi-dimensional access policy governs a set of network resources that the user is permitted to access and includes at least one of an authorized access time and an authorized access protocol;
  
  implement the determined temporary grant of access for the user;
  
  determine whether rules associated with the at least some of the plurality of security policies aggregated into the multi-dimensional access policy conflict with at least some of one another when applied in conjunction with implementing the determined temporary grant of access for the user; and
  
  in the event that rules associated with the at least some of the plurality of security policies aggregated into the multi-dimensional access policy are determined to conflict with at least some of one another when applied in conjunction with implementing the determined temporary grant of access for the user, resolve the conflict.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1 wherein the plurality of distributed policy systems include an Active Directory system.
  - 3. The system of claim 1 wherein the plurality of distributed policy systems include a Lightweight Directory Access Protocol system.
  - 4. The system of claim 1 wherein the plurality of distributed policy systems include a business service management system.
  - 5. The system of claim 1 wherein the plurality of security policies includes a user policy.
  - 6. The system of claim 1 wherein the plurality of security policies includes a device policy.
  - 7. The system of claim 1 wherein the plurality of security policies include a business policy.
  - 8. The system of claim 1 wherein the plurality of security policies is requested in response to a detection of a trigger action.
  - 9. The system of claim 8 wherein the trigger action includes a receipt of a user credential.
  - 10. The system of claim 9 wherein the user credential includes a password.
  - 11. The system of claim 9 wherein the user credential includes a user identifier.
  - 12. The system of claim 1 wherein determining a temporary grant includes prioritizing the plurality of security policies.
  - 13. The system of claim 1 wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to contact an administrator.

14. A method of securely granting access to a target system to a user comprising:
- receiving an access request;
  
  requesting a plurality of security policies from a plurality of distributed policy systems,wherein the plurality of distributed policy systems includes at least one of a change management system associated with planned events and a ticket system;
  
  obtaining the plurality of security policies from the plurality of distributed policy systems;
  
  determining, by a computer processor, a temporary grant of access for the user,wherein the determining includes dynamically generating a temporary, multi-dimensional access policy for the user, wherein the multi-dimensional access policy is an aggregate of at least some of the plurality of security policies, and wherein the dynamically generated multi-dimensional access policy governs a set of network resources that the user is permitted to access and includes at least one of an authorized access time and an authorized access protocol;
  
  implementing the determined temporary grant of access for the user;
  
  determining whether rules associated with the at least some of the plurality of security policies aggregated into the multi-dimensional access policy conflict with at least some of one another when applied in conjunction with implementing the determined temporary grant of access for the user; and
  
  in the event that rules associated with the at least some of the plurality of security policies aggregated into the multi-dimensional access policy are determined to conflict with at least some of one another when applied in conjunction with implementing the determined temporary grant of access for the user, resolving the conflict.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14 wherein the plurality of security policies is requested in response to a detection of a trigger action.
  - 16. The method of claim 15 wherein the trigger action includes an elapse of an amount of time.

17. A computer program product for securely granting access to a target system to a user, the computer program product being embodied in a non-transitory computer readable medium and comprising computer instructions for:
- receiving an access request;
  
  requesting a plurality of security policies from a plurality of distributed policy systems,wherein the plurality of distributed policy systems includes at least one of a change management system associated with planned events and a ticket system;
  
  obtaining the plurality of security policies from the plurality of distributed policy systems;
  
  determining a temporary grant of access for the user, wherein the determining includes dynamically generating a temporary, multi-dimensional access policy for the user,wherein the multi-dimensional access policy is an aggregate of at least some of the plurality of security policies, and wherein the dynamically generated multi-dimensional access policy governs a set of network resources that the user is permitted to access and includes at least one of an authorized access time and an authorized access protocol;
  
  implementing the determined temporary grant of access for the user;
  
  determining whether rules associated with the at least some of the plurality of security policies aggregated into the multi-dimensional access policy conflict with at least some of one another when applied in conjunction with implementing the determined temporary grant of access for the user; and
  
  in the event that rules associated with the at least some of the plurality of security policies aggregated into the multi-dimensional access policy are determined to conflict with at least some of one another when applied in conjunction with implementing the determined temporary grant of access for the user, resolving the conflict.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Xceedium Incorporated. (Broadcom, Inc.)
Inventors
Van, David, Cheung, David W.
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US12/287,263
Time in Patent Office

2,150 Days
Field of Search

726/1, 726/2, 726/5, 726/24, 726/25, 726/27, 726/28
US Class Current

726/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Dynamic access policies

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic access policies

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links