Secure access infrastructure
First Claim
1. A non-transitory computer-readable medium having instructions for restricting use of service accounts, each service account allowing access to a respective resource within an enterprise, said computer-readable instructions comprising instructions for:
receiving a request from an application to use a service account of a plurality of service accounts each including a number of resource credentials, said resource credentials including a service account identification, configuration information needed for the service account, and a resource password, said request including an identification for said application;
determining, in response to receiving the request, whether said application is authorized to use said service account of the plurality of service accounts based on said identification for said application, wherein determining includes referencing:
a first database table including the plurality of service accounts and a respective number of resource credentials associated therewith, wherein said plurality of service accounts includes said service account; and
a second database table including applications that have been authorized to use at least one service account of said plurality of service accounts;
retrieving the number of resource credentials associated with said service account of the plurality of service accounts in response to determining that said application is authorized to use said service account of the plurality of service accounts;
connecting, utilizing the retrieved number of resource credentials associated with said service account, said application to an appropriate resource;
caching one or more of the retrieved number of resource credentials of said service account; and
allowing service account owners and security personnel to manage said plurality of service accounts, including:
establishing a secure identity for each application; and
granting authorization to said application to use said service account.
Abstract
Method and system are disclosed for limiting use of a service account to only applications that have been authorized. The method and system provide a service account security infrastructure for verifying the identity of an application requesting credentials from a service account and for checking that the application is authorized to use the service account. The infrastructure also allows service account owners and security personnel to manage service accounts, including establishing a secure identity for each application and granting authorization to the application to use a service account.
19 Claims
1. Independent claim; its full text is given above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A non-transitory computer-readable medium having computer-readable instructions for establishing identifications for applications, said computer-readable instructions comprising instructions for:
receiving a request to let an application use a service account of a plurality of service accounts each including a number of resource credentials, said resource credentials including a service account identification, configuration information needed for the service account, and a resource password, said request including an identification for said application;
mapping said identification for said application to a file system path for said application;
storing said mapping of said identification to said file system path in a secure repository;
storing a number of notes related to the mapping, including time of the request, reason for the request, and who made the request;
determining, in response to receiving the request, whether said application is authorized to use the service account of the plurality of service accounts based on said identification for said application, wherein determining includes referencing:
a first database table including the plurality of service accounts and a respective number of resource credentials associated therewith, wherein said plurality of service accounts includes said service account; and
a second database table including applications that have been authorized to use at least one service account of said plurality of service accounts, wherein said plurality of service accounts includes said service account, said service account allowing access to a system resource within said enterprise application environment;
retrieving the number of resource credentials associated with said service account of the plurality of service accounts in response to determining that said application is authorized to use said service account of the plurality of service accounts;
connecting, utilizing the retrieved number of resource credentials associated with said service account, said application to an appropriate resource; and
allowing service account owners and security personnel to manage said plurality of service accounts, including:
establishing a secure identity for each application; and
granting authorization to said application to use said service account of said plurality of service accounts.
Dependent claims: 9, 10, 11, 12, 13.
14. A non-transitory computer-readable medium storing instructions executable by a processing resource to cause a computer to:
receive a request from an application to use a service account of a plurality of service accounts each including a number of resource credentials, said resource credentials including a service account identification, configuration information needed for the service account, and a resource password, said request including an identification for said application;
determine, in response to receiving the request, whether said application is authorized to use said service account of the plurality of service accounts based on said identification for said application, wherein determining includes referencing:
a first database table including the plurality of service accounts and a respective number of resource credentials associated therewith, wherein said plurality of service accounts includes said service account; and
a second database table including applications that have been authorized to use at least one service account of said plurality of service accounts;
retrieve the number of resource credentials associated with the service account of the plurality of service accounts in response to determining that said application is authorized to use said service account of the plurality of service accounts;
connect, utilizing the retrieved number of resource credentials associated with the service account, said application to an appropriate resource;
cache one or more of the retrieved number of resource credentials of said service account; and
allow service account owners and security personnel to manage said plurality of service accounts, including:
to establish a secure identity for each application; and
to grant authorization to said application to use said service account;
create a new service account for a corresponding resource within said enterprise;
store said new service account and a corresponding plurality of resource credentials in the first database table;
provide authorization to one or more applications within said enterprise to use said new service account to access said corresponding resource; and
store an identification of said one or more applications and the corresponding authorization in the second database table.
Dependent claims: 15, 16, 17, 18, 19.
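The infrastructure described in the abstract and in claims 1, 8 and 14 (a table of service accounts with their credentials, a table of authorized applications, an application identity established as a mapping to a file system path with request notes, an identity check and an authorization check before credentials are released, credential caching, connection to the resource, and the management operations for account owners and security personnel) as an added Python example. This is illustrative code written for this page, not the patent's or any assignee's implementation. The account, application names, paths, configuration and password are constructed sample values, and the way the broker learns the caller's file system path (passed in as a parameter here) is an assumption noted in the code.

```python
"""Credential broker sketch: an application must present a registered identity
and hold a grant before the broker releases a service account's credentials."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ServiceAccount:
    """Row of the first table: one service account and its resource credentials."""
    account_id: str     # service account identification
    resource: str       # the resource this account gives access to
    config: dict        # configuration information needed for the account
    password: str       # resource password


@dataclass
class Broker:
    accounts: dict = field(default_factory=dict)    # first table: account_id -> ServiceAccount
    grants: set = field(default_factory=set)        # second table: (app_id, account_id) pairs
    identities: dict = field(default_factory=dict)  # secure repository: app_id -> file system path
    notes: list = field(default_factory=list)       # who requested an identity, when and why
    cache: dict = field(default_factory=dict)       # account_id -> credentials already retrieved
    audit: list = field(default_factory=list)       # (decision, reason, app_id, account_id)

    # Management operations for service account owners and security personnel.
    def create_account(self, account_id, resource, config, password):
        """Store a new service account and its credentials in the first table."""
        self.accounts[account_id] = ServiceAccount(account_id, resource, config, password)

    def establish_identity(self, app_id, path, reason, requester):
        """Map an application identification to its file system path and record the request."""
        self.identities[app_id] = path
        self.notes.append({"app_id": app_id, "path": path, "reason": reason,
                           "requester": requester,
                           "time": datetime.now(timezone.utc).isoformat()})

    def grant(self, app_id, account_id):
        """Authorize an application to use a service account (second table)."""
        if app_id not in self.identities:
            raise KeyError(f"no established identity for application {app_id!r}")
        if account_id not in self.accounts:
            raise KeyError(f"unknown service account {account_id!r}")
        self.grants.add((app_id, account_id))

    # Request path.
    def request_credentials(self, app_id, account_id, observed_path):
        """Return the account's credentials only if identity and authorization both check out.

        observed_path is the caller's file system path as seen by the broker. In this
        sketch the caller passes it in; a deployment would obtain it from the operating
        system rather than trust the request (an assumption of this example, not the patent).
        """
        if self.identities.get(app_id) != observed_path:
            self.audit.append(("deny", "identity-mismatch", app_id, account_id))
            return None
        if (app_id, account_id) not in self.grants:
            self.audit.append(("deny", "not-authorized", app_id, account_id))
            return None
        creds = self.cache.get(account_id)
        if creds is None:
            acct = self.accounts[account_id]
            creds = {"account_id": acct.account_id, "config": dict(acct.config),
                     "password": acct.password}
            self.cache[account_id] = creds  # cache the retrieved credentials
        self.audit.append(("allow", "ok", app_id, account_id))
        return creds

    def connect(self, app_id, account_id, observed_path):
        """Connect the application to the account's resource, or return None if refused."""
        creds = self.request_credentials(app_id, account_id, observed_path)
        if creds is None:
            return None
        resource = self.accounts[account_id].resource
        # Constructed stand-in for opening a real connection with the credentials.
        return f"connected:{resource}:as:{creds['account_id']}"


def build_demo():
    """Constructed sample data: one account, two registered applications, one grant."""
    b = Broker()
    b.create_account("svc_orders", "orders-db", {"host": "db.internal", "port": 5432},
                     "p4ssw0rd-sample")
    b.establish_identity("billing", "/opt/billing/app", "nightly invoice run", "alice")
    b.establish_identity("reporting", "/opt/reporting/app", "monthly report", "bob")
    b.grant("billing", "svc_orders")
    return b


if __name__ == "__main__":
    b = build_demo()
    print(b.connect("billing", "svc_orders", "/opt/billing/app"))      # authorized
    print(b.connect("billing", "svc_orders", "/tmp/billing-copy"))     # wrong path: refused
    print(b.connect("reporting", "svc_orders", "/opt/reporting/app"))  # no grant: refused
    print(b.audit)
```

Two points worth noticing when reading the code against the claims. The identity check and the authorization check are separate decisions with separate audit reasons, so a registered application asking for an account it was never granted is distinguishable from an unregistered binary presenting a known application identification; both show up in `audit` and are the events a security team would alert on. The cache holds the resource password in memory once it has been retrieved, exactly as the claims describe; in a real broker its scope and lifetime need the same care as the first database table itself.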