System and method for policy based privileged user access management

US 8,869,234 B2
Filed: 05/03/2012
Issued: 10/21/2014
Est. Priority Date: 05/03/2012
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

providing a Policy Enforcement Point (PEP) comprising a rule engine;

causing the PEP to recognize an emergency based upon a condition level of a first target system or application;

providing to the PEP, an identification (ID), that is specific to the first target system or application, to gain access to the first target system or application according to the condition level, wherein the provided identification is different than an identification to gain access to the first target system or application when there is no emergency based upon the condition level;

creating an authentication assertion of the ID; and

in response to receipt of the authentication assertion, causing the first target system or application to invoke the PEP such that the rule engine grants a user an emergency access session, tagged with the provided ID, to the first target system or application according to a parameter determined by a policy;

wherein the parameter comprises a logging level of activity of the user in the emergency access session that is recorded in a first activity log supplemental to a second activity log of the first target system or application, wherein during the emergency access session the first activity log comprises session data tagged with the provided ID, the first activity log is available for review, and access to the second activity log is disrupted as a result of the condition level of the first target system or application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments dynamically manage privileged access to a computer system according to policies enforced by rule engine. User input to the rule engine may determine an extent of system access, as well as other features such as intensity of user activity logging (including logging supplemental to a system activity log). Certain embodiments may provide access based upon user selection of a pre-configured ID at a dashboard, while other embodiments may rely upon direct user input to the rule engine to generate an ID at a policy enforcement point. Embodiments of methods and apparatuses may be particularly useful in granting and/or logging broad temporary access rights allowed based upon emergency conditions.

6 Citations

View as Search Results

20 Claims

1. A computer implemented method comprising:
- providing a Policy Enforcement Point (PEP) comprising a rule engine;
  
  causing the PEP to recognize an emergency based upon a condition level of a first target system or application;
  
  providing to the PEP, an identification (ID), that is specific to the first target system or application, to gain access to the first target system or application according to the condition level, wherein the provided identification is different than an identification to gain access to the first target system or application when there is no emergency based upon the condition level;
  
  creating an authentication assertion of the ID; and
  
  in response to receipt of the authentication assertion, causing the first target system or application to invoke the PEP such that the rule engine grants a user an emergency access session, tagged with the provided ID, to the first target system or application according to a parameter determined by a policy;
  
  wherein the parameter comprises a logging level of activity of the user in the emergency access session that is recorded in a first activity log supplemental to a second activity log of the first target system or application, wherein during the emergency access session the first activity log comprises session data tagged with the provided ID, the first activity log is available for review, and access to the second activity log is disrupted as a result of the condition level of the first target system or application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as in claim 1 wherein the emergency access session is restricted by time and/or by portions of the first target system or application available to the user.
  - 3. A method as in claim 1 wherein the ID comprises a pre-configured ID selected by the user from a list on a dashboard.
  - 4. A method as in claim 1 further comprising causing the PEP to dynamically select the ID in response to an input by the user to the rule engine.
  - 5. A method as in claim 4 wherein the input comprises the user response to a question posed by the PEP.
  - 6. A method as in claim 1 wherein the PEP is in communication with a second target system or application, and the ID is specific to the first target system or application.
  - 7. A method as in claim 6 wherein the authentication assertion is federated across the first target system or application and the second target system or application.

8. A non-transitory computer readable storage medium embodying a computer program for performing a method, said method comprising:
- providing a Policy Enforcement Point (PEP) comprising a rule engine;
  
  causing the PEP to recognize an emergency based upon a condition level of a first target system or application;
  
  providing to the PEP, an identification (ID), that is specific to the first target system or application, to gain access to the first target system or application according to the condition level, wherein the provided identification is different than an identification to gain access to the first target system or application when there is no emergency based upon the condition level;
  
  creating an authentication assertion of the ID; and
  
  in response to receipt of the authentication assertion, causing the first target system or application to invoke the PEP such that the rule engine grants a user an emergency access session, tagged with the provided ID, to the first target system or application according to a parameter determined by a policy;
  
  wherein the parameter comprises a logging level of activity of the user in the emergency access session that is recorded in a first activity log supplemental to a second activity log of the first target system or application, wherein during the emergency access session the first activity log comprises session data tagged with the provided ID, the first activity log is available for review, and access to the second activity log is disrupted as a result of the condition level of the first target system or application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A non-transitory computer readable storage medium as in claim 8 wherein the emergency access session is restricted by time and/or by portions of the first target system or application available to the user.
  - 10. A non-transitory computer readable storage medium as in claim 8 wherein the ID comprises a pre-configured ID selected by the user from a list on a dashboard.
  - 11. A non-transitory computer readable storage medium as in claim 8 wherein the method further comprises causing the PEP to dynamically select the ID in response to an input by the user to the rule engine.
  - 12. A non-transitory computer readable storage medium as in claim 11 wherein the input comprises the user response to a question posed by the PEP.
  - 13. A non-transitory computer readable storage medium as in claim 8 wherein the PEP is in communication with a second target system or application, and the ID is specific to the first target system or application.
  - 14. A non-transitory computer readable storage medium as in claim 8 wherein the authentication assertion is federated across the first target system or application and the second target system or application.

15. A computer system comprising:
- one or more computer processors; and
  
  a non-transitory computer readable storage medium comprising instructions for controlling the one or more computer processors to be operable to;
  
  provide a Policy Enforcement Point (PEP) comprising a rule engine;
  
  cause the PEP to recognize an emergency based upon a condition level of a first target system or application;
  
  provide to the PEP, an identification (ID), that is specific to the first target system or application, to gain access to the first target system or application according to the condition level, wherein the provided identification is different than an identification to gain access to the first target system or application when there is no emergency based upon the condition level;
  
  create an authentication assertion of the ID; and
  
  in response to receipt of the authentication assertion, cause the first target system or application to invoke the PEP such that the rule engine grants a user an emergency access session, tagged with the provided ID, to the first target system or application according to a parameter determined by a policy;
  
  wherein the parameter comprises a logging level of activity of the user in the emergency access session that is recorded in a first activity log supplemental to a second activity log of the first target system or application, wherein during the emergency access session the first activity log comprises session data tagged with the provided ID, the first activity log is available for review, and access to the second activity log is disrupted as a result of the condition level of the first target system or application.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. A computer system as in claim 15 wherein the emergency access session is restricted by time and/or by portions of the first target system or application available to the user.
  - 17. A computer system as in claim 15 wherein the ID comprises a pre-configured ID selected by the user from a list on a dashboard.
  - 18. A computer system as in claim 15 further comprising causing the PEP to dynamically select the ID in response to an input by the user to the rule engine.
  - 19. A computer system as in claim 18 wherein the input comprises the user response to a question posed by the PEP.
  - 20. A computer system as in claim 15 wherein the PEP is in communication with a second target system or application, the ID is specific to the first target system or application, and the authentication assertion is federated across the first target system or application and the second target system or application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Radkowski, John Christopher, Singh, Swetta
Primary Examiner(s)
SHAW, BRIAN F

Application Number

US13/463,160
Publication Number

US 20130298186A1
Time in Patent Office

901 Days
Field of Search

726/1, 726/4, 726/3, 726/2, 726/6, 726/26, 726/5, 726/7, 726/8
US Class Current

726/1
CPC Class Codes

G06F 17/00   Digital computing or data p...

G06F 21/00   Security arrangements for p...

G06F 21/6218   to a system of files or obj...

System and method for policy based privileged user access management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for policy based privileged user access management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links