Providing secure dynamic role selection and managing privileged user access from a client device

US 8,869,250 B2
Filed: 08/23/2012
Issued: 10/21/2014
Est. Priority Date: 12/29/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method comprising:

provisioning a plurality of user accounts to access one or more software applications, wherein the provisioning comprises associating a set of one or more user accounts, selected from the plurality of user accounts, with a corresponding role, selected from a plurality of roles;

receiving a first role selection from a client device, wherein the first role selection is selected from the plurality of roles;

receiving a first authentication challenge and a first audit level, from an authentication service, wherein the first authentication challenge and the first audit level are based upon the first role selection received from the client device;

transmitting the first authentication challenge to the client device;

receiving a first authentication submission from the client device;

authenticating the first authentication submission; and

in response to authenticating the first authentication submission;

granting the client device access to one or more of the software applications using the provisioned user accounts included in the first role selection; and

recording audit data of usage of the software applications by the client device, wherein the audit data includes identification of the provisioned user accounts used to access the software applications using the first role selection, and wherein the recording further comprises gathering the audit data based on the first audit level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided that receives a first role selection from a client device. Each of the roles includes various user accounts provisioned to access various software applications. An authentication challenge is retrieved. The authentication challenge is based upon the role selection that was received from the client device. The authentication challenge is transmitted to the client device. An authentication submission is received from the client device. This authentication submission is authenticated and, if the authentication is successful, then the client device access is granted access to software applications using the provisioned user accounts that were included in the role selection. In addition, audit data of usage of the software applications by the client device is recorded. The audit data includes identification of the provisioned user accounts used to access the software applications using the role selection.

25 Citations

View as Search Results

18 Claims

1. A computer-implemented method comprising:
- provisioning a plurality of user accounts to access one or more software applications, wherein the provisioning comprises associating a set of one or more user accounts, selected from the plurality of user accounts, with a corresponding role, selected from a plurality of roles;
  
  receiving a first role selection from a client device, wherein the first role selection is selected from the plurality of roles;
  
  receiving a first authentication challenge and a first audit level, from an authentication service, wherein the first authentication challenge and the first audit level are based upon the first role selection received from the client device;
  
  transmitting the first authentication challenge to the client device;
  
  receiving a first authentication submission from the client device;
  
  authenticating the first authentication submission; and
  
  in response to authenticating the first authentication submission;
  
  granting the client device access to one or more of the software applications using the provisioned user accounts included in the first role selection; and
  
  recording audit data of usage of the software applications by the client device, wherein the audit data includes identification of the provisioned user accounts used to access the software applications using the first role selection, and wherein the recording further comprises gathering the audit data based on the first audit level.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising:
    - wherein the provisioning further comprises associating a first set of one or more user accounts with the first role and a second set of one or more user accounts with a second role; and
      
      grouping the provisioned user accounts by the corresponding roles so that the first role includes the first set of user accounts and the second role includes the second set of user accounts.
  - 3. The method of claim 1 further comprising:
    - after the authenticating;
      
      detecting an initial access by the client device of a selected one of the software applications;
      
      retrieving a first set of credential data corresponding to the selected software application, wherein the first set of retrieved credential data retrieved is based on the first role selection received from the client device; and
      
      submitting the retrieved first set of credential data to the selected software application so that the client device receives a first set of usage privileges to the selected software application.
  - 4. The method of claim 3 further comprising:
    - receiving a role context switch from the client device, wherein the role context switch includes a second role selected from the plurality of roles;
      
      receiving a second authentication challenge and a second audit level, from the authentication service, wherein the second authentication challenge and the second audit level are based upon the second role selection,transmitting the second authentication challenge to the client device;
      
      receiving a second authentication submission from the client device;
      
      authenticating the second authentication submission; and
      
      in response to authenticating the second authentication submission;
      
      granting the client device access to the software applications using the provisioned user accounts included in the second role selection; and
      
      recording audit data of usage of the software applications by the client device, wherein the audit data includes identification of the provisioned user accounts used to access the software applications using the second role selection, and wherein the recording further comprises gathering the audit data based on the second audit level.
  - 5. The method of claim 4 wherein the granting further comprises:
    - revoking the previous grant to the software applications using the provisioned user accounts included in the first role selection.
  - 6. The method of claim 4 further comprising:
    - after the authentication of the second authentication submission;
      
      detecting a subsequent access by the client device of the selected software application;
      
      retrieving a second set of credential data corresponding to the selected software application, wherein the second set of retrieved credential data retrieved is based on the second role selection received from the client device; and
      
      submitting the retrieved second set of credential data to the selected software application so that the client device receives a second set of usage privileges to the selected software application, wherein the first and second sets of user privileges are different from each other.

7. An information handling system comprising:
- one or more processors;
  
  a memory accessible by at least one of the processors;
  
  a nonvolatile storage medium accessible by at least one of the processors;
  
  a network adapter that connects the information handling system to a client devicea set of instructions stored in the memory and executed by at least one of the processors in order to perform steps of;
  
  provisioning a plurality of user accounts to access one or more software applications, wherein the provisioning comprises associating a set of one or more user accounts, selected from the plurality of user accounts, with a corresponding role, selected from a plurality of roles;
  
  receiving, at the network adapter, a first role selection from the client device, wherein the first role selection is selected from the plurality of roles;
  
  receiving a first authentication challenge and a first audit level, from an authentication service, wherein the first authentication challenge and the first audit level are based upon the first role selection received from the client device;
  
  transmitting the first authentication challenge to the client device;
  
  receiving a first authentication submission from the client device;
  
  authenticating the first authentication submission; and
  
  in response to authenticating the first authentication submission;
  
  granting the client device access to one or more of the software applications using the provisioned user accounts included in the first role selection; and
  
  recording audit data of usage of the software applications by the client device, wherein the audit data includes identification of the provisioned user accounts used to access the software applications using the first role selection, and wherein the recording further comprises gathering the audit data based on the first audit level.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The information handling system of claim 7 wherein the actions further comprise:
    - wherein the provisioning further comprises associating a first set of one or more user accounts with the first role and a second set of one or more user accounts with a second role; and
      
      grouping the provisioned user accounts by the corresponding roles so that the first role includes the first set of user accounts and the second role includes the second set of user accounts.
  - 9. The information handling system of claim 7 wherein the actions further comprise:
    - after the authenticating;
      
      detecting an initial access by the client device of a selected one of the software applications;
      
      retrieving a first set of credential data corresponding to the selected software application, wherein the first set of retrieved credential data retrieved is based on the first role selection received from the client device; and
      
      submitting the retrieved first set of credential data to the selected software application so that the client device receives a first set of usage privileges to the selected software application.
  - 10. The information handling system of claim 9 wherein the actions further comprise:
    - receiving a role context switch from the client device, wherein the role context switch includes a second role selected from the plurality of roles;
      
      receiving a second authentication challenge and a second audit level, from the authentication service, wherein the second authentication challenge and the second audit level are based upon the second role selection,transmitting the second authentication challenge to the client device;
      
      receiving a second authentication submission from the client device;
      
      authenticating the second authentication submission; and
      
      in response to authenticating the second authentication submission;
      
      granting the client device access to the software applications using the provisioned user accounts included in the second role selection; and
      
      recording audit data of usage of the software applications by the client device, wherein the audit data includes identification of the provisioned user accounts used to access the software applications using the second role selection, and wherein the recording further comprises gathering the audit data based on the second audit level.
  - 11. The information handling system of claim 10 wherein the granting further comprises performing actions comprising:
    - revoking the previous grant to the software applications using the provisioned user accounts included in the first role selection.
  - 12. The information handling system of claim 10 wherein the actions further comprise:
    - after the authentication of the second authentication submission;
      
      detecting a subsequent access by the client device of the selected software application;
      
      retrieving a second set of credential data corresponding to the selected software application, wherein the second set of retrieved credential data retrieved is based on the second role selection received from the client device; and
      
      submitting the retrieved second set of credential data to the selected software application so that the client device receives a second set of usage privileges to the selected software application, wherein the first and second sets of user privileges are different from each other.

13. A computer program product stored in a computer readable storage device, comprising functional descriptive material that, when executed by an information handling system, causes the information handling system to perform actions comprising:
- provisioning a plurality of user accounts to access one or more software applications, wherein the provisioning comprises associating a set of one or more user accounts, selected from the plurality of user accounts, with a corresponding role, selected from a plurality of roles;
  
  receiving a first role selection from a client device, wherein the first role selection is selected from the plurality of roles;
  
  receiving a first authentication challenge and a first audit level, from an authentication service, wherein the first authentication challenge and the first audit level are based upon the first role selection received from the client device;
  
  transmitting the first authentication challenge to the client device;
  
  receiving a first authentication submission from the client device;
  
  authenticating the first authentication submission; and
  
  in response to authenticating the first authentication submission;
  
  granting the client device access to one or more of the software applications using the provisioned user accounts included in the first role selection; and
  
  recording audit data of usage of the software applications by the client device, wherein the audit data includes identification of the provisioned user accounts used to access the software applications using the first role selection, and wherein the recording further comprises gathering the audit data based on the first audit level.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13 wherein the actions further comprise:
    - wherein the provisioning further comprises associating a first set of one or more user accounts with the first role and a second set of one or more user accounts with a second role; and
      
      grouping the provisioned user accounts by the corresponding roles so that the first role includes the first set of user accounts and the second role includes the second set of user accounts.
  - 15. The computer program product of claim 14 wherein the actions further comprise:
    - after the authenticating;
      
      detecting an initial access by the client device of a selected one of the software applications;
      
      retrieving a first set of credential data corresponding to the selected software application, wherein the first set of retrieved credential data retrieved is based on the first role selection received from the client device; and
      
      submitting the retrieved first set of credential data to the selected software application so that the client device receives a first set of usage privileges to the selected software application.
  - 16. The computer program product of claim 15 wherein the actions further comprise:
    - receiving a role context switch from the client device, wherein the role context switch includes a second role selected from the plurality of roles;
      
      receiving a second authentication challenge and a second audit level, from the authentication service, wherein the second authentication challenge and the second audit level are based upon the second role selection,transmitting the second authentication challenge to the client device;
      
      receiving a second authentication submission from the client device;
      
      authenticating the second authentication submission; and
      
      in response to authenticating the second authentication submission;
      
      granting the client device access to the software applications using the provisioned user accounts included in the second role selection; and
      
      recording audit data of usage of the software applications by the client device, wherein the audit data includes identification of the provisioned user accounts used to access the software applications using the second role selection, and wherein the recording further comprises gathering the audit data based on the second audit level.
  - 17. The computer program product of claim 16 wherein the granting further comprises:
    - revoking the previous grant to the software applications using the provisioned user accounts included in the first role selection.
  - 18. The computer program product of claim 16 wherein the actions further comprise:
    - after the authentication of the second authentication submission;
      
      detecting a subsequent access by the client device of the selected software application;
      
      retrieving a second set of credential data corresponding to the selected software application, wherein the second set of retrieved credential data retrieved is based on the second role selection received from the client device; and
      
      submitting the retrieved second set of credential data to the selected software application so that the client device receives a second set of usage privileges to the selected software application, wherein the first and second sets of user privileges are different from each other.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Forster, Craig Robert William, Hockings, Christopher John
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US13/593,013
Publication Number

US 20120324546A1
Time in Patent Office

789 Days
Field of Search

726/3, 726/4, 726/5
US Class Current

726/5
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

H04L 9/3226   using a predetermined code,...

H04L 9/3271   using challenge-response

Providing secure dynamic role selection and managing privileged user access from a client device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Providing secure dynamic role selection and managing privileged user access from a client device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links