Temporary authorizations to access a computing system based on user skills
First Claim
1. A computer-implemented method of controlling access to a computing system, the computer-implemented method comprising:
- executing, by one or more processors in a distributed computing system, a background service to intercept requests to perform an operation on one or more servers of the distributed computing system, and to determine for each request, whether to grant or deny the request, wherein the service comprises:
  - intercepting, by the one or more processors, an escalation request for performing a protected activity on the computing system by a user not authorized to perform the protected activity, comprising:
    - assigning the escalation request to a selected activity category of a plurality of predefined activity categories, each activity category being associated with one or more activity properties, each activity property indicative of a protected operation to be executed for performing each protected activity belonging to the activity category and of at least one operation authorization required to execute the protected operation;
  - retrieving, by the one or more processors, at least one activity indicator, from a corresponding repository of a server of the one or more servers, being indicative of a skill required to perform the protected activity, comprising:
    - retrieving at least one property indicator for each activity property, each property indicator being indicative of one of a plurality of predefined skill types and of an activity level thereof required to execute the corresponding protected operation;
  - retrieving, by the one or more processors, at least one user indicator being indicative of skill possessed by the user, comprising:
    - retrieving said at least one user indicator, each one being indicative of one of the skill types and of a user level thereof possessed by the user;
    - retrieving at least one experience indicator being indicative of an experience type and of a possible experience degree thereof being gained by the user;
    - retrieving at least one experience property for each experience type of said at least one experience indicator, each experience property being indicative of one of the skill types that the experience type contributes to increase and of a skill coefficient measuring a unitary contribution thereto; and
    - calculating one user indicator of said at least one user indicator for each skill type of said at least one experience property, the one user indicator being calculated according to the skill coefficient of the experience property and to the possible experience degree of each corresponding experience indicator;
  - determining, by the one or more processors, an indication of a capability of the user to perform the protected activity according to a comparison between said at least one activity indicator and said at least one user indicator; and
  - granting or denying, by the one or more processors, to the user according to the capability thereof a temporary authorization for performing the protected activity, the temporary authorization lasting for a limited time window, the granting or denying the temporary authorization comprising:
    - granting said at least one operation authorization required to execute each protected operation of the selected activity category to the user for the limited time window.
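The procedure recited in claim 1, as an added worked example in Python; this is illustrative code written for this page, not the patent's or any assignee's implementation. It models activity categories as lists of activity properties (protected operation, the operation authorization it needs, and the skill type and level required), derives each user indicator from a declared level plus skill coefficient times experience degree, compares the two sets of indicators, and lets a background broker issue a temporary authorization that later operation checks consult until the time window expires. All category names, skill types, experience types, coefficients, users and the 900-second window are constructed sample values.

```python
"""Skill-gated temporary authorization broker (added example, not the patent's code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ActivityProperty:
    """One protected operation of a category: the operation authorization it
    needs and the skill type / activity level required to execute it."""
    operation: str
    authorization: str
    skill_type: str
    required_level: float


@dataclass(frozen=True)
class UserProfile:
    name: str
    base_skills: Dict[str, float]   # user indicators declared directly
    experience: Dict[str, float]    # experience type -> experience degree gained


@dataclass(frozen=True)
class TemporaryAuthorization:
    user: str
    category: str
    authorizations: frozenset
    expires_at: float


# Activity categories -> activity properties (constructed sample data).
CATEGORIES: Dict[str, List[ActivityProperty]] = {
    "db_schema_change": [
        ActivityProperty("alter_table", "db:ddl", "database_admin", 3.0),
        ActivityProperty("restart_db_service", "host:service_control", "linux_ops", 1.0),
    ],
    "log_triage": [
        ActivityProperty("read_auth_logs", "logs:read", "incident_response", 1.5),
    ],
}

# Experience properties: experience type -> (skill type it raises, skill coefficient).
EXPERIENCE_PROPERTIES: Dict[str, List[Tuple[str, float]]] = {
    "db_migrations_run": [("database_admin", 0.5)],
    "incident_tickets_closed": [("incident_response", 0.2), ("linux_ops", 0.1)],
}


def user_indicators(user: UserProfile) -> Dict[str, float]:
    """User level per skill type: declared level plus coefficient * experience degree."""
    levels = dict(user.base_skills)
    for exp_type, degree in user.experience.items():
        for skill_type, coeff in EXPERIENCE_PROPERTIES.get(exp_type, []):
            levels[skill_type] = levels.get(skill_type, 0.0) + coeff * degree
    return levels


def capability(user: UserProfile, category: str) -> Tuple[bool, Dict[str, Tuple[float, float]]]:
    """Compare activity indicators with user indicators; a missing skill counts as
    level 0. Returns (capable, shortfalls as skill_type -> (user level, required))."""
    have = user_indicators(user)
    shortfalls = {}
    for prop in CATEGORIES[category]:
        level = have.get(prop.skill_type, 0.0)
        if level < prop.required_level:
            shortfalls[prop.skill_type] = (level, prop.required_level)
    return (not shortfalls), shortfalls


class EscalationBroker:
    """Background service: decides escalation requests and answers later
    operation checks only from unexpired temporary authorizations."""

    def __init__(self, window_seconds: float, clock: Callable[[], float] = time.time):
        self.window = window_seconds
        self.clock = clock
        self.grants: List[TemporaryAuthorization] = []

    def handle_escalation(self, user: UserProfile, category: str) -> Optional[TemporaryAuthorization]:
        capable, _ = capability(user, category)
        if not capable:
            return None  # denied: at least one user indicator is below the activity indicator
        grant = TemporaryAuthorization(
            user=user.name,
            category=category,
            authorizations=frozenset(p.authorization for p in CATEGORIES[category]),
            expires_at=self.clock() + self.window,
        )
        self.grants.append(grant)
        return grant

    def is_authorized(self, user_name: str, authorization: str) -> bool:
        """Intercepted operation check: purge expired grants, then look for a live one."""
        now = self.clock()
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.user == user_name and authorization in g.authorizations
                   for g in self.grants)


class FakeClock:
    """Settable clock so the limited time window can be exercised deterministically."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


# Constructed users: alice reaches database_admin 4.0 via experience; bob has none.
ALICE = UserProfile("alice", {"database_admin": 2.0, "linux_ops": 1.5}, {"db_migrations_run": 4})
BOB = UserProfile("bob", {}, {"incident_tickets_closed": 10})

if __name__ == "__main__":
    clock = FakeClock()
    broker = EscalationBroker(window_seconds=900, clock=clock)
    print(capability(ALICE, "db_schema_change"), capability(BOB, "db_schema_change"))
    broker.handle_escalation(ALICE, "db_schema_change")
    print(broker.is_authorized("alice", "db:ddl"))
    clock.t = 901
    print(broker.is_authorized("alice", "db:ddl"))
```

Two design choices matter for a real deployment of this pattern: the check is fail-closed (an unknown skill type is level 0, so it can never satisfy a requirement), and expiry is enforced inside every operation check rather than by a separate cleanup job, so a grant that has aged past the window can never be honoured even if cleanup lags. The grant covers exactly the operation authorizations of the selected category and nothing else, which is the least-privilege property the claim's final step describes.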
Abstract
Controlling access to a computing system. An escalation request is received for performing a protected activity on the computing system by a user not authorized to perform the protected activity. At least one activity indicator being indicative of a skill required to perform the protected activity is retrieved. At least one user indicator being indicative of the skill possessed by the user is retrieved. An indication of a capability of the user to perform the protected activity according to a comparison between the at least one activity indicator and the at least one user indicator is determined. A temporary authorization for performing the protected activity to the user according to the capability thereof is granted or denied. The temporary authorization lasts for a limited time window.
14 Claims
1. Independent claim; its full text is given under First Claim above. Dependent claims: 2, 3, 4, 5, 6.
7. A computer system for controlling access to a computing system, the computer system comprising:
- a memory; and
- a processor in communication with the memory, wherein the computer system is configured to perform a method, said method comprising:
  - executing, by one or more processors in a distributed computing system, a background service to intercept requests to perform an operation on one or more servers of the distributed computing system, and to determine for each request, whether to grant or deny the request, wherein the service comprises:
    - intercepting, by the one or more processors, an escalation request for performing a protected activity on the computing system by a user not authorized to perform the protected activity, comprising:
      - assigning the escalation request to a selected activity category of a plurality of predefined activity categories, each activity category being associated with one or more activity properties, each activity property indicative of a protected operation to be executed for performing each protected activity belonging to the activity category and of at least one operation authorization required to execute the protected operation;
    - retrieving, by the one or more processors, at least one activity indicator, from a corresponding repository of a server of the one or more servers, being indicative of a skill required to perform the protected activity, comprising:
      - retrieving at least one property indicator for each activity property, each property indicator being indicative of one of a plurality of predefined skill types and of an activity level thereof required to execute the corresponding protected operation;
    - retrieving, by the one or more processors, at least one user indicator being indicative of skill possessed by the user, comprising:
      - retrieving said at least one user indicator, each one being indicative of one of the skill types and of a user level thereof possessed by the user;
      - retrieving at least one experience indicator being indicative of an experience type and of a possible experience degree thereof being gained by the user;
      - retrieving at least one experience property for each experience type of said at least one experience indicator, each experience property being indicative of one of the skill types that the experience type contributes to increase and of a skill coefficient measuring a unitary contribution thereto; and
      - calculating one user indicator of said at least one user indicator for each skill type of said at least one experience property, the one user indicator being calculated according to the skill coefficient of the experience property and to the possible experience degree of each corresponding experience indicator;
    - determining, by the one or more processors, an indication of a capability of the user to perform the protected activity according to a comparison between said at least one activity indicator and said at least one user indicator; and
    - granting or denying, by the one or more processors, to the user according to the capability thereof a temporary authorization for performing the protected activity, the temporary authorization lasting for a limited time window, the granting or denying the temporary authorization comprising:
      - granting said at least one operation authorization required to execute each protected operation of the selected activity category to the user for the limited time window.

Dependent claims: 8, 9, 10.

11. A computer program product for controlling access to a computing system, the computer program product comprising:
- a non-transitory computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising:
  - executing, by one or more processors in a distributed computing system, a background service to intercept requests to perform an operation on one or more servers of the distributed computing system, and to determine for each request, whether to grant or deny the request, wherein the service comprises:
    - intercepting, by the one or more processors, an escalation request for performing a protected activity on the computing system by a user not authorized to perform the protected activity, comprising:
      - assigning the escalation request to a selected activity category of a plurality of predefined activity categories, each activity category being associated with one or more activity properties, each activity property indicative of a protected operation to be executed for performing each protected activity belonging to the activity category and of at least one operation authorization required to execute the protected operation;
    - retrieving, by the one or more processors, at least one activity indicator, from a corresponding repository of a server of the one or more servers, being indicative of a skill required to perform the protected activity, comprising:
      - retrieving at least one property indicator for each activity property, each property indicator being indicative of one of a plurality of predefined skill types and of an activity level thereof required to execute the corresponding protected operation;
    - retrieving, by the one or more processors, at least one user indicator being indicative of skill possessed by the user, comprising:
      - retrieving said at least one user indicator, each one being indicative of one of the skill types and of a user level thereof possessed by the user;
      - retrieving at least one experience indicator being indicative of an experience type and of a possible experience degree thereof being gained by the user;
      - retrieving at least one experience property for each experience type of said at least one experience indicator, each experience property being indicative of one of the skill types that the experience type contributes to increase and of a skill coefficient measuring a unitary contribution thereto; and
      - calculating one user indicator of said at least one user indicator for each skill type of said at least one experience property, the one user indicator being calculated according to the skill coefficient of the experience property and to the possible experience degree of each corresponding experience indicator;
    - determining, by the one or more processors, an indication of a capability of the user to perform the protected activity according to a comparison between said at least one activity indicator and said at least one user indicator; and
    - granting or denying, by the one or more processors, to the user according to the capability thereof a temporary authorization for performing the protected activity, the temporary authorization lasting for a limited time window, the granting or denying the temporary authorization comprising:
      - granting said at least one operation authorization required to execute each protected operation of the selected activity category to the user for the limited time window.

Dependent claims: 12, 13, 14.