Dynamic access policies
First Claim
1. A system, comprising:
- a first set of one or more interfaces configured to transmit one or more requests for a plurality of security policies from a plurality of distributed policy systems;
- a second set of one or more interfaces configured to receive the requested plurality of security policies from the plurality of distributed policy systems;
- a policy aggregator module configured to, using a set of one or more processors:
  - prioritize the plurality of security policies;
  - aggregate the plurality of security policies;
  - detect a multidimensional conflict among the plurality of security policies;
  - resolve the conflict pursuant to the prioritized plurality of security policies;
  - in response to detecting the conflict, determine a temporary grant of access; and
  - store, in a data store, the determined temporary grant of access;
- wherein the temporary grant of access includes an identity of a device to be accessed, an individual authorized to address a problem with the device, and a period of time during which the individual may access the device;
- a first memory coupled with the first set of one or more processors and configured to provide the first set of one or more processors with instructions;
- an enforcement module configured to, using a second set of one or more processors, implement the temporary access grant for a user;
- the enforcement module being further configured to detect that the problem was addressed, and in response to determining that the problem was addressed, closing the temporary grant of access; and
- a second memory coupled with the second set of one or more processors and configured to provide the second set of one or more processors with instructions.
Abstract
Securely granting access to a target system to a user is disclosed. A plurality of security policies is requested from a plurality of distributed policy systems. A plurality of security policies is obtained from the plurality of distributed policy systems. A temporary grant of access that is an aggregate of the plurality of security policies is granted. The temporary access grant is implemented for the user.
17 Claims
14. A method of securely granting access to a target system to a user comprising:
- transmitting, via a first set of one or more interfaces, one or more requests for a plurality of security policies from a plurality of distributed policy systems;
- receiving, via a second set of one or more interfaces, the requested plurality of security policies from the plurality of distributed policy systems;
- prioritizing the plurality of security policies;
- aggregating the plurality of security policies;
- detecting a multidimensional conflict among the plurality of security policies;
- resolving the conflict pursuant to the prioritized plurality of security policies;
- in response to detecting the conflict, determining a temporary grant of access;
- storing, using the policy aggregator module and the first set of one or more processors, the determined temporary grant of access in a data store;
- wherein the temporary grant of access includes an identity of a device to be accessed, an individual authorized to address a problem with the device, and a period of time during which the individual may access the device;
- implementing, using an enforcement module and a second set of one or more processors, the temporary access grant for a user; and
- detecting that the problem was addressed, and in response to determining that the problem was addressed, closing the temporary grant of access.
17. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- transmitting, via a first set of one or more interfaces, one or more requests for a plurality of security policies from a plurality of distributed policy systems;
- receiving, via a second set of one or more interfaces, the requested plurality of security policies from the plurality of distributed policy systems;
- prioritizing the plurality of security policies;
- aggregating the plurality of security policies;
- detecting a multidimensional conflict among the plurality of security policies;
- resolving the conflict pursuant to the prioritized plurality of security policies;
- in response to detecting the conflict, determining a temporary grant of access;
- wherein the temporary grant of access includes an identity of a device to be accessed, an individual authorized to address a problem with the device, and a period of time during which the individual may access the device;
- storing, using the policy aggregator module and the first set of one or more processors, the determined temporary grant of access in a data store;
- implementing, using an enforcement module and a second set of one or more processors, the temporary access grant for a user; and
- detecting that the problem was addressed, and in response to determining that the problem was addressed, closing the temporary grant of access.
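The flow the claims describe (collect policies from several distributed policy systems, prioritize them, detect a conflict that spans more than one dimension, resolve it by priority, store a device-, person- and time-bounded grant, then enforce it and close it once the problem is addressed), as an added Python example; this is illustrative code written for this page, not the patent's implementation, and the policy system names, priorities, device names, user and time values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Policy:
    source: str        # distributed policy system that returned it (assumed name)
    priority: int      # higher value wins a conflict
    device: str
    user: str
    allow: bool
    window: timedelta  # longest grant this policy permits
@dataclass
class TemporaryGrant:    # what the data store holds: device, individual, time window
    device: str
    user: str
    start: datetime
    end: datetime
    closed: bool = False

def aggregate(policies, now, store):
    """Prioritize, group by (device, user), flag groups that disagree on decision or
    duration, resolve each by priority and record grants in store; return conflicts."""
    groups = {}
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        groups.setdefault((p.device, p.user), []).append(p)
    conflicts = []
    for key, group in groups.items():
        if len({p.allow for p in group}) > 1 or len({p.window for p in group}) > 1:
            conflicts.append(key)          # two dimensions: decision and duration
        winner = group[0]                  # highest priority resolves the conflict
        if winner.allow:
            store[key] = TemporaryGrant(*key, now, now + winner.window)
    return conflicts

class Enforcer:
    """Enforcement module: honours a grant only inside its window and until closed."""
    def __init__(self, store): self.store = store
    def is_allowed(self, user, device, now):
        g = self.store.get((device, user))
        return g is not None and not g.closed and g.start <= now < g.end
    def problem_addressed(self, user, device):
        if (device, user) in self.store:
            self.store[(device, user)].closed = True   # close once the problem is fixed
# Constructed sample: two policy systems answer for one user and two devices.
SAMPLE = [Policy("corp-iam", 10, "plc-07", "alice", True, timedelta(hours=4)),
          Policy("site-ot", 20, "plc-07", "alice", True, timedelta(hours=1)),
          Policy("corp-iam", 10, "plc-09", "alice", True, timedelta(hours=4)),
          Policy("site-ot", 20, "plc-09", "alice", False, timedelta(0))]
T0 = datetime(2024, 1, 1, 9, 0)
def at(minutes): return T0 + timedelta(minutes=minutes)   # helper for the window check
```

For plc-07 both systems allow access but disagree on duration, so the higher-priority one-hour window wins; for plc-09 the higher-priority deny wins and no grant is stored.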