Dynamic access policies

US 9,838,429 B1
Filed: 07/15/2014
Issued: 12/05/2017
Est. Priority Date: 10/05/2007
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a first set of one or more interfaces configured to transmit one or more requests for a plurality of security policies from a plurality of distributed policy systems;

a second set of one or more interfaces configured to receive the requested plurality of security policies from the plurality of distributed policy systems;

a policy aggregator module configured to, using a set of one or more processors;

prioritize the plurality of security policies;

aggregate the plurality of security policies;

detect a multidimensional conflict among the plurality of security policies;

resolve the conflict pursuant to the prioritized plurality of security policies;

in response to detecting the conflict, determine a temporary grant of access; and

store, in a data store, the determined temporary grant of access;

wherein the temporary grant of access includes an identity of a device to be accessed, an individual authorized to address a problem with the device, and a period of time during which the individual may access the device;

a first memory coupled with the first set of one or more processors and configured to provide the first set of one or more processors with instructions;

an enforcement module configured to, using a second set of one or more processors, implement the temporary access grant for a user;

the enforcement module being further configured to detect that the problem was addressed, and in response to determining that the problem was addressed, closing the temporary grant of access; and

a second memory coupled with the second set of one or more processors and configured to provide the second set of one or more processors with instructions.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securely granting access to a target system to a user is disclosed. A plurality of security policies is requested from a plurality of distributed policy systems. A plurality of security policies is obtained from the plurality of distributed policy systems. A temporary grant of access that is an aggregate of the plurality of security policies is granted. The temporary access grant is implemented for the user.

17 Citations

View as Search Results

17 Claims

1. A system, comprising:
- a first set of one or more interfaces configured to transmit one or more requests for a plurality of security policies from a plurality of distributed policy systems;
  
  a second set of one or more interfaces configured to receive the requested plurality of security policies from the plurality of distributed policy systems;
  
  a policy aggregator module configured to, using a set of one or more processors;
  
  prioritize the plurality of security policies;
  
  aggregate the plurality of security policies;
  
  detect a multidimensional conflict among the plurality of security policies;
  
  resolve the conflict pursuant to the prioritized plurality of security policies;
  
  in response to detecting the conflict, determine a temporary grant of access; and
  
  store, in a data store, the determined temporary grant of access;
  
  wherein the temporary grant of access includes an identity of a device to be accessed, an individual authorized to address a problem with the device, and a period of time during which the individual may access the device;
  
  a first memory coupled with the first set of one or more processors and configured to provide the first set of one or more processors with instructions;
  
  an enforcement module configured to, using a second set of one or more processors, implement the temporary access grant for a user;
  
  the enforcement module being further configured to detect that the problem was addressed, and in response to determining that the problem was addressed, closing the temporary grant of access; and
  
  a second memory coupled with the second set of one or more processors and configured to provide the second set of one or more processors with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1 wherein the plurality of distributed policy systems include an Active Directory system.
  - 3. The system of claim 1 wherein the plurality of distributed policy systems include an LDAP system.
  - 4. The system of claim 1 wherein the plurality of distributed policy systems include a change management system.
  - 5. The system of claim 1 wherein the plurality of distributed policy systems include a business service management system.
  - 6. The system of claim 1 wherein the plurality of security policies includes a user policy.
  - 7. The system of claim 1 wherein the plurality of security policies includes a device policy.
  - 8. The system of claim 1 wherein the plurality of security policies include a business policy.
  - 9. The system of claim 1 wherein the plurality of security policies is requested in response to the detection of a trigger action.
  - 10. The system of claim 9 wherein the trigger action includes the receipt of a user credential.
  - 11. The system of claim 10 wherein the user credential includes a password.
  - 12. The system of claim 10 wherein the user credential includes a user identifier.
  - 13. The system of claim 1 further comprising a third interface configured to contact an administrator.

14. A method of securely granting access to a target system to a user comprising:
- transmitting, via a first set of one or more interfaces, one or more requests for a plurality of security policies from a plurality of distributed policy systems;
  
  receiving, via a second set of one or more interfaces, the requested plurality of security policies from the plurality of distributed policy systems;
  
  prioritizing the plurality of security policies;
  
  aggregating the plurality of security policies;
  
  detecting a multidimensional conflict among the plurality of security policies;
  
  resolving the conflict pursuant to the prioritized plurality of security policies;
  
  in response to detecting the conflict, determining a temporary grant of access;
  
  storing, using the policy aggregator module and the first set of one or more processors, the determined temporary grant of access in a data store;
  
  wherein the temporary grant of access includes an identity of a device to be accessed, an individual authorized to address a problem with the device, and a period of time during which the individual may access the device;
  
  implementing, using an enforcement module and a second set of one or more processors, the temporary access grant for a user; and
  
  detecting that the problem was addressed, and in response to determining that the problem was addressed, closing the temporary grant of access.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14 wherein the plurality of security policies is requested in response to the detection of a trigger action.
  - 16. The method of claim 15 wherein the trigger action includes the elapse of an amount of time.

17. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- transmitting, via a first set of one or more interfaces, one or more requests for a plurality of security policies from a plurality of distributed policy systems;
  
  receiving, via a second set of one or more interfaces, the requested plurality of security policies from the plurality of distributed policy systems;
  
  prioritizing the plurality of security policies;
  
  aggregating the plurality of security policies;
  
  detecting a multidimensional conflict among the plurality of security policies;
  
  resolving the conflict pursuant to the prioritized plurality of security policies;
  
  in response to detecting the conflict, determining a temporary grant of access;
  
  wherein the temporary grant of access includes an identity of a device to be accessed, an individual authorized to address a problem with the device, and a period of time during which the individual may access the device;
  
  storing, using the policy aggregator module and the first set of one or more processors, the determined temporary grant of access in a data store;
  
  implementing, using an enforcement module and a second set of one or more processors, the temporary access grant for a user; and
  
  detecting that the problem was addressed, and in response to determining that the problem was addressed, closing the temporary grant of access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Cheung, David W., Van, David
Primary Examiner(s)
Sholeman, Abu

Application Number

US14/332,176
Time in Patent Office

1,239 Days
Field of Search

726 1, 726 22, 726 23, 726 24, 726 25, 726 26
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Dynamic access policies

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic access policies

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links