OPERATING LARGE SCALE SYSTEMS AND CLOUD SERVICES WITH ZERO-STANDING ELEVATED PERMISSIONS

US 20160364576A1
Filed: 08/25/2016
Published: 12/15/2016
Est. Priority Date: 03/06/2012
Status: Active Application

First Claim

Patent Images

1. A method for providing large scale system operation, the method comprising:

receiving an action request from a user;

determining whether the user requires elevated permissions to perform the action request;

in response to determining that the user requires elevated permissions to perform the action request, forwarding the action request to a lockbox; and

receiving a permission response from the lockbox.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Large scale system operation may be provided. Upon receiving an action request from a user, a determination may be made as to whether the user requires elevated permissions to perform the action request. In response to determining that the user requires elevated permissions to perform the action request, the action request may be forwarded to a lockbox for evaluation and a permission response may be received from the lockbox.

31 Citations

View as Search Results

20 Claims

1. A method for providing large scale system operation, the method comprising:
- receiving an action request from a user;
  
  determining whether the user requires elevated permissions to perform the action request;
  
  in response to determining that the user requires elevated permissions to perform the action request, forwarding the action request to a lockbox; and
  
  receiving a permission response from the lockbox.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - determining whether the permission response comprises an approval; and
      
      in response to determining that the permission response comprises the approval, granting the user temporary elevated permission to perform the requested action.
  - 3. The method of claim 2, further comprising:
    - determining, by the lockbox, whether the action request complies with at least one policy; and
      
      in response to determining that the action request complies with the at least one policy, providing the permission response comprising the approval.
  - 4. The method of claim 3, further comprising:
    - in response to determining that the action request does not comply with the at least one policy, forwarding the action request to at least one approval user.
  - 5. The method of claim 3, wherein the at least one policy comprises one of a plurality of pre-defined permission elevation policies.
  - 6. The method of claim 3, wherein the at least one policy comprises a user role evaluation rule.
  - 7. The method of claim 3, wherein the at least one policy comprises a permission elevation expiration rule.
  - 8. The method of claim 3, wherein the at least one policy comprises an action request denial rule.
  - 9. The method of claim 2, further comprising:
    - determining whether a pre-configured interval has elapsed since receiving the permission response from the lockbox; and
      
      in response to determining that the pre-configured interval has elapsed since receiving the permission response from the lockbox, revoking the temporary elevated permission from the user.

10. A system for providing large scale system operation, the system comprising:
- a memory storage; and
  
  a processing unit coupled to the memory storage, wherein the processing unit is operable to;
  
  receive an action request requiring an elevated permission from a user;
  
  determine whether the action request complies with at least one of a plurality of permission policies;
  
  in response to determining that the action request complies with the at least one of the plurality of permission policies, grant the user an elevated permission to perform the requested action; and
  
  in response to determining that the action request does not comply with the at least one of the plurality of permission policies, forward the action request to at least one approval user.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The system of claim 10, wherein the processing unit is further operative to:
    - determine whether at least one of a plurality of users currently granted elevated permissions should have the granted elevated permissions revoked; and
      
      in response to determining that the at least one of the plurality of users currently granted elevated permissions should have the granted elevated permissions revoked, revoke the elevated permissions.
  - 12. The system of claim 11, wherein the processing unit is further operative to determine whether the at least one of the plurality of users currently granted elevated permissions should have the granted elevated permissions revoked on at least one of the following:
    - a configurable time interval, a pre-defined interval, and upon a manual request.
  - 13. The system of claim 10, wherein the at least one of the plurality of permission policies determines whether the user is associated with a security flag.
  - 14. The system of claim 10, wherein the at least one of the plurality of permission policies determines whether the user belongs to a specific user group.
  - 15. The system of claim 14, wherein the specific user group comprises at least one of the following:
    - an administrator group, a security clearance group, an on-call group, and an onsite group.
  - 16. The system of claim 10, wherein the processing unit is further operative to create a log entry comprising the user, the action request, and the granted elevated permissions.
  - 17. The system of claim 16, wherein the processing unit is further operative to create at least one second log entry associated with at least one second action request received from the user while the user is associated with the granted elevated permissions.
  - 18. The system of claim 17, wherein the processing unit is further operative to provide an audit report comprising a plurality of log entries.
  - 19. The system of claim 10, wherein the elevated permission comprises a set of permissions associated with a task.

20. A computer-readable medium which stores a set of instructions which when executed performs a method for providing large scale system operation, the method executed by the set of instructions comprising:
- receiving an action request from a user, wherein the user is associated with at least one user group comprising basic access permissions to at least one software service and wherein the basic access permissions prohibit access to a plurality of user data associated with the at least one software service;
  
  determining whether the requested action requires an elevated permission;
  
  in response to determining that the requested action requires the elevated permission;
  
  determining whether the action request complies with at least one of a plurality of permission policies associated with a lockbox service, wherein the plurality of permission policies comprise at least one of the following;
  
  a user group criterion, a security flag criterion, an action scope criterion, and a schedule criterion,in response to determining that the action request does not comply with the at least one of a plurality of permission policies, forwarding the action request to at least one approval user,in response to determining that the action request complies with the at least one of a plurality of permission policies, granting the elevated permission to the user for a limited duration, wherein the limited duration is defined by at least one of the following;
  
  the at least one permission policy, a configuration setting associated with the software service, and a configuration setting associated with the at least one user group,performing the requested action, andcreating a log entry associated with the user and the requested action;
  
  periodically determining whether at least one second user currently granted at least one second elevated permission should have the at least one second elevated permission revoked;
  
  in response to determining that the at least one second user should have the at least one second elevated permission revoked, revoking the at least one second elevated permission;
  
  periodically determining whether at least one third user is no longer associated with the at least one software service;
  
  in response to determining that the at least one third user is no longer associated with the at least one software service, removing the at least one third user from the at least one user group; and
  
  providing an audit report comprising a plurality of log entries associated with a plurality of requested actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
MacLeod, Alexander, Lukyanov, Andrey, Nash, Colin, Singh, Jaskaran, Rajagopalan, Rajmohan, Sharma, Vivek

Application Number

US15/247,105
Publication Number

US 20160364576A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06Q 10/06   Resources, workflows, human...

OPERATING LARGE SCALE SYSTEMS AND CLOUD SERVICES WITH ZERO-STANDING ELEVATED PERMISSIONS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

OPERATING LARGE SCALE SYSTEMS AND CLOUD SERVICES WITH ZERO-STANDING ELEVATED PERMISSIONS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others