OPERATING LARGE SCALE SYSTEMS AND CLOUD SERVICES WITH ZERO-STANDING ELEVATED PERMISSIONS
First Claim
1. A method for providing large scale system operation, the method comprising:
- receiving an action request from a user;
- determining whether the user requires elevated permissions to perform the action request;
- in response to determining that the user requires elevated permissions to perform the action request, forwarding the action request to a lockbox; and
- receiving a permission response from the lockbox.
Abstract
Large scale system operation may be provided. Upon receiving an action request from a user, a determination may be made as to whether the user requires elevated permissions to perform the action request. In response to determining that the user requires elevated permissions to perform the action request, the action request may be forwarded to a lockbox for evaluation and a permission response may be received from the lockbox.
20 Claims
10. A system for providing large scale system operation, the system comprising:
- a memory storage; and
- a processing unit coupled to the memory storage, wherein the processing unit is operable to:
  - receive an action request requiring an elevated permission from a user;
  - determine whether the action request complies with at least one of a plurality of permission policies;
  - in response to determining that the action request complies with the at least one of the plurality of permission policies, grant the user an elevated permission to perform the requested action; and
  - in response to determining that the action request does not comply with the at least one of the plurality of permission policies, forward the action request to at least one approval user.
20. A computer-readable medium which stores a set of instructions which when executed performs a method for providing large scale system operation, the method executed by the set of instructions comprising:
- receiving an action request from a user, wherein the user is associated with at least one user group comprising basic access permissions to at least one software service and wherein the basic access permissions prohibit access to a plurality of user data associated with the at least one software service;
- determining whether the requested action requires an elevated permission;
- in response to determining that the requested action requires the elevated permission:
  - determining whether the action request complies with at least one of a plurality of permission policies associated with a lockbox service, wherein the plurality of permission policies comprise at least one of the following: a user group criterion, a security flag criterion, an action scope criterion, and a schedule criterion;
  - in response to determining that the action request does not comply with the at least one of a plurality of permission policies, forwarding the action request to at least one approval user;
  - in response to determining that the action request complies with the at least one of a plurality of permission policies, granting the elevated permission to the user for a limited duration, wherein the limited duration is defined by at least one of the following: the at least one permission policy, a configuration setting associated with the software service, and a configuration setting associated with the at least one user group;
  - performing the requested action; and
  - creating a log entry associated with the user and the requested action;
- periodically determining whether at least one second user currently granted at least one second elevated permission should have the at least one second elevated permission revoked;
- in response to determining that the at least one second user should have the at least one second elevated permission revoked, revoking the at least one second elevated permission;
- periodically determining whether at least one third user is no longer associated with the at least one software service;
- in response to determining that the at least one third user is no longer associated with the at least one software service, removing the at least one third user from the at least one user group; and
- providing an audit report comprising a plurality of log entries associated with a plurality of requested actions.
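As an added illustration (not the patent's own code nor any product's implementation), a Python sketch of the claim-20 lockbox flow: the four policy criteria, a time-limited grant, forwarding of non-compliant requests to approval users, log entries, the periodic revocation sweep and an audit report. The `Policy` shape, the constructed `ONCALL_POLICY` sample, and the reading of the security-flag criterion as a flag on the requester's account are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:
    groups: set          # user group criterion: requester must belong to one of these groups
    actions: set         # action scope criterion: the requested action must be in this set
    hours: tuple         # schedule criterion: (start_hour, end_hour) in UTC, end exclusive
    need_flag: bool      # security flag criterion (assumed): requester's account carries the flag
    duration: timedelta  # limited duration of the elevated permission

# Constructed sample policy: on-call users may read mailboxes 08:00-18:00 UTC, one hour per grant.
ONCALL_POLICY = Policy({"oncall"}, {"read-mailbox"}, (8, 18), True, timedelta(hours=1))

@dataclass
class Lockbox:
    policies: list
    basic_actions: set                           # permitted under basic access permissions
    grants: dict = field(default_factory=dict)   # user -> expiry time of the elevated grant
    pending: list = field(default_factory=list)  # requests forwarded to approval users
    log: list = field(default_factory=list)      # (time, user, action, outcome) log entries

    def request(self, user, groups, action, flagged, now):
        # Decision path of claim 20: basic action, policy-compliant grant, or forward for approval.
        outcome = "forwarded"
        if action in self.basic_actions:
            outcome = "basic"
        else:
            for p in self.policies:
                if (groups & p.groups and action in p.actions
                        and p.hours[0] <= now.hour < p.hours[1]
                        and (flagged or not p.need_flag)):
                    self.grants[user] = now + p.duration
                    outcome = "elevated"
                    break
            else:
                self.pending.append((user, action))
        self.log.append((now, user, action, outcome))
        return outcome

    def revoke_expired(self, now):
        # Periodic sweep: revoke grants whose limited duration has elapsed.
        expired = [u for u, exp in self.grants.items() if exp <= now]
        for u in expired:
            del self.grants[u]
            self.log.append((now, u, None, "revoked"))
        return expired

    def audit_report(self):
        return [f"{t.isoformat()} {u} {a} {o}" for t, u, a, o in self.log]
```

A request that fails any one criterion (wrong group, missing flag, out-of-scope action, outside the schedule) is queued for an approval user rather than silently granted, and every decision lands in the same log that feeds the audit report.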
Specification