System and method for using policies to support session recording for user account management in a computing environment

US 9,167,047 B1
Filed: 09/24/2014
Issued: 10/20/2015
Est. Priority Date: 09/24/2014
Status: Active Grant

First Claim

Patent Images

1. A method for supporting privileged account management in a computing environment comprising a privileged account manager server and a target system wherein a plurality of users share access to a privileged account on the target system, the method comprising:

providing a privileged account manager operating on the privileged account manager server;

providing a recording agent operating on the target system;

configuring one or more recording policies, using the privileged account manager, wherein said one or more recording policies operates to define detailed information on how user activities on the target system should be recorded;

wherein configuring said one or more recording policies is performed using behavior analytics information that indicates when a suspicious command is input based on past user activities;

receiving at the privileged account manager a request to access said privileged account on the target system from a particular user of the plurality of users which share access to a privileged account on the target system;

providing said particular user with one-time access to a privileged account session for said privileged account on the target system in response to said request wherein said one-time access is terminated when said privileged account session is ended;

detecting establishment of said privileged account session for said privileged account on the target system with the recording agent;

providing said one or more recording policies from the privileged account manager to the recording agent on the target system in response to detecting establishment of said privileged account session;

capturing with the recording agent a plurality of user session screens associated with said privileged account session to create a visual session record of activities of the particular user during the privileged account session on the target system in accordance with said one or more recording policies; and

transmitting the visual session record from the recording agent to the privileged account manager.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method can support user account management in a computing environment. A user account manager can configure one or more recording policies, wherein said one or more recording policies operates to define detailed information on how user activities on a target system should be recorded. Furthermore, the user account manager can provide said one or more recording policies to one or more visual session recording processes associated with the target system. Then, the user account manager can use said one or more visual session recording processes to record activities in a user session on the target system based on said one or more recording policies.

38 Citations

View as Search Results

26 Claims

1. A method for supporting privileged account management in a computing environment comprising a privileged account manager server and a target system wherein a plurality of users share access to a privileged account on the target system, the method comprising:
- providing a privileged account manager operating on the privileged account manager server;
  
  providing a recording agent operating on the target system;
  
  configuring one or more recording policies, using the privileged account manager, wherein said one or more recording policies operates to define detailed information on how user activities on the target system should be recorded;
  
  wherein configuring said one or more recording policies is performed using behavior analytics information that indicates when a suspicious command is input based on past user activities;
  
  receiving at the privileged account manager a request to access said privileged account on the target system from a particular user of the plurality of users which share access to a privileged account on the target system;
  
  providing said particular user with one-time access to a privileged account session for said privileged account on the target system in response to said request wherein said one-time access is terminated when said privileged account session is ended;
  
  detecting establishment of said privileged account session for said privileged account on the target system with the recording agent;
  
  providing said one or more recording policies from the privileged account manager to the recording agent on the target system in response to detecting establishment of said privileged account session;
  
  capturing with the recording agent a plurality of user session screens associated with said privileged account session to create a visual session record of activities of the particular user during the privileged account session on the target system in accordance with said one or more recording policies; and
  
  transmitting the visual session record from the recording agent to the privileged account manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein said recording agent on the target system uses a secure channel to communicate with the privileged account manager.
  - 3. The method according to claim 1, wherein said one or more recording policies to include at least one of a system recorded policy and an administrator configured policy.
  - 4. The method according to claim 1, further comprising:
    - requesting, via said recording agent, an update for said one or more recording policies from the privileged account manager in response to said detecting establishment of said privileged account session.
  - 5. The method according to claim 1, wherein said one or more recording policies to specify one or more included applications, and wherein said recording agent performs steps comprising:
    - starting capturing the plurality of user session screens when at least one of the included applications is running on said target system in said privileged account session; and
      
      pausing from capturing the plurality of user session screens when none of the included applications is running on said target system in said privileged account session.
  - 6. The method according to claim 1, further wherein said one or more recording policies to specify one or more excluded applications, and wherein said recording agent performs steps comprising:
    - avoiding recording session content associated with said one or more excluded applications.
  - 7. The method according to claim 1, further wherein said one or more recording policies to specify one or more constraints, and wherein said recording agent performs steps comprising:
    - avoiding recording session content if said one or more constraints are not satisfied.
  - 8. The method according to claim 1, further wherein said one or more recording policies to specify one or more users and groups, and wherein said recording agent performs steps comprising:
    - recording session content based on an individual accessing of said privileged account by said one or more users and groups.
  - 9. The method according to claim 1, wherein:
    - said capturing with the recording agent the plurality of user session screens associated with said privileged account session comprises capturing the plurality of user session screens at a predetermined interval as defined by the one or more recording policies.
  - 10. The method according to claim 9, wherein:
    - said capturing with the recording agent the plurality of user session screens associated with said privileged account session comprises capturing the plurality of user session screens using a dynamic frame rate supported by said one or more recording policies.
  - 11. The method according to claim 9, wherein:
    - said capturing with the recording agent a plurality of user session screens associated with said privileged account session to create a visual session record of activities of the particular user comprises encoding the plurality of recorded user session screens into a video, wherein the video is associated with a searchable metadata and is stored in a database associated with the privileged account manager server.
  - 12. The method according to claim 11, further comprising:
    - allowing an administrator to replay the video stored in the database for monitoring said privileged account session.

13. A system for supporting privileged account management in a computing environment, the system comprising:
- a privileged account manager server comprising one or more microprocessors;
  
  a target system comprising one or more microprocessors;
  
  a privileged account on the target system wherein the privileged account is shared by a plurality of users;
  
  a recording agent associated with the target system;
  
  a privileged account manager, running on said privileged account manager server, wherein said privileged account manager is configured toconfigure one or more recording policies, wherein said one or more recording policies define detailed information on how user activities on the target system should be recorded, and wherein said one or more policies are configured using behavior analytics information that indicates when a suspicious command is input based on past user activities,receive a request to access said privileged account on the target system from a particular user of the plurality of users which share access to a privileged account on the target system,provide said particular user with one-time access to a privileged account session for said privileged account on the target system in response to said request wherein said one-time access is terminated when said privileged account session is ended, andprovide said one or more recording policies to said recording agent associated with the target system; and
  
  wherein said recording agent is configured todetect establishment of said privileged account session for said privileged account on the target system,receive said one or more recording policies from the privileged account manager in response to detecting establishment of said privileged account session,capture a plurality of user session screens associated with said privileged account session to create a visual session record of activities of the particular user during the privileged account session on the target system in accordance with said one or more recording policies, andtransmit the visual session record from the recording agent to the privileged account manager.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The system according to claim 13, wherein said recording agent comprises at least one of an agent on the target system which use a secure channel to communicate with the user account manager and a proxy server.
  - 15. The system according to claim 13, wherein:
    - said one or more recording policies includes at least one of a system recorded policy and an administrator configured policy.
  - 16. The system according to claim 13, wherein:
    - said recording agent is configured to request an update for said one or more recording policies from the privileged account manager in response to detecting establishment of said privileged account session for said privileged account on the target system.
  - 17. The system according to claim 13, wherein:
    - said one or more recording policies specify one or more included applications, and wherein said recording agent is configured to start capturing the plurality of user session screens associated with said privileged account session when at least one of the included applications specified in said one or more recording policies is running, and pause from capturing the plurality of user session screens associated with said privileged account session when none of the included applications specified in said one or more recording policies is running.
  - 18. The system according to claim 13, wherein:
    - said one or more recording policies specify one or more excluded applications, and wherein said recording agent is configured to avoid recording session content that is associated with said one or more excluded applications.
  - 19. The system according to claim 13, wherein:
    - said one or more recording policies specify one or more constraints, and wherein said recording agent is configured to avoid recording session content if said one or more constraints specified in said one or more recording policies are not satisfied.
  - 20. The system according to claim 13, wherein:
    - said one or more recording policies specify one or more users and groups, and wherein said recording agent is configured to record session content based on an individual accessing of a shared account by said one or more users and groups specified in said one or more recording policies.
  - 21. The system according to claim 13, wherein:
    - said recording agent is configured to capture the plurality of user session screens at a predetermined interval as defined by the one or more recording policies.
  - 22. The system according to claim 13, wherein:
    - said recording agent is configured to capture the plurality of user session screens at a dynamic frame rate as specified in said one or more recording policies.
  - 23. The system according to claim 21, wherein:
    - said recording agent is configured to encode the plurality of captured user session screens into a video, wherein the video is associated with a searchable metadata and is stored in a database associated with the privileged account manager server; and
      
      wherein the privileged account manager is configured to replay the video stored in the database to an administrator for monitoring said privileged account session.

24. A non-transitory machine readable storage medium having instructions stored thereon for supporting privileged account management in a computing environment comprising a privileged account manager server and a target system wherein a plurality of users share access to a privileged account on the target system, which instructions, when executed cause the computing environment to perform steps comprising:
- providing a privileged account manager operating on the privileged account manager server;
  
  providing a recording agent operating on the target system;
  
  configuring one or more recording policies, using the privileged account manager, wherein said one or more recording policies operates to define detailed information on how user activities on the target system should be recorded;
  
  wherein configuring said one or more recording policies is performed using behavior analytics information that indicates when a suspicious command is input based on past user activities;
  
  receiving at the privileged account manager a request to access said privileged account on the target system from a particular user of the plurality of users which share access to a privileged account on the target system;
  
  providing said particular user with one-time access to a privileged account session for said privileged account on the target system in response to said request wherein said one-time access is terminated when said privileged account session is ended;
  
  detecting establishment of said privileged account session for said privileged account on the target system with the recording agent;
  
  providing said one or more recording policies from the privileged account manager to the recording agent on the target system in response to detecting establishment of said privileged account session;
  
  capturing with the recording agent a plurality of user session screens associated with said privileged account session to create a visual session record of activities of the particular user during the privileged account session on the target system in accordance with said one or more recording policies; and
  
  transmitting the visual session record from the recording agent to the privileged account manager.

25. A method for supporting privileged account management in a computing environment comprising a privileged account manager server and a target system wherein a plurality of users share access to a privileged account on the target system, the method comprising:
- providing a privileged account manager operating on the privileged account manager server;
  
  providing a recording agent associated with the target system;
  
  configuring one or more recording policies, using the privileged account manager, wherein said one or more recording policies operates to define detailed information on how user activities on the target system should be recorded;
  
  wherein configuring said one or more recording policies is performed using behavior analytics information that indicates when a suspicious command is input based on past user activities;
  
  receiving at the privileged account manager a request to access said privileged account on the target system from a particular user of the plurality of users which share access to a privileged account on the target system;
  
  providing said particular user with one-time access to a privileged account session for said privileged account on the target system in response to said request wherein said one-time access is terminated when said privileged account session is ended;
  
  detecting establishment of said privileged account session for said privileged account on the target system with the recording agent;
  
  providing said one or more recording policies from the privileged account manager to the recording agent on the target system in response to detecting establishment of said privileged account session;
  
  capturing with the recording agent a plurality of user session screens associated with said privileged account session to create a visual session record of activities of the particular user during the privileged account session on the target system in accordance with said one or more recording policies;
  
  encoding the plurality of recorded user session screens into a video associated with a searchable metadata; and
  
  storing the video in a database associated with the privileged account manager server.
- View Dependent Claims (26)
- - 26. The method according to claim 25, further comprising:
    - using a pull model to provide one or more updates for said one or more recording policies to said recording agent from the privileged account manager; and
      
      using a push model to provide an update for said one or more recording policies to said recording agent from the privileged account manager, when said one or more visual session recording processes are initially deployed and after said recording agent has been in a dormant status.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sharma, Himanshu, Srinivasan, Sudhir Kumar, Sathyanarayan, Ramaprakash, Shih, Kuang-Yu, Ho, Fannie, Stullich, Olaf, Theebaprakasam, Arun Samipillaipudur, Mao, Zhuoxing
Primary Examiner(s)
DAILEY, THOMAS J

Application Number

US14/494,732
Time in Patent Office

391 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/5054   Automatic deployment of ser...

H04L 43/04   Processing captured monitor...

H04L 43/14   using software, i.e. softwa...

H04L 67/14   Session management for real...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

System and method for using policies to support session recording for user account management in a computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for using policies to support session recording for user account management in a computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links