Operating large scale systems and cloud services with zero-standing elevated permissions

US 9,460,303 B2
Filed: 03/06/2012
Issued: 10/04/2016
Est. Priority Date: 03/06/2012
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a computing device for providing large scale system operation, the method comprising:

receiving an action request from a user;

determining, by the computing device, whether the user requires elevated permissions to perform the action request;

in response to determining that the user requires elevated permissions to perform the action request, forwarding the action request to a lockbox; and

receiving a permission response from the lockbox, wherein receiving the permission response from the lockbox comprises;

determining, by the lockbox, a current role and a requested role of the user;

determining whether elevation to the requested role from the current role complies with at least one of a plurality of policies associated with the lockbox;

wherein the at least one of the plurality of policies determines whether the user belongs to a specific user group;

wherein the specific user group comprises at least one of;

an administrator group, a security clearance group, an on-call group, and an onsite group; and

wherein determining whether the elevation complies with the at least one of the plurality of policies comprises checking an action request scope evaluation rule to determine whether the action request violates a privacy policy; and

providing, in response to determining that the elevation to the requested role complies with the at least one of the plurality of policies and that the action request does not violate the privacy policy, the permission response, wherein providing the permission response further comprises stamping an attribute in a user object with an expiry time of the granted elevated permissions; and

determining, by the computing device at a configurable interval, whether any of the granted elevated permissions should be revoked, andrevoking at least one of the granted elevated permissions based on the determination of at least one of the following;

the user is no longer associated with an organization, expiration of the expiry time, and inactivity for a predetermined length of time.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Large scale system operation may be provided. Upon receiving an action request from a user, a determination may be made as to whether the user requires elevated permissions to perform the action request. In response to determining that the user requires elevated permissions to perform the action request, the action request may be forwarded to a lockbox for evaluation and a permission response may be received from the lockbox.

180 Citations

20 Claims

1. A method implemented by a computing device for providing large scale system operation, the method comprising:
- receiving an action request from a user;
  
  determining, by the computing device, whether the user requires elevated permissions to perform the action request;
  
  in response to determining that the user requires elevated permissions to perform the action request, forwarding the action request to a lockbox; and
  
  receiving a permission response from the lockbox, wherein receiving the permission response from the lockbox comprises;
  
  determining, by the lockbox, a current role and a requested role of the user;
  
  determining whether elevation to the requested role from the current role complies with at least one of a plurality of policies associated with the lockbox;
  
  wherein the at least one of the plurality of policies determines whether the user belongs to a specific user group;
  
  wherein the specific user group comprises at least one of;
  
  an administrator group, a security clearance group, an on-call group, and an onsite group; and
  
  wherein determining whether the elevation complies with the at least one of the plurality of policies comprises checking an action request scope evaluation rule to determine whether the action request violates a privacy policy; and
  
  providing, in response to determining that the elevation to the requested role complies with the at least one of the plurality of policies and that the action request does not violate the privacy policy, the permission response, wherein providing the permission response further comprises stamping an attribute in a user object with an expiry time of the granted elevated permissions; and
  
  determining, by the computing device at a configurable interval, whether any of the granted elevated permissions should be revoked, andrevoking at least one of the granted elevated permissions based on the determination of at least one of the following;
  
  the user is no longer associated with an organization, expiration of the expiry time, and inactivity for a predetermined length of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - determining whether the permission response comprises an approval; and
      
      in response to determining that the permission response comprises the approval, granting the user temporary elevated permission to perform the action request.
  - 3. The method of claim 2, further comprising:
    - determining whether a pre-configured interval has elapsed since receiving the permission response from the lockbox; and
      
      in response to determining that the pre-configured interval has elapsed since receiving the permission response from the lockbox, revoking the temporary elevated permission from the user.
  - 4. The method of claim 1, further comprising:
    - in response to determining that the action request complies with the at least one of the plurality of policies, providing the permission response comprising an approval.
  - 5. The method of claim 1, further comprising:
    - in response to determining that the action request does not comply with the at least one of the plurality of policies, forwarding the action request to at least one approval user.
  - 6. The method of claim 1, wherein the at least one of the plurality of policies comprises one of a plurality of pre-defined permission elevation policies.
  - 7. The method of claim 1, wherein the at least one of the plurality of policies comprises a user role evaluation rule.
  - 8. The method of claim 1, wherein the at least one of the plurality of policies comprises a permission elevation expiration rule.
  - 9. The method of claim 1, wherein the at least one of the plurality of policies comprises an action request denial rule.
  - 10. The method of claim 1, further comprising:
    - checking a user group membership rule, wherein checking the user group membership rule comprises determining whether the user is an on-site operator or an off-site operator andchecking a security flag rule, wherein checking the security flag rule comprises determining whether the user has undergone a security clearance.

11. A system for providing large scale system operation, the system comprising:
- a memory storage; and
  
  a processing unit coupled to the memory storage, wherein the processing unit is operable to;
  
  receive an action request requiring an elevated permission from a user;
  
  communicate with a lockbox, wherein the lockbox segregates duties associated with a action request;
  
  determine whether the action request complies with at least one of a plurality of permission policies, wherein at least one of the plurality of permission policies determines whether the user is associated with a security flag, the determining comprising the processing unit operable to;
  
  determine a current role and a requested role of the user, andevaluate whether elevation from the current role to the requested role complies with the at least one of the plurality of permission policies by checking at least an action request scope evaluation rule to determine whether the action request violates a privacy policy;
  
  in response to determining that the action request complies with the at least one of the plurality of permission policies, grant the user an elevated permission to perform a requested action for a temporary period and stamp an attribute in a user object with an expiry time marking an end of the temporary period;
  
  when the granted elevated permission to perform the requested action grants the user access to user data;
  
  log the user'"'"'s activity associated with the action request in at least one log entry,receive a request to modify the at least one log entry,deny the request to modify the at least one log entry,log the denial of the request to modify the at least one log entry, anddetermine, at a configurable interval, whether any of the granted elevated permissions should be revoked, andrevoke at least one of the granted elevated permissions based on the determination of at least one of the following;
  
  the user is no longer associated with an organization, expiration of the expiry time, and inactivity for a predetermined length of time.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the configurable time interval comprises a pre-define interval upon a manual request.
  - 13. The system of claim 11, wherein the at least one of the plurality of permission policies determines whether the user belongs to a specific user group.
  - 14. The system of claim 13, wherein the specific user group comprises at least one of the following:
    - an administrator group, a security clearance group, an on-call group, and an onsite group.
  - 15. The system of claim 11, wherein the processing unit is further operative to create a log entry comprising the user, the action request, and the granted elevated permissions.
  - 16. The system of claim 15, wherein the processing unit is further operative to create at least one second log entry associated with at least one second action request received from the user while the user is associated with the granted elevated permissions.
  - 17. The system of claim 16, wherein the processing unit is further operative to provide an audit report comprising a plurality of log entries.
  - 18. The system of claim 11, wherein the elevated permission comprises a set of permissions associated with a task.
  - 19. The system of claim 11, wherein the at least one of the plurality of permissions policies comprises a permission elevation expiration rule defining the expiry time.

20. A computer-readable storage device which stores a set of instructions which when executed performs a method for providing large scale system operation, the method executed by the set of instructions comprising:
- receiving an action request from a user, wherein the user is associated with at least one user group comprising basic access permissions to at least one software service, and wherein the basic access permissions prohibit access to a plurality of user data associated with the at least one software service;
  
  determining whether the action request requires an elevated permission;
  
  in response to determining that the action request requires the elevated permission;
  
  providing a lockbox, wherein the lockbox segregates duties associated with the requested action,determining whether the action request complies with at least one of a plurality of permission policies associated with a lockbox service, wherein the plurality of permission policies comprise at least one of the following;
  
  a user group criterion, a security flag criterion, an action scope criterion, and a schedule criterion, and wherein determining whether the action request complies with at least one of the plurality of permission policies comprises;
  
  determining a current role and a requested role of the user; and
  
  determining whether elevation from the current role to the requested role complies with the plurality of permission policies by checking at least the action request scope criterion to determine whether the action request violates a privacy policy;
  
  in response to determining that the action request complies with the at least one of a plurality of permission policies, granting the elevated permission to the user for a limited duration, wherein the limited duration is defined by at least one of the following;
  
  the at least one permission policy, a configuration setting associated with the software service, and a configuration setting associated with the at least one user group, wherein granting the elevated permission for the limited duration further comprises stamping an attribute in a user object with an expiry time marking an end of the limited duration;
  
  permitting the user to perform the requested action; and
  
  creating a log entry associated with the user and the requested action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
MacLeod, Alexander, Lukyanov, Andrey, Nash, Colin, Singh, Jaskaran, Rajagopalan, Rajmohan, Sharma, Vivek
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US13/413,078
Publication Number

US 20130239166A1
Time in Patent Office

1,673 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06Q 10/06   Resources, workflows, human...

Operating large scale systems and cloud services with zero-standing elevated permissions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

180 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Operating large scale systems and cloud services with zero-standing elevated permissions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

180 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links