Role-based access control using dynamically shared cloud accounts

US 9,571,479 B1
Filed: 03/31/2014
Issued: 02/14/2017
Est. Priority Date: 05/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a server computer system within a network of an organization, a request from a user to access a cloud account, wherein the request comprises a user identifier of the user;

authenticating, at the server computer system, the user for access to the cloud account based on the user identifier;

identifying one or more predetermined roles associated with the cloud account for the user;

identifying one or more pseudo accounts associated with the cloud account, the pseudo accounts to define one or more slots associated with the one or more predetermined roles for the cloud account, wherein access privileges to the cloud account correspond to the one or more pseudo accounts;

mapping the user to the one or more pseudo accounts, wherein the mapping comprises matching the one or more predetermined roles for the user with the one or more pseudo accounts; and

providing the user access to the cloud account based on the mapping and with the access privileges corresponding to the one or more pseudo accounts.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server computer system within a network of an organization receives a request from a user to access a cloud account. The request includes a user identifier. The server computer system authenticates the user for access to the cloud account based on the user identifier, identifies one or more predetermined roles associated with the cloud account for the user, and identifies one or more pseudo accounts associated with the cloud account. The server computer system further maps the user to the one or more pseudo accounts, and provides user access to the cloud account based on the mapping and with access privileges corresponding to the one or more pseudo accounts.

29 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, at a server computer system within a network of an organization, a request from a user to access a cloud account, wherein the request comprises a user identifier of the user;
  
  authenticating, at the server computer system, the user for access to the cloud account based on the user identifier;
  
  identifying one or more predetermined roles associated with the cloud account for the user;
  
  identifying one or more pseudo accounts associated with the cloud account, the pseudo accounts to define one or more slots associated with the one or more predetermined roles for the cloud account, wherein access privileges to the cloud account correspond to the one or more pseudo accounts;
  
  mapping the user to the one or more pseudo accounts, wherein the mapping comprises matching the one or more predetermined roles for the user with the one or more pseudo accounts; and
  
  providing the user access to the cloud account based on the mapping and with the access privileges corresponding to the one or more pseudo accounts.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the cloud account is a shared Software-as-a-Service (SaaS) account.
  - 3. The method of claim 1, wherein the user identifier further comprises a user password.
  - 4. The method of claim 1, wherein authenticating the user further comprises providing a single sign-on access to at least the cloud account, wherein the single sign-on access uses the user identifier.
  - 5. The method of claim 1, wherein mapping the user to the one or more pseudo accounts comprises a dynamic mapping, wherein the dynamic mapping comprises performing an action in the event the one or more pseudo accounts are unavailable.
  - 6. The method of claim 5, wherein the action comprises at least one of notifying the user of the unavailability of the one or more pseudo accounts;
    - halting the mapping action;
      
      or determining availability of one or more other pseudo accounts of equal or lesser access privileges and mapping the user to the one or more other pseudo accounts.
  - 7. The method of claim 1, further comprising:
    - receiving, at the server computer system, an additional request for access to another cloud account, wherein the request comprises the user identifier;
      
      authenticating, at the server computer system, the user for access to the other cloud account based on a single sign-on access to the other cloud account;
      
      identifying one or more predetermined roles associated with the other cloud account for the user;
      
      identifying one or more pseudo accounts associated with the other cloud account, wherein access privileges to the other cloud account correspond to the one or more pseudo accounts;
      
      mapping the user to the one or more pseudo accounts, wherein the mapping comprises matching the one or more predetermined roles associated with the other cloud account for the user with one or more pseudo accounts associated with the other cloud account; and
      
      providing the user access to the cloud account based on the mapping and with the access privileges to the other cloud account corresponding to the one or more pseudo accounts associated with the other cloud account.

8. A system comprising:
- a memory; and
  
  a processor coupled to the memory to;
  
  receive a request from a user to access a cloud account, wherein the request comprises a user identifier of the user;
  
  authenticate the user for access to the cloud account based on the identifier;
  
  identify one or more predetermined roles associated with the cloud account for the user;
  
  identify one or more pseudo accounts associated with the cloud account, the pseudo accounts to define one or more slots associated with the one or more predetermined roles for the cloud account, wherein access privileges to the cloud account correspond to the one or more pseudo accounts;
  
  map the user to the one or more pseudo accounts, wherein the mapping comprises matching the one or more predetermined roles for the user with the one or more pseudo accounts; and
  
  provide the user access to the cloud account based on the mapping and with the access privileges corresponding to the one or more pseudo accounts.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the cloud account is a shared Software-as-a-Service (SaaS) account.
  - 10. The system of claim 8, wherein the user identifier further comprises a user password.
  - 11. The system of claim 8, wherein to authenticate the user the processor further to provide a single sign-on access to at least the cloud account, wherein the single sign-on access uses the user identifier.
  - 12. The system of claim 8, wherein to map the user to the one or more pseudo accounts further comprises a dynamic mapping, wherein the dynamic mapping the processor further to perform an action in the event the one or more pseudo accounts are unavailable.
  - 13. The system of claim 12, wherein to perform the action, the processor is to perform at least one of notify the user of the unavailability of the one or more pseudo accounts;
    - halt the mapping action;
      
      or determine availability of one or more other pseudo accounts of equal or lesser access privileges and map the user to the one or more other pseudo accounts.
  - 14. The system of claim 8, the processor further to:
    - receive, at the server computer system, an additional request for access to another cloud account, wherein the request comprises the user identifier;
      
      authenticate, at the server computer system, the user for access to the other cloud account based on a single sign-on access to the other cloud account;
      
      identify one or more predetermined roles associated with the other cloud account for the user;
      
      identify one or more pseudo accounts associated with the other cloud account, wherein access privileges to the other cloud account correspond to the one or more pseudo accounts;
      
      map the user to the one or more pseudo accounts, wherein the mapping comprises matching the one or more predetermined roles associated with the other cloud account for the user with one or more pseudo accounts associated with the other cloud account; and
      
      provide the user access to the cloud account based on the mapping and with the access privileges to the other cloud account corresponding to the one or more pseudo accounts associated with the other cloud account.

15. A non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform a method comprising:
- receiving, at a server computer system within a network of an organization, a request from a user to access a cloud account, wherein the request comprises a user identifier of the user;
  
  authenticating, at the server computer system, the user for access to the cloud account based on the identifier;
  
  identifying one or more predetermined roles associated with the cloud account for the user;
  
  identifying one or more pseudo accounts associated with the cloud account, the pseudo accounts to define one or more slots associated with the one or more predetermined roles for the cloud account, wherein access privileges to the cloud account correspond to the one or more pseudo accounts;
  
  mapping the user to the one or more pseudo accounts, wherein the mapping comprises matching the one or more predetermined roles for the user with the one or more pseudo accounts; and
  
  providing the user access to the cloud account based on the mapping and with the access privileges corresponding to the one or more pseudo accounts.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage medium of claim 15, wherein the cloud account is a shared Software-as-a-Service (SaaS) account.
  - 17. The non-transitory computer readable storage medium of claim 15, wherein the user identifier further comprises a user password.
  - 18. The non-transitory computer readable storage medium of claim 15, wherein authenticating the user further comprises providing a single sign-on access to at least the cloud account, wherein the single sign-on access uses the user identifier.
  - 19. The non-transitory computer readable storage medium of claim 15, wherein mapping the user to the one or more pseudo accounts comprises a dynamic mapping, wherein the dynamic mapping comprises performing an action in the event the one or more pseudo accounts are unavailable.
  - 20. The non-transitory computer readable storage medium of claim 19, wherein the action comprises at least one of notifying the user of the unavailability of the one or more pseudo accounts;
    - halting the mapping action;
      
      or determining availability of one or more other pseudo accounts of equal or lesser access privileges and mapping the user to the one or more other pseudo accounts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sundaram, Sharada, Sawhney, Sanjay, Koeten, Robert
Primary Examiner(s)
Jacobs, Lashonda

Application Number

US14/231,617
Time in Patent Office

1,051 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/00   Information retrieval; Data...

G06F 21/00   Security arrangements for p...

G06F 21/50   Monitoring users, programs ...

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 9/5061   Partitioning or combining o...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 67/10   in which an application is ...

H04L 9/32   including means for verifyi...

Role-based access control using dynamically shared cloud accounts

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Role-based access control using dynamically shared cloud accounts

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links