Temporary authorizations to access a computing system based on user skills

US 9,774,605 B2
Filed: 08/27/2015
Issued: 09/26/2017
Est. Priority Date: 09/01/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of controlling access to a computing system, the computer-implemented method comprising:

executing, by one or more processors in a distributed computing system, a background service to intercept requests to perform an operation on one or more servers of the distributed computing system, and to determine for each request, whether to grant or deny the request, wherein the service comprises;

intercepting, by the one or more processors, an escalation request for performing a protected activity on the computing system by a user not authorized to perform the protected activity, comprising;

assigning the escalation request to a selected activity category of a plurality of predefined activity categories, each activity category being associated with one or more activity properties, each activity property indicative of a protected operation to be executed for performing each protected activity belonging to the activity category and of at least one operation authorization required to execute the protected operation;

retrieving, by the one or more processors, at least one activity indicator, from a corresponding repository of a server of the one or more servers, being indicative of a skill required to perform the protected activity, comprising;

retrieving at least one property indicator for each activity property, each property indicator being indicative of one of a plurality of predefined skill types and of an activity level thereof required to execute the corresponding protected operation;

retrieving, by the one or more processors, at least one user indicator being indicative of skill possessed by the user, comprising;

retrieving said at least one user indicator, each one being indicative of one of the skill types and of a user level thereof possessed by the user;

retrieving at least one experience indicator being indicative of an experience type and of a possible experience degree thereof being gained by the user;

retrieving at least one experience property for each experience type of said at least one experience indicator, each experience property being indicative of one of the skill types that the experience type contributes to increase and of a skill coefficient measuring a unitary contribution thereto; and

calculating one user indicator of said at least one user indicator for each skill type of said at least one experience property, the one user indicator being calculated according to the skill coefficient of the experience property and to the possible experience degree of each corresponding experience indicator;

determining, by the one or more processors, an indication of a capability of the user to perform the protected activity according to a comparison between said at least one activity indicator and said at least one user indicator; and

granting or denying, by the one or more processors, to the user according to the capability thereof a temporary authorization for performing the protected activity, the temporary authorization lasting for a limited time window, the granting or denying the temporary authorization comprising;

granting said at least one operation authorization required to execute each protected operation of the selected activity category to the user for the limited time window.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Controlling access to a computing system. An escalation request is received for performing a protected activity on the computing system by a user not authorized to perform the protected activity. At least one activity indicator being indicative of a skill required to perform the protected activity is retrieved. At least one user indicator being indicative of the skill possessed by the user is retrieved. An indication of a capability of the user to perform the protected activity according to a comparison between the at least one activity indicator and the at least one user indicator is determined. A temporary authorization for performing the protected activity to the user according to the capability thereof is granted or denied. The temporary authorization lasts for a limited time window.

20 Citations

14 Claims

1. A computer-implemented method of controlling access to a computing system, the computer-implemented method comprising:
- executing, by one or more processors in a distributed computing system, a background service to intercept requests to perform an operation on one or more servers of the distributed computing system, and to determine for each request, whether to grant or deny the request, wherein the service comprises;
  
  intercepting, by the one or more processors, an escalation request for performing a protected activity on the computing system by a user not authorized to perform the protected activity, comprising;
  
  assigning the escalation request to a selected activity category of a plurality of predefined activity categories, each activity category being associated with one or more activity properties, each activity property indicative of a protected operation to be executed for performing each protected activity belonging to the activity category and of at least one operation authorization required to execute the protected operation;
  
  retrieving, by the one or more processors, at least one activity indicator, from a corresponding repository of a server of the one or more servers, being indicative of a skill required to perform the protected activity, comprising;
  
  retrieving at least one property indicator for each activity property, each property indicator being indicative of one of a plurality of predefined skill types and of an activity level thereof required to execute the corresponding protected operation;
  
  retrieving, by the one or more processors, at least one user indicator being indicative of skill possessed by the user, comprising;
  
  retrieving said at least one user indicator, each one being indicative of one of the skill types and of a user level thereof possessed by the user;
  
  retrieving at least one experience indicator being indicative of an experience type and of a possible experience degree thereof being gained by the user;
  
  retrieving at least one experience property for each experience type of said at least one experience indicator, each experience property being indicative of one of the skill types that the experience type contributes to increase and of a skill coefficient measuring a unitary contribution thereto; and
  
  calculating one user indicator of said at least one user indicator for each skill type of said at least one experience property, the one user indicator being calculated according to the skill coefficient of the experience property and to the possible experience degree of each corresponding experience indicator;
  
  determining, by the one or more processors, an indication of a capability of the user to perform the protected activity according to a comparison between said at least one activity indicator and said at least one user indicator; and
  
  granting or denying, by the one or more processors, to the user according to the capability thereof a temporary authorization for performing the protected activity, the temporary authorization lasting for a limited time window, the granting or denying the temporary authorization comprising;
  
  granting said at least one operation authorization required to execute each protected operation of the selected activity category to the user for the limited time window.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method according to claim 1, wherein said receiving the escalation request comprises:
    - retrieving at least one user authorization of the user; and
      
      discarding each activity property of the selected activity category having the corresponding at least one operation authorization comprised in said at least one user authorization.
  - 3. The computer-implemented method according to claim 1, further comprising in response to the granting of the temporary authorization:
    - receiving an execution exception being due to at least one missing authorization for performing the protected activity;
      
      granting said at least one missing authorization to the user for the limited time window; and
      
      adding a new activity property to the selected activity category for said at least one missing authorization.
  - 4. The computer-implemented method according to claim 1, further comprising in response to the granting of the temporary authorization:
    - monitoring the performing of the protected activity; and
      
      updating at least one skill indicator of the user according to the monitored performing of the protected activity.
  - 5. The computer-implemented method according to claim 4, wherein said monitoring the performing of the protected activity comprises performing at least one of:
    - registering each execution exception in performing the protected activity not being due to any missing authorization therefore;
      
      orregistering a duration of the performing of the protected activity.
  - 6. The computer-implemented method according to claim 1, further comprising in response to the denying of the temporary authorization:
    - determining at least one learning action required by the user to improve the skill thereof for reaching the skill required to perform the protected activity; and
      
      providing an indication of said at least one learning action to the user.

7. A computer system for controlling access to a computing system, the computer system comprising:
- a memory; and
  
  a processor in communication with the memory, wherein the computer system is configured to perform a method, said method comprising;
  
  executing, by one or more processors in a distributed computing system, a background service to intercept requests to perform an operation on one or more servers of the distributed computing system, and to determine for each request, whether to grant or deny the request, wherein the service comprises;
  
  intercepting, by the one or more processors, an escalation request for performing a protected activity on the computing system by a user not authorized to perform the protected activity, comprising;
  
  assigning the escalation request to a selected activity category of a plurality of predefined activity categories, each activity category being associated with one or more activity properties, each activity property indicative of a protected operation to be executed for performing each protected activity belonging to the activity category and of at least one operation authorization required to execute the protected operation;
  
  retrieving, by the one or more processors, at least one activity indicator, from a corresponding repository of a server of the one or more servers, being indicative of a skill required to perform the protected activity, comprising;
  
  retrieving at least one property indicator for each activity property, each property indicator being indicative of one of a plurality of predefined skill types and of an activity level thereof required to execute the corresponding protected operation;
  
  retrieving, by the one or more processors, at least one user indicator being indicative of skill possessed by the user, comprising;
  
  retrieving said at least one user indicator, each one being indicative of one of the skill types and of a user level thereof possessed by the user;
  
  retrieving at least one experience indicator being indicative of an experience type and of a possible experience degree thereof being gained by the user;
  
  retrieving at least one experience property for each experience type of said at least one experience indicator, each experience property being indicative of one of the skill types that the experience type contributes to increase and of a skill coefficient measuring a unitary contribution thereto; and
  
  calculating one user indicator of said at least one user indicator for each skill type of said at least one experience property, the one user indicator being calculated according to the skill coefficient of the experience property and to the possible experience degree of each corresponding experience indicator;
  
  determining, by the one or more processors, an indication of a capability of the user to perform the protected activity according to a comparison between said at least one activity indicator and said at least one user indicator; and
  
  granting or denying, by the one or more processors, to the user according to the capability thereof a temporary authorization for performing the protected activity, the temporary authorization lasting for a limited time window, the granting or denying the temporary authorization comprising;
  
  granting said at least one operation authorization required to execute each protected operation of the selected activity category to the user for the limited time window.
- View Dependent Claims (8, 9, 10)
- - 8. The computer system according to claim 7, wherein said receiving the escalation request comprises:
    - retrieving at least one user authorization of the user; and
      
      discarding each activity property of the selected activity category having the corresponding at least one operation authorization comprised in said at least one user authorization.
  - 9. The computer system according to claim 7, wherein the method further comprises in response to the granting of the temporary authorization:
    - monitoring the performing of the protected activity; and
      
      updating at least one skill indicator of the user according to the monitored performing of the protected activity.
  - 10. The computer system according to claim 7, wherein the method further comprises in response to the denying of the temporary authorization:
    - determining at least one learning action required by the user to improve the skill thereof for reaching the skill required to perform the protected activity; and
      
      providing an indication of said at least one learning action to the user.

11. A computer program product for controlling access to a computing system, the computer program product comprising:
- a non-transitory computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  executing, by one or more processors in a distributed computing system, a background service to intercept requests to perform an operation on one or more servers of the distributed computing system, and to determine for each request, whether to grant or deny the request, wherein the service comprises;
  
  intercepting, by the one or more processors, an escalation request for performing a protected activity on the computing system by a user not authorized to perform the protected activity, comprising;
  
  assigning the escalation request to a selected activity category of a plurality of predefined activity categories, each activity category being associated with one or more activity properties, each activity property indicative of a protected operation to be executed for performing each protected activity belonging to the activity category and of at least one operation authorization required to execute the protected operation;
  
  retrieving, by the one or more processors, at least one activity indicator, from a corresponding repository of a server of the one or more servers, being indicative of a skill required to perform the protected activity, comprising;
  
  retrieving at least one property indicator for each activity property, each property indicator being indicative of one of a plurality of predefined skill types and of an activity level thereof required to execute the corresponding protected operation;
  
  retrieving, by the one or more processors, at least one user indicator being indicative of skill possessed by the user, comprising;
  
  retrieving said at least one user indicator, each one being indicative of one of the skill types and of a user level thereof possessed by the user;
  
  retrieving at least one experience indicator being indicative of an experience type and of a possible experience degree thereof being gained by the user;
  
  retrieving at least one experience property for each experience type of said at least one experience indicator, each experience property being indicative of one of the skill types that the experience type contributes to increase and of a skill coefficient measuring a unitary contribution thereto; and
  
  calculating one user indicator of said at least one user indicator for each skill type of said at least one experience property, the one user indicator being calculated according to the skill coefficient of the experience property and to the possible experience degree of each corresponding experience indicator;
  
  determining, by the one or more processors, an indication of a capability of the user to perform the protected activity according to a comparison between said at least one activity indicator and said at least one user indicator; and
  
  granting or denying, by the one or more processors, to the user according to the capability thereof a temporary authorization for performing the protected activity, the temporary authorization lasting for a limited time window, the granting or denying the temporary authorization comprising;
  
  granting said at least one operation authorization required to execute each protected operation of the selected activity category to the user for the limited time window.
- View Dependent Claims (12, 13, 14)
- - 12. The computer program product according to claim 11, wherein said receiving the escalation request comprises:
    - retrieving at least one user authorization of the user; and
      
      discarding each activity property of the selected activity category having the corresponding at least one operation authorization comprised in said at least one user authorization.
  - 13. The computer program product according to claim 11, wherein the method further comprises in response to the granting of the temporary authorization:
    - monitoring the performing of the protected activity; and
      
      updating at least one skill indicator of the user according to the monitored performing of the protected activity.
  - 14. The computer program product according to claim 11, wherein the method further comprises in response to the denying of the temporary authorization:
    - determining at least one learning action required by the user to improve the skill thereof for reaching the skill required to perform the protected activity; and
      
      providing an indication of said at least one learning action to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Della Corte, Gianluca, Donatelli, Alessandro, Sgro, Antonio M.
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Lakhia, Viral

Application Number

US14/837,365
Publication Number

US 20160065585A1
Time in Patent Office

761 Days
Field of Search

726 4- 7, 705 54, 718100
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

Temporary authorizations to access a computing system based on user skills

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Temporary authorizations to access a computing system based on user skills

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links