Privileged account plug-in framework—usage policies

US 9,787,657 B2
Filed: 03/20/2014
Issued: 10/10/2017
Est. Priority Date: 09/19/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a memory storing computer-executable instructions;

a privileged access management module that provides a privileged access management service configured with a plug-in framework for accessing secure network resources; and

a processor that accesses the memory and executes the computer-executable instructions to at least;

receive, from an entity associated with the secure network resources, plug-in code for implementing runtime privileges;

generate instructions for implementing the runtime privileges based at least in part on the received plug-in code;

receive, from a first user, a log-in request to start a session including at least first authentication information, the log-in request corresponding to the privileged access management service;

provide access to at least one secure network resource of the secure network resources through the session when the first user is authenticated with respect to the privileged access management service;

receive, from a computing device of the user, a request to perform an action associated with the at least one secure network resource within the session;

implement the plug-in framework to determine, based at least in part on the runtime privileges and a runtime factor, whether the first user is allowed to perform the action during the session; and

perform the action during the session for the first user if it is determined that the first user is allowed to perform the action and if a second user is authenticated and logged in with the privileged access management service during the session, the first user given access to the at least one secure network resource during the session only if the second user is authenticated and logged in with the privileged access management service during the session, the first user being different from the second user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for managing privileged accounts via a privileged access management service are provided. In some examples, the service may be configured with a plug-in framework for accessing secure resources. In some aspects, a log-in request that includes authentication information and corresponds to the service may be received. Session access to at least one secure resource may be provided when a user is authenticated. In some examples, a request to perform an action associated with the secure resource may be received during the session. Additionally, in some examples, the plug-in framework may be implemented to determine whether the user is allowed to perform the action. Further, performance of the action may be allowed or denied during the session based on the determination.

88 Citations

View as Search Results

17 Claims

1. A system, comprising:
- a memory storing computer-executable instructions;
  
  a privileged access management module that provides a privileged access management service configured with a plug-in framework for accessing secure network resources; and
  
  a processor that accesses the memory and executes the computer-executable instructions to at least;
  
  receive, from an entity associated with the secure network resources, plug-in code for implementing runtime privileges;
  
  generate instructions for implementing the runtime privileges based at least in part on the received plug-in code;
  
  receive, from a first user, a log-in request to start a session including at least first authentication information, the log-in request corresponding to the privileged access management service;
  
  provide access to at least one secure network resource of the secure network resources through the session when the first user is authenticated with respect to the privileged access management service;
  
  receive, from a computing device of the user, a request to perform an action associated with the at least one secure network resource within the session;
  
  implement the plug-in framework to determine, based at least in part on the runtime privileges and a runtime factor, whether the first user is allowed to perform the action during the session; and
  
  perform the action during the session for the first user if it is determined that the first user is allowed to perform the action and if a second user is authenticated and logged in with the privileged access management service during the session, the first user given access to the at least one secure network resource during the session only if the second user is authenticated and logged in with the privileged access management service during the session, the first user being different from the second user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the runtime factor is associated with the first user or the at least one secure network resource.
  - 3. The system of claim 2, wherein the runtime factor comprises at least one of a time, a locality, a client, a number of requests, a privilege granted to the first user, or another factor.
  - 4. The system of claim 1, wherein the at least one secure network resource is a privileged account of the privileged access management service.
  - 5. The system of claim 1, wherein the privileged access management service is implemented by a first virtual machine and the plug-in framework is implemented by a second virtual machine, the first virtual machine and the second virtual machine being different virtual machines.
  - 6. The system of claim 5, wherein the second virtual machine is sandboxed and separated from the first virtual machine.
  - 7. The system of claim 5, wherein the plug-in framework is implemented to determine whether the first user is allowed to perform the action by executing instructions to at least:
    - transmit the request to perform the action to the second virtual machine;
      
      configure the second virtual machine to execute the plug-in code;
      
      receive, from the second virtual machine, a result of executing the plug-in code; and
      
      process, utilizing the first virtual machine, the result to perform the action within the session if it is determined, by the plug-in code, that the first user is allowed to perform the action.

8. A non-transitory computer-readable storage memory storing a plurality of instructions executed by one or more processors to :
- manage a privileged access management service configured with a plug-in framework for accessing secure network resources;
  
  receive, from an entity associated with the secure network resources, plug-in code for implementing runtime privileges;
  
  receive, from a first user, a log-in request to start a session including at least first authentication information, the log-in request corresponding to the privileged access management service;
  
  provide access to at least one secure network resource of the secure network resources through the session when the first user is authenticated with respect to the privileged access management service;
  
  receive, from a computing device of the first user, a request to perform an action associated with the at least one secure network resource within the session;
  
  implement the plug-in framework to determine, based at least in part on the runtime privileges and a runtime factor, whether the first user is allowed to perform the action during the session; and
  
  perform the action during the session for the first user if it is determined that the first user is allowed to perform the action and if a second user is authenticated and logged in with the privileged access management service during the session, the first user given access to the at least one secure network resource during the session only if the second user is authenticated and logged in with the privileged access management service during the session, the first user being different from the second user.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The non-transitory computer-readable storage memory of claim 8, wherein the runtime factor includes at least one of a time, a locality, a client, a number of requests, or a privilege granted to the first user.
  - 10. The non-transitory computer-readable storage memory of claim 8, wherein the privileged access management service is implemented by a first virtual machine and the plug-in framework is implemented by a second virtual machine, the first virtual machine and the second virtual machine being different virtual machines.
  - 11. The non-transitory computer-readable storage memory of claim 10, wherein the second virtual machine is sandboxed and separated from the first virtual machine.
  - 12. The non-transitory computer-readable storage memory of claim 10, wherein the plug-in framework is implemented to determine whether the first user is allowed to perform the action by further implementing the plurality of instructions to:
    - transmit the request to perform the action to the second virtual machine;
      
      instruct the second virtual machine to execute the plug-in code;
      
      receive, from the second virtual machine, a result of executing the plug-in code; and
      
      process the result to perform the action if it is determined, by the plug-in code, that the user is allowed to perform the action.

13. A computer-implemented method, comprising:
- managing, by a computer system, a privileged access management service configured with a plug-in framework for accessing secure network resources;
  
  receiving, from a first user, a log-in request to start a session including at least first authentication information, the log-in request corresponding to the privileged access management service;
  
  providing session access corresponding to the session to at least one secure network resource of the secure network resources when the first user is authenticated with respect to the privileged access management service;
  
  receiving while in the session, from a computing device of the first user, a request to perform an action associated with the at least one secure network resource;
  
  implementing the plug-in framework to determine, based at least in part on the runtime privileges and a runtime factor, whether the first user is allowed to perform the action; and
  
  denying performance of the action during the session if it is determined that the first user is not allowed to perform the action or if a second user that was authenticated and logged in with the privileged access management service during the session logs out of the privileged access management service, the first user given access to the at least one secure network resource only if the second user is authenticated and logged in with the privileged access management service during the session, the first user being different from the second user.

14. The computer-implemented method of 13, wherein the runtime factor includes at least one of a time, a locality, a client, a number of requests, or a privilege granted to the first user.

15. The computer-implemented method of 13, wherein the privileged access management service is implemented by a first virtual machine and the plug-in framework is implemented by a second virtual machine, the first virtual machine and the second virtual machine being different virtual machines.
- View Dependent Claims (16, 17)
- - 16. The computer-implemented method of claim 15, wherein the second virtual machine is sandboxed and separated from the first virtual machine.
  - 17. The computer-implemented method of claim 15, wherein the plug-in framework is implemented to determine whether the first user is allowed to perform the action by:
    - transmitting the request to perform the action to the second virtual machine;
      
      instructing the second virtual machine to execute the plug-in code;
      
      receiving, from the second virtual machine, a result of executing the plug-in code; and
      
      processing, during the session, the result to deny performance the action if it is determined, by the plug-in code, that the first user is not allowed to perform the action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Kottahachchi, Buddhika, Sharma, Himanshu, Sathyanarayan, Ramaprakash Hosalli, Ho, Fannie, Theebaprakasam, Arun, Tirumalai, Srikant Krishnapuram, Stullich, Olaf
Primary Examiner(s)
CHOUDHURY, AZIZUL Q

Application Number

US14/221,217
Publication Number

US 20150082373A1
Time in Patent Office

1,300 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/604   Tools and structures for ma...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 67/562   Brokering proxy services

Privileged account plug-in framework—usage policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

88 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Privileged account plug-in framework—usage policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links