US2016364576A1PendingUtilityA1
Operating large scale systems and cloud services with zero-standing elevated permissions
Assignee: MICROSOFT TECHNOLOGY LICENSING LLCPriority: Mar 6, 2012Filed: Aug 25, 2016Published: Dec 15, 2016
Est. expiryMar 6, 2032(~5.6 yrs left)· nominal 20-yr term from priority
G06F 21/604G06Q 10/06G06F 21/6218
49
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
Large scale system operation may be provided. Upon receiving an action request from a user, a determination may be made as to whether the user requires elevated permissions to perform the action request. In response to determining that the user requires elevated permissions to perform the action request, the action request may be forwarded to a lockbox for evaluation and a permission response may be received from the lockbox.
Claims
exact text as granted — not AI-modifiedWe claim:
1 . A method for providing large scale system operation, the method comprising:
receiving an action request from a user; determining whether the user requires elevated permissions to perform the action request; in response to determining that the user requires elevated permissions to perform the action request, forwarding the action request to a lockbox; and receiving a permission response from the lockbox.
2 . The method of claim 1 , further comprising:
determining whether the permission response comprises an approval; and in response to determining that the permission response comprises the approval, granting the user temporary elevated permission to perform the requested action.
3 . The method of claim 2 , further comprising:
determining, by the lockbox, whether the action request complies with at least one policy; and in response to determining that the action request complies with the at least one policy, providing the permission response comprising the approval.
4 . The method of claim 3 , further comprising:
in response to determining that the action request does not comply with the at least one policy, forwarding the action request to at least one approval user.
5 . The method of claim 3 , wherein the at least one policy comprises one of a plurality of pre-defined permission elevation policies.
6 . The method of claim 3 , wherein the at least one policy comprises a user role evaluation rule.
7 . The method of claim 3 , wherein the at least one policy comprises a permission elevation expiration rule.
8 . The method of claim 3 , wherein the at least one policy comprises an action request denial rule.
9 . The method of claim 2 , further comprising:
determining whether a pre-configured interval has elapsed since receiving the permission response from the lockbox; and in response to determining that the pre-configured interval has elapsed since receiving the permission response from the lockbox, revoking the temporary elevated permission from the user.
10 . A system for providing large scale system operation, the system comprising:
a memory storage; and a processing unit coupled to the memory storage, wherein the processing unit is operable to:
receive an action request requiring an elevated permission from a user;
determine whether the action request complies with at least one of a plurality of permission policies;
in response to determining that the action request complies with the at least one of the plurality of permission policies, grant the user an elevated permission to perform the requested action; and
in response to determining that the action request does not comply with the at least one of the plurality of permission policies, forward the action request to at least one approval user.
11 . The system of claim 10 , wherein the processing unit is further operative to:
determine whether at least one of a plurality of users currently granted elevated permissions should have the granted elevated permissions revoked; and in response to determining that the at least one of the plurality of users currently granted elevated permissions should have the granted elevated permissions revoked, revoke the elevated permissions.
12 . The system of claim 11 , wherein the processing unit is further operative to determine whether the at least one of the plurality of users currently granted elevated permissions should have the granted elevated permissions revoked on at least one of the following: a configurable time interval, a pre-defined interval, and upon a manual request.
13 . The system of claim 10 , wherein the at least one of the plurality of permission policies determines whether the user is associated with a security flag.
14 . The system of claim 10 , wherein the at least one of the plurality of permission policies determines whether the user belongs to a specific user group.
15 . The system of claim 14 , wherein the specific user group comprises at least one of the following: an administrator group, a security clearance group, an on-call group, and an onsite group.
16 . The system of claim 10 , wherein the processing unit is further operative to create a log entry comprising the user, the action request, and the granted elevated permissions.
17 . The system of claim 16 , wherein the processing unit is further operative to create at least one second log entry associated with at least one second action request received from the user while the user is associated with the granted elevated permissions.
18 . The system of claim 17 , wherein the processing unit is further operative to provide an audit report comprising a plurality of log entries.
19 . The system of claim 10 , wherein the elevated permission comprises a set of permissions associated with a task.
20 . A computer-readable medium which stores a set of instructions which when executed performs a method for providing large scale system operation, the method executed by the set of instructions comprising:
receiving an action request from a user, wherein the user is associated with at least one user group comprising basic access permissions to at least one software service and wherein the basic access permissions prohibit access to a plurality of user data associated with the at least one software service; determining whether the requested action requires an elevated permission; in response to determining that the requested action requires the elevated permission:
determining whether the action request complies with at least one of a plurality of permission policies associated with a lockbox service, wherein the plurality of permission policies comprise at least one of the following: a user group criterion, a security flag criterion, an action scope criterion, and a schedule criterion,
in response to determining that the action request does not comply with the at least one of a plurality of permission policies, forwarding the action request to at least one approval user,
in response to determining that the action request complies with the at least one of a plurality of permission policies, granting the elevated permission to the user for a limited duration, wherein the limited duration is defined by at least one of the following: the at least one permission policy, a configuration setting associated with the software service, and a configuration setting associated with the at least one user group,
performing the requested action, and
creating a log entry associated with the user and the requested action;
periodically determining whether at least one second user currently granted at least one second elevated permission should have the at least one second elevated permission revoked; in response to determining that the at least one second user should have the at least one second elevated permission revoked, revoking the at least one second elevated permission; periodically determining whether at least one third user is no longer associated with the at least one software service; in response to determining that the at least one third user is no longer associated with the at least one software service, removing the at least one third user from the at least one user group; and providing an audit report comprising a plurality of log entries associated with a plurality of requested actions.Join the waitlist — get patent alerts
Track US2016364576A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.