A user associated with a user device may request access, such as administrator-level access or the like, to a target device. The target device may utilize an administrator-level credential, such as an administrator password, an administrator identifier, an administrator public key certificate, or the like, for access control.
The following detailed description of example implementations refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements.
An administrator for a target device may utilize an administrator-level credential, such as a password, a user identifier, or the like, for gaining administrator-level access to the target device. A user of a user device, such as a troubleshooting engineer, an escalation engineer, or the like, may utilize access (e.g., administrator-level access) to the target device to perform maintenance, to adjust a configuration, to perform troubleshooting, or the like. However, the administrator may not desire to expose the administrator-level credential to the user of the user device. Implementations described herein may facilitate establishing a connection granting administrator-level access for a target device, to a user of a user device, without exposing an administrator-level credential to the user and/or the user device.
As further shown in
As shown in
In this way, an approval device may provide a user temporary access to a target device without exposing an administrator-level credential associated with the target device.
User device 210 may include one or more devices capable of receiving, generating, processing, storing, and/or providing information associated with access to target device 240. For example, user device 210 may include a computer (e.g., a desktop computer, a laptop computer, a tablet computer, etc.), a mobile phone (e.g., a smart phone), a radiotelephone, a personal communications systems (PCS) terminal (e.g., that may combine a cellular radiotelephone with data processing and data communications capabilities), a personal digital assistant (PDA) (e.g., that may include a radiotelephone, a pager, Internet/intranet access, etc.), or a similar type of device. In some implementations, user device 210 may be associated with a particular location (e.g., identified by a network address, a location identifier, or the like). In some implementations, user device 210 may communicate with approval device 220 and/or target device 240 via network 250.
Approval device 220 may include one or more devices capable of receiving, generating, processing, storing, and/or providing information associated with establishing a connection between user device 210 and target device 240. For example, approval device 220 may include a computer (e.g., a desktop computer, a laptop computer, a tablet computer, etc.), a server, or a similar type of device capable of processing a credential, such as a user-level credential, an administrator-level credential, or the like, and establishing the connection using the credential. In some implementations, approval device 220 may be associated with a terminal device (e.g., a computer) for receiving user input (e.g., user input associated with a supervisory authority, such as a supervisory user, an administrator, or the like).
Credential storage device 230 may include one or more devices capable of receiving, generating, processing, storing, and/or providing credential information associated with validating an access request. For example, credential storage device 230 may include a server, a storage device, or another similar device with access to information associated with user device 210, a user associated with user device 210, target device 240, or the like. In some implementations, credential storage device 230 may include a credential store (e.g., a set of data structures, such as a user credential data structure, a server access data structure, or the like) associated with providing information validating that a user is authorized to request a particular level of access, information indicating that a supervisory authority is to be utilized for approving the particular level of access, or the like. In some implementations, credential storage device 230 may communicate with approval device 220 via network 250.
Target device 240 may include one or more devices capable of receiving, generating, processing, storing, and/or providing information via a connection. For example, target device 240 may include a server (e.g., a terminal server, a domain server, etc.), a computer (e.g., a desktop computer, a laptop computer, a tablet computer, etc.), a load balancer, a network device (e.g., a router, a gateway, a base station, etc.), or a similar type of device capable of having the connection (e.g., an administrator-level access connection) established with user device 210. In some implementations, target device 240 may be associated with a set of geographic restrictions (e.g., a set of geographic locations between which the connection may be established). In some implementations, target device 240 may be associated with an issue tracking system identifier, such as a trouble ticket identifier, a bug tracking system identifier, a request management identifier, or the like. For example, when an error is detected regarding a functionality of target device 240, a particular trouble ticket identifier may be issued to indicate that approval device 220 is permitted to provide a user (e.g., associated with user device 210) access to target device 240 to restore the functionality of target device 240.
Network 250 may include one or more wired and/or wireless networks. For example, network 250 may include a cellular network (e.g., a long term evolution (LTE) network, a code division multiple access (CDMA) network, etc.), a public land mobile network (PLMN), a Wi-Fi network, a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a telephone network (e.g., the Public Switched Telephone Network (PSTN)), an ad hoc network, an intranet, the Internet, a fiber optic-based network, and/or a combination of these or other types of networks.
The number of devices and networks shown in
Bus 310 may include a path that permits communication among the components of device 300. Processor 320 may include a processor (e.g., a central processing unit, a graphics processing unit, an accelerated processing unit), a microprocessor, and/or any processing component (e.g., a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), etc.) that interprets and/or executes instructions. Memory 330 may include a random access memory (RAM), a read only memory (ROM), and/or another type of dynamic or static storage device (e.g., a flash, magnetic, or optical memory) that stores information and/or instructions for use by processor 320.
Input component 340 may include a component that permits a user to input information to device 300 (e.g., a touch screen display, a keyboard, a keypad, a mouse, a button, a switch, etc.). Output component 350 may include a component that outputs information from device 300 (e.g., a display, a speaker, one or more light-emitting diodes (LEDs), etc.).
Communication interface 360 may include a transceiver-like component, such as a transceiver and/or a separate receiver and transmitter, that enables device 300 to communicate with other devices, such as via a wired connection, a wireless connection, or a combination of wired and wireless connections. For example, communication interface 360 may include an Ethernet interface, an optical interface, a coaxial interface, an infrared interface, a radio frequency (RF) interface, a universal serial bus (USB) interface, a Wi-Fi interface, a cellular network interface, or the like.
Device 300 may perform one or more processes described herein. Device 300 may perform these processes in response to processor 320 executing software instructions included in a computer-readable medium, such as memory 330. A computer-readable medium is defined herein as a non-transitory memory device. A memory device includes memory space within a single physical storage device or memory space spread across multiple physical storage devices.
Software instructions may be read into memory 330 from another computer-readable medium or from another device via communication interface 360. When executed, software instructions stored in memory 330 may cause processor 320 to perform one or more processes described herein. Additionally, or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software.
The number of components shown in
As shown in
Access may be associated with a particular hierarchy of levels of access (e.g., a user-level access may include a particular set of actions that may be performed, a manager-level access may include the particular set of actions of the user-level access and another set of actions that may be performed, an administrator-level access may include the particular set of actions of the manager-level access and yet another set of actions that may be performed, etc.). For example, the user may utilize a user-level access to view a set of data structures associated with target device 240. Additionally, or alternatively, the user may utilize a manager-level access to view the set of data structures and/or add a new data structure to the set of data structures. Additionally, or alternatively, the user may utilize an administrator-level access to view the set of data structures, add a new data structure to the set of data structures, and/or modify file contents of the set of data structures. Although the levels of access are described in terms of a user-level, a manager-level, and/or an administrator-level, other levels of access different from, or including the user-level, the manager-level, and/or the administrator-level may be utilized.
In some implementations, approval device 220 may receive the access request via a particular interface. For example, a user associated with user device 210 may utilize the particular interface (e.g., a system application interface, a web browser interface, a web application interface, etc.) to transmit the access request to approval device 220. In some implementations, approval device 220 may provide information associated with configuring the particular interface for user device 210. For example, approval device 220 may provide information indicating information that is to be provided when transmitting the access request, such as identity information, location information, or the like.
In some implementations, approval device 220 may receive identification information from user device 210 when receiving the access request. For example, user device 210 may provide information identifying the user (e.g., a user name identifier, a user account identifier, etc.), a user credential (e.g., a user qualification for requesting access, such as an operational role identifier, a user password, a user security clearance identifier, etc.), a user location (e.g., a country identifier, a city identifier, a facility identifier, a network identifier, a device identifier associated with user device 210, etc.), or the like.
In some implementations, approval device 220 may receive the access request based on generation of a trouble ticket. A trouble ticket may refer to an issue tracking system indication of an error associated with target device 240. For example, a particular user utilizing target device 240 may detect the error associated with target device 240, and may request a trouble ticket be generated to identify maintenance associated with rectifying the error. In this case, the trouble ticket may be provided to another particular user (e.g., a maintenance engineer, an escalation engineer, or the like) associated with user device 210, and approval device 220 may receive the access request to provide the particular user with administrator-level access for rectifying the error.
As further shown in
In some implementations, approval device 220 may validate the access request based on determining that user device 210 is associated with a particular user level. For example, when approval device 220 determines that a threshold user level (e.g., associated with a hierarchical set of operational roles) is required for access (e.g., administrator-level access), approval device 220 may validate the access request based on determining that the user level associated with user device 210 satisfies the threshold.
Additionally, or alternatively, approval device 220 may validate the access request based on determining that user device 210 is associated with a particular location for access. For example, when approval device 220 determines that target device 240 may provide access to users associated with one or more geographic locations, approval device 220 may validate the access request based on determining that the location associated with user device 210 is one of the one or more geographic locations.
As further shown in
As further shown in
As further shown in
Approval device 220 may approve the access request based on receiving approval for the access request from a supervisory authority, in some implementations. A supervisory authority may refer to a supervising user authorized to approve a particular access request. For example, approval device 220 may provide information associated with the access request, such as information identifying user device 210, information identifying a user associated with user device 210, information identifying a location associated with user device 210, justification information provided by user device 210, or the like, to the supervisory authority (e.g., via a terminal console, via an email message, etc.). In this case, approval device 220 may approve the request based on receiving a response from the supervisory authority. In some implementations, the response from the supervisory authority may include connection limitation information, such as time limitation information (e.g., information associated with a quantity of time for which the connection is to be established), access limitation information (e.g., information associated with determining a subset of systems associated with target device 240 for which access is to be approved, such as a subset of data structures, a subset of storage devices, a subset of processors, etc.), or the like. Additionally, or alternatively, the response from the supervisory authority may include a particular credential (e.g., an administrator-level credential) for configuring a connection facilitating access to target device 240.
As further shown in
Approval device 220 may configure a connection termination when configuring the connection, in some implementations. For example, approval device 220 may establish one or more parameters associated with terminating the connection, such as a time parameter (e.g., a threshold quantity of time after which the connection is to be severed), a disconnect parameter (e.g., a threshold quantity of disconnects after which the connection is to be severed), or the like. In some implementations, approval device 220 may determine the one or more parameters associated with terminating the connection based on receiving information from the supervisory authority. For example, the supervisory authority may provide information to approval device 220 indicating that the connection is to be provided for a particular quantity of time.
As further shown in
Approval device 220 may provide forensic information when providing information associated with the connection, in some implementations. For example, approval device 220 may generate forensic information, such as authorization information (e.g., user identification information, user location information, etc.), justification information (e.g., trouble ticket identification information, etc.), supervisory authority information (e.g., supervisory user identification information, etc.), connection information (e.g., connection type information, connection duration information, etc.), or the like, and may provide the forensic information for quality control, for storage, or the like.
In this way, an approval device may provide, to a user device, administrator-level access to a target device without exposing an administrator-level credential to the user device.
Although
As shown in
As shown in
As shown in
As shown in
As indicated above,
Implementations described herein may assist an approval device in granting a particular level of access to a user without revealing, to the user, a credential associated with the particular level of access.
The foregoing disclosure provides illustration and description, but is not intended to be exhaustive or to limit the implementations to the precise form disclosed. Modifications and variations are possible in light of the above disclosure or may be acquired from practice of the implementations.
As used herein, the term component is intended to be broadly construed as hardware, firmware, or a combination of hardware and software.
Some implementations are described herein in conjunction with thresholds. As used herein, satisfying a threshold may refer to a value being greater than the threshold, more than the threshold, higher than the threshold, greater than or equal to the threshold, less than the threshold, fewer than the threshold, lower than the threshold, less than or equal to the threshold, equal to the threshold, etc.
It will be apparent that systems and/or methods, as described herein, may be implemented in many different forms of software, firmware, and hardware in the implementations illustrated in the figures. The actual software code or specialized control hardware used to implement these systems and/or methods is not limiting of the implementations. Thus, the operation and behavior of the systems and/or methods were described without reference to the specific software code—it being understood that software and hardware can be designed to implement the systems and/or methods based on the description herein.
To the extent the aforementioned implementations collect, store, or employ personal information provided by individuals, it should be understood that such information shall be used in accordance with all applicable laws concerning protection of personal information. Storage and use of personal information may be in an appropriately secure manner reflective of the type of information, for example, through various encryption and anonymization techniques for particularly sensitive information.
Even though particular combinations of features are recited in the claims and/or disclosed in the specification, these combinations are not intended to limit the disclosure of possible implementations. In fact, many of these features may be combined in ways not specifically recited in the claims and/or disclosed in the specification. Although each dependent claim listed below may directly depend on only one claim, the disclosure of possible implementations includes each dependent claim in combination with every other claim in the claim set.
No element, act, or instruction used herein should be construed as critical or essential unless explicitly described as such. Also, as used herein, the articles “a” and “an” are intended to include one or more items, and may be used interchangeably with “one or more.” Furthermore, as used herein, the term “set” is intended to include one or more items, and may be used interchangeably with “one or more.” Where only one item is intended, the term “one” or similar language is used. Also, as used herein, the terms “has,” “have,” “having,” or the like are intended to be open-ended terms. Further, the phrase “based on” is intended to mean “based, at least in part, on” unless explicitly stated otherwise.