SYSTEM, METHOD, AND COMPUTER-READABLE MEDIUM FOR JUST IN TIME ACCESS THROUGH DYNAMIC GROUP MEMBERSHIPS

Abstract
A system, method, and computer-readable medium for enabling a user account in a network system are provided.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

Aspects of the present disclosure are best understood from the following detailed description when read with the accompanying figures, in which:

FIG. 1 is a diagrammatic representation of a network system in which embodiments disclosed herein may be implemented;

FIG. 2 is a diagrammatic representation of an exemplary computer system that may be configured for delegation of conditional time-based permissions and conditional permission authorizations in accordance with embodiments disclosed herein;

FIG. 3 is a diagrammatic representation of an embodiment of an exemplary computer system that may be configured as a client in a network system;

FIG. 4A is a diagrammatic representation of an embodiment of a change administrator server configuration that facilitates entitlement delegation and configuration in accordance with embodiments disclosed herein;

FIG. 4B is a diagrammatic representation of an embodiment of an operator console server software configuration that facilitates receipt, processing, and authorization of operator access requests;

FIG. 5 depicts a diagrammatic representation of a table in which entitlements implemented in accordance with embodiments disclosed herein may be maintained;

FIG. 6 is a diagrammatic illustration of an authentication directory in which proxy accounts may be created, enabled, and disabled according to conditional entitlements in accordance with embodiments disclosed herein;

FIG. 7 is a flowchart depicting processing steps of an authorization routine for authorizing explicit operator access requests in accordance with embodiments disclosed herein;

FIG. 8 is a flowchart of a schedule evaluation subroutine for evaluating an entitlement schedule in accordance with embodiments disclosed herein;

FIG. 9 is a flowchart depicting an embodiment of processing steps of a proxy account enablement routine that facilitates dynamic account enablement; and

FIG. 10 is a flowchart depicting an embodiment of processing steps of a proxy account disablement routine that facilitates disablement of dynamically enabled accounts.

Claims
  • 1. A method of enabling a user account in a network system, comprising: receiving a request for access to a network server from an operator at an operator console; evaluating the request with a conditional entitlement including a schedule that defines an active period during which the operator has operational privileges on the network server; and enabling a user account assigned to the operator in an authentication directory in response to determining the request is authorized.
  • 2. The method of claim 1, further comprising: determining the user account is not included in the authentication directory; and adding the user account to the authentication directory.
  • 3. The method of claim 2, wherein adding the user account further comprises adding a property set to a members property of a group object in the authentication directory.
  • 4. The method of claim 1, wherein enabling the user account further comprises modifying an enabled property of the user account to indicate the user account is enabled.
  • 5. The method of claim 1, further comprising adding an identifier of the operator to a user group managed by the network server.
  • 6. The method of claim 5, further comprising establishing a remote session between the operator console and the network server.
  • 7. The method of claim 1, further comprising executing, by a network server, a password reset command on the user account.
  • 8. The method of claim 1, further comprising modifying an enabled property of the user account in response to determining a remote session between the operator console and the network server has been terminated.
  • 9. The method of claim 1, wherein determining the request is authorized comprises determining the request was issued during the active period.
  • 10. A computer-readable medium having computer-executable instructions for execution by a processing system, the computer-executable instructions for enabling a user account in a network system, comprising: instructions that receive a request for access to a network server from an operator at an operator console; instructions that evaluate the request with a conditional entitlement including a schedule that defines an active period during which the operator has operational privileges on the network server; and instructions that enable a user account assigned to the operator in an authentication directory in response to determining the request is authorized.
  • 11. The computer-readable medium of claim 10, further comprising: instructions that determine the user account is not included in the authentication directory; and instructions that add the user account to the authentication directory.
  • 12. The computer-readable medium of claim 11, wherein the instructions that add the user account further comprise instructions that add a property set to a members property of a group object in the authentication directory.
  • 13. The computer-readable medium of claim 10, wherein the instructions that enable the user account further comprise instructions that modify an enabled property of the user account to indicate the user account is enabled.
  • 14. The computer-readable medium of claim 10, further comprising instructions that add an identifier of the operator to a user group managed by the network server.
  • 15. The computer-readable medium of claim 14, further comprising instructions that establish a remote session between the operator console and the network server.
  • 16. The computer-readable medium of claim 10, further comprising instructions that execute, by a network server, a password reset command on the user account.
  • 17. The computer-readable medium of claim 10, further comprising instructions that modify an enabled property of the user account in response to determining a remote session between the operator console and the network server has been terminated.
  • 18. The computer-readable medium of claim 10, wherein the instructions that determine the request is authorized comprise instructions that determine the request was issued during the active period.
  • 19. A system for enabling a user account in a network system, comprising: an authentication directory adapted to store user accounts; a database that stores an entitlement that includes an identifier of an operator and a schedule defining an active period during which the operator has access rights to a network entity; a server interfaced with the authentication directory and the database that is adapted to enable an account assigned to the operator in the authentication directory in response to determining an access request issued by the operator was issued during the active period.
  • 20. The system of claim 19, wherein the server is adapted to create the user account in the authentication directory after determining the user account does not exist in the authentication directory.
  • 21. The system of claim 20, wherein the server creates the user account by adding a property set to a members property of a group object in the authentication directory, wherein the property set includes a name assigned to the operator.
  • 22. The system of claim 19, wherein the server enables the user account by modifying an enabled property of the user account to indicate the user account is enabled.
  • 23. The system of claim 19, wherein the entity comprises a managed server that includes a users group, wherein the server adds an identifier of the operator to the users group.
  • 24. The system of claim 19, wherein the operator accesses the system by an operator console, wherein a remote session is established between the operator console and the network entity after the account is enabled by the server.
  • 25. A network system, comprising: means for receiving a request for access to a network server from an operator at an operator console; means for evaluating the request with a conditional entitlement including a schedule that defines an active period during which the operator has operational privileges on the network server; and means for enabling a user account assigned to the operator in an authentication directory in response to determining the request is authorized.
  • 26. The system of claim 25, further comprising: means for determining the user account is not included in the authentication directory; and means for adding the user account to the authentication directory.
  • 27. The system of claim 26, wherein the means for adding the user account further comprise means for adding a property set to a members property of a group object in the authentication directory.
  • 28. The system of claim 25, wherein the means for enabling the user account further comprise means for modifying an enabled property of the user account to indicate the user account is enabled.
  • 29. The system of claim 25, further comprising means for adding an identifier of the operator to a user group managed by the network server.
  • 30. The system of claim 29, further comprising means for establishing a remote session between the operator console and the network server.
  • 31. The system of claim 25, further comprising means for resetting a password on the user account.
  • 32. The system of claim 25, further comprising means for modifying an enabled property of the user account in response to determining a remote session between the operator console and the network server has been terminated.
  • 33. The system of claim 25, wherein the means for determining the request is authorized comprises means for determining the request was issued during the active period.
  • 34. A data structure tangibly embodied on a computer-readable medium that facilitates enabling a user account in a network system, comprising: a root object; and one or more objects disposed hierarchically below the root object, wherein a first object of the one or more objects defines a user account assigned to an operator and wherein the user account is enabled responsive to a determination that an access request issued by the operator is issued during an active period defined in a schedule associated with the operator.
  • 35. The data structure of claim 34, wherein the first object comprises an object defining a user group, and wherein the user account is defined by a property set included in the first object.
  • 36. The data structure of claim 35, wherein the user account is enabled by setting an enabled property of the property set to a value indicating the user account is enabled.
  • 37. The data structure of claim 35, wherein the property set is created in response to the determination.
  • 38. The data structure of claim 34, wherein the first object is created in response to the determination.
  • 39. A method of enabling a user account in a network system, comprising: receiving a request for access to a network server from an operator at an operator console; determining the request was issued within an active period defined by a conditional entitlement associated with the operator; evaluating an authentication directory containing user accounts to determine if a user account associated with the operator is included in the authentication directory; modifying an enabled property of the user account associated with the operator to a value that indicates the user account is enabled; adding an identifier of the operator to a user group of the network server; and establishing a remote session between the operator console and the network server.
  • 40. A data structure tangibly embodied on a computer-readable medium that facilitates user account enablement, comprising: a root object; and one or more objects disposed hierarchically below the root object, wherein a first object of the one or more objects defines a user account assigned to an operator, wherein the user account includes a name property that is set to a name of the operator and an enabled property, and wherein the user account is enabled by setting the enabled property to a value indicating the user account is enabled in response to a determination that an access request issued by the operator is issued during an active period defined in a schedule associated with the operator.
  • 41. A computer-readable medium having computer-executable instructions for execution by a processing system, the computer-executable instructions for enabling user accounts in a network system, comprising: instructions that receive a request for access to a network server from an operator at an operator console; instructions that determine the request was issued within an active period defined by a conditional entitlement associated with the operator; instructions that evaluate an authentication directory containing user accounts to determine if a user account associated with the operator is included in the authentication directory; instructions that modify an enabled property of the user account associated with the operator to a value that indicates the user account is enabled; instructions that add an identifier of the operator to a user group of the network server; and instructions that establish a remote session between the operator console and the network server.
  • 42. A user account enablement system, comprising: means for receiving a request for access to a network server from an operator at an operator console; means for determining the request was issued within an active period defined by a conditional entitlement associated with the operator; means for evaluating an authentication directory containing user accounts to determine if a user account associated with the operator is included in the authentication directory; means for modifying an enabled property of the user account associated with the operator to a value that indicates the user account is enabled; means for adding an identifier of the operator to a user group of the network server; and means for establishing a remote session between the operator console and the network server.
  • 43. A system for enabling user accounts in a network system, comprising: a database that includes entitlements that define time-based privileges for respective operators; an authentication directory that has one or more objects that define user accounts; a managed network server; an operator console adapted to issue a request for access by an operator to the managed network server; an administrator server adapted to connect with the authentication directory in response to a determination that the request is compliant with a time-based privilege of an entitlement assigned to the operator and modify an enabled property of an account assigned to the operator in the authentication directory.
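As an added illustration, not part of the patent and not the patentee's code: a Python model of the authorization routine (claims 1-5, 9) and the disablement routine (claim 8), with the authentication directory modeled as a root object holding a group object whose members property is a set of per-operator property sets, and the managed server's users group as a plain set. All names, the dict layout and the weekday/time-window schedule format are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class Schedule:
    """Active period: allowed weekdays (Mon=0) plus a daily time window."""
    weekdays: set
    start: time
    end: time

    def is_active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end

@dataclass
class Entitlement:
    operator: str
    server: str
    schedule: Schedule

# Constructed stand-ins (not real directory APIs): the directory as a root object with a
# group whose "members" property holds per-operator property sets; a managed server's users group.
directory = {"root": {"groups": {"Operators": {"members": {}}}}}
managed_servers = {"db01": {"users": set()}}
audit = []  # every decision is recorded so enable/disable can be reconciled later

def authorize(entitlements, operator, server, when):
    """Authorization routine: enable the account only inside an active period."""
    for ent in entitlements:
        if ent.operator == operator and ent.server == server and ent.schedule.is_active(when):
            members = directory["root"]["groups"]["Operators"]["members"]
            if operator not in members:                      # claims 2-3: create property set
                members[operator] = {"name": operator, "enabled": False}
            members[operator]["enabled"] = True              # claim 4: set enabled property
            managed_servers[server]["users"].add(operator)   # claim 5: add to users group
            audit.append(("enable", operator, server, when.isoformat()))
            return True
    audit.append(("deny", operator, server, when.isoformat()))
    return False

def session_terminated(operator, server):
    """Disablement routine (claim 8): revoke when the remote session ends."""
    members = directory["root"]["groups"]["Operators"]["members"]
    if operator in members:
        members[operator]["enabled"] = False
    managed_servers[server]["users"].discard(operator)
    audit.append(("disable", operator, server))

def account_enabled(operator):
    m = directory["root"]["groups"]["Operators"]["members"].get(operator)
    return bool(m and m["enabled"])
```

The check that matters for a reviewer is that a denied request never touches the directory or the users group, and that teardown always clears both.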
Provisional Applications (1)
  • Number: 60755146; Date: Jan 2006; Country: US