The present application relates generally to an improved data processing apparatus and method and more specifically to mechanisms for performing enterprise application session control and monitoring in a large distributed environment.
Situations in which it is necessary to monitor or terminate a user's access to applications and other computing resources are not unusual. One such scenario is employee termination. In the majority of cases it is sufficient to de-provision the user, i.e., to perform account revocation or entitlement removal so that the user can no longer access the computing resources and applications. However, circumstances do arise in which de-provisioning alone is not sufficient. These often involve more sensitive employee terminations, or similar scenarios, in which the user may have existing active application sessions that are not affected by de-provisioning because the directory lookup operations and entitlement checks that established those sessions have already taken place.
Thus, when a specific user's access to enterprise applications and services poses a potential risk, account revocation or entitlement removal may be insufficient: such de-provisioning operations prevent future access but leave the user's currently active application sessions unaffected.
To add to the difficulty in handling such situations, most modern large scale enterprises utilize distributed computing environments with no central control over application sessions. That is, a distributed enterprise computing environment typically includes a plurality of application servers and/or computing devices that independently manage their own application sessions. Thus, the de-provisioning of a user's account in one portion of the distributed enterprise computing environment, e.g., with regard to one application server, may not be propagated to other portions of the distributed enterprise computing environment at all, or at least not in a sufficiently timely manner to avoid security issues.
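The gap described above, in which de-provisioning blocks new logins but leaves established sessions serving requests on each server until a separate session-termination signal reaches that server, can be made concrete with a small simulation. The following is an added illustration written for this page, not code from the application or any product it describes. Everything in it is hypothetical: a single `Directory` holding accounts and entitlements, two independent `AppServer` instances that each keep their own session table and check entitlements only at login, and the user name `alice`. The `revalidate` flag shows the alternative of re-checking the directory on every request, at the cost of a directory lookup per request.

```python
"""Added illustration (not part of the application text) of why account
de-provisioning leaves active sessions untouched in a distributed environment.

Assumptions, all hypothetical: a single Directory holding accounts and
entitlements, and two independent AppServer instances that each keep their
own session table and check entitlements only at login.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Directory:
    """Central account/entitlement store (constructed sample data is passed in)."""
    accounts: Set[str] = field(default_factory=set)
    entitlements: Dict[str, Set[str]] = field(default_factory=dict)

    def deprovision(self, user: str) -> None:
        """Account revocation plus entitlement removal, as described above."""
        self.accounts.discard(user)
        self.entitlements.pop(user, None)

    def is_entitled(self, user: str, app: str) -> bool:
        return user in self.accounts and app in self.entitlements.get(user, set())


@dataclass
class AppServer:
    """One application server managing its own sessions independently."""
    name: str
    app: str
    directory: Directory
    revalidate: bool = False          # re-check the directory on every request?
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> user

    def login(self, user: str) -> str:
        # The entitlement check happens here, once, at session creation.
        if not self.directory.is_entitled(user, self.app):
            raise PermissionError(f"{user} not entitled to {self.app}")
        sid = f"{self.name}:{user}:{len(self.sessions) + 1}"
        self.sessions[sid] = user
        return sid

    def request(self, sid: str) -> bool:
        """Serve a request if the session exists (and, if revalidate, is still entitled)."""
        user = self.sessions.get(sid)
        if user is None:
            return False
        if self.revalidate and not self.directory.is_entitled(user, self.app):
            del self.sessions[sid]
            return False
        return True

    def terminate_user_sessions(self, user: str) -> int:
        """The control signal de-provisioning lacks: drop this user's sessions here."""
        doomed = [sid for sid, u in self.sessions.items() if u == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


def demonstrate(revalidate: bool = False) -> dict:
    """Walk through termination of 'alice' and report what each server still serves."""
    directory = Directory({"alice"}, {"alice": {"hr", "finance"}})
    hr = AppServer("hr-01", "hr", directory, revalidate)
    fin = AppServer("fin-01", "finance", directory, revalidate)
    hr_sid, fin_sid = hr.login("alice"), fin.login("alice")

    directory.deprovision("alice")
    try:
        hr.login("alice")
        new_login_allowed = True
    except PermissionError:
        new_login_allowed = False
    after_deprovision = (hr.request(hr_sid), fin.request(fin_sid))

    # Session control reaches only one server (partial propagation).
    hr.terminate_user_sessions("alice")
    after_partial = (hr.request(hr_sid), fin.request(fin_sid))

    # ...and finally the other one.
    fin.terminate_user_sessions("alice")
    after_full = (hr.request(hr_sid), fin.request(fin_sid))

    return {
        "new_login_allowed": new_login_allowed,
        "after_deprovision": after_deprovision,
        "after_partial_termination": after_partial,
        "after_full_termination": after_full,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("revalidate =", mode, demonstrate(mode))
```

With `revalidate=False` the de-provisioned user is refused a new login, yet both existing sessions keep serving requests, and terminating sessions on one server leaves the other server's session live until the signal reaches it as well. With `revalidate=True` both sessions are refused on the first request after de-provisioning, which closes the gap but requires every application server to consult the directory on every request.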