1. Field of the Invention
The present invention is in the field of systems for managing access to protected computing resources. In particular, the present invention provides a system and method for ensuring that if a user's authorized level of access to a protected resource changes while the user is using the resource, the change will be imposed on the user in substantially real time.
2. Description of the Related Art
Identity management, access management, and shared data repositories are known in the art. There are suppliers in the field, such as Oracle of Redwood Shores, Calif., that provide products for each of these functions. Other suppliers may also provide products for one or more of these functions. An enterprise can often choose solutions from a single vendor or can mix and match products from multiple vendors in order to obtain a custom solution.
In general, an identity management solution provides a unified, integrated platform to manage user identities, provision resources to users, secure access to resources, including computer resources, and support compliance processes. In a simple implementation, identity management may comprise a simple directory of all users in an organization. Additional features are provisioned as needed. For example, the directory can be expanded to include a list of protected resources to which a user should be granted access. A protected resource may be a computing system to which not everyone should be given access. For example, access to an organization's payroll system should be limited to select users.
Identity management systems can help facilitate the management of user privileges. For example, all employees in the human resources department of an organization may only need read access to payroll systems. An identity management system may store a record for each employee in the human resources department, and indicate that they should have read-only access. In a somewhat more refined approach, rather than storing privileges assigned to each user individually, each user may be assigned one or more roles and the roles themselves can determine the privileges granted. Continuing with the above example, each employee of the human resources department could be assigned to the role “HR Employee” and then the “HR Employee” role could be assigned the privilege of read-only access to the payroll system. A second role of “HR Manager” could be defined, and the privilege of write access could be assigned to the “HR Manager” role.
In this way, managing privileges assigned to each user becomes less complicated. For example, if a new system is added, and human resources employees need access to the new system, it is simply a matter of changing the privileges granted to the “HR Employee” role, without having to update each individual employee. Likewise, if an HR employee is promoted to manager, the employee can simply have the “HR Manager” role added to his record. The newly promoted employee will then be granted all the privileges that go along with being an “HR Manager” without having to individually add each of those privileges.
Shared data repositories, such as databases, are also known. Shared databases can be accessed by any number of different applications and different users. Databases come in many forms. A database can be as simple as a flat file or more complex, such as a relational database. Centralizing storage of data that is important to an organization in a database provides many benefits. One benefit is that the data can be more secure, as there is a single repository that is responsible for maintaining the data. Another benefit is that central storage of the data can facilitate data sharing among different applications. For example, the identity management system discussed above can store the roles and privileges of each user in a database. An access management system can then use those roles to restrict access to protected systems, as will be further explained below.
Access management systems, as the name implies, are used to manage access to systems. As described above, an enterprise may have a payroll system. Some employees may need one level of access, such as read-only access, to the system. Others may need a greater degree of access. Access to the system may be completely prohibited for yet another group of users. An access gate may be associated with a protected resource. Any attempt to access the protected resource may first be intercepted by the access gate. The access gate may then notify an access management system about the attempted access and provide identification of the user that is attempting to access the protected resource. The access management system may then query the shared data repository to determine which privileges should be granted to the user. If the privileges previously populated in the data repository by the identity management system indicate the user should be given access to the protected resource, this information can be sent from the access manager back to the access gate. The access gate can then allow the user to access the protected resource at the level of access determined by the access manager, data repository, and identity management system.
Because each piece of the solution described above may be provided by a different vendor, problems can arise due to a lack of coordination and cooperation between the pieces of the solution. For example, the access management system may grant a user access to a protected resource based on the role the user is assigned in the database. As the user is accessing the resource, the identity management system may later alter the role assigned to the user, such that the user should no longer be allowed access to the protected resource. Unfortunately, unless the identity management system notifies the access management system of this change, there is no way for the access management system to immediately revoke the user's access privileges. Because the identity management system and the access management system may be supplied by different vendors, there is no way to enforce proper notification of changes between the systems.
Access management systems have attempted to solve this problem by only granting users access to a protected resource for a finite period of time. For example, the access management system may grant a user a certificate that defines the user's access privileges to a protected resource, and that certificate will expire in half an hour. After the certificate expires, the access management system repeats the process of granting access, so that the latest privileges are retrieved from the database and any changes made by the identity management system are enforced.
Although monitoring changes through the expiration of a certificate is an improvement, it still leaves a large security gap. The time period between the change in a user's access privileges and the expiration of the certificate creates a security gap wherein the user may have access to a protected resource that he should not have. For example, an employee who is about to be terminated may currently be granted access to a highly sensitive system, such as an accounting system. The identity management system may lock the employee as part of the termination process, but until the employee's certificate expires, the access management system will be unaware that access to the accounting system for the user has been locked. A terminated employee having access to a protected resource for even a short period of time is clearly problematic.
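The following is an added illustration, not part of the patent text: a minimal model of the role-based access gate, shared repository and time-limited certificate described above, showing that a privilege revoked by the identity management system stays usable at the gate until the cached certificate expires. Role names follow the text; the user name, time values and class names are constructed for the example.

```python
# Added example (not from the patent): modelling the stale-certificate gap.
from dataclasses import dataclass, field

# Role -> privileges, as populated by the identity management system.
ROLE_PRIVILEGES = {"HR Employee": {"read"}, "HR Manager": {"read", "write"}}

@dataclass
class Repository:
    """Shared data repository: user -> set of roles (written by identity mgmt)."""
    roles: dict = field(default_factory=dict)

    def privileges(self, user):
        return set().union(*(ROLE_PRIVILEGES[r] for r in self.roles.get(user, ())))

@dataclass
class Certificate:
    privileges: frozenset
    expires_at: float   # seconds on a constructed clock

class AccessGate:
    """Intercepts requests; re-queries the repository only once the certificate expired."""
    def __init__(self, repo, ttl):
        self.repo, self.ttl, self.certs = repo, ttl, {}

    def allowed(self, user, op, now):
        cert = self.certs.get(user)
        if cert is None or now >= cert.expires_at:          # (re)issue certificate
            cert = Certificate(frozenset(self.repo.privileges(user)), now + self.ttl)
            self.certs[user] = cert
        return op in cert.privileges                         # no check of repo before expiry

def exposure_window(grant_time, change_time, ttl):
    """Seconds a revoked privilege remains usable; 0 if the change lands after expiry."""
    return max(0.0, grant_time + ttl - max(change_time, grant_time))

def demo():
    repo = Repository({"alice": {"HR Manager"}})          # constructed user
    gate = AccessGate(repo, ttl=1800)                      # half-hour certificate, as in the text
    events = [gate.allowed("alice", "write", now=0)]       # granted: cert issued at t=0
    repo.roles["alice"] = set()                            # identity mgmt locks alice at t=600
    events.append(gate.allowed("alice", "write", now=900)) # still allowed: stale certificate
    events.append(gate.allowed("alice", "write", now=1800))# denied only once the cert expires
    return events, exposure_window(0, 600, 1800)           # -> ([True, True, False], 1200.0)

if __name__ == "__main__":
    print(demo())
```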
There is therefore a problem in the art when dealing with identity and access management systems that may not be fully integrated, thus allowing security gaps to be created wherein users have privileges to access protected resources that are different than those that the users should have. There is a need for a solution to this problem that is independent of direct communication between identity management and access management systems. The solution should allow an access management system to limit access to protected resources in accordance with the access privileges that are stored in a database. Any changes to those access privileges should become effective as soon as possible without waiting for an independent event, such as the expiration of a certificate. Embodiments of the invention solve these and other problems, individually and collectively.