Title of invention: System and method for policy based privileged user access management
Abstract: Embodiments dynamically manage privileged access to a computer system according to policies enforced by a rule engine. User input to the rule engine may determine the extent of system access, as well as other features such as the intensity of user activity logging (including logging supplemental to a system activity log). Certain embodiments may provide access based upon user selection of a pre-configured ID at a dashboard, while other embodiments may rely upon direct user input to the rule engine to generate an ID at a policy enforcement point. Embodiments of methods and apparatuses may be particularly useful in granting and/or logging broad temporary access rights allowed based upon emergency conditions.
Publication number: US8869234(B2); publication date: 2014.10.21
Application number: US201213463160; filing date: 2012.05.03
Applicant: SAP AG; inventors: Radkowski John Christopher; Singh Swetta
Classification: H04L29/06; main classification: H04L29/06
Agency: Fountainhead Law Group, PC; agent: Fountainhead Law Group, PC
Main claim: 1. A computer implemented method comprising: providing a Policy Enforcement Point (PEP) comprising a rule engine; causing the PEP to recognize an emergency based upon a condition level of a first target system or application; providing to the PEP an identification (ID), that is specific to the first target system or application, to gain access to the first target system or application according to the condition level, wherein the provided identification is different from an identification used to gain access to the first target system or application when there is no emergency based upon the condition level; creating an authentication assertion of the ID; and in response to receipt of the authentication assertion, causing the first target system or application to invoke the PEP such that the rule engine grants a user an emergency access session, tagged with the provided ID, to the first target system or application according to a parameter determined by a policy; wherein the parameter comprises a logging level of activity of the user in the emergency access session that is recorded in a first activity log supplemental to a second activity log of the first target system or application, wherein during the emergency access session the first activity log comprises session data tagged with the provided ID, the first activity log is available for review, and access to the second activity log is disrupted as a result of the condition level of the first target system or application.
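The following is an added illustration of the scheme the abstract and main claim describe, written for this page and not taken from the patent or from any SAP product: a Policy Enforcement Point (PEP) with a small rule engine recognises an emergency from a target system's condition level, requires an authentication assertion for the emergency-specific ID rather than the everyday ID, grants a session tagged with that ID, and records the user's activity in a supplemental log at the logging level the policy prescribes. The condition-level scale, the policy fields, the ID strings and the session data are all assumptions constructed for the example.

```python
"""Policy-based emergency ("break-glass") access with supplemental logging.

Example code written for this page (not the patent's or SAP's code). The
condition levels, policy fields and IDs below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed condition-level scale reported by the target system.
NORMAL, DEGRADED, OUTAGE = 0, 1, 2


@dataclass
class Policy:
    emergency_threshold: int        # condition level at/above which an emergency exists
    normal_id: str                  # ID used when there is no emergency
    emergency_id: str               # different ID, used only for emergency sessions
    normal_logging_level: str       # "none" | "commands" | "full"
    emergency_logging_level: str
    max_emergency_minutes: int      # emergency sessions are time-bounded


@dataclass
class Session:
    user: str
    target: str
    tagged_id: str
    emergency: bool
    logging_level: str
    expires_in_minutes: Optional[int]   # None for an ordinary session


@dataclass
class PolicyEnforcementPoint:
    policy: Policy
    # Supplemental activity log kept by the PEP, independent of the target's own log
    # (which the claim assumes may be unavailable during the emergency).
    supplemental_log: List[Dict] = field(default_factory=list)

    def is_emergency(self, condition_level: int) -> bool:
        return condition_level >= self.policy.emergency_threshold

    def required_id(self, condition_level: int) -> str:
        """Rule: the ID that must be asserted for this condition level."""
        return self.policy.emergency_id if self.is_emergency(condition_level) else self.policy.normal_id

    def grant(self, user: str, target: str, condition_level: int, assertion: Dict) -> Session:
        """Target system invokes the PEP with an authentication assertion; the rule
        engine checks it names the expected ID and derives session parameters."""
        expected = self.required_id(condition_level)
        if assertion.get("subject") != expected or assertion.get("target") != target:
            raise PermissionError("assertion does not carry the ID required for this condition level")
        emergency = self.is_emergency(condition_level)
        return Session(
            user=user,
            target=target,
            tagged_id=expected,
            emergency=emergency,
            logging_level=self.policy.emergency_logging_level if emergency
            else self.policy.normal_logging_level,
            expires_in_minutes=self.policy.max_emergency_minutes if emergency else None,
        )

    def record(self, session: Session, action: str, detail: str = "") -> Optional[Dict]:
        """Write one activity entry to the supplemental log, tagged with the session ID,
        at the intensity chosen by policy ("none" records nothing, "commands" records
        the action only, "full" records the action and its detail)."""
        if session.logging_level == "none":
            return None
        entry = {
            "id": session.tagged_id,
            "user": session.user,
            "target": session.target,
            "action": action,
            "detail": detail if session.logging_level == "full" else None,
        }
        self.supplemental_log.append(entry)
        return entry

    def entries_for(self, tagged_id: str) -> List[Dict]:
        """Review view: all supplemental-log entries tagged with one ID."""
        return [e for e in self.supplemental_log if e["id"] == tagged_id]


if __name__ == "__main__":
    policy = Policy(OUTAGE, "ops-user", "EMERG-ERP-01", "commands", "full", 60)
    pep = PolicyEnforcementPoint(policy)
    session = pep.grant("alice", "erp", OUTAGE, {"subject": "EMERG-ERP-01", "target": "erp"})
    pep.record(session, "restart_service", detail="svc=db")
    print(pep.entries_for("EMERG-ERP-01"))
```

The point to notice is that the same user gets different session parameters from the same PEP depending only on the condition level: under normal conditions the everyday ID is expected and activity is logged at the lighter level, while at or above the emergency threshold only the emergency ID is accepted, the session is time-bounded, and every action is written in full to the PEP's own log so that a reviewer can reconstruct what was done even if the target system's log was unavailable.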
Address: Walldorf, DE