US2021173919A1PendingUtilityA1

Systems and methods for controlling privileged operations

Assignee: BEYONDTRUST SOFTWARE INCPriority: May 16, 2017Filed: Feb 12, 2021Published: Jun 10, 2021
Est. expiryMay 16, 2037(~10.8 yrs left)· nominal 20-yr term from priority
G06F 21/6281G06F 21/604G06F 21/53
56
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Systems and methods are disclosed herein for determining one or more rights for processing of authorization procedures by an authorization system using a computing device. The computing device can create a copy of the one or more rights. The computing device can modify the one or more rights to generate one or more customized rights for processing of the authorization procedures. The computing device can receive a call to perform a particular operation associated with a particular file. The computing device can determine a property associated with the particular file. The computing device can determine whether to authorize the call to perform the particular operation based on the one or more customized rights and the property.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method comprising:
 determining, via a privileged daemon executed by at least one computing device, at least one right for processing of authorization procedures by an authorization system;   creating, via the privileged daemon, a copy of the at least one right;   modifying, via the privileged daemon, the at least one right to generate at least one customized right for processing of the authorization procedures;   receiving, via the authorization system executed by the at least one computing device, a call to perform a particular operation associated with a particular file;   determining, via the authorization system, a property associated with the particular file; and   determining, via the authorization system, whether to authorize the call to perform the particular operation based on the at least one customized right and the property.   
     
     
         2 . The method of  claim 1 , wherein the at least one customized right is associated with a policy, the method further comprising:
 determining that the policy specifies that at least one rule should be applied to authorize the at least one customized right; and   determining whether to authorize the at least one customized right by applying the at least one rule.   
     
     
         3 . The method of  claim 1 , wherein the at least one customized right is associated with a policy, the method further comprising:
 determining that the policy does not specify a rule to apply to authorize the at least one customized right;   retrieving a client user identifier;   determining whether the client user identifier corresponds to a root user and the at least one customized right allows root; and   if the client user identifier corresponds to root user and the at least one customized right allows root, authorizing the at least one customized right.   
     
     
         4 . The method of  claim 1 , wherein determining whether to authorize the call to perform the particular operation is based on whether the at least one customized right is authorized. 
     
     
         5 . The method of  claim 1 , wherein the property comprises a client path. 
     
     
         6 . The method of  claim 1 , wherein the at least one customized right comprises at least one customized mechanism right. 
     
     
         7 . The method of  claim 1 , wherein the call to perform the particular operation is received via a MechanismInvoke callback function. 
     
     
         8 . The method of  claim 1 , wherein an operating system is executed by the at least one computing device and the authorization system is executed on the operating system with root level permissions. 
     
     
         9 . A system comprising:
 at least one computing device comprising a processor and a memory, the at least one computing device configured to execute an operating system;   a privileged daemon that, when executed by the at least one computing device, is configured to:
 create a copy of the at least one right; and 
 modify the at least one right to generate at least one customized right for processing of authorization procedures; and 
   an authorization system that, when executed by the at least one computing device, is configured to:
 receive a call to perform a particular operation associated with a particular file; 
 determine a property associated with the particular file; and 
 determine whether to authorize the call to perform the particular operation based on the at least one customized right and the property. 
   
     
     
         10 . The system of  claim 9 , wherein the particular operation comprises performing an execute action on the particular file. 
     
     
         11 . The system of  claim 9 , wherein the particular operation comprises performing a restricted operation to a running application corresponding to the particular file. 
     
     
         12 . The system of  claim 9 , wherein the property comprises a file name. 
     
     
         13 . The system of  claim 9 , wherein the privileged daemon comprises a process that runs in a background of the operating system with root-user privileges. 
     
     
         14 . The system of  claim 9 , wherein the privileged daemon is further configured to further comprising at least one second computing device configured to:
 generate a list of a plurality of rights to be modified comprising the at least one right; and   modify each of the plurality of rights in the list to generate a plurality of customized rights for processing of the authorization procedures, the plurality of customized rights comprising the at least one customized right.   
     
     
         15 . A method comprising:
 determining, via a privileged daemon executed by at least one computing device, at least one right for processing of authorization procedures by an authorization system;   creating, via the privileged daemon, a copy of the at least one right;   modifying, via the privileged daemon, the at least one right to generate at least one customized right for processing of the authorization procedures;   receiving, via the authorization system executed by the at least one computing device, a request associated with a particular file;   determining that a policy associated with the at least one customized right specifies that at least one rule should be applied to authorize the at least one customized right for the request; and   determining whether to authorize the at least one customized right for the request by applying the at least one rule.   
     
     
         16 . The method of  claim 15 , further comprising:
 storing, in a cache, an authorization result of the determination of whether to authorize the at least one customized right for the request;   receiving, via the authorization system, a second request associated with the particular file;   determining that the authorization result is stored in the cache; and   determining whether to authorize the second request according to the authorization result from the cache.   
     
     
         17 . The method of  claim 15 , further comprising copying, via the privileged daemon, the at least one right to create at least one copied right prior to modifying the at least one right. 
     
     
         18 . The method of  claim 15 , further comprising:
 determining that the at least one rule specifies a requirement of user input; and   launching a message module to display a message in order to retrieve the user input required by the at least one rule.   
     
     
         19 . The method of  claim 15 , further comprising:
 locating, via the privileged daemon, the at least one rule for the at least one customized right;   providing, via the privileged daemon, a success status notification to the authorization system; and   authorizing, by the authorization system, the request associated with the particular file.   
     
     
         20 . The method of  claim 15 , wherein determining that the policy associated with the at least one customized right specifies that the at least one rule should be applied further comprises:
 checking, via the privileged daemon, the policy to determine, based on the policy, whether the at least one rule is applicable;   if the at least one rule is applicable, initializing, via the privileged daemon, a launcher module with at least one parameter identifying the particular file; and   launching the particular file, by the launcher module, with root-user privilege.

Join the waitlist — get patent alerts

Track US2021173919A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.