CN110730179A - Method and device for dynamically controlling privilege account number authority - Google Patents


Info

Publication number
CN110730179A
Authority
CN
China
Prior art keywords
account
authority
log
user
unit
Prior art date
Legal status
Pending
Application number
CN201910998168.9A
Other languages
Chinese (zh)
Inventor
许德森
邓祯恒
董明
Current Assignee
Guangzhou Haiyi Information Security Technology Co Ltd
Original Assignee
Guangzhou Haiyi Information Security Technology Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security)
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords (under H04L63/08, authentication of entities)
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a method and a device for dynamically controlling the permissions of a privileged account. The method comprises the following steps: an operation and maintenance (O&M) staff member who needs to perform a task runs the task or command on the terminal under his or her own account; once the task or command is launched, the executing program connects to the authority control device. The device checks whether the user is authorised to access the privileged account and to run that task or command. If the permission library grants the user the authority to run the command for the task, the device automatically opens a privileged session on a pseudo-terminal, without the user having to enter the high-authority username and password. When an audit is in place, or when no high-authority password is required, the command's input and output are redirected to the target resource, the user follows the command's execution on his or her own terminal, and the authority control device records the entire privileged session. The invention minimises both the harm that excessive privilege can do to a system and the disruption that insufficient privilege causes to the normal work of an enterprise or an individual.

Description

Method and device for dynamically controlling privilege account number authority
Technical Field
The invention relates to the field of privileged account security management, and in particular to a method and a device for dynamically controlling the permissions of a privileged account.
Background
An attacker typically follows the same pattern: collect information about the target, probe for and find an attack path, compromise the target and obtain access, then escalate the privileges of the account obtained. If a privileged account can be captured directly, this is done with half the effort. An attacker's first goal in an intrusion is therefore to obtain an account with the highest possible authority, so that arbitrary operations can be performed in the target system without restriction. Security experts likewise estimate that, in the serious network attacks they investigate, between 80% and nearly all of the cases abused a privileged account at some stage of the attack. A method and a device for dynamically controlling the authority of privileged accounts are therefore needed.
Conventional tools and systems mostly control privileged-account authority by granting users only the minimum privilege. This has two drawbacks: the granted privilege is insufficient when privileged operations are genuinely required, and once the credentials of a high-privilege account have leaked, its authority can no longer be controlled. Both leave enterprises with a serious privilege-management risk.
Disclosure of Invention
The technical problem solved by the present invention is to provide a method and an apparatus for dynamically controlling privileged-account permissions that minimise both the harm excessive privilege can do to a system and the disruption insufficient privilege causes to the normal work of enterprises and individuals.
The technical solution adopted by the invention is as follows. A method for dynamically controlling privileged-account authority, applied to a privileged account security management system, comprises the following steps:
A) the operation and maintenance staff member needs to perform a task; proceed to step B);
B) the operation and maintenance staff member runs the task or command on the terminal under his or her own account; after the task or command is launched, the executing program connects to the authority control device;
C) the authority control device checks whether the user is authorised to access the privileged account and to run the task or command; if so, proceed to step E); otherwise proceed to step D);
D) the task cannot be executed or run, and "insufficient authority" is returned;
E) if the permission library grants the user the authority to run the command for the task, the authority control device automatically opens a privileged session on a pseudo-terminal, without the user entering the high-authority username and password; proceed to step F) or step F');
F) determine whether an audit is in place; if so, proceed to step G);
F') determine whether a high-authority password is required; if not, proceed to step G);
G) redirect the command's input/output to the target resource, let the user follow the command's execution on his or her own terminal, and have the authority control device record the entire privileged session.
In the method for dynamically controlling privileged-account authority described in the present invention, the privileged account security management system comprises:
a node management unit: used to build a directory tree that mirrors the enterprise's organisational structure and to let different authorised users independently manage their own directories;
an account management unit: used to import and host privileged accounts and to manage the whole account lifecycle, centred on the privileged account itself;
an access control unit: used to subdivide account-use permissions so that different users hold different use permissions on different accounts;
a session monitoring unit: used to record (including screen recording), monitor, intercept and audit the user's single-sign-on sessions on the account;
an audit management unit: comprising a log query module that provides log queries to the audit department, covering at least account use and management and changes to the platform itself;
an approval management unit: used to provide the user with per-request approval of account use;
a system setting unit: used to provide platform-wide account policy, connection policy, portal settings and custom attribute parameters to the user;
the node management unit, account management unit, access control unit, session monitoring unit, audit management unit, approval management unit and system setting unit being connected to one another.
In the method for dynamically controlling privileged-account permissions of the present invention, the audit management unit further comprises:
an account log module: used to record logs related to privileged accounts and to let users query them; these logs cover at least account lifecycle management events, user usage and operation command records;
a password lockbox log module: used to record logs related to the account password lockboxes; these cover at least lockbox content change events and lockbox authorisation change events;
a node log module: used to record node-related logs; these cover at least node content change events and node authorisation change events;
the account log module, password lockbox log module and node log module being connected to one another.
The invention also relates to an apparatus that implements the above method for dynamically controlling privileged-account authority. It is applied to a privileged account security management system and comprises:
a task-required execution unit: used when the operation and maintenance staff member needs to perform a task, handing over to the task command execution unit;
a task command execution unit: used by the operation and maintenance staff member to run the task or command on the terminal under his or her own account; after the task or command is launched, the executing program connects to the authority control device;
a detection unit: used by the authority control device to check whether the user is authorised to access the privileged account and to run the task or command;
a return unit: used when the task cannot be executed or run, returning "insufficient authority";
a privileged session opening unit: used by the authority control device to automatically open a privileged session on a pseudo-terminal, without the user entering the high-authority username and password, when the permission library grants the user the authority to run the command for the task;
an audit determination unit: used to determine whether an audit is in place;
a high-authority password determination unit: used to determine whether a high-authority password is required;
a privileged session recording unit: used to redirect the command's input/output to the target resource, let the user follow the command's execution on his or her own terminal, and have the authority control device record the entire privileged session.
In the apparatus of the present invention, the privileged account security management system comprises:
a node management unit: used to build a directory tree that mirrors the enterprise's organisational structure and to let different authorised users independently manage their own directories;
an account management unit: used to import and host privileged accounts and to manage the whole account lifecycle, centred on the privileged account itself;
an access control unit: used to subdivide account-use permissions so that different users hold different use permissions on different accounts;
a session monitoring unit: used to record (including screen recording), monitor, intercept and audit the user's single-sign-on sessions on the account;
an audit management unit: comprising a log query module that provides log queries to the audit department, covering at least account use and management and changes to the platform itself;
an approval management unit: used to provide the user with per-request approval of account use;
a system setting unit: used to provide platform-wide account policy, connection policy, portal settings and custom attribute parameters to the user;
the node management unit, account management unit, access control unit, session monitoring unit, audit management unit, approval management unit and system setting unit being connected to one another.
In the apparatus of the present invention, the audit management unit further comprises:
an account log module: used to record logs related to privileged accounts and to let users query them; these logs cover at least account lifecycle management events, user usage and operation command records;
a password lockbox log module: used to record logs related to the account password lockboxes; these cover at least lockbox content change events and lockbox authorisation change events;
a node log module: used to record node-related logs; these cover at least node content change events and node authorisation change events;
the account log module, password lockbox log module and node log module being connected to one another.
The method and the apparatus for dynamically controlling privileged-account authority have the following beneficial effects. An operation and maintenance staff member who needs to perform a task runs the task or command on the terminal under his or her own account; after the task or command is launched, the executing program connects to the authority control device. When the device finds that the user is authorised to run the task or command, and the permission library grants the user the authority for that command, the device automatically opens a privileged session on a pseudo-terminal without the user entering the high-authority username and password; it redirects the command's input/output to the target resource, lets the user follow the execution on his or her own terminal, and records the entire privileged session. The invention thus minimises both the harm excessive privilege can do to a system and the disruption insufficient privilege causes to the normal work of enterprises and individuals.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic structural diagram (flowchart) of an embodiment of the method and apparatus for dynamically controlling privileged-account permissions according to the present invention;
FIG. 2 is a schematic structural diagram of the privileged account security management system in the embodiment;
FIG. 3 is a schematic structural diagram of the audit management unit in the embodiment;
FIG. 4 is a schematic structural diagram of the apparatus in the embodiment.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the embodiments of the method and apparatus for dynamically controlling privileged-account permissions of the present invention, the flowchart of the method is shown in FIG. 1. The method is applied to a privileged account security management system. FIG. 2 is a schematic structural diagram of that system in this embodiment. In FIG. 2 the system comprises a node management unit 1, an account management unit 2, an access control unit 3, a session monitoring unit 4, an audit management unit 5, an approval management unit 6 and a system setting unit 7, which are connected to one another. The node management unit 1 builds a directory tree that mirrors the enterprise's organisational structure and lets different authorised users independently manage their own directories.
The account management unit 2 imports and hosts privileged accounts and manages the whole account lifecycle, centred on the privileged account itself. Privileged accounts that must be automatically checked, rotated or even reset (password recovery) come in many kinds, and those embedded in DevOps tools, code and programs are often hard to manage at the same time. For example, a Jenkins continuous-integration server may embed a cloud platform's development access key; the key is then easily exposed in the tool's configuration, its use is hard to audit, and regular key rotation becomes impractical. The account management unit 2 addresses these difficulties. In addition, when a human user needs to use such account credentials, the single-sign-on connection module of the account management unit 2 lets the credentials be used without ever being disclosed to the user or leaving the platform.
The access control unit 3 subdivides account-use permissions so that different users hold different use permissions on different accounts. Its account password lockbox feature lets lockboxes be added, modified and managed, gives each lockbox a logically independent storage space for accounts, and grants users access authorisation on the basis of sets of lockboxes.
The session monitoring unit 4 records (including screen recording), monitors, intercepts and audits the user's single-sign-on sessions on the account. It can quickly search sessions, locate operation records, intervene in a live session and intercept operations.
The audit management unit 5 provides log queries to the audit department, covering at least account use and management and changes to the platform itself. The log content supports tracing an account's operation history and analysing user behaviour.
The approval management unit 6 provides the user with per-request approval of account use. An approval flow can specify the approver, the operation content, a time window, a reason and so on. The unit can be extended with plug-ins and can therefore be connected to an external work-order (ticketing) platform.
The system setting unit 7 provides platform-wide account policy, connection policy, portal settings, custom attribute parameters and similar capabilities to the user. It is interconnected mainly with the account management unit 2.
By providing the node management unit 1, the account management unit 2, the access control unit 3, the session monitoring unit 4, the audit management unit 5, the approval management unit 6 and the system setting unit 7, the invention lets an enterprise's privileged accounts be managed automatically, lets users sign on to them without ever handling a password, and supports flexible, plug-in account management for privileged accounts in cloud, DevOps and containerised environments.
FIG. 3 is a schematic structural diagram of the audit management unit in this embodiment. In FIG. 3 the audit management unit 5 further comprises an account log module 51, a password lockbox log module 52 and a node log module 53, connected to one another. The account log module 51 records logs related to privileged accounts and lets users query them; these logs include, but are not limited to, account lifecycle management events, user usage and operation command records.
The password lockbox log module 52 records logs related to the account password lockboxes; these include, but are not limited to, lockbox content change events and lockbox authorisation change events.
The node log module 53 records node-related logs; these include, but are not limited to, node content change events and node authorisation change events.
In FIG. 1, the method for dynamically controlling privileged-account authority comprises the following steps:
Step S01, the operation and maintenance staff member needs to perform a task: when the staff member needs to perform a task, step S02 is executed.
Step S02, the operation and maintenance staff member runs the task or command on the terminal under his or her own account, and after the task or command is launched the executing program connects to the authority control device: in this step the staff member launches the task or command from the terminal under his or her own account, and the executing program then connects to the authority control device.
Step S03, the authority control device checks whether the user is authorised to access the privileged account and to run the task or command: if the result is yes, step S05 is executed; otherwise step S04 is executed.
Step S04, the task cannot be executed or run and "insufficient authority" is returned: this step is executed when the result of step S03 is no.
Step S05, if the permission library grants the user the authority to run the command for the task, the authority control device automatically opens a privileged session on a pseudo-terminal without the user entering the high-authority username and password: this step is executed when the result of step S03 is yes, i.e. the command is run with authority. After this step, step S06 or step S06' is executed.
Step S06, determine whether an audit is in place: if the result is yes, step S07 is executed.
Step S06', determine whether a high-authority password is required: if the result is no, step S07 is executed.
Step S07, redirect the command's input/output to the target resource, let the user follow the command's execution on his or her own terminal, and have the authority control device record the entire privileged session: in this step the command's input/output is redirected to the target resource, the user can follow the execution on his or her own terminal, and the authority control device records the whole privileged session.
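The flow of steps S01 to S07 as a runnable sketch. This is an added example written for this page, not the patent holder's implementation. It assumes an in-memory dict for the "permission library", an in-memory dict for the "password lockbox", and a local command standing in for the target resource; the names Policy, SessionRecord, decide, open_session and to_audit_event are this example's own. The broker decides (S03/S05/S06'), opens the session on a pseudo-terminal from the pty module so the user never types the privileged credential (S05), captures everything the session writes (S07), and emits one account-log entry.

```python
"""Added example (not the patent holder's code): a minimal privilege broker modelled
on steps S01-S07.  Assumed, not from the patent: the in-memory "permission library"
and "password lockbox", a local command as the target resource, and every name here."""
import os
import pty
import select
import subprocess
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

class Decision(Enum):
    ALLOW = "allow"                  # S05: open the privileged session, no password prompt
    DENY = "deny"                    # S04: insufficient authority
    PASSWORD_REQUIRED = "password"   # S06': the high-authority password is still demanded

@dataclass
class Policy:
    # permission library: (user, privileged account) -> program names the user may run
    permission_library: Dict[Tuple[str, str], Set[str]]
    password_required: Set[str] = field(default_factory=set)  # accounts still needing S06'

@dataclass
class SessionRecord:
    user: str
    account: str
    argv: List[str]
    decision: Decision
    started_at: float
    transcript: bytes = b""           # everything the session wrote to the terminal
    exit_code: Optional[int] = None   # None when no session was opened

def decide(policy: Policy, user: str, account: str, argv: List[str]) -> Decision:
    """S03/S05/S06': may `user` run `argv` under `account`? (matches program name only)"""
    allowed = policy.permission_library.get((user, account), set())
    if not argv or argv[0] not in allowed:
        return Decision.DENY
    if account in policy.password_required:
        return Decision.PASSWORD_REQUIRED
    return Decision.ALLOW

def _run_recorded(argv: List[str], timeout: float) -> Tuple[bytes, int]:
    """S07: run argv on a pseudo-terminal and capture everything it writes."""
    try:
        master, slave = pty.openpty()
        stdin = slave
    except OSError:                   # no pty device available: still record, via a pipe
        master, slave = os.pipe()
        stdin = subprocess.DEVNULL
    proc = subprocess.Popen(argv, stdin=stdin, stdout=slave, stderr=slave)
    os.close(slave)                   # only the child holds the slave side now
    chunks: List[bytes] = []
    deadline = time.monotonic() + timeout
    try:
        while True:
            ready, _, _ = select.select([master], [], [], 0.05)
            if ready:
                try:
                    data = os.read(master, 4096)
                except OSError:       # EIO on Linux once the slave side is closed
                    break
                if not data:          # EOF (pipe, or a pty on macOS)
                    break
                chunks.append(data)
            elif time.monotonic() > deadline:   # idle runaway session: cut it off
                proc.kill()
                break
    finally:
        os.close(master)
    return b"".join(chunks), proc.wait()

def open_session(policy: Policy, lockbox: Dict[str, str], user: str, account: str,
                 argv: List[str], timeout: float = 5.0) -> SessionRecord:
    """S02-S07 for one request; the credential never reaches the caller or the record."""
    record = SessionRecord(user, account, list(argv),
                           decide(policy, user, account, argv), time.time())
    if record.decision is not Decision.ALLOW:
        return record                 # S04 deny, or S06' password still required
    if not lockbox.get(account):      # S05: the broker, not the user, holds the credential
        raise LookupError(f"no credential hosted for {account}")
    # With a real target the credential feeds the connector (SSH, RDP, a database client);
    # the target here is local, so there is nothing to log in to.
    record.transcript, record.exit_code = _run_recorded(argv, timeout)
    return record

def to_audit_event(record: SessionRecord) -> dict:
    """One account-log entry (account log module): who, which account, what, outcome."""
    return {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(record.started_at)),
            "user": record.user, "account": record.account,
            "command": " ".join(record.argv), "decision": record.decision.value,
            "bytes_recorded": len(record.transcript), "exit_code": record.exit_code}

if __name__ == "__main__":
    # Constructed sample policy and lockbox; not real accounts or secrets.
    policy = Policy({("alice", "root@db01"): {"echo", "systemctl"}}, {"root@pay01"})
    lockbox = {"root@db01": "constructed-secret", "root@pay01": "constructed-secret-2"}
    rec = open_session(policy, lockbox, "alice", "root@db01", ["echo", "hello from root@db01"])
    print(to_audit_event(rec))
    print(rec.transcript.decode(errors="replace"))
```

Two design points worth noting. The decision is made before any credential is touched, so a denied request (S04) leaves no trace of the lockbox contents in the returned record; and the session is captured from the master side of the pty, so the user's terminal can be fed the same bytes while the broker keeps its own copy for the session monitoring and audit units. A production broker would match the whole command line against policy patterns rather than the program name alone, and would kill a session that keeps producing output past its time window, which this sketch only does for an idle one.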
The method for dynamically controlling privileged-account authority thus minimises both the harm excessive privilege can do to a system and the disruption insufficient privilege causes to the normal work of enterprises and individuals.
This embodiment also relates to an apparatus that implements the method for dynamically controlling privileged-account authority. It is applied to a privileged account security management system, and its structure is shown in FIG. 4. In FIG. 4 the apparatus comprises a task-required execution unit 10, a task command execution unit 20, a detection unit 30, a return unit 40, a privileged session opening unit 50, an audit determination unit 60, a high-authority password determination unit 60' and a privileged session recording unit 70. The task-required execution unit 10 is used when the operation and maintenance staff member needs to perform a task and hands over to the task command execution unit 20; the task command execution unit 20 is used by the staff member to run the task or command on the terminal under his or her own account, after which the executing program connects to the authority control device; the detection unit 30 is used by the authority control device to check whether the user is authorised to access the privileged account and to run the task or command; the return unit 40 is used when the task cannot be executed or run and returns "insufficient authority"; the privileged session opening unit 50 is used by the authority control device to automatically open a privileged session on a pseudo-terminal, without the user entering the high-authority username and password, when the permission library grants the user the authority to run the command for the task; the audit determination unit 60 determines whether an audit is in place; the high-authority password determination unit 60' determines whether a high-authority password is required; the privileged session recording unit 70 redirects the command's input/output to the target resource, lets the user follow the command's execution on his or her own terminal, and has the authority control device record the entire privileged session.
The apparatus minimises both the harm excessive privilege can do to a system and the disruption insufficient privilege causes to the normal work of enterprises and individuals.
In short, the invention minimises both the harm excessive privilege can do to a system and the disruption insufficient privilege causes to the normal work of enterprises and individuals, and strengthens the enterprise's privilege-management security.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (6)

1. A method for dynamically controlling privileged-account authority, applied to a privileged account security management system, comprising the following steps:
A) the operation and maintenance staff member needs to perform a task; proceed to step B);
B) the operation and maintenance staff member runs the task or command on the terminal under his or her own account; after the task or command is launched, the executing program connects to the authority control device;
C) the authority control device checks whether the user is authorised to access the privileged account and to run the task or command; if so, proceed to step E); otherwise proceed to step D);
D) the task cannot be executed or run, and "insufficient authority" is returned;
E) if the permission library grants the user the authority to run the command for the task, the authority control device automatically opens a privileged session on a pseudo-terminal, without the user entering the high-authority username and password; proceed to step F) or step F');
F) determine whether an audit is in place; if so, proceed to step G);
F') determine whether a high-authority password is required; if not, proceed to step G);
G) redirect the command's input/output to the target resource, let the user follow the command's execution on his or her own terminal, and have the authority control device record the entire privileged session.
2. The method for dynamically controlling privileged account authority according to claim 1, wherein the privileged account security management system comprises:
a node management unit: used for building a directory tree that matches the enterprise organization structure and allowing differently authorized users to manage their respective directories independently;
an account management unit: used for importing and hosting privileged accounts, and for carrying out account life-cycle management centered on the privileged account itself;
an access control unit: used for subdividing the authority to use accounts, so that different users hold different use authorities over different accounts;
a session monitoring unit: used for recording, monitoring, intercepting and auditing the process in which a user single-signs-on to an account;
an audit management unit: comprising a log query module used for providing log queries to the auditing department, the queries covering at least account use and management logs and platform change logs;
an approval management unit: used for providing users with approval of account-use transactions;
a system setting unit: used for providing users with platform-wide account policy, connection policy, portal settings and self-editable attribute parameters;
the node management unit, the account management unit, the access control unit, the session monitoring unit, the audit management unit, the approval management unit and the system setting unit are connected to each other.
3. The method for dynamically controlling privileged account authority according to claim 2, wherein the audit management unit further comprises:
an account log module: used for recording logs related to privileged accounts and allowing users to query them; the privileged-account logs comprise at least account life-cycle management events, user usage records and operation command records;
a password box log module: used for recording logs related to the account password box; these logs comprise at least password box content change events and password box authorization change events;
a node log module: used for recording node-related logs; these logs comprise at least node content change events and node authorization change events;
the account log module, the password box log module and the node log module are connected to each other.
4. An apparatus for implementing the method for dynamically controlling privileged account authority according to claim 1, applied to a privileged account security management system, comprising:
a task requirement unit: used for the O&M user to request execution of a task and to hand over to the task instruction execution unit;
a task instruction execution unit: used for the O&M user to initiate the task or instruction on their own terminal with their own account; once the task or instruction is initiated, the execution program connects to the authority control device;
a detection unit: used by the authority control device to check whether the user holds authority over the account and over the task or instruction to be executed;
a return unit: used for not executing or running the task and returning "insufficient authority";
a privileged session opening unit: used, when the library authority shows that the user holds the corresponding authority to run the task with that instruction, for the authority control device to automatically open a privileged session on a pseudo terminal without the user entering a high-authority user name or password;
an audit judgement unit: used for judging whether an audit is required;
a high-authority password judgement unit: used for judging whether a high-authority password is needed;
a privileged session recording unit: used for redirecting the input/output of the instruction to the target resource, so that the user can follow the execution of the instruction on their own terminal, while the authority control device records the whole privileged session.
5. The apparatus according to claim 4, wherein the privileged account security management system comprises:
a node management unit: used for building a directory tree that matches the enterprise organization structure and allowing differently authorized users to manage their respective directories independently;
an account management unit: used for importing and hosting privileged accounts, and for carrying out account life-cycle management centered on the privileged account itself;
an access control unit: used for subdividing the authority to use accounts, so that different users hold different use authorities over different accounts;
a session monitoring unit: used for recording, monitoring, intercepting and auditing the process in which a user single-signs-on to an account;
an audit management unit: comprising a log query module used for providing log queries to the auditing department, the queries covering at least account use and management logs and platform change logs;
an approval management unit: used for providing users with approval of account-use transactions;
a system setting unit: used for providing users with platform-wide account policy, connection policy, portal settings and self-editable attribute parameters;
the node management unit, the account management unit, the access control unit, the session monitoring unit, the audit management unit, the approval management unit and the system setting unit are connected to each other.
6. The apparatus according to claim 5, wherein the audit management unit further comprises:
an account log module: used for recording logs related to privileged accounts and allowing users to query them; the privileged-account logs comprise at least account life-cycle management events, user usage records and operation command records;
a password box log module: used for recording logs related to the account password box; these logs comprise at least password box content change events and password box authorization change events;
a node log module: used for recording node-related logs; these logs comprise at least node content change events and node authorization change events;
the account log module, the password box log module and the node log module are connected to each other.
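The flow of claim 1 (check the user's authority over account and command, deny with "insufficient authority", otherwise open a privileged session on a pseudo terminal without the user typing the privileged credential, then redirect and record its I/O) and the operation command records of the account log module in claims 3 and 6 can be exercised end to end. The following is an added example, not code from the patent or from the applicant's product: the "library authority" table, the function names, the in-memory audit log and the local subprocess that stands in for the target resource are all assumptions for illustration. A real authority control device would hold the hosted privileged credential and open the session on the remote host; here the session runs locally so the example works offline.

```python
"""Added example: a minimal authority control device in the sense of claim 1.

Not code from the patent or from Guangzhou Haiyi. Data shapes, function names
and the in-memory audit log are assumptions. The target resource is stood in
for by a local subprocess on a pseudo terminal so the example runs offline.
"""
import os
import pty
import subprocess
import sys
from dataclasses import dataclass

# Constructed "library authority": user -> hosted privileged account -> grants.
# Each granted command maps to the argv the device would run on the target.
LIBRARY_AUTHORITY = {
    "alice": {
        "root@db01": {
            "commands": {"hello": [sys.executable, "-c", "print('hello from target')"]},
            "audit": True,              # step F: the session must be audited
            "require_password": False,  # step F': no high-authority password needed
        },
    },
    "bob": {
        "root@db01": {
            "commands": {"hello": [sys.executable, "-c", "print('hello from target')"]},
            "audit": True,
            "require_password": True,   # step F': password still required
        },
    },
}

AUDIT_LOG = []  # stand-in for the account log module of claims 3 and 6


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: list = None
    audit: bool = False
    require_password: bool = False


def check_authority(user, account, command, library=LIBRARY_AUTHORITY):
    """Step C: is this user authorised on this account for this command?

    Deny by default: an unknown user, an account the user does not hold, or a
    command outside the grant all yield "insufficient authority" (step D).
    """
    grant = library.get(user, {}).get(account)
    if grant is None:
        return Decision(False, "insufficient authority: no access to account")
    argv = grant["commands"].get(command)
    if argv is None:
        return Decision(False, "insufficient authority: command not granted")
    return Decision(True, "granted", argv, grant["audit"], grant["require_password"])


def record_session(user, account, command, argv):
    """Steps E and G: open the session on a pseudo terminal, pass the
    instruction's I/O through the device and record the whole transcript."""
    master, slave = pty.openpty()
    proc = subprocess.Popen(argv, stdin=slave, stdout=slave, stderr=slave,
                            close_fds=True)
    os.close(slave)  # only the child keeps the slave side open now
    chunks = []
    while True:
        try:
            data = os.read(master, 4096)
        except OSError:  # Linux raises EIO once the child closes its side
            break
        if not data:     # other platforms report plain EOF instead
            break
        chunks.append(data)
    os.close(master)
    exit_code = proc.wait()
    transcript = b"".join(chunks).decode("utf-8", errors="replace")
    AUDIT_LOG.append({"event": "operation_command", "user": user,
                      "account": account, "command": command,
                      "exit": exit_code, "transcript": transcript})
    return exit_code, transcript


def execute(user, account, command):
    """Steps B through G for one instruction issued from the user's terminal."""
    decision = check_authority(user, account, command)
    AUDIT_LOG.append({"event": "authority_check", "user": user,
                      "account": account, "command": command,
                      "allowed": decision.allowed, "reason": decision.reason})
    if not decision.allowed:
        return {"status": "denied", "reason": decision.reason}  # step D
    if decision.require_password:
        # Step F': the claim only specifies the "not needed" branch. Assumed
        # behaviour here: stop and ask the caller for the password first.
        return {"status": "password_required"}
    exit_code, transcript = record_session(user, account, command, decision.argv)
    return {"status": "executed", "exit": exit_code,
            "transcript": transcript, "audited": decision.audit}


if __name__ == "__main__":
    print(execute("alice", "root@db01", "hello"))      # executed, recorded
    print(execute("bob", "root@db01", "hello"))        # password_required
    print(execute("alice", "root@db01", "rm -rf /"))   # denied: not granted
    print(execute("mallory", "root@db01", "hello"))    # denied: no account
```

The check is deliberately deny-by-default and keyed on the pair (account, command) rather than on the account alone, which is what the "permission subdivision" of the access control unit amounts to; the transcript captured from the master side of the pty is what the session monitoring and account log modules would store and replay.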
CN201910998168.9A 2019-10-21 2019-10-21 Method and device for dynamically controlling privilege account number authority Pending CN110730179A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910998168.9A CN110730179A (en) 2019-10-21 2019-10-21 Method and device for dynamically controlling privilege account number authority

Publications (1)

Publication Number Publication Date
CN110730179A true CN110730179A (en) 2020-01-24

Family

ID=69221626

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910998168.9A Pending CN110730179A (en) 2019-10-21 2019-10-21 Method and device for dynamically controlling privilege account number authority

Country Status (1)

Country Link
CN (1) CN110730179A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101360121A (en) * 2007-07-31 2009-02-04 华为技术有限公司 Authority control method, system and terminal in apparatus management
US20130086628A1 (en) * 2011-09-29 2013-04-04 Oracle International Corporation Privileged account manager, application account management
CN104615916A (en) * 2014-12-12 2015-05-13 腾讯科技(深圳)有限公司 Account management method and device and account permission control method and device
CN104702415A (en) * 2015-03-31 2015-06-10 北京奇艺世纪科技有限公司 Account number permission control method and device
CN104820791A (en) * 2015-05-19 2015-08-05 新华瑞德(北京)网络科技有限公司 Application software authority control method and system
US20190028514A1 (en) * 2017-07-24 2019-01-24 Cyberark Software Ltd. Providing privileged access to non-privileged accounts
CN109992619A (en) * 2019-03-28 2019-07-09 杭州云毅网络科技有限公司 A kind of data query method, system, electronic equipment and storage medium
CN110197058A (en) * 2019-04-15 2019-09-03 杭州恩牛网络技术有限公司 Unified internal control method for managing security, system, medium and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
GZHARDSHELL: "海颐特权账号安全管理系统白皮书", 《HTTPS://WENKU.BAIDU.COM/VIEW/EA199AC8F121DD36A32D82B1.HTML》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116821866A (en) * 2023-08-29 2023-09-29 北京轻松致远科技有限责任公司 Role authority control method of application program
CN116821866B (en) * 2023-08-29 2023-11-10 北京轻松致远科技有限责任公司 Role authority control method of application program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200124