Search

US-12627653-B2 - Secured direct access for customer service

US12627653B2US 12627653 B2US12627653 B2US 12627653B2US-12627653-B2

Abstract

Methods, systems, and devices for data management are described. Authorization may be received, from a user of a customer of an operator of a first computing system, to access an instance of a first application running at the first computing system for the customer via a user account for the customer. Based on receiving the authorization, a request from a user of the operator to access a second application associated with generating a one-time credential associated with the user account may be received. The second application may run at the first computing system. Based on authenticating the user of the operator for access to the second application, the one-time credential may be provided to the user of the operator, which may use the one-time credential to gain temporary access to the instance of the first application via the user account.

Inventors

  • Rishabh Tiwari
  • Vyankatesh Sawalapurkar
  • Hao Wu
  • Falak Kansal

Assignees

  • RUBRIK, INC.

Dates

Publication Date
20260512
Application Date
20240104

Claims (20)

  1. 1 . A method, comprising: receiving, at a first computing system that is managed by an operator and separate from a second computing system that is managed by a customer of the operator, from a user of the customer, authorization to access an instance of a first application running at the first computing system for the customer via a user account for the customer; receiving, based at least in part on the authorization, a request from a user of the operator to access a second application associated with generating a one-time credential associated with the user account, the second application running at the first computing system; providing, based at least in part on authenticating the user of the operator for access to the second application, the one-time credential associated with the user account to the user of the operator; and granting, based at least in part on the one-time credential, the user of the operator temporary access to the instance of the first application via the user account.
  2. 2 . The method of claim 1 , further comprising: creating, prior to receiving the authorization to access the instance of the first application, a first user group that has access to the second application and a second user group that is permitted to impersonate users of the customer.
  3. 3 . The method of claim 1 , further comprising: authenticating the user of the operator for access to the second application based at least in part on the user of the operator being included in a first user group that has access to the second application and in a second user group that is permitted to impersonate users of the customer.
  4. 4 . The method of claim 1 , further comprising: determining, based at least in part on authenticating the user of the operator for access to the second application, permissions for accessing the instance of the first application granted to the user of the operator by the user of the customer, wherein the user of the operator is granted temporary access to the instance of the first application via the user account in accordance with the permissions.
  5. 5 . The method of claim 1 , further comprising: generating, based at least in part on authenticating the user of the operator for access to the second application, the one-time credential, wherein the one-time credential comprises a unique string, a time the one-time credential was issued, a time the one-time credential expires, an identifier of the user of the customer, an identifier of the user of the operator, an identifier of the authorization to access the instance of the first application, or any combination thereof.
  6. 6 . The method of claim 1 , wherein the one-time credential is formatted as a JSON web token, the method further comprising: signing the JSON web token with a private key associated with granting users of the operator temporary access to the instance of the first application.
  7. 7 . The method of claim 1 , further comprising: receiving, at a portal that is associated with the instance of the first application, based at least in part on providing the one-time credential to the user of the operator, the one-time credential from the user of the operator, wherein access to the portal is limited to requests originating within a network of the first computing system.
  8. 8 . The method of claim 7 , further comprising: verifying, based at least in part on receiving the one-time credential from the user of the operator, the one-time credential; and generating, based at least in part on verifying the one-time credential, a token associated with accessing the user account.
  9. 9 . The method of claim 8 , wherein: the customer supports a plurality of organizations, and the token comprises a time the token was issued, a time the token expires, an identifier of the user of the customer, an identifier of the user of the operator, an identifier of the user account, an identifier of an organization of the plurality of organizations to which the user of the customer belongs, a connection type associated with accessing the instance of the first application using the token, or any combination thereof.
  10. 10 . The method of claim 1 , further comprising: verifying, based at least in part on receiving the one-time credential from the user of the operator, the one-time credential; and redirecting, based at least in part on verifying the one-time credential, the user of the operator to a landing page of a user portal for the user account, a configuration of the landing page of the user portal for the user account corresponding to a configuration of a landing page of a user portal for a second user account for the customer that is associated with the user of the customer.
  11. 11 . An apparatus, comprising: one or more memories; and one or more processors, wherein the one or more memories store code comprising instructions executable, individually or collectively, by the one or more processors to cause the apparatus to: receive, at a first computing system that is managed by an operator and separate from a second computing system that is managed by a customer of the operator, from a user of the customer, authorization to access an instance of a first application running at the first computing system for the customer via a user account for the customer; receive, based at least in part on the authorization, a request from a user of the operator to access a second application associated with generating a one-time credential associated with the user account, the second application running at the first computing system; provide, based at least in part on authenticating the user of the operator for access to the second application, the one-time credential associated with the user account to the user of the operator; and grant, based at least in part on the one-time credential, the user of the operator temporary access to the instance of the first application via the user account.
  12. 12 . The apparatus of claim 11 , wherein the instructions are further executable, individually or collectively, by the one or more processors to cause the apparatus to: create, prior to receiving the authorization to access the instance of the first application, a first user group that has access to the second application and a second user group that is permitted to impersonate users of the customer.
  13. 13 . The apparatus of claim 11 , wherein the instructions are further executable, individually or collectively, by the one or more processors to cause the apparatus to: authenticate the user of the operator for access to the second application based at least in part on the user of the operator being included in a first user group that has access to the second application and in a second user group that is permitted to impersonate users of the customer.
  14. 14 . The apparatus of claim 11 , wherein the instructions are further executable, individually or collectively, by the one or more processors to cause the apparatus to: determine, based at least in part on authenticating the user of the operator for access to the second application, permissions for accessing the instance of the first application granted to the user of the operator by the user of the customer, wherein the user of the operator is granted temporary access to the instance of the first application via the user account in accordance with the permissions.
  15. 15 . The apparatus of claim 11 , wherein the instructions are further executable, individually or collectively, by the one or more processors to cause the apparatus to: generate, based at least in part on authenticating the user of the operator for access to the second application, the one-time credential, wherein the one-time credential comprises a unique string, a time the one-time credential was issued, a time the one-time credential expires, an identifier of the user of the customer, an identifier of the user of the operator, an identifier of the authorization to access the instance of the first application, or any combination thereof.
  16. 16 . A non-transitory, computer readable medium storing code that comprises instructions that are executable, individually or collectively, by one or more processors of a device to cause the device to: receive, at a first computing system that is managed by an operator and separate from a second computing system that is managed by a customer of the operator, from a user of the customer, authorization to access an instance of a first application running at the first computing system for the customer via a user account for the customer; receive, based at least in part on the authorization, a request from a user of the operator to access a second application associated with generating a one-time credential associated with the user account, the second application running at the first computing system; provide, based at least in part on authenticating the user of the operator for access to the second application, the one-time credential associated with the user account to the user of the operator; and grant, based at least in part on the one-time credential, the user of the operator temporary access to the instance of the first application via the user account.
  17. 17 . The non-transitory, computer readable medium of claim 16 , wherein the instructions are further executable, individually or collectively, by the one or more processors to cause the device to: create, prior to receiving the authorization to access the instance of the first application, a first user group that has access to the second application and a second user group that is permitted to impersonate users of the customer.
  18. 18 . The non-transitory, computer readable medium of claim 16 , wherein the instructions are further executable, individually or collectively, by the one or more processors to cause the device to: authenticate the user of the operator for access to the second application based at least in part on the user of the operator being included in a first user group that has access to the second application and in a second user group that is permitted to impersonate users of the customer.
  19. 19 . The non-transitory, computer readable medium of claim 16 , wherein the instructions are further executable, individually or collectively, by the one or more processors to cause the device to: determine, based at least in part on authenticating the user of the operator for access to the second application, permissions for accessing the instance of the first application granted to the user of the operator by the user of the customer, wherein the user of the operator is granted temporary access to the instance of the first application via the user account in accordance with the permissions.
  20. 20 . The non-transitory, computer readable medium of claim 16 , wherein the instructions are further executable, individually or collectively, by the one or more processors to cause the device to: generate, based at least in part on authenticating the user of the operator for access to the second application, the one-time credential, wherein the one-time credential comprises a unique string, a time the one-time credential was issued, a time the one-time credential expires, an identifier of the user of the customer, an identifier of the user of the operator, an identifier of the authorization to access the instance of the first application, or any combination thereof.

Description

FIELD OF TECHNOLOGY The present disclosure relates generally to data management, including techniques for secured direct access for customer service. BACKGROUND A data management system (DMS) may be employed to manage data associated with one or more computing systems. The data may be generated, stored, or otherwise used by the one or more computing systems, examples of which may include servers, databases, virtual machines, cloud computing systems, file systems (e.g., network-attached storage (NAS) systems), or other data storage or processing systems. The DMS may provide data backup, data recovery, data classification, or other types of data management services for data of the one or more computing systems. Improved data management may offer improved performance with respect to reliability, speed, efficiency, scalability, security, or ease-of-use, among other possible aspects of performance. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 illustrates an example of a computing environment that supports secured direct access for customer service in accordance with aspects of the present disclosure. FIG. 2 shows an example of a set of operations for secured direct access for customer service in accordance with aspects of the present disclosure. FIG. 3 shows an example of a set of operations for secured direct access for customer service in accordance with aspects of the present disclosure. FIG. 4 shows a block diagram of an apparatus that supports secured direct access for customer service in accordance with aspects of the present disclosure. FIG. 5 shows a block diagram of a data manager that supports secured direct access for customer service in accordance with aspects of the present disclosure. FIG. 6 shows a diagram of a system including a device that supports secured direct access for customer service in accordance with aspects of the present disclosure. FIG. 7 shows a flowchart illustrating methods that support secured direct access for customer service in accordance with aspects of the present disclosure. DETAILED DESCRIPTION When providing support to a user of a software-as-a-service (SaaS) application, a support entity may be unable to observe, first-hand, the instance of the SaaS application (e.g., the user interface, the configurations of the instance of the SaaS application tailored to the computing system of the customer, etc.) being interacted with by a user of a customer. Moreover, in some cases, the description provided by the user may suffer inaccuracies or omit important details. Accordingly, to understand the issues being seen by a particular customer with a particular instance of a SaaS application, troubleshooting may involve using communication means that are limited to providing a support entity with an incomplete understanding of the issue being experienced by the user, which may significantly extend a time used to resolve a customer issue and may consume excessive amounts of engineering time. Thus, mechanisms (e.g., methods, systems, apparatuses, techniques, configurations, components) that support providing a support entity with the complete and accurate details of the issue being experienced by a customer with the particular instance of the SaaS application may be desired. To provide a support entity of a provider of a SaaS application with the complete and accurate details of an issue being experienced by a customer with an instance of the SaaS application running for the customer, this disclosure describes a procedure that enables the support entity of the provider to temporarily access the instance of the SaaS application. The disclosure further describes a procedure that enables the support entity to impersonate a user of the customer that is requesting the support while accessing the instance of the SaaS application such that the support entity is provided access to a mirrored version of the instance of the SaaS application experienced by the user—e.g., a copy that reflects the configurations (e.g., user interface (UI) and internal configurations) of the customer and the computing environment of the customer. In some examples, this disclosure describes a procedure for creating a system-level user account (which may be referred to as a support user account) of the customer through which a support entity can temporarily access (e.g., from a device external to the computing environment of the customer) the instance of the SaaS application running for the customer in accordance with the permissions, configurations, or both, of the user requesting support such that requests sent by the support entity (via the support user) are processed by the SaaS application as though the support entity is the user requesting support. To support providing a support entity of a provider of a SaaS application with the ability to access an instance of the SaaS application running for a customer (e.g., while fully impersonating a user of the customer), this disclosure further describes robust security measu