Dynamic runtime field-level access control using a hierarchical permission context structure
First Claim
1. A system for dynamically determining field-level access control using a hierarchical permission context structure, the system comprising:
a machine-readable medium storing computer-executable instructions; and
at least one hardware processor communicatively coupled to the machine-readable medium that, when the computer-executable instructions are executed, the at least one hardware processor is configured to:
receive one or more user credentials, the one or more user credentials corresponding to a user;
identify a plurality of fields in an electronic document to be communicated to a client device;
select a first field from the plurality of fields, the first field having a label portion and a data portion, wherein the selected first field is associated with a second user, the second user being different than the first user; and
determine whether the one or more user credentials provide authorization for viewing data associated with the data portion of the selected first field by:
referencing a hierarchical permission context structure, the hierarchical permission context structure defining a hierarchy of assignable user roles; and
comparing one or more of the user roles assigned to the second user with one or more user roles assigned to the first user;
in response to a determination that the received one or more user credentials do not provide authorization, replace the data of the data portion of the selected first field with a predetermined restriction identifier prior to communicating the electronic document to the client device, the predetermined restriction identifier informing the user that the user is not authorized to view the data;
in response to a determination that the received one or more user credentials provide authorization, add the data to the data portion of the selected first field; and
communicate the electronic document to the client device.
Abstract
This disclosure provides for a system, method, and machine-readable medium for performing dynamic runtime field-level access control using a hierarchical permission context structure. The hierarchical permission context structure includes various levels of roles, where each role is assigned one or more permissions. The one or more permissions assigned to the one or more roles indicate the amount of control a given user has over data displayable in an electronic document. The electronic document includes one or more fields having corresponding records in one or more databases. A record includes metadata about the data for a corresponding field. When an electronic document is requested, the fields of the electronic document are generated from the data stored in their corresponding records. An evaluation is performed that determines whether the user requesting the electronic document is authorized to view the data for one or more of the fields based on their corresponding metadata.
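The evaluation the abstract describes can be sketched as follows. This is an added example, not code from the patent or its assignee: the role names, the `sensitive` metadata flag, the `[RESTRICTED]` identifier and the comparison rule (the requester owns the field or holds a role strictly above one of the owner's roles) are all assumptions, since the page does not specify how the roles are compared.

```python
from dataclasses import dataclass

# Assumed role hierarchy (child -> parent, None = top); not taken from the patent.
ROLE_PARENT = {"director": None, "manager": "director",
               "hr_partner": "director", "employee": "manager"}
RESTRICTED = "[RESTRICTED]"  # constructed restriction identifier

@dataclass
class FieldRecord:
    label: str               # label portion, always sent
    data: str                # data portion, sent only when authorized
    owner: str               # the "second user" the field is associated with
    sensitive: bool = True   # assumed per-field metadata flag

def roles_at_or_above(role):
    """Walk up the hierarchy; unknown roles and cycles end the walk."""
    chain = set()
    while role in ROLE_PARENT and role not in chain:
        chain.add(role)
        role = ROLE_PARENT[role]
    return chain

def may_view(requester, field, roles_of):
    """Assumed rule: owner, or a role strictly above one of the owner's roles."""
    if not field.sensitive or requester == field.owner:
        return True
    mine = set(roles_of.get(requester, ()))
    for owner_role in roles_of.get(field.owner, ()):
        if mine & (roles_at_or_above(owner_role) - {owner_role}):
            return True
    return False  # fail closed: unknown users and roles see nothing

def render(requester, fields, roles_of):
    """Build the document server-side so denied data never reaches the client."""
    return {f.label: f.data if may_view(requester, f, roles_of) else RESTRICTED
            for f in fields}

# Constructed sample data.
ROLES_OF = {"alice": ["manager"], "bob": ["employee"],
            "carol": ["employee"], "dave": ["hr_partner"]}
FIELDS = [FieldRecord("Name", "Bob Example", "bob", sensitive=False),
          FieldRecord("Salary", "85000", "bob")]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "mallory"):
        print(user, render(user, FIELDS, ROLES_OF))
```

Because the substitution happens before the document is serialized, a denied requester receives only the label and the restriction identifier, so nothing depends on the client hiding the value.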
17 Claims
1. A system for dynamically determining field-level access control using a hierarchical permission context structure, the system comprising:
a machine-readable medium storing computer-executable instructions; and
at least one hardware processor communicatively coupled to the machine-readable medium that, when the computer-executable instructions are executed, the at least one hardware processor is configured to:
receive one or more user credentials, the one or more user credentials corresponding to a user;
identify a plurality of fields in an electronic document to be communicated to a client device;
select a first field from the plurality of fields, the first field having a label portion and a data portion, wherein the selected first field is associated with a second user, the second user being different than the first user; and
determine whether the one or more user credentials provide authorization for viewing data associated with the data portion of the selected first field by:
referencing a hierarchical permission context structure, the hierarchical permission context structure defining a hierarchy of assignable user roles; and
comparing one or more of the user roles assigned to the second user with one or more user roles assigned to the first user;
in response to a determination that the received one or more user credentials do not provide authorization, replace the data of the data portion of the selected first field with a predetermined restriction identifier prior to communicating the electronic document to the client device, the predetermined restriction identifier informing the user that the user is not authorized to view the data;
in response to a determination that the received one or more user credentials provide authorization, add the data to the data portion of the selected first field; and
communicate the electronic document to the client device.
(Dependent claims: 2, 3, 4, 5, 6)
7. A method for dynamically determining field-level access control using a hierarchical permission context structure, the method comprising:
receiving, by at least one hardware processor, one or more user credentials, the one or more user credentials corresponding to a user;
identifying, by the at least one hardware processor, a plurality of fields in an electronic document to be communicated to a client device;
selecting, by the at least one hardware processor, a first field from the plurality of fields, the first field having a label portion and a data portion, wherein the selected first field is associated with a second user, the second user being different than the first user;
determining, by the at least one hardware processor, whether the one or more user credentials provide authorization for viewing data associated with the data portion of the selected first field by:
referencing a hierarchical permission context structure, the hierarchical permission context structure defining a hierarchy of assignable user roles; and
comparing one or more user roles assigned to the second user with one or more user roles assigned to the first user;
in response to a determination that the received one or more user credentials do not provide authorization, replacing, by the at least one hardware processor, the data of the data portion of the selected first field with a predetermined restriction identifier prior to communicating the electronic document to the client device, the predetermined restriction identifier informing the user that the user is not authorized to view the data;
in response to a determination that the received one or more user credentials provide authorization, adding, by the at least one hardware processor, the data to the data portion of the selected first field; and
communicating, by the at least one hardware processor, the electronic document to the client device.
(Dependent claims: 8, 9, 10, 11, 12)
13. A non-transitory, machine-readable medium having computer-executable instructions stored thereon that, when executed by at least one hardware processor, configure the at least one hardware processor to perform a plurality of operations for dynamically determining field-level access control using a hierarchical permission context structure, the operations comprising:
receiving one or more user credentials, the one or more user credentials corresponding to a user;
identifying a plurality of fields in an electronic document to be communicated to a client device;
selecting a first field from the plurality of fields, the first field having a label portion and a data portion, wherein the selected first field is associated with a second user, the second user being different than the first user; and
determining whether the one or more user credentials provide authorization for viewing data associated with the data portion of the selected first field by:
referencing a hierarchical permission context structure, the hierarchical permission context structure defining a hierarchy of assignable user roles; and
comparing one or more user roles assigned to the second user with one or more user roles assigned to the first user;
in response to a determination that the received one or more user credentials do not provide authorization, replacing the data portion of the selected first field with a predetermined restriction identifier prior to communicating the electronic document to the client device, the predetermined restriction identifier informing the user that the user is not authorized to view the data;
in response to a determination that the received one or more user credentials provide authorization, adding the data to the data portion of the selected first field; and
communicating the electronic document to the client device.
(Dependent claims: 14, 15, 16, 17)
Specification