Adaptive permission token
Abstract
Techniques are disclosed relating to generating permission tokens. A first computer system may store permission information for a user that indicates a plurality of permissions for the user for accessing data within a database system. The first computer system may receive, from a user device, a permission request for permissions to perform actions at a second computer system. In response to authenticating the user, the first computer system may create a token with one or more permissions for the user by selecting the one or more permissions from the plurality of permissions stored for the user such that the created token does not exceed a specified size and may provide the token to the user device.
24 Citations
8 Claims
1. A non-transitory computer readable medium having program instructions stored thereon that are capable of causing a first computer system to perform operations comprising:
- storing permission information for a client, wherein the permission information indicates a plurality of permissions for the client for accessing data accessible via a second computer system;
- receiving, from a client device, an access request, wherein the access request is a request to permit the client to access the second computer system;
- authenticating the client;
- creating a first token for the authenticated client, including by selecting one or more permissions from the stored plurality of permissions, wherein the creating is performed such that the first token does not exceed a specified size; and
- providing, to the client device, the first token, wherein the first token is usable to determine whether requested actions may be performed on behalf of the client via the second computer system;
- subsequently receiving a permission request to determine whether the client is permitted to perform, at the second computer system, an action corresponding to a particular permission that is not indicated in the first token;
- determining, based on the particular permission being stored by the first computer system as one of the plurality of permissions for the client, to authorize the permission request; and
- creating a subsequent, second token having a set of permissions selected by replacing one of the one or more permissions used in the first token with the particular permission in response to the one or more permissions corresponding to a maximum possible number of permission for a token.

Dependent claims: 2, 3, 4, 5, 6

7. A method, comprising:
- a security computer system storing permission information for one or more tenants of a database computer system, wherein the one or more tenants includes a particular tenant having a plurality of users;
- the security computer system receiving, from a particular one of the plurality of users, an access request to the database computer system;
- the security computer system authenticating the particular user;
- the security computer system selecting a subset of a full set of permissions for the authenticated particular user;
- the security computer system creating a first token for the particular user that has the selected subset of permissions, wherein the first token is created such that the first token does not exceed a specified size;
- the security computer system providing, to the particular user, the first token;
- the security computer system receiving a permission request to determine whether the particular user is permitted to perform, at the database computer system, an action corresponding to a particular permission not in the subset of permissions included in the first token, wherein the permission request is responsive to an operation request to the database computer system that is associated with the first token;
- the security computer system determining, based on the full set of permissions including the particular permission, to authorize the permission request; and
- the security computer system creating a subsequent, second token having an updated set of permissions selected by replacing one of the subset of permissions used in the first token with the particular permission in response to the subset of permissions having a maximum possible number of permissions for a token.

Dependent claims: 8
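
The flow recited in claims 1 and 7, as an added Python sketch (not code from the patent or its assignee): a size-capped first token, a permission request for a permission missing from the token that is decided against the stored full set, and a second token in which one permission is replaced. The HMAC-signed JSON token format, the 120-byte cap, in-order selection and oldest-first replacement are all assumptions; the claims do not specify them.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"      # constructed signing key (assumption)
MAX_TOKEN_BYTES = 120              # assumed value for the "specified size"

# Constructed permission store held by the first (security) computer system.
STORE = {"alice": ["orders:read", "orders:write", "reports:read",
                   "billing:read", "users:admin"]}

def _encode(client, perms):
    body = json.dumps({"sub": client, "perms": perms}, separators=(",", ":"))
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify(token):
    """Check the signature and return the token's claims."""
    body, _, tag = token.rpartition(".")
    good = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("bad token signature")
    return json.loads(body)

def create_first_token(client):
    """Add stored permissions in order until the next one would exceed the cap."""
    perms = []
    for p in STORE[client]:
        if len(_encode(client, perms + [p])) > MAX_TOKEN_BYTES:
            break
        perms.append(p)
    return _encode(client, perms)

def permission_request(token, wanted):
    """Handle a permission missing from the token; returns (authorized, token)."""
    claims = verify(token)
    client, perms = claims["sub"], claims["perms"]
    if wanted in perms:
        return True, token
    # The decision comes from the stored full set, never from the token alone.
    if wanted not in STORE.get(client, []):
        return False, token                  # not stored: deny, token unchanged
    new = perms + [wanted]
    # Token already at its maximum: drop oldest permissions until it fits again.
    while len(_encode(client, new)) > MAX_TOKEN_BYTES and len(new) > 1:
        new.pop(0)
    return True, _encode(client, new)
```

With the constructed store above, the first token carries two permissions, and requesting `users:admin` yields a second token in which `orders:read` has been replaced.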
Specification