Adaptive permission token

US 10,223,541 B2
Filed: 01/24/2017
Issued: 03/05/2019
Est. Priority Date: 01/24/2017
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium having program instructions stored thereon that are capable of causing a first computer system to perform operations comprising:

storing permission information for a client, wherein the permission information indicates a plurality of permissions for the client for accessing data accessible via a second computer system;

receiving, from a client device, an access request, wherein the access request is a request to permit the client to access the second computer system;

authenticating the client;

creating a first token for the authenticated client, including by selecting one or more permissions from the stored plurality of permissions, wherein the creating is performed such that the first token does not exceed a specified size; and

providing, to the client device, the first token, wherein the first token is usable to determine whether requested actions may be performed on behalf of the client via the second computer system;

subsequently receiving a permission request to determine whether the client is permitted to perform, at the second computer system, an action corresponding to a particular permission that is not indicated in the first token;

determining, based on the particular permission being stored by the first computer system as one of the plurality of permissions for the client, to authorize the permission request; and

creating a subsequent, second token having a set of permissions selected by replacing one of the one or more permissions used in the first token with the particular permission in response to the one or more permissions corresponding to a maximum possible number of permission for a token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed relating to generating permission tokens. A first computer system may store permission information for a user that indicates a plurality of permissions for the user for accessing data within a database system. The first computer system may receive, from a user device, a permission request for permissions to perform actions at a second computer system. In response to authenticating the user, the first computer system may create a token with one or more permissions for the user by selecting the one or more permissions from the plurality of permissions stored for the user such that the created token does not exceed a specified size and may provide the token to the user device.

24 Citations

View as Search Results

8 Claims

1. A non-transitory computer readable medium having program instructions stored thereon that are capable of causing a first computer system to perform operations comprising:
- storing permission information for a client, wherein the permission information indicates a plurality of permissions for the client for accessing data accessible via a second computer system;
  
  receiving, from a client device, an access request, wherein the access request is a request to permit the client to access the second computer system;
  
  authenticating the client;
  
  creating a first token for the authenticated client, including by selecting one or more permissions from the stored plurality of permissions, wherein the creating is performed such that the first token does not exceed a specified size; and
  
  providing, to the client device, the first token, wherein the first token is usable to determine whether requested actions may be performed on behalf of the client via the second computer system;
  
  subsequently receiving a permission request to determine whether the client is permitted to perform, at the second computer system, an action corresponding to a particular permission that is not indicated in the first token;
  
  determining, based on the particular permission being stored by the first computer system as one of the plurality of permissions for the client, to authorize the permission request; and
  
  creating a subsequent, second token having a set of permissions selected by replacing one of the one or more permissions used in the first token with the particular permission in response to the one or more permissions corresponding to a maximum possible number of permission for a token.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer readable medium of claim 1, wherein the operations further comprise:
    - providing the second token to the client device.
  - 3. The computer readable medium of claim 1, wherein the operations further comprise:
    - using a private key to sign the first token;
      
      formatting the first token as a browser cookie presentable by a web browser of the client device to the second computer system; and
      
      providing a public key associated with the private key to the second computer system for determining that the first computer system signed the first token.
  - 4. The computer readable medium of claim 1, wherein the selected one or more permissions are a subset of the plurality of permissions and are chosen to include in the first token based on which of the plurality of permissions have been most recently used by the client.
  - 5. The computer readable medium of claim 1, wherein the operations further comprise:
    - providing the second computer system with information indicating that the first token is invalid; and
      
      receiving a notification that an operation request supplied to the second computer system that includes the first token was rejected.
  - 6. The computer readable medium of claim 1, wherein the operations further comprise:
    - prior to providing the first token, encoding the first token with a time stamp indicating a time of creation of the first token, wherein the time stamp is usable by the second computer system to determine whether to reject the first token.

7. A method, comprising:
- a security computer system storing permission information for one or more tenants of a database computer system, wherein the one or more tenants includes a particular tenant having a plurality of users;
  
  the security computer system receiving, from a particular one of the plurality of users, an access request to the database computer system;
  
  the security computer system authenticating the particular user;
  
  the security computer system selecting a subset of a full set of permissions for the authenticated particular user;
  
  the security computer system creating a first token for the particular user that has the selected subset of permissions, wherein the first token is created such that the first token does not exceed a specified size;
  
  the security computer system providing, to the particular user, the first token;
  
  the security computer system receiving a permission request to determine whether the particular user is permitted to perform, at the database computer system, an action corresponding to a particular permission not in the subset of permissions included in the first token, wherein the permission request is responsive to an operation request to the database computer system that is associated with the first token;
  
  the security computer system determining, based on the full set of permissions including the particular permission, to authorize the permission request; and
  
  the security computer system creating a subsequent, second token having an updated set of permissions selected by replacing one of the subset of permissions used in the first token with the particular permission in response to the subset of permissions having a maximum possible number of permissions for a token.
- View Dependent Claims (8)
- - 8. The method of claim 7, wherein the selecting includes:
    - the security computer system selecting the subset of the full set of permissions to include in the first token based on which permissions of the full set of permissions have been used most frequently in accessing the database computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Balijepalli, Harish, Michela, Ryan Michael
Primary Examiner(s)
Chen, Shin-Hon (Eric)

Application Number

US15/414,605
Publication Number

US 20180211055A1
Time in Patent Office

770 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06Q 50/26   Government or public servic...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/102   Entity profiles

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 67/01   Protocols

H04L 9/0819   Key transport or distributi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

Adaptive permission token

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

8 Claims

Specification

Use Cases

Quick Links

Others

Adaptive permission token

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

8 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others