Methods, systems and computer program products for rule based delegation of administration powers
Abstract
Systems, methods and computer program products are provided for distributed administration of a network environment having defined administrator authorities. A plurality of rules are defined specifying ones of a plurality of entity objects without administrator authority authorized to invoke administration powers to establish properties of target entity objects. In various embodiments, such rules are based on one or more of the properties of the target ones of the entity. An administrator application identifies one of the rules associated with one of the administration powers for one of the properties to be established and obtains a property of the target entity object designated by the identified rule to determine if the action is authorized. The administrator executes the identified one of the rules to determine if the requesting entity object is authorized to invoke the associated administration power to establish the designated one of the properties of the target entity object and establishes the designated one of the properties of the target entity object if the requesting entity object is so authorized.
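The rule-and-policy flow the abstract describes, as an added example in Python that is not the patent's own code (the patent describes no implementation): entity objects hold no administrator authority, a single administrator application does, and a request is granted only when the rule designated for the power passes on a property the application reads from the target itself and every applicable policy object's user-defined script is satisfied; a trigger script then runs, as in claims 19 and 21. The names (`AdminApp`, `Rule`, `Policy`, `Trigger`, `set_password`) and the sample directory are assumptions for illustration.

```python
# Added example, not code from the patent: a minimal delegated-administration
# engine following claims 1, 19 and 21. Rules read a property of the target,
# policy objects (with a user-defined script) constrain the request, and
# trigger scripts run afterwards. All names and sample data are assumptions.
import hashlib, os
from dataclasses import dataclass, field
from typing import Any, Callable

@dataclass
class Entity:                      # identifier + properties, no admin authority
    id: str
    props: dict = field(default_factory=dict)

@dataclass
class Power:                       # executes with the admin application's authority
    name: str
    prop: str                      # property this power establishes
    apply: Callable[[Entity, Any], None]

@dataclass
class Rule:                        # who may invoke a power, judged from a target property
    power: str
    target_prop: str               # target property the rule designates
    check: Callable[[Entity, Any], bool]   # (requester, observed target value) -> ok

@dataclass
class Policy:                      # constrains an otherwise authorized request
    applies: Callable[[Entity, Entity, str], bool]
    script: Callable[[Entity, Entity, str, Any], bool]   # the user-defined script

@dataclass
class Trigger:                     # runs once the property has been established
    prop: str
    action: Callable[[Entity, Any], None]

class AdminApp:                    # the only component holding admin authority; denies by default
    def __init__(self, directory, powers, rules, policies, triggers):
        self.directory = {e.id: e for e in directory}
        self.powers = {p.prop: p for p in powers}      # property -> power
        self.rules = {r.power: r for r in rules}       # power name -> rule
        self.policies, self.triggers = policies, triggers

    def request(self, requester_id, target_id, prop, value):
        """Return (granted, reason). Requester identity is assumed authenticated upstream."""
        requester, target = self.directory.get(requester_id), self.directory.get(target_id)
        if requester is None or target is None:
            return False, "unknown entity"
        power = self.powers.get(prop)
        rule = self.rules.get(power.name) if power else None
        if rule is None:
            return False, "no power/rule for property"
        # The admin app reads the target property itself (never from the requester).
        observed = target.props.get(rule.target_prop)
        if not rule.check(requester, observed):
            return False, "rule denied"
        for policy in self.policies:
            if policy.applies(requester, target, prop) and not policy.script(requester, target, prop, value):
                return False, "policy unsatisfied"
        power.apply(target, value)                     # the admin authority is used here
        for trig in self.triggers:
            if trig.prop == prop:
                trig.action(target, value)
        return True, "established"

def set_password(target, value):   # power body: salted PBKDF2 hash, never plaintext
    salt = os.urandom(16)
    target.props["pw_salt"] = salt
    target.props["pw_hash"] = hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 200_000)

def build_demo():
    directory = [                  # constructed sample directory
        Entity("alice", {"dept": "eng", "role": "helpdesk"}),
        Entity("bob", {"dept": "eng", "role": "user"}),
        Entity("carol", {"dept": "fin", "role": "helpdesk"}),
        Entity("root", {"dept": "eng", "role": "admin"}),
    ]
    powers = [Power("reset_password", "password", set_password)]
    # Rule: helpdesk staff reset passwords only in their own department; a missing target dept denies.
    rules = [Rule("reset_password", "dept", lambda req, dept: dept is not None
                  and req.props.get("role") == "helpdesk" and req.props.get("dept") == dept)]
    policies = [
        Policy(lambda r, t, p: p == "password",                 # password quality
               lambda r, t, p, v: isinstance(v, str) and len(v) >= 12),
        Policy(lambda r, t, p: t.props.get("role") == "admin",  # never delegate over admins
               lambda r, t, p, v: False),
    ]
    triggers = [Trigger("password", lambda t, v: t.props.__setitem__("must_change", True))]
    return AdminApp(directory, powers, rules, policies, triggers)

def run_demo():
    app, pw = build_demo(), "correct horse battery staple"
    return {
        "same_dept": app.request("alice", "bob", "password", pw)[1],
        "other_dept": app.request("carol", "bob", "password", pw)[1],
        "weak_pw": app.request("alice", "bob", "password", "short")[1],
        "admin_target": app.request("alice", "root", "password", pw)[1],
        "no_rule": app.request("alice", "bob", "dept", "fin")[1],
        "must_change": app.directory["bob"].props.get("must_change"),
        "root_untouched": "pw_hash" not in app.directory["root"].props,
    }
```

Two points the claims leave implicit and a deployment has to get right: the policy scripts and trigger scripts execute with the administrator application's authority, so they are exactly as privileged as the application itself and must be authored, stored and integrity-checked accordingly (a writable script directory is a direct path from a delegated user to full administrator authority); and the rule must be evaluated against the target property the application reads itself, never against a value the requester supplies, or the department check above is trivially bypassed.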
32 Claims

1. A method for distributed administration of a network environment having defined administrator authorities, the method comprising:
defining a plurality of entity objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment, defining a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
defining a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects based on at least one of the properties of the target ones of the entity objects;
receiving a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects; and
wherein the following are executed by an administrator application executing on the network environment responsive to the received request:
identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
obtaining the at least one of the properties of the target one of the entity objects designated by the identified rule;
executing the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects based on the obtained one of the properties of the target one of the entity objects; and
establishing the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.
Dependent claims: 2-18, 20.

19. A method for distributed administration of a network environment having defined administrator authorities, the method comprising:
defining a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment, defining a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment, defining a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
defining a plurality of policy objects constraining invoking of ones of the plurality of administration powers by authorized ones of the entity objects, at least one of the policy objects being associated with a user defined script;
receiving a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account object; and
wherein the following are executed by an administrator application executing on the network environment responsive to the received request:
identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
determining if any of the plurality of policy objects apply to the request based on at least one of the requesting user, the target one of the entity objects and the one of the properties of the target one of the entity objects to be established;
determining if policy objects which apply are satisfied, wherein determining if policy objects which apply are satisfied further comprises invoking the user defined script of one of the policy objects which applies which has an associated user defined script;
executing the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
establishing the one of the properties of the target one of the entity objects if the requesting user is authorized and the policy objects which apply are satisfied.

21. A method for distributed administration of a network environment having defined administrator authorities, the method comprising:
defining a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
defining a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
defining a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
receiving a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account object; and
wherein the following are executed by an administrator application executing on the network environment responsive to the received request:
identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
executing the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects;
establishing a plurality of user defined trigger scripts, ones of the user defined trigger scripts comprising at least one of the administrator authorities and at least one other executable action to be invoked; and
establishing the one of the properties of the target one of the entity objects if the requesting user is authorized, wherein establishing the one of the properties includes invoking at least one of the user defined trigger scripts associated with the received request.
Dependent claim: 22.

23. A method for distributed administration of a network environment having defined administrator authorities, the method comprising:
defining a plurality of entity objects including account objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment, wherein properties of at least one of the account objects are administered by more than one application program;
defining a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
defining a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
receiving a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects; and
wherein the following are executed by a server side administrator application executing on the network environment:
providing virtual property objects linking respective properties from one of the application programs to another of the application programs so as to present properties from the one of the application programs and the another of the application programs to a requesting one of the entity objects without distinguishing the application programs administering the properties;
identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
executing the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
establishing the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.

24. A system for distributed administration of a network environment having defined administrator authorities, the system comprising:
a plurality of entity objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects based on at least one of the properties of the target ones of the entity objects;
a presentation layer that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects and provides information to the requesting one of the entity objects;
a business layer that identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties, obtains the at least one of the properties of the target one of the entity objects designated by the identified rule from a data layer, executes the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects based on the obtained one of the properties of the target one of the entity objects and establishes the one of the properties of the target one of the entity objects through the data layer if the requesting one of the entity objects is authorized; and
a data layer that interfaces the business layer to resources of the network environment and obtains the at least one of the properties of the target one of the entity objects designated by the identified rule responsive to a request from the business layer and establishes the one of the properties of the target one of the entity objects responsive to the business layer.

25. A system for distributed administration of a network environment having defined administrator authorities, the system comprising:
a plurality of entity objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects based on at least one of the properties of the target ones of the entity objects;
an administrator application executing on the network environment that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the administrator application comprising:
means for identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
means for obtaining the at least one of the properties of the target one of the entity objects designated by the identified rule;
means for executing the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects based on the obtained one of the properties of the target one of the entity objects; and
means for establishing the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.

26. A system for distributed administration of a network environment having defined administrator authorities, the system comprising:
a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
a plurality of policy objects constraining invoking of ones of the plurality of administration powers by authorized ones of the entity objects, at least one of the policy objects being associated with a user defined script;
an administrator application executing on the network environment that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account object, the administrator application comprising:
means for identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
means for determining if any of the plurality of policy objects apply to the request based on at least one of the requesting user, the target one of the entity objects and the one of the properties of the target one of the entity objects to be established;
means for determining if policy objects which apply are satisfied, wherein the means for determining if policy objects which apply are satisfied further comprises means for invoking the user defined script of one of the policy objects which applies which has an associated user defined script;
means for executing the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
means for establishing the one of the properties of the target one of the entity objects if the requesting user is authorized and the policy objects which apply are satisfied.

27. A system for distributed administration of a network environment having defined administrator authorities, the system comprising:
a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
a plurality of user defined trigger scripts, ones of the user defined trigger scripts comprising at least one of the administrator authorities and at least one other executable action to be invoked;
an administrator application executing on the network environment that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account object, the administrator application comprising:
means for identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
means for executing the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
means for establishing the one of the properties of the target one of the entity objects if the requesting user is authorized, wherein establishing the one of the properties includes invoking at least one of the user defined trigger scripts associated with the received request.

28. A system for distributed administration of a network environment having defined administrator authorities, the system comprising:
a plurality of entity objects including account objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment, wherein properties of at least one of the account objects are administered by more than one application program;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
a server side administrator application executing on the network environment that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the administrator application comprising:
means for providing virtual property objects linking respective properties from one of the application programs to another of the application programs so as to present properties from the one of the application programs and the another of the application programs to a requesting one of the entity objects without distinguishing the application programs administering the properties;
means for identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
means for executing the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
means for establishing the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.

29. A computer program product for distributed administration of a network environment having defined administrator authorities, the network environment having:
a plurality of entity objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects based on at least one of the properties of the target ones of the entity objects;
wherein the computer program product comprises an administrator application configured to be provided on the network environment so as to receive a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the administrator application comprising:
a computer-readable storage medium having computer-readable program code embodied in said medium, said computer-readable program code comprising:
computer-readable program code which identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
computer-readable program code which obtains the at least one of the properties of the target one of the entity objects designated by the identified rule;
computer-readable program code which executes the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects based on the obtained one of the properties of the target one of the entity objects; and
computer-readable program code which establishes the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.

30. A computer program product for distributed administration of a network environment having defined administrator authorities, the network environment having:
a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
a plurality of policy objects constraining invoking of ones of the plurality of administration powers by authorized ones of the entity objects, at least one of the policy objects being associated with a user defined script;
wherein the computer program product comprises an administrator application configured to be provided on the network environment so as to receive a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account, the administrator application comprising:
a computer-readable storage medium having computer-readable program code embodied in said medium, said computer-readable program code comprising:
computer-readable program code which identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
computer-readable program code which determines if any of the plurality of policy objects apply to the request based on at least one of the requesting user, the target one of the entity objects and the one of the properties of the target one of the entity objects to be established;
computer-readable program code which determines if policy objects which apply are satisfied, wherein the computer-readable program code which determines if policy objects which apply are satisfied further comprises computer-readable program code which invokes the user defined script of one of the policy objects which applies which has an associated user defined script;
computer-readable program code which executes the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
computer-readable program code which establishes the one of the properties of the target one of the entity objects if the requesting user is authorized and the policy objects which apply are satisfied.

31. A computer program product for distributed administration of a network environment having defined administrator authorities, the network environment having:
a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
a plurality of user defined trigger scripts, ones of the user defined trigger scripts comprising at least one of the administrator authorities and at least one other executable action to be invoked;
wherein the computer program product comprises an administrator application configured to be provided on the network environment so as to receive a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account, the administrator application comprising:
a computer-readable storage medium having computer-readable program code embodied in said medium, said computer-readable program code comprising:
computer-readable program code which identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
computer-readable program code which executes the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
computer-readable program code which establishes the one of the properties of the target one of the entity objects if the requesting user is authorized, wherein establishing the one of the properties includes invoking at least one of the user defined trigger scripts associated with the received request.

32. A computer program product for distributed administration of a network environment having defined administrator authorities, the network environment having:
a plurality of entity objects including account objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment, wherein properties of at least one of the account objects are administered by more than one application program;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
wherein the computer program product comprises a server side administrator application configured to be provided on the network environment that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the administrator application comprising:
a computer-readable storage medium having computer-readable program code embodied in said medium, said computer-readable program code comprising:
computer-readable program code which provides virtual property objects linking respective properties from one of the application programs to another of the application programs so as to present properties from the one of the application programs and the another of the application programs to a requesting one of the entity objects without distinguishing the application programs administering the properties;
computer-readable program code which identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
computer-readable program code which executes the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
computer-readable program code which establishes the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.