Role-based authorization management framework
Abstract
A role-based authorization management system maintains an authorization policy store that represents user authorizations to perform operations associated with an application. When a user attempts to perform a function associated with an application, the authorization management system verifies that the user is authorized to perform the requested function. The authorization management system also provides an interface for an application administrator to update role-based user authorization policies associated with one or more applications.
47 Claims
1. A method comprising:
initializing an authorization policy store to maintain an application object that represents an application;
associating with the application object an operation object that represents an operation that can be performed using the application;
associating with the application object an application group object that represents a user that can be granted access to the application; and
associating a role object with the operation object and the application group object to represent authorization for the user to perform the operation.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A method comprising:
initializing an authorization policy store to maintain an application object that represents an application;
associating with the application object a task object that represents an operation that can be performed using the application when a dynamic condition is met;
associating with the application object an application group object that represents a user that can be granted access to the application; and
associating a role object with the task object and the application group object to represent authorization for the user to perform the operation provided that the dynamic condition is met.
Dependent claims: 11, 12, 13

14. A method comprising:
receiving a user request to perform a function associated with an application;
determining whether the user is authorized to perform the function based on data stored in a role-based authorization policy store associated with the application; and
in an event that it is determined that the user is authorized to perform the function, transmitting a user authorization notification to the application.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24

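The object model of claims 1 and 10 (application, operation, task with a dynamic condition, application group, role) and the request-time check of claim 14 are easier to follow in code. The following is an added Python example, not code from the patent or from any product implementing it: the PolicyStore class, the Task.condition callable, the "Expenses" application, its operations, groups and users are all constructed for illustration. The check is default-deny and treats a condition that cannot be evaluated as a denial.

```python
"""Toy role-based authorization policy store modelled on the claims above.

Constructed example; PolicyStore, Task.condition and the sample 'Expenses'
application are assumptions made for illustration, not the patent's design.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Set

Context = Dict[str, Any]  # per-request data handed to task conditions


@dataclass(frozen=True)
class Operation:
    """Something the application can do, e.g. 'ApproveExpense' (claim 1)."""
    name: str


@dataclass
class Task:
    """An operation gated by a dynamic condition evaluated per request (claim 10).
    The condition receives the request context and must return True to allow."""
    operation: Operation
    condition: Callable[[Context], bool]


@dataclass
class ApplicationGroup:
    """Users who can be granted access to the application (claim 1)."""
    name: str
    members: Set[str] = field(default_factory=set)


@dataclass
class Role:
    """Ties application groups to operations and tasks (claims 1 and 10)."""
    name: str
    group_names: Set[str] = field(default_factory=set)
    operations: Set[Operation] = field(default_factory=set)
    tasks: List[Task] = field(default_factory=list)


@dataclass
class Application:
    """Application object owning its operations, groups and roles (claim 1)."""
    name: str
    operations: Dict[str, Operation] = field(default_factory=dict)
    groups: Dict[str, ApplicationGroup] = field(default_factory=dict)
    roles: Dict[str, Role] = field(default_factory=dict)


class PolicyStore:
    """In-memory authorization policy store (claim 25) with the manager
    functions for creating and deleting policy objects (claim 31)."""

    def __init__(self) -> None:
        self.applications: Dict[str, Application] = {}

    def create_application(self, name: str) -> Application:
        return self.applications.setdefault(name, Application(name))

    def delete_role(self, app_name: str, role_name: str) -> None:
        self.applications[app_name].roles.pop(role_name, None)

    def is_authorized(self, app_name: str, user: str, op_name: str,
                      context: Optional[Context] = None) -> bool:
        """Access check (claim 14). Default deny: grant only if a role that
        includes one of the user's groups names the operation, either directly
        or through a task whose condition holds for this request."""
        app = self.applications.get(app_name)
        if app is None or op_name not in app.operations:
            return False  # unknown application or operation: deny
        wanted = app.operations[op_name]
        user_groups = {g.name for g in app.groups.values() if user in g.members}
        if not user_groups:
            return False  # user belongs to no application group: deny
        ctx = dict(context or {}, user=user)  # conditions may refer to the caller
        for role in app.roles.values():
            if not (role.group_names & user_groups):
                continue
            if wanted in role.operations:
                return True
            for task in role.tasks:
                if task.operation != wanted:
                    continue
                try:
                    if task.condition(ctx):
                        return True
                except Exception:
                    continue  # a condition that cannot be evaluated never grants
        return False


def build_sample_store() -> PolicyStore:
    """Constructed sample policy for a hypothetical 'Expenses' application."""
    store = PolicyStore()
    app = store.create_application("Expenses")
    submit, approve = Operation("SubmitExpense"), Operation("ApproveExpense")
    app.operations = {o.name: o for o in (submit, approve)}
    app.groups["Employees"] = ApplicationGroup("Employees", {"alice", "bob"})
    app.groups["Managers"] = ApplicationGroup("Managers", {"bob"})
    app.roles["Submitter"] = Role("Submitter", {"Employees"}, {submit})
    # Approval is a task: allowed only under a limit and never for one's own claim.
    app.roles["Approver"] = Role("Approver", {"Managers"}, tasks=[Task(
        approve,
        lambda c: c["amount"] <= 5000 and c["requester"] != c["user"])])
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.is_authorized("Expenses", "bob", "ApproveExpense",
                          {"amount": 1000, "requester": "alice"}))
```

Two design points matter for the check itself: the caller's identity is injected into the context, so a task condition can express relationships such as "not the requester" without trusting a client-supplied field, and the check re-reads the store on every request, so a role removed through the manager interface (claim 31) stops granting access immediately.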
25. An authorization management system comprising:
an authorization policy store that stores role-based user permissions associated with an application; and
an authorization interface that provides a mechanism for the application to verify the role-based user permissions.
Dependent claims: 26, 27, 28, 29, 30

31. An authorization management system comprising:
an authorization policy store that stores role-based user permissions associated with an application; and
an authorization manager that provides a mechanism for creating, modifying, or deleting the role-based user permissions.
Dependent claims: 32

33. A system comprising:
means for storing hierarchically related data objects that represent a role-based user authorization policy, the data objects being selected from a group of data objects that represent at least one of a user, an operation, and authorization for the user to perform the operation;
means for receiving a client request to perform an application operation; and
means for verifying that the client is authorized to perform the application operation based on the authorization policy.
Dependent claims: 34

35. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computing system to:
represent an application with an application object;
represent an operation available through the application with an operation object;
represent one or more users of the application with an application group object; and
represent authorization for the one or more users to perform the operation with a role object that is associated with the application object, the operation object, and the application group object.
Dependent claims: 36, 37

38. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computing system to:
receive a user request to perform an application operation; and
verify that the user is authorized to perform the application operation based on a user role-based authorization policy.

39. An application server comprising:
a processor;
a memory; and
an authorization interface that is stored in the memory and executed on the processor to receive a request from a user to perform an operation and examine a role-based authorization policy to determine whether or not the user is authorized to perform the operation.
Dependent claims: 40, 41, 42, 43

44. An authorization interface comprising:
an application class for accessing authorization objects associated with an application object, the application objects representing applications;
an operation class for accessing operation objects, the operation objects representing operations associated with the applications;
an application group class for accessing application group objects, the application group objects representing groups of users associated with the applications; and
a role class for accessing role objects, the role objects representing associations between application group objects and operation objects that define user authorization to perform one or more operations.
Dependent claims: 45, 46, 47