Object-based access control
Abstract
Techniques are described for using permission data objects to control user access to business data objects. A permission data object identifies a group affiliation associated with a user and a business object type (or family of business data objects) to which the permission object controls access. A permission object includes a permission attribute and a permission value. A user who has the group affiliation that is identified in the permission object is permitted to access a particular business data object of the business object type when the value of the permission attribute in the permission data object is consistent with the value of a corresponding attribute in the particular business data object to which the user seeks access.
19 Claims
1. A computer-readable medium or propagated signal having embodied thereon a computer program configured to determine whether a user is permitted to access a business object when executing a software application of an enterprise information technology system, the medium or signal comprising one or more code segments configured to:
use a permission object to determine whether a user associated with an entry in user information is permitted to access a data object associated with a data object type, wherein:
the entry in the user information associates the user with a user affiliation;
the permission object identifies a user affiliation to which the permission object applies, a data object type to which the permission object applies such that the data object type is associated with multiple attributes and each data object having the data object type is associated with the multiple attributes, a permission attribute identifying one of the multiple attributes, and a permission value for the permission attribute; and
the user is permitted to access the data object when (1) the user affiliation that is associated with the user is the same user affiliation as the user affiliation to which the permission object applies, (2) the data object type of the data object is the same data object type as the data object type to which the permission object applies, and (3) a value of an attribute of the multiple attributes associated with the data object is consistent with the permission value of the permission attribute and the attribute corresponds to the permission attribute.
8. A method for determining whether a user is permitted to access a business object when executing a software application of an enterprise information technology system, the method comprising:
using a permission object to determine whether a user associated with an entry in user information is permitted to access a data object associated with a data object type, wherein:
the entry in the user information associates the user with a user affiliation;
the permission object identifies a user affiliation to which the permission object applies, a data object type to which the permission object applies such that the data object type is associated with multiple attributes and each data object having the data object type is associated with the multiple attributes, a permission attribute identifying one of the multiple attributes, and a permission value for the permission attribute; and
the user is permitted to access the data object when (1) the user affiliation that is associated with the user is the same user affiliation as the user affiliation to which the permission object applies, (2) the data object type of the data object is the same data object type as the data object type to which the permission object applies, and (3) a value of an attribute of the multiple attributes associated with the data object is consistent with the permission value of the permission attribute and the attribute corresponds to the permission attribute.
13. A computer system for determining whether a user is permitted to access a data object when executing a software application of an enterprise information technology system, the system comprising:
a data repository for access control information for software having data objects, each data object (1) being associated with a data object type having multiple attributes, (2) having multiple attributes that are the same as the multiple attributes of the data object type to which the data object is associated, and (3) having a value associated with each attribute of the multiple attributes, the data repository including:
user information that associates a user affiliation with a user of the software application, and
permission information having multiple permission objects, each permission object identifying a user affiliation to which the permission object applies, a data object type to which the permission object applies, a permission attribute identifying one of the multiple attributes, and a permission value for the permission attribute; and
an executable software module that causes:
a comparison of a value of an attribute of the multiple attributes associated with a data object to which a user seeks to access such that the attribute corresponds to the permission attribute of a permission object with the permission value of the permission object, and
an indication that a user is permitted to access a data object when the value of the attribute associated with the data object is consistent with the permission value of the permission object.
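The three-part test the claims describe (same user affiliation, same data object type, attribute value consistent with the permission value), written out as an added Python example that is not part of the patent; the object types, users, permission objects and the equality-or-set-membership reading of "consistent with" are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Any, Iterable

# Constructed sample schema: each data object type has a fixed attribute set and
# every object of that type carries exactly those attributes.
TYPE_ATTRIBUTES = {"SalesOrder": {"region", "status", "owner"}, "Invoice": {"region", "amount"}}
# Constructed user information: user -> user affiliation(s).
USER_INFO = {"alice": {"sales-emea"}, "bob": {"finance"}}

@dataclass(frozen=True)
class DataObject:
    object_type: str
    attributes: dict

@dataclass(frozen=True)
class PermissionObject:
    affiliation: str  # user affiliation the permission applies to
    object_type: str  # data object type the permission applies to
    attribute: str    # permission attribute, one of the type's attributes
    value: Any        # permission value the object's attribute must be consistent with

    def __post_init__(self):
        # Reject a permission whose attribute is not one of its type's attributes.
        if self.attribute not in TYPE_ATTRIBUTES.get(self.object_type, set()):
            raise ValueError(f"{self.attribute!r} is not an attribute of {self.object_type!r}")

def consistent(actual: Any, permitted: Any) -> bool:
    # "Consistent with" is taken as equality, or membership when the permission
    # value is a set of allowed values (an assumed interpretation, not the patent's).
    if isinstance(permitted, (set, frozenset)):
        return actual in permitted
    return actual == permitted

def is_permitted(user: str, obj: DataObject, permissions: Iterable[PermissionObject]) -> bool:
    # Grant only when some permission object passes all three tests of the claim.
    affiliations = USER_INFO.get(user, set())
    for p in permissions:
        if p.affiliation not in affiliations:    # (1) same user affiliation
            continue
        if p.object_type != obj.object_type:     # (2) same data object type
            continue
        if consistent(obj.attributes[p.attribute], p.value):  # (3) value consistent
            return True
    return False  # default deny: no matching permission object

PERMISSIONS = [  # constructed permission information
    PermissionObject("sales-emea", "SalesOrder", "region", {"EMEA", "UK"}),
    PermissionObject("finance", "Invoice", "region", "EMEA"),
]
```

An unknown user, a user whose affiliation has no permission object for the object's type, or an attribute value outside the permission value all fall through to the default deny.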
Specification