Object-based access control

US 20050114661A1
Filed: 11/25/2003
Published: 05/26/2005
Est. Priority Date: 11/25/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium or propagated signal having embodied thereon a computer program configured to determine whether a user is permitted to access a business object when executing a software application of an enterprise information technology system, the medium or signal comprising one or more code segments configured to:

use a permission object to determine whether a user associated with an entry in user information is permitted to access a data object associated with a data object type, wherein;

the entry in the user information associates the user with a user affiliation, the permission object identifies;

a user affiliation to which the permission object applies, a data object type to which the permission object applies such that the data object type is associated with multiple attributes and each data object having the data object type is associated with the multiple attributes, a permission attribute identifying one of the multiple attributes, and a permission value for the permission attribute, and the user is permitted to access the data object when (1) the user affiliation that is associated with the user is the same user affiliation as the user affiliation to which the permission object applies, (2) the data object type of the data object is the same data object type as the data object type to which the permission object applies, and (3) a value of an attribute of the multiple attributes associated with the data object is consistent with the permission value of the permission attribute and the attribute corresponds to the permission attribute.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for using permission data objects to control user access to business data objects. A permission data object identifies a group affiliation associated with a user and a business object type (or family of business data objects) to which the permission object controls access. A permission object includes a permission attribute and a permission value. A user who has the group affiliation that is identified in the permission object is permitted to access a particular business data object of the business object type when the value of the permission attribute in the permission data object is consistent with the value of a corresponding attribute in the particular business data object to which the user seeks access.

67 Citations

View as Search Results

19 Claims

1. A computer-readable medium or propagated signal having embodied thereon a computer program configured to determine whether a user is permitted to access a business object when executing a software application of an enterprise information technology system, the medium or signal comprising one or more code segments configured to:
- use a permission object to determine whether a user associated with an entry in user information is permitted to access a data object associated with a data object type, wherein;
  
  the entry in the user information associates the user with a user affiliation, the permission object identifies;
  
  a user affiliation to which the permission object applies, a data object type to which the permission object applies such that the data object type is associated with multiple attributes and each data object having the data object type is associated with the multiple attributes, a permission attribute identifying one of the multiple attributes, and a permission value for the permission attribute, and the user is permitted to access the data object when (1) the user affiliation that is associated with the user is the same user affiliation as the user affiliation to which the permission object applies, (2) the data object type of the data object is the same data object type as the data object type to which the permission object applies, and (3) a value of an attribute of the multiple attributes associated with the data object is consistent with the permission value of the permission attribute and the attribute corresponds to the permission attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The medium or signal of claim 1 wherein the one or more code segments are further configured to permit the user to access the data object when the value of the attribute of one of the multiple attributes associated with the data object is the same as the permission value of the permission attribute.
  - 3. The medium or signal of claim 1 wherein the one or more code segments are further configured to permit the user to access the data object when the value of the attribute of one of the multiple attributes associated with the data object is the within a range specified by the permission value of the permission attribute.
  - 4. The medium or signal of claim 1 wherein the one or more code segments are further configured to permit the user to access the data object when the value of the attribute of one of the multiple attributes associated with the data object is one of enumerated values specified by the permission value of the permission attribute.
  - 5. The medium or signal of claim 1 wherein:
    - the permission object identifies an attribute group having one or more attributes of the multiple attributes associated with the data object type, and the one or more code segments are further configured to permit the user to access an attribute of the data object only when the attribute of the data object corresponds to an attribute of the attribute group of the permission object.
  - 6. The medium or signal of claim 5 wherein:
    - the permission object identifies a second attribute group having one or more attributes of the multiple attributes associated with the data object type, a second permission attribute identifying one of the multiple attributes, and a second permission value for the second permission attribute, associates the second permission attribute and the second permission value with the second attribute group, and associates the permission attribute and permission value with the attribute group, and the one or more code segments are further configured to permit the user to access an attribute of the data object only when the attribute of the data object corresponds to an attribute of the second attribute group of the permission object and a value of an attribute of one of the multiple attributes associated with the data object is consistent with the second permission value of the second permission attribute.
  - 7. The medium or signal of claim 1 wherein:
    - the permission object identifies a permitted action, and the one or more code segments are further configured to permit the user to access the data object and perform an action on the data object when the action is consistent with the permitted action identified in the permission object.

8. A method for determining whether a user is permitted to access a business object when executing a software application of an enterprise information technology system, the method comprising:
- using a permission object to determine whether a user associated with an entry in user information is permitted to access a data object associated with a data object type, wherein;
  
  the entry in the user information associates the user with a user affiliation, the permission object identifies;
  
  a user affiliation to which the permission object applies, a data object type to which the permission object applies such that the data object type is associated with multiple attributes and each data object having the data object type is associated with the multiple attributes, a permission attribute identifying one of the multiple attributes, and a permission value for the permission attribute, and the user is permitted to access the data object when (1) the user affiliation that is associated with the user is the same user affiliation as the user affiliation to which the permission object applies, (2) the data object type of the data object is the same data object type as the data object type to which the permission object applies, and (3) a value of an attribute of the multiple attributes associated with the data object is consistent with the permission value of the permission attribute and the attribute corresponds to the permission attribute.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8 further comprising permitting the user to access the data object when the value of the attribute of one of the multiple attributes associated with the data object is the same as the permission value of the permission attribute.
  - 10. The method of claim 8 further comprising permitting the user to access the data object when the value of the attribute of one of the multiple attributes associated with the data object is the within a range specified by the permission value of the permission attribute.
  - 11. The method of claim 8 further comprising permitting the user to access the data object when the value of the attribute of one of the multiple attributes associated with the data object is one of enumerated values specified by the permission value of the permission attribute.
  - 12. The method of claim 8 wherein the permission object identifies an attribute group having one or more attributes of the multiple attributes associated with the data object type, the method further comprising permitting the user to access an attribute of the data object only when the attribute of the data object corresponds to an attribute of the attribute group of the permission object.

13. A computer system for determining whether a user is permitted to access a data object when executing a software application of an enterprise information technology system, the system comprising:
- a data repository for access control information for software having data objects, each data object (1) being associated with a data object type having multiple attributes, (2) having multiple attributes that are the same as the multiple attributes of the data object type to which the data object is associated, and (3) having a value associated with each attribute of the multiple attributes, the data repository including;
  
  user information that associates a user affiliation with a user of the software application, and permission information having multiple permission objects, each permission object identifying a user affiliation to which the permission object applies, a data object type to which the permission object applies, a permission attribute identifying one of the multiple attributes, and a permission value for the permission attribute; and
  
  an executable software module that causes;
  
  a comparison of a value of an attribute of the multiple attributes associated with a data object to which a user seeks to access such that the attribute corresponds to the permission attribute of a permission object with the permission value of the permission object, and an indication that a user is permitted to access a data object when the value of the attribute associated with the data object is consistent with the permission value of the permission object.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13 wherein the executable software module causes an indication that a user is permitted to access the data object when the value of the attribute of one of the multiple attributes associated with the data object is the same as the permission value of the permission attribute.
  - 15. The system of claim 13 wherein the executable software module causes an indication that a user is permitted to access the data object when the value of the attribute of one of the multiple attributes associated with the data object is the within a range specified by the permission value of the permission attribute.
  - 16. The system of claim 13 wherein the executable software module causes an indication that a user is permitted to access the data object when the value of the attribute of one of the multiple attributes associated with the data object is one of enumerated values specified by the permission value of the permission attribute.
  - 17. The system of claim 13 wherein:
    - the permission object identifies an attribute group having one or more attributes of the multiple attributes associated with the data object type, and the executable software module causes an indication that a user is permitted to access an attribute of the data object only when the attribute of the data object corresponds to an attribute of the attribute group of the permission object.
  - 18. The system of claim 17 wherein:
    - the permission object identifies a second attribute group having one or more attributes of the multiple attributes associated with the data object type, a second permission attribute identifying one of the multiple attributes, and a second permission value for the second permission attribute, associates the second permission attribute and the second permission value with the second attribute group, and associates the permission attribute and permission value with the attribute group, and the executable software module causes an indication that a user is permitted to access an attribute of the data object only when the attribute of the data object corresponds to an attribute of the second attribute group of the permission object and a value of an attribute of one of the multiple attributes associated with the data object is consistent with the second permission value of the second permission attribute.
  - 19. The system of claim 13 wherein:
    - the permission object identifies a permitted action, and the executable software module causes an indication that a user is permitted to access the data object and perform an action on the data object when the action is consistent with the permitted action identified in the permission object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Kaufmann, Malte Christian, Cheng, Tom, Nagar, Amit

Granted Patent

US 7,650,644 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/167
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06Q 10/00   Administration; Management

G06Q 10/10   Office automation; Time man...

Object-based access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Object-based access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links