METHODS AND SYSTEMS FOR PROVISIONING ACCESS TO CUSTOMER ORGANIZATION DATA IN A MULTI-TENANT SYSTEM
First Claim
1. A computer-implemented method for controlling access to data for an organization stored on a server computer accessible over a network, the method comprising:
- defining administrative privileges for a support user within a management organization that maintains the data for the organization, wherein the support user is authorized to access the data of the organization stored on the server computer;
- defining a support user class of users in an interface to the organization, wherein a support user is granted limited privileges with respect to the data; and
- initiating a network session to the organization upon request of the support user, wherein the network session associates the administrative privileges to the support user class to enable access to the data to the extent of the administrative privileges.
Abstract
Embodiments are described for providing support representative access to applications deployed in an enterprise network environment. An access provisioning system defines a support user class in a user profile database for an application executed on an organization partition within the network. The support user is granted read-only privileges to metadata of the application. An organization administrator can grant support personnel access to the application as a support user, and thus the ability to view, analyze, and possibly modify the metadata. The access provisioning system generates a Security Assertion Markup Language (SAML) assertion upon request by the support personnel to enable access to the data to the extent of the granted privileges. The SAML protocol includes authentication of the support representative as an authorized support user within the system.
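The provisioning decision the abstract describes, as an added illustration in Python (not the patent's own code): a support session is issued only when the management organization lists the support user with administrative privileges and the tenant's administrator has granted support access, and the session's effective privileges are the intersection of the two. The data structures, names and the grant expiry are assumptions; the SAML assertion is represented as a plain dictionary.

```python
# Added example, not from the patent. Models the two-sided authorization check:
# management-side privileges AND tenant-side grant, scoped to one tenant org.
from dataclasses import dataclass, field
import time

READ_METADATA = "read:metadata"    # the read-only privilege the abstract mentions
WRITE_METADATA = "write:metadata"  # a broader privilege, assumed for contrast

@dataclass
class ManagementOrg:
    # index of authorized support users -> administrative privileges (assumed shape)
    support_users: dict = field(default_factory=dict)

@dataclass
class TenantOrg:
    org_id: str
    # org administrator's grant to the support user class, with an expiry (assumption)
    support_grant: set = field(default_factory=set)
    grant_expires_at: float = 0.0

def issue_support_assertion(mgmt, tenant, support_user, now=None):
    """Return an assertion scoped to one tenant, or None when access is denied."""
    now = time.time() if now is None else now
    admin_privs = mgmt.support_users.get(support_user)
    if admin_privs is None:
        return None  # not an authorized support user in the management org
    if now >= tenant.grant_expires_at:
        return None  # org admin never granted access, or the grant has lapsed
    effective = admin_privs & tenant.support_grant  # tenant grant cannot widen privileges
    if not effective:
        return None
    return {
        "subject": support_user,
        "user_class": "support",
        "audience": tenant.org_id,          # session bound to a single tenant org
        "privileges": sorted(effective),
        "not_on_or_after": tenant.grant_expires_at,
    }

def check_access(assertion, org_id, privilege, now=None):
    """Enforce the assertion on a request: right tenant, unexpired, privilege present."""
    now = time.time() if now is None else now
    return (
        assertion is not None
        and assertion["audience"] == org_id
        and now < assertion["not_on_or_after"]
        and privilege in assertion["privileges"]
    )
```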
19 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2-9.
11. A system for controlling access to application program data in a computer network, comprising:
- license management means for allowing a support person to access resources utilized by a tenant organization in a multi-tenant system hosted by a server computer;
- an index of users listing users that are authorized to access the data of the organization stored on the server computer, wherein a support user class defines users allowed to access the data, wherein a support user is granted limited privileges with respect to the data; and
- a data access component configured to generate a Security Assertion Markup Language (SAML) assertion upon request of an authorized user to enable access to the data to the extent of the granted privileges.
Dependent claims: 12-16.
17. A non-volatile, machine-readable medium containing one or more sequences of instructions for controlling access to an application program on a computer network comprising a plurality of coupled computers, the instructions configured to cause a processor to:
- define administrative privileges for a support user within a management organization that maintains the data for the organization, wherein the support user is authorized to access the data of the organization stored on a server computer;
- define a support user class of users in an interface to the organization, wherein a support user is granted limited privileges with respect to the data; and
- initiate a network session to the organization upon request of the support user, wherein the network session associates the administrative privileges to the support user class to enable access to the data to the extent of the administrative privileges.
Dependent claims: 18-19.