JUST-IN-TIME USER PROVISIONING FRAMEWORK IN A MULTITENANT ENVIRONMENT

US 20130091171A1
Filed: 06/01/2012
Published: 04/11/2013
Est. Priority Date: 10/05/2011
Status: Active Grant

First Claim

Patent Images

1. A method of provisioning organization users in a multi-tenant database system, including:

receiving a request via a single sign-on protocol from an organization user to create a new multi-tenant database user account for access to the multi-tenant database system;

retrieving rules that specify how to derive user permissions for access to the multi-tenant database system from stored user attributes of the organization user;

applying the rules to the stored user attributes to determine permissions for the user to access particular objects in the multi-tenant database system; and

creating the new user account with the determined user permissions for access to the multi-tenant database system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of provisioning organization users in a multi-tenant database system includes receiving a request via a single sign-on protocol from an organization user to create a new multi-tenant database user account for access to the multi-tenant database system. The method retrieves rules that specify how to derive user permissions for access to the multi-tenant database system from stored user attributes of the organization user. The method continues with applying the rules to the stored user attributes to determine permissions for the users to access particular objects in the multi-tenant database system, and creating the new user account with the determined user permissions for access to the multi-tenant database system.

52 Citations

View as Search Results

21 Claims

1. A method of provisioning organization users in a multi-tenant database system, including:
- receiving a request via a single sign-on protocol from an organization user to create a new multi-tenant database user account for access to the multi-tenant database system;
  
  retrieving rules that specify how to derive user permissions for access to the multi-tenant database system from stored user attributes of the organization user;
  
  applying the rules to the stored user attributes to determine permissions for the user to access particular objects in the multi-tenant database system; and
  
  creating the new user account with the determined user permissions for access to the multi-tenant database system.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the single sign-on protocol includes one or more SAML (Security Assertion Markup Language), OAuth (Open standard for Authorization), OpenID, EmpowerID Federation Services, Oracle Access Manager, and Tivoli Identity Manager.
  - 3. The method of claim 1, further including requesting user attributes that are required but not included in the request.
  - 4. The method of claim 1, wherein the creating further includes:
    - creating a management account object at least based on an account identifier attribute;
      
      creating a contact object at least based on a contact identifier attribute and the management account object; and
      
      creating a new portal user account at least based on the management account object and the contact object.

5. A method of initializing rules for provisioning organization users in a multi-tenant database system, including:
- receiving data specifying rules to apply when setting up an organization user as a new multi-tenant database user, wherein the rules specify how to derive user permissions to access particular objects in the multi-tenant database system from attributes of the organization user stored in an organization directory; and
  
  storing the rules with a system user profile, wherein the profiled system user has limited rights to create new multi-tenant database users and to determine the new multi-tenant database user'"'"'s permissions to access the particular objects based on applying the rules to the attributes of the organization user as stored in the organization directory.
- View Dependent Claims (6, 7)
- - 6. The method of claim 5, wherein the attributes include role attributes based on a role hierarchy.
  - 7. The method of claim 6, wherein the rules include particular rules that specify how to derive user permissions to access particular objects in the multi-tenant database system based on the role attributes.

8. A computer system for provisioning organization users in a multi-tenant database system, the computer system including one or more processors configured to perform operations including:
- receiving a request via a single sign-on protocol from an organization user to create a new multi-tenant database user account for access to the multi-tenant database system;
  
  retrieving rules that specify how to derive user permissions for access to the multi-tenant database system from stored user attributes of the organization user;
  
  applying the rules to the stored user attributes to determine permissions for the user to access particular objects in the multi-tenant database system; and
  
  creating the new user account with the determined user permissions for access to the multi-tenant database system.
- View Dependent Claims (9, 10, 11)
- - 9. The computer system of claim 8, wherein the single sign-on protocol includes one or more of SAML (Security Assertion Markup Language), OAuth (Open standard for Authorization), OpenID, EmpowerID Federation Services, Oracle Access Manager, and Tivoli Identity Manager.
  - 10. The computer system of claim 8, wherein the processors configured to further perform operations including requesting user attributes that are required but not included in the request.
  - 11. The computer system of claim 8, wherein the creating further includes:
    - creating a management account object at least based on an account identifier attribute;
      
      creating a contact object at least based on a contact identifier attribute and the management account object; and
      
      creating a new portal user account at least based on the management account object and the contact object.

12. A computer system for initializing rules for provisioning organization users in a multi-tenant database system, the computer system including one or more processors configured to perform operations including:
- receiving data specifying rules to apply when setting up an organization user as a new multi-tenant database user, wherein the rules specify how to derive user permissions to access particular objects in the multi-tenant database system from attributes of the organization user stored in an organization directory; and
  
  storing the rules with a system user profile, wherein the profiled system user has limited rights to create new multi-tenant database users and to determine the new multi-tenant database user'"'"'s permissions to access the particular objects based on applying the rules to the attributes of the organization user as stored in the organization directory.
- View Dependent Claims (13, 14)
- - 13. The computer system of claim 12, wherein the attributes include role attributes based on a role hierarchy.
  - 14. The computer system of claim 13, wherein the rules include particular rules that specify how to derive user permissions to access particular objects in the multi-tenant database system based on the role attributes.

15. A computer readable storage medium has instructions stored for provisioning organization users in a multi-tenant database system thereon which, when executed by one or more computers, cause the one or more computers to perform operations including:
- receiving a request via a single sign-on protocol from an organization user to create a new multi-tenant database user account for access to the multi-tenant database system;
  
  retrieving rules that specify how to derive user permissions for access to the multi-tenant database system from stored user attributes of the organization user;
  
  applying the rules to the stored user attributes to determine permissions for the user to access particular objects in the multi-tenant database system; and
  
  creating the new user account with the determined user permissions for access to the multi-tenant database system.
- View Dependent Claims (16, 17, 18)
- - 16. The computer readable storage medium of claim 15, wherein the single sign-on protocol includes one or more of SAML (Security Assertion Markup Language), OAuth (Open standard for Authorization), OpenID, EmpowerID Federation Services, Oracle Access Manager, and Tivoli Identity Manager.
  - 17. The computer readable storage medium of claim 15, wherein the operations further including requesting user attributes that are required but not included in the request.
  - 18. The computer readable storage medium of claim 15, wherein the creating further includes:
    - creating a management account object at least based on an account identifier attribute;
      
      creating a contact object at least based on a contact identifier attribute and the management account object; and
      
      creating a new portal user account at least based on the management account object and the contact object.

19. A computer readable storage medium has instructions stored for initializing rules for provisioning organization users in a multi-tenant database system thereon which, when executed by one or more computers, cause the one or more computers to perform operations including:
- receiving data specifying rules to apply when setting up an organization user as a new multi-tenant database user, wherein the rules specify how to derive user permissions to access particular objects in the multi-tenant database system from attributes of the organization user stored in an organization directory; and
  
  storing the rules with a system user profile, wherein the profiled system user has limited rights to create new multi-tenant database users and to determine the new multi-tenant database user'"'"'s permissions to access the particular objects based on applying the rules to the attributes of the organization user as stored in the organization directory.
- View Dependent Claims (20, 21)
- - 20. The computer readable storage medium of claim 19, wherein the attributes include role attributes based on a role hierarchy.
  - 21. The computer readable storage medium of claim 20, wherein the rules include particular rules that specify how to derive user permissions to access particular objects in the multi-tenant database system based on the role attributes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Lee, Jong

Granted Patent

US 10,885,179 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/784
CPC Class Codes

G06F 16/20   of structured data, e.g. re...

G06F 21/41   where a single sign-on prov...

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0815   providing single-sign-on or...

JUST-IN-TIME USER PROVISIONING FRAMEWORK IN A MULTITENANT ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

JUST-IN-TIME USER PROVISIONING FRAMEWORK IN A MULTITENANT ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others