Methods, systems and computer program products for rule based delegation of administration powers
Abstract
Systems, methods and computer program products are provided for distributed administration of a network environment having defined administrator authorities. A plurality of rules are defined specifying which of a plurality of entity objects without administrator authority are authorized to invoke administration powers to establish properties of target entity objects. In various embodiments, such rules are based on one or more of the properties of the target entity objects. An administrator application identifies one of the rules associated with one of the administration powers for one of the properties to be established and obtains a property of the target entity object designated by the identified rule to determine if the action is authorized. The administrator application executes the identified rule to determine if the requesting entity object is authorized to invoke the associated administration power to establish the designated property of the target entity object, and establishes that property if the requesting entity object is so authorized.
32 Claims
-
1. A method for distributed administration of a network environment having defined administrator authorities, the method comprising:
defining a plurality of entity objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment, defining a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
defining a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects based on at least one of the properties of the target ones of the entity objects;
receiving a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects; and
wherein the following are executed by an administrator application executing on the network environment responsive to the received request:
identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
obtaining the at least one of the properties of the target one of the entity objects designated by the identified rule;
executing the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects based on the obtained one of the properties of the target one of the entity objects; and
establishing the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.
determining if any of the plurality of policy objects apply to the request based on at least one of the requesting one of the entity objects, the target one of the entity objects and the one of the properties of the target one of the entity objects to be established;
determining if policy objects which apply are satisfied; and
wherein establishing the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized further comprises establishing the one of the properties of the target one of the entity objects if the policy objects which apply are satisfied.
-
9. The method of claim 8 wherein at least one of the policy objects is associated with a user defined script and wherein determining if policy objects which apply are satisfied comprises invoking the user defined script if the at least one of the policy objects applies.
-
10. The method of claim 9 wherein the user defined script populates the request to allow establishing the one of the properties of the target one of the entity objects.
-
11. The method of claim 4 further comprising establishing a plurality of trigger scripts, ones of the trigger scripts comprising at least one of the administrator authorities and at least one other executable action to be invoked and wherein the step of establishing the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized comprises invoking at least one of the trigger scripts associated with the received request.
-
12. The method of claim 11 wherein the trigger scripts are revokable and wherein the method further comprises revoking actions performed by the invoked trigger script if an error is encountered during execution of the invoked trigger script.
-
13. The method of claim 1 wherein defining a plurality of rules comprises defining a plurality of rules providing constraints on invoking associated ones of the administration powers based on a requesting one of the entity objects.
-
14. The method of claim 13 wherein the entity objects comprise file objects and wherein one of the administration powers comprises establishing permissions for files and wherein defining a plurality of rules providing constraints comprises defining at least one rule authorizing requesting entity objects to establish permissions over one of the files for at least one of the target entity objects for at least one of only a subset of user entity objects or only a subset of file permission characteristics.
-
15. The method of claim 13 wherein the entity objects further comprise account objects including users and wherein one of the administration powers comprises establishing a user storage quota and wherein defining a plurality of rules providing constraints comprises defining at least one rule establishing limitations on a range of values which may be provided as a user storage quota by a requesting entity object.
-
16. The method of claim 1 wherein the entity objects comprise account objects and wherein properties of at least one of the account objects are administered by more than one application program and wherein defining a plurality of entity objects further comprises providing virtual property objects linking respective properties from one of the application programs to another of the application programs so as to present properties from the one of the application programs and the another of the application programs to a requesting one of the account objects without distinguishing the application programs administering the properties and wherein providing virtual property objects is executed by an administrator application executing as a server application on the network environment.
-
17. The method of claim 8 wherein establishing the one of the properties of the target one of the entity objects if the policy objects which apply are satisfied further comprises establishing the one of the properties of the target one of the entity objects if all of the policy objects which apply are satisfied.
-
18. The method of claim 8 wherein establishing the one of the properties of the target one of the entity objects if the policy objects which apply are satisfied further comprises establishing the one of the properties of the target one of the entity objects if any of the policy objects which apply are satisfied.
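The claims above describe an authorization engine in words: rules judged on a property of the target (claim 1), value constraints such as a quota range (claims 13-15), policy objects whose user-defined scripts may populate the request (claims 8-10, 17), and trigger scripts whose actions are revoked if one step errors (claims 11-12). The following Python is an added illustration of that shape, not the patent's own code; every name in it (Entity, Request, Rule, Policy, TriggerScript, AdminApp) and the sample directory of help-desk staff and quotas are constructed for this example.

```python
"""Rule-based delegation of administration powers, in the shape the claims
describe.  Added illustration, not the patent's code: all names and the
sample directory below are constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Entity:                       # entity object: identifier + properties, no admin authority
    ident: str
    props: Dict[str, object] = field(default_factory=dict)


@dataclass
class Request:                      # "establish property `prop` of `target` to `value`"
    requester: str
    target: str
    prop: str
    value: object
    notes: Dict[str, object] = field(default_factory=dict)   # policy scripts may populate this


@dataclass
class Rule:                         # who may invoke the power for `prop`, judged on a target property
    prop: str
    target_prop: str
    authorizes: Callable[[Entity, object], bool]      # (requester, obtained target property)
    value_ok: Callable[[object], bool] = lambda v: True   # constraint on the requested value


@dataclass
class Policy:                       # constrains an otherwise-authorized request
    applies: Callable[[Request], bool]
    script: Callable[[Request], bool]   # user-defined check; may populate req.notes


@dataclass
class TriggerScript:                # (do, undo) pairs; undone in reverse order on error
    prop: str
    steps: List[Tuple[Callable[[Entity, object], None], Callable[[Entity, object], None]]]


class AdminApp:
    """The administrator application: the only component that writes to the directory."""

    def __init__(self, directory: Dict[str, Entity], rules: List[Rule],
                 policies: List[Policy], triggers: List[TriggerScript]):
        self.dir, self.policies, self.triggers = directory, policies, triggers
        self.rules = {r.prop: r for r in rules}
        self.audit: List[str] = []

    def handle(self, req: Request) -> bool:
        """True if the property was established; False if denied or rolled back."""
        requester, target = self.dir[req.requester], self.dir[req.target]
        rule = self.rules.get(req.prop)
        if rule is None:
            return self._deny(req, "no rule grants this power")
        obtained = target.props.get(rule.target_prop)        # the property the rule designates
        if not rule.authorizes(requester, obtained):
            return self._deny(req, "rule denied")
        if not rule.value_ok(req.value):
            return self._deny(req, "value outside permitted range")
        applying = [p for p in self.policies if p.applies(req)]
        if not all(p.script(req) for p in applying):         # every applicable policy must hold
            return self._deny(req, "policy not satisfied")
        for trig in (t for t in self.triggers if t.prop == req.prop):
            if not self._run_revokable(trig, target, req.value):
                return self._deny(req, "trigger script failed; actions revoked")
        target.props[req.prop] = req.value                   # power exercised with admin authority
        self.audit.append(f"ALLOW {req.requester} set {req.target}.{req.prop}={req.value!r} {req.notes}")
        return True

    def _run_revokable(self, trig: TriggerScript, target: Entity, value: object) -> bool:
        done: List[Callable[[Entity, object], None]] = []
        try:
            for do, undo in trig.steps:
                do(target, value)
                done.append(undo)
            return True
        except Exception as exc:
            for undo in reversed(done):                      # revoke what already ran
                undo(target, value)
            self.audit.append(f"REVOKED {trig.prop}: {exc}")
            return False

    def _deny(self, req: Request, why: str) -> bool:
        self.audit.append(f"DENY {req.requester} -> {req.target}.{req.prop}: {why}")
        return False


def build_app() -> AdminApp:
    """Constructed sample: help-desk staff may set storage quotas only for accounts in
    their own department, within 1..100, and never below the current quota."""
    directory = {
        "alice": Entity("alice", {"dept": "eng", "role": "helpdesk"}),
        "bob":   Entity("bob",   {"dept": "eng", "quota": 10}),
        "carol": Entity("carol", {"dept": "sales", "quota": 5}),
    }
    quota_rule = Rule("quota", target_prop="dept",
                      authorizes=lambda r, dept: r.props.get("role") == "helpdesk" and r.props.get("dept") == dept,
                      value_ok=lambda v: isinstance(v, int) and 1 <= v <= 100)

    def no_shrink(req: Request) -> bool:                     # policy script that populates the request
        req.notes["previous"] = directory[req.target].props.get("quota", 0)
        return req.value >= req.notes["previous"]

    def reserve(t: Entity, v: object) -> None:              # trigger step 1 and its undo
        t.props["reserved"] = v

    def unreserve(t: Entity, v: object) -> None:
        t.props.pop("reserved", None)

    def notify(t: Entity, v: object) -> None:               # trigger step 2: simulated backend, fails above 50
        if v > 50:
            raise RuntimeError("storage backend rejected allocation")

    return AdminApp(directory, [quota_rule],
                    [Policy(applies=lambda q: q.prop == "quota", script=no_shrink)],
                    [TriggerScript("quota", [(reserve, unreserve), (notify, lambda t, v: None)])])


def run_scenarios() -> Dict[str, object]:
    app = build_app()
    out: Dict[str, object] = {
        "same_dept_raise": app.handle(Request("alice", "bob", "quota", 20)),    # allowed
        "other_dept":      app.handle(Request("alice", "carol", "quota", 20)),  # rule: dept mismatch
        "not_helpdesk":    app.handle(Request("bob", "alice", "quota", 20)),    # rule: requester role
        "out_of_range":    app.handle(Request("alice", "bob", "quota", 500)),   # value constraint
        "shrink":          app.handle(Request("alice", "bob", "quota", 5)),     # policy script
        "backend_failure": app.handle(Request("alice", "bob", "quota", 80)),    # trigger revoked
    }
    out["quota_after"] = app.dir["bob"].props["quota"]                          # rollback kept 20
    out["reserved_cleared"] = "reserved" not in app.dir["bob"].props
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The ordering inside `handle` follows the claims: the rule is found for the property, the designated target property is obtained and the rule evaluated, the value constraint and all applicable policies are checked, and only then do the trigger scripts run with the administrator's authority, with every completed step undone if a later one fails. The requesting entities never hold that authority themselves; the audit list records each allow, deny and revocation so the delegation can be reviewed.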
-
19. A method for distributed administration of a network environment having defined administrator authorities, the method comprising:
defining a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
defining a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
defining a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
defining a plurality of policy objects constraining invoking of ones of the plurality of administration powers by authorized ones of the entity objects, at least one of the policy objects being associated with a user defined script;
receiving a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account object; and
wherein the following are executed by an administrator application executing on the network environment responsive to the received request:
identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
determining if any of the plurality of policy objects apply to the request based on at least one of the requesting user, the target one of the entity objects and the one of the properties of the target one of the entity objects to be established;
determining if policy objects which apply are satisfied, wherein determining if policy objects which apply are satisfied further comprises invoking the user defined script of one of the policy objects which applies which has an associated user defined script;
executing the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
establishing the one of the properties of the target one of the entity objects if the requesting user is authorized and the policy objects which apply are satisfied.
-
21. A method for distributed administration of a network environment having defined administrator authorities, the method comprising:
defining a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
defining a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
defining a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
receiving a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account object; and
wherein the following are executed by an administrator application executing on the network environment responsive to the received request:
identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
executing the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects;
establishing a plurality of user defined trigger scripts, ones of the user defined trigger scripts comprising at least one of the administrator authorities and at least one other executable action to be invoked; and
establishing the one of the properties of the target one of the entity objects if the requesting user is authorized, wherein establishing the one of the properties includes invoking at least one of the user defined trigger scripts associated with the received request.
-
23. A method for distributed administration of a network environment having defined administrator authorities, the method comprising:
defining a plurality of entity objects including account objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment, wherein properties of at least one of the account objects are administered by more than one application program;
defining a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
defining a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
receiving a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects; and
wherein the following are executed by a server side administrator application executing on the network environment:
providing virtual property objects linking respective properties from one of the application programs to another of the application programs so as to present properties from the one of the application programs and the another of the application programs to a requesting one of the entity objects without distinguishing the application programs administering the properties;
identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
executing the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
establishing the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.
-
24. A system for distributed administration of a network environment having defined administrator authorities, the system comprising:
a plurality of entity objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects based on at least one of the properties of the target ones of the entity objects;
a presentation layer that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects and provides information to the requesting one of the entity objects;
a business layer that identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties, obtains the at least one of the properties of the target one of the entity objects designated by the identified rule from a data layer, executes the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects based on the obtained one of the properties of the target one of the entity objects and establishes the one of the properties of the target one of the entity objects through the data layer if the requesting one of the entity objects is authorized; and
a data layer that interfaces the business layer to resources of the network environment and obtains the at least one of the properties of the target one of the entity objects designated by the identified rule responsive to a request from the business layer and establishes the one of the properties of the target one of the entity objects responsive to the business layer.
-
25. A system for distributed administration of a network environment having defined administrator authorities, the system comprising:
a plurality of entity objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects based on at least one of the properties of the target ones of the entity objects;
an administrator application executing on the network environment that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the administrator application comprising:
means for identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
means for obtaining the at least one of the properties of the target one of the entity objects designated by the identified rule;
means for executing the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects based on the obtained one of the properties of the target one of the entity objects; and
means for establishing the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.
-
26. A system for distributed administration of a network environment having defined administrator authorities, the system comprising:
a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
a plurality of policy objects constraining invoking of ones of the plurality of administration powers by authorized ones of the entity objects, at least one of the policy objects being associated with a user defined script;
an administrator application executing on the network environment that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account object, the administrator application comprising:
means for identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
means for determining if any of the plurality of policy objects apply to the request based on at least one of the requesting user, the target one of the entity objects and the one of the properties of the target one of the entity objects to be established;
means for determining if policy objects which apply are satisfied, wherein the means for determining if policy objects which apply are satisfied further comprises means for invoking the user defined script of one of the policy objects which applies which has an associated user defined script;
means for executing the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
means for establishing the one of the properties of the target one of the entity objects if the requesting user is authorized and the policy objects which apply are satisfied.
-
27. A system for distributed administration of a network environment having defined administrator authorities, the system comprising:
a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
a plurality of user defined trigger scripts, ones of the user defined trigger scripts comprising at least one of the administrator authorities and at least one other executable action to be invoked;
an administrator application executing on the network environment that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account object, the administrator application comprising:
means for identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
means for executing the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
means for establishing the one of the properties of the target one of the entity objects if the requesting user is authorized, wherein establishing the one of the properties includes invoking at least one of the user defined trigger scripts associated with the received request.
-
28. A system for distributed administration of a network environment having defined administrator authorities, the system comprising:
a plurality of entity objects including account objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment, wherein properties of at least one of the account objects are administered by more than one application program;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
a server side administrator application executing on the network environment that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the administrator application comprising:
means for providing virtual property objects linking respective properties from one of the application programs to another of the application programs so as to present properties from the one of the application programs and the another of the application programs to a requesting one of the entity objects without distinguishing the application programs administering the properties;
means for identifying one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
means for executing the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
means for establishing the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.
-
29. A computer program product for distributed administration of a network environment having defined administrator authorities, the network environment having:
a plurality of entity objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects based on at least one of the properties of the target ones of the entity objects;
wherein the computer program product comprises an administrator application configured to be provided on the network environment so as to receive a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the administrator application comprising:
a computer-readable storage medium having computer-readable program code embodied in said medium, said computer-readable program code comprising:
computer-readable program code which identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
computer-readable program code which obtains the at least one of the properties of the target one of the entity objects designated by the identified rule;
computer-readable program code which executes the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects based on the obtained one of the properties of the target one of the entity objects; and
computer-readable program code which establishes the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.
-
30. A computer program product for distributed administration of a network environment having defined administrator authorities, the network environment having:
a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
a plurality of policy objects constraining invoking of ones of the plurality of administration powers by authorized ones of the entity objects, at least one of the policy objects being associated with a user defined script;
wherein the computer program product comprises an administrator application configured to be provided on the network environment so as to receive a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account, the administrator application comprising:
a computer-readable storage medium having computer-readable program code embodied in said medium, said computer-readable program code comprising:
computer-readable program code which identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
computer-readable program code which determines if any of the plurality of policy objects apply to the request based on at least one of the requesting user, the target one of the entity objects and the one of the properties of the target one of the entity objects to be established;
computer-readable program code which determines if policy objects which apply are satisfied, wherein the computer-readable program code which determines if policy objects which apply are satisfied further comprises computer-readable program code which invokes the user defined script of one of the policy objects which applies which has an associated user defined script;
computer-readable program code which executes the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
computer-readable program code which establishes the one of the properties of the target one of the entity objects if the requesting user is authorized and the policy objects which apply are satisfied.
31. A computer program product for distributed administration of a network environment having defined administrator authorities, the network environment having:
a plurality of entity objects associated with the network environment comprising at least one of account objects, resource objects or exchange objects, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
a plurality of user defined trigger scripts, ones of the user defined trigger scripts comprising at least one of the administrator authorities and at least one other executable action to be invoked;
wherein the computer program product comprises an administrator application configured to be provided on the network environment so as to receive a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the requesting one of the entity objects comprising a user account, the administrator application comprising:
a computer-readable storage medium having computer-readable program code embodied in said medium, said computer-readable program code comprising:
computer-readable program code which identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
computer-readable program code which executes the identified one of the plurality of rules to determine if the requesting user is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
computer-readable program code which establishes the one of the properties of the target one of the entity objects if the requesting user is authorized, wherein establishing the one of the properties includes invoking at least one of the user defined trigger scripts associated with the received request.
32. A computer program product for distributed administration of a network environment having defined administrator authorities, the network environment having:
a plurality of entity objects including account objects associated with the network environment, the entity objects having an identifier and properties, the entity objects not having the administrator authorities of the network environment, wherein properties of at least one of the account objects are administered by more than one application program;
a plurality of administration powers for the network environment, the administration powers establishing the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment;
a plurality of rules specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects;
wherein the computer program product comprises a server side administrator application configured to be provided on the network environment that receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects, the administrator application comprising:
a computer-readable storage medium having computer-readable program code embodied in said medium, said computer-readable program code comprising:
computer-readable program code which provides virtual property objects linking respective properties from one of the application programs to another of the application programs so as to present properties from the one of the application programs and the another of the application programs to a requesting one of the entity objects without distinguishing the application programs administering the properties;
computer-readable program code which identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties;
computer-readable program code which executes the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects; and
computer-readable program code which establishes the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.
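The three claims above (30, 31 and 32) each add one mechanism to the same administrator application: policy objects that may be backed by a user defined script, trigger scripts that run when a property is established, and virtual property objects that hide which application program administers a property. The following Python model is an added example, not code from the patent or from any product it describes; the entity data, the property names, the rule and policy bodies and every function name are assumptions chosen to make the decision flow visible in one place.

```python
from typing import Callable

# Two application programs that each administer part of an account's properties.
# Constructed sample data; the claims only say "more than one application program".
DIRECTORY = {
    "alice": {"department": "sales", "password": "old"},
    "bob":   {"department": "eng",   "password": "old"},
    "carol": {"department": "sales", "roles": ["mail_admin"], "manages": ["sales"]},
}
MAILSYSTEM = {"alice": {"mailbox_quota": 512}, "bob": {"mailbox_quota": 512}}

# Virtual property objects (claim 32): property name -> the program that administers it.
# Requesters see one flat property set and never learn which backend holds a value.
VIRTUAL_PROPS = {
    "department": DIRECTORY, "password": DIRECTORY, "roles": DIRECTORY,
    "manages": DIRECTORY, "must_change_password": DIRECTORY,
    "mailbox_quota": MAILSYSTEM,
}

def read_props(entity_id: str) -> dict:
    """Flattened view of one entity across every administering program."""
    return {p: store[entity_id][p] for p, store in VIRTUAL_PROPS.items()
            if p in store.get(entity_id, {})}

# Administration power: the only code path that writes, using the environment's admin
# authority. Requesting accounts never call it directly; the engine below does.
def power_set_property(target_id: str, prop: str, value) -> None:
    VIRTUAL_PROPS[prop].setdefault(target_id, {})[prop] = value

# Rules: per property, may this requester invoke the power on this target? Decided from
# the target's own properties (here: the requester manages the target's department).
Rule = Callable[[dict, dict], bool]
RULES: dict[str, Rule] = {
    "password": lambda req, tgt: tgt.get("department") in req.get("manages", []),
    "mailbox_quota": lambda req, tgt: "mail_admin" in req.get("roles", []),
}

# Policy objects (claim 30): (applies?, satisfied?) pairs that constrain an otherwise
# authorized invocation. The first is plain code; the second is a user defined script,
# here a Python expression, standing in for whatever scripting host a deployment uses.
def quota_applies(req_id, tgt_id, prop, value): return prop == "mailbox_quota"
def quota_ceiling(req_id, tgt_id, prop, value): return value <= 2048

USER_SCRIPT = "not (requester == target and prop == 'password')"  # no self-service resets
def script_applies(req_id, tgt_id, prop, value): return prop == "password"
def script_satisfied(req_id, tgt_id, prop, value):
    scope = {"requester": req_id, "target": tgt_id, "prop": prop, "value": value}
    return bool(eval(USER_SCRIPT, {"__builtins__": {}}, scope))

POLICIES = [(quota_applies, quota_ceiling), (script_applies, script_satisfied)]

# Trigger scripts (claim 31): extra actions run when a property is actually established.
AUDIT_LOG: list = []
def trigger_audit(req_id, tgt_id, prop, value):
    AUDIT_LOG.append((req_id, tgt_id, prop))
def trigger_force_change(req_id, tgt_id, prop, value):
    if prop == "password":  # a delegated reset must be changed at next logon
        power_set_property(tgt_id, "must_change_password", True)
TRIGGERS = [trigger_audit, trigger_force_change]

def administer(requester_id: str, target_id: str, prop: str, value) -> str:
    """The administrator application: identify the rule, check the policy objects,
    execute the rule, and only then invoke the power and the trigger scripts."""
    rule = RULES.get(prop)
    if rule is None:
        return "denied: no rule delegates this property"
    for applies, satisfied in POLICIES:
        if applies(requester_id, target_id, prop, value) and \
                not satisfied(requester_id, target_id, prop, value):
            return "denied: policy not satisfied"
    if not rule(read_props(requester_id), read_props(target_id)):
        return "denied: rule does not authorize requester"
    power_set_property(target_id, prop, value)
    for trigger in TRIGGERS:
        trigger(requester_id, target_id, prop, value)
    return "ok"

if __name__ == "__main__":
    print(administer("carol", "alice", "password", "n3w"))    # -> "ok"
    print(administer("carol", "bob", "password", "n3w"))      # -> "denied: rule does not authorize requester"
    print(administer("carol", "carol", "password", "n3w"))    # -> "denied: policy not satisfied"
    print(administer("carol", "bob", "mailbox_quota", 4096))  # -> "denied: policy not satisfied"
    print(read_props("alice"))  # one flat view: directory and mail system properties merged
```

Two points a practitioner should take from the model. First, the requesting account never holds the administrator authority: only `power_set_property` writes, and it is reachable only after the rule and every applicable policy have passed, which is the whole security value of the delegation design. Second, the policy and trigger scripts execute inside the administrator application, so whoever can edit them effectively holds every delegated power; they need the same change control and integrity protection as the rules themselves. The `eval` with an emptied `__builtins__` used here is a stand-in, not a sandbox, and a real scripting host should not rely on it.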
Specification