Authorizing a requesting entity to operate upon data structures
First Claim
1. In a computer network that includes different types of data structures of one or more specific entities, a method for authorizing a requesting entity to operate upon data structures in a standard manner, the method comprising:
- an act of maintaining a plurality of role templates that define basic access permissions with respect to one or more command methods, wherein at least some of the role templates define the basic access permissions in a manner that is independent of the type of data structure being operated upon, and wherein the plurality of role templates are contained within a plurality of role map documents, each role map document being specific to a particular computerized service that is configured to perform computerized operations on data structures;
- an act of maintaining a plurality of role definitions that define access permissions for requesting entities by using one or more of the role templates;
- an act of receiving a request from the requesting entity to perform at least one of the command methods, the request identifying the requesting entity as well as an application-platform identifier corresponding to an application of the computerized service;
- an act of identifying a role definition corresponding to the requesting entity; and
- an act of determining access permissions for the requesting entity with respect to the command method using the role definition corresponding to the requesting entity.
Abstract
Authorizing a requesting entity to have a service perform a particular action in a manner that is at least partially independent of the underlying target data structure. An authorization station maintains a number of role templates that each define basic access permissions with respect to a number of command methods. The authorization station also maintains a number of role definitions that each define access permissions for specific requesting entities by using one or more of the role templates. When the authorization station receives a request from the requesting entity, the authorization station then identifies the appropriate role definition. Using this role definition, the authorization station determines access permissions for the requesting entity with respect to the requested action.
40 Claims
29. In a computer network that includes different types of data structures of one or more specific entities, a method for authorizing a requesting entity to operate upon data structures in a standard manner, the method comprising:
- an act of maintaining a number of role templates within a plurality of role map documents that are each specific to a computerized service that is configured to perform computerized operations on data structures, the role templates defining basic access permissions with respect to a number of command methods, wherein at least some of the role templates define the basic access permissions in a manner that is independent of the type of data structure being operated upon; and
- a step for authorizing a requesting entity using the role templates in a manner that is independent of the type of data structure being accessed.
32. A computer program product for use in a computer network that includes different types of data structures of one or more specific entities, the computer program product for implementing a method for authorizing a requesting entity to operate upon data structures in a standard manner, the computer program product comprising one or more computer-readable storage media having stored thereon the following:
- computer-executable instructions for maintaining a plurality of role templates that define basic access permissions with respect to one or more command methods, wherein at least some of the role templates define the basic access permissions in a manner that is independent of the type of data structure being operated upon, and wherein the plurality of role templates are contained within a plurality of role map documents, each role map document being specific to a particular computerized service that is configured to perform computerized operations on data structures;
- computer-executable instructions for maintaining a plurality of role definitions that define access permissions for receiving entities by using one or more of the role templates;
- computer-executable instructions for detecting the receipt of a request from the requesting entity to perform at least one of the command methods, the request identifying the requesting entity as well as an application-platform identifier corresponding to an application of the computerized service;
- computer-executable instructions for identifying a role definition corresponding to the requesting entity; and
- computer-executable instructions for determining access permissions for the requesting entity with respect to the command method using the role definition corresponding to the requesting entity.
33. In a computer network that includes different services, applications, and an authorization station, the applications submitting requests to perform operations on different data structures managed by the different services, a system for isolating the authorization process from the services so that the services need not independently authorize each request they receive from the number of applications, the system comprising:
- a plurality of computerized services that are configured to perform computerized operations on data structures;
- an authorization station configured to receive requests from a number of applications to operate upon data structures managed by any of the number of services, the authorization station configured to perform the following:
  - receive a request from a requesting entity to perform a target operation upon a target data structure managed by a target service, wherein the request includes an application-platform identifier corresponding to an application of the computerized service;
  - access a role template that defines basic authorizations with respect to one or more operations, including at least the target operation, wherein the role template defines the basic authorizations in a manner that is independent of the target data structure desired to be operated upon, and wherein the role template is contained within a role map document that is specific to one of the plurality of services and accessed from among a plurality of role map documents each specific to one of the plurality of services;
  - determine that the corresponding requesting entity is authorized to perform the target operation on the target data structure; and
  - communicate to the target service that the requesting entity is authorized to perform the target operation on the target data structure.
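The authorization flow of the abstract and claim 33 (one role map document per service, role templates that never mention the data-structure type, role definitions per requesting entity, a default-deny decision handed back to the target service), as an added Python example that is not part of the patent. Service names, role names, command methods and the application-platform-to-service mapping are constructed sample values.

```python
# Added example, not the patent's code. All identifiers below are constructed samples.
from dataclasses import dataclass

# Role map documents: one per computerized service. Each holds role templates that map
# a role name to the command methods it permits; nothing here refers to the type of
# data structure the command will operate on, as the claims require.
ROLE_MAP_DOCUMENTS = {
    "contacts-service": {"reader": {"query"}, "editor": {"query", "insert", "update"}},
    "calendar-service": {"reader": {"query"}, "owner": {"query", "insert", "update", "delete"}},
}

# Application-platform identifier -> the service whose role map document applies
# (constructed mapping; the claims only say the identifier corresponds to an application
# of the service).
APP_PLATFORM_TO_SERVICE = {
    "app-contacts-web": "contacts-service",
    "app-cal-mobile": "calendar-service",
}

# Role definitions: for a requesting entity and a service, which role templates apply.
ROLE_DEFINITIONS = {
    ("alice", "contacts-service"): {"editor"},
    ("alice", "calendar-service"): {"reader"},
    ("bob", "contacts-service"): {"reader"},
}


@dataclass(frozen=True)
class Request:
    requesting_entity: str
    app_platform_id: str
    command_method: str
    target: str  # the target data structure; deliberately not consulted by the templates


def permitted_methods(requesting_entity: str, app_platform_id: str) -> frozenset:
    """Resolve entity -> role definition -> role templates -> union of permitted methods."""
    service = APP_PLATFORM_TO_SERVICE.get(app_platform_id)
    if service is None:
        return frozenset()  # unknown application-platform identifier: no role map document
    templates = ROLE_MAP_DOCUMENTS[service]
    roles = ROLE_DEFINITIONS.get((requesting_entity, service), set())
    # A role named in a definition but missing from the service's document grants nothing.
    return frozenset().union(*(templates.get(role, set()) for role in roles))


def authorize(req: Request) -> bool:
    """The decision the authorization station communicates to the target service (default deny)."""
    return req.command_method in permitted_methods(req.requesting_entity, req.app_platform_id)
```

Because the templates key only on command methods, the same `editor` template authorizes `update` whether the target is `contact:42` or any other structure the contacts service manages; a service that is never named in a role definition yields an empty permission set rather than an error.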
Specification