Role-based authorization management framework
First Claim
1. A method implemented by an authorization management system to determine, based on data stored in a role-based authorization policy store, whether a user is authorized to perform a requested operation of an application, the method comprising:
  receiving an authorization request comprising:
    an operation identifier that indicates the requested operation; and
    a scope identifier that indicates a scope of the application, wherein:
      the scope of the application represents a collection of operations associated with the application;
      the collection includes less than all of the operations associated with the application; and
      the requested operation is associated with the indicated scope of the application;
  identifying, in the authorization policy store, an application object that represents the application, wherein the authorization policy store comprises an object-based hierarchical data structure comprising:
    an application object that represents the application;
    an application group object that represents a group of users;
    a scope object that represents a collection of objects that together represent a portion, less than the whole, of the application;
    an operation object that represents a particular operation available in the application;
    a task object that represents a collection of operations available in the application; and
    a role object that represents a relationship between users and operations;
    wherein:
      an application group object is not a parent object to any other objects;
      a task object is not a parent object to any other objects; and
      a role object is not a parent object to any other objects;
  identifying, in the authorization policy store, a scope object that, according to the object-based hierarchical data structure, is a child object of the application object and that represents the scope of the application indicated by the scope identifier;
  identifying a role object that, according to the object-based hierarchical data structure, is a child object of the scope object, wherein the role object comprises a members attribute that identifies one or more entities that are members of the role;
  determining whether the user is represented by any one of the one or more entities that are members of the role;
  in an event that the user is represented by at least one of the one or more entities that are members of the role, determining that the user is authorized to perform the requested operation of the application; and
  in an event that the user is not represented by at least one of the one or more entities that are members of the role, determining that the user is not authorized to perform the requested operation of the application.
Abstract
A role-based authorization management system maintains an authorization policy store that represents user authorizations to perform operations associated with an application. When a user attempts to perform a function associated with an application, the authorization management system verifies that the user is authorized to perform the requested function. The authorization management system also provides an interface for an application administrator to update role-based user authorization policies associated with one or more applications.
Claims (18 claims; 48 citations)
1. Independent claim 1 is set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. An authorization management system comprising:
  an authorization policy store comprising a hierarchical structure of authorization objects, wherein:
    the hierarchical structure of authorization objects represents role-based user permissions associated with one or more applications; and
    each of the authorization objects is selected from a group of authorization objects comprising:
      an authorization store object that is a root object of the hierarchical structure and represents the authorization policy store;
      an application object that is a child object of the authorization store object and represents a particular application;
      an application group object that represents a group of users;
      a scope object that represents a collection of authorization objects that together represent a portion, less than the whole, of a particular application;
      an operation object that represents a particular operation available in a particular application;
      a task object that represents a collection of operations available in a particular application; and
      a role object that represents a relationship between users and operations, wherein the role object comprises:
        a members attribute that identifies one or more users;
        an operations attribute that references one or more operation objects; and
        a task attribute that references one or more task objects;
      wherein the role object indicates that users identified in the members attribute are:
        authorized to access operations represented by operation objects identified in the operations attribute and
        authorized to access operations represented by task objects identified in the tasks attribute;
    wherein:
      an application group object is a child object of an authorization store object, an application object, or a scope object;
      an application group object is not a parent object to any other objects;
      a scope object is a child object of an application object or another scope object;
      an operation object is a child object of an application object;
      a task object is a child of an application object or a scope object;
      a task object is not a parent object to any other objects;
      a role object is a child object of an application object, or a scope object;
      a role object is not a parent object to any other objects; and
  an authorization interface that provides a mechanism for a particular one of the one or more applications to access the authorization management system to verify the role-based user permissions.
  Dependent claims: 11, 12, 13, 14, 15.
16. A system comprising:
  means for storing hierarchically related data objects that represent a role-based user authorization policy, the hierarchically related data objects comprising:
    an application object that represents an application;
    an application group object that represents a group of users;
    a scope object that represents a collection of objects that together represent a portion, less than the whole, of the application;
    an operation object that represents a particular operation available in the application;
    a task object that represents a collection of operations available in the application; and
    a role object that represents a relationship between users and operations;
    wherein:
      an application group object is not a parent object to any other objects;
      a task object is not a parent object to any other objects; and
      a role object is not a parent object to any other objects;
  means for receiving, from an application, an indication of a client request to perform an application operation; and
  means for verifying that the client is authorized to perform the application operation based on the authorization policy by:
    determining an application scope associated with the client request, wherein the application scope comprises a portion, less than the whole, of the application;
    subsequent to determining the application scope, determining a role associated with the application scope that was determined; and
    subsequent to determining the role associated with the application scope that was determined, determining whether the client is identified as a member of the role.
  Dependent claims: 17.
18. One or more computer storage media encoded with instructions that, when executed, direct a computing system to perform a method, the method comprising:
  receiving an indication of a user request to perform an operation associated with an application, wherein the user request is from a user of the application; and
  accessing a role-based authorization policy to:
    determine an application scope associated with the user request, wherein the application scope comprises a portion, less than the whole, of the application;
    subsequent to determining the application scope, determine a role associated with the application scope that was determined; and
    subsequent to determining the role associated with the application scope that was determined, determine whether the user is identified as a member of the role;
  wherein the role-based authorization policy comprises a hierarchical data structure comprising:
    an application object that represents the application;
    an application group object that represents a group of users;
    a scope object that represents a collection of objects that together represent a portion, less than the whole, of the application;
    a task object that represents a collection of operations available in the application; and
    a role object that represents a relationship between users and operations;
    wherein:
      an application group object is not a parent object to any other objects;
      a task object is not a parent object to any other objects; and
      a role object is not a parent object to any other objects.
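To make the object hierarchy of claim 10 and the lookup order of claims 1, 16 and 18 concrete, the following Python example is added here; it is not code from the patent or from any product that implements it. It models the seven object kinds as nodes in a tree, rejects any parent/child relationship the claims forbid (application group, task and role objects are leaves; a scope hangs under an application or another scope; an operation hangs under an application), and answers an authorization request by walking application, then scope (possibly nested), then role, then membership. Everything beyond the claim language is an assumption made for the example: task and group references are resolved by name at the scope and then up the parent chain, group members of a role are written with a "group:" prefix, the operation must also be granted by the role's operations or task attribute before membership is consulted, and the ExpenseApp policy is a constructed sample.

```python
"""Hierarchical role-based policy store: an added illustration, not the patent's code."""
from dataclasses import dataclass, field
from typing import Optional

# The object kinds named in the claims.
STORE, APP, GROUP, SCOPE, OPERATION, TASK, ROLE = (
    "store", "application", "application_group", "scope", "operation", "task", "role")
# Kinds allowed as the parent of each kind (the parent/child rules of claim 10).
ALLOWED_PARENTS = {APP: {STORE}, GROUP: {STORE, APP, SCOPE}, SCOPE: {APP, SCOPE},
                   OPERATION: {APP}, TASK: {APP, SCOPE}, ROLE: {APP, SCOPE}}
# Kinds that are never parents: application group, task and role objects are leaves.
LEAF_KINDS = {GROUP, TASK, ROLE}


@dataclass
class AuthObject:
    kind: str
    name: str
    parent: Optional["AuthObject"] = None
    children: list = field(default_factory=list)
    members: set = field(default_factory=set)     # role or group: user ids, or "group:<name>"
    operations: set = field(default_factory=set)  # role or task: operation names
    tasks: set = field(default_factory=set)       # role: task names

    def add(self, kind, name, **attrs):
        """Attach a child object, rejecting any relationship the hierarchy forbids."""
        if self.kind in LEAF_KINDS:
            raise ValueError(f"a {self.kind} object cannot be a parent")
        if kind not in ALLOWED_PARENTS or self.kind not in ALLOWED_PARENTS[kind]:
            raise ValueError(f"a {kind} object cannot be a child of a {self.kind} object")
        child = AuthObject(kind, name, parent=self, **attrs)
        self.children.append(child)
        return child

    def find(self, kind, name):
        return next((c for c in self.children if c.kind == kind and c.name == name), None)


def resolve(node, kind, name):
    """Assumption for this example: references to task and group objects are resolved at
    the scope, then up the parent chain (scope -> application -> store)."""
    while node is not None:
        hit = node.find(kind, name)
        if hit is not None:
            return hit
        node = node.parent
    return None


def role_grants(role, operation, scope_node):
    """Role grants the operation via its operations attribute or via a referenced task."""
    if operation in role.operations:
        return True
    for task_name in role.tasks:
        task = resolve(scope_node, TASK, task_name)
        if task is not None and operation in task.operations:
            return True
    return False


def is_member(role, user, scope_node):
    """Direct membership, or membership of an application group named in the role."""
    if user in role.members:
        return True
    for member in role.members:
        if member.startswith("group:"):
            group = resolve(scope_node, GROUP, member[len("group:"):])
            if group is not None and user in group.members:
                return True
    return False


def is_authorized(store, app_name, scope_path, operation, user):
    """The order of claims 1 and 16: application -> scope (may be nested) -> role -> member."""
    app = store.find(APP, app_name)
    if app is None or app.find(OPERATION, operation) is None:
        return False                      # unknown application or operation: deny
    node = app
    for scope_name in scope_path:         # the scope identifier may name a nested scope
        node = node.find(SCOPE, scope_name)
        if node is None:
            return False
    for role in (c for c in node.children if c.kind == ROLE):
        if role_grants(role, operation, node) and is_member(role, user, node):
            return True
    return False                          # no role under the scope both grants and contains


def build_sample_store():
    """Constructed sample policy for an imaginary expense application (not from the patent)."""
    store = AuthObject(STORE, "policy-store")
    app = store.add(APP, "ExpenseApp")
    for op in ("submit_report", "view_report", "approve_report"):
        app.add(OPERATION, op)
    app.add(TASK, "review", operations={"view_report", "approve_report"})
    app.add(GROUP, "Managers", members={"bob"})
    finance = app.add(SCOPE, "finance")
    finance.add(ROLE, "Submitter", members={"alice"}, operations={"submit_report"})
    finance.add(ROLE, "Approver", members={"group:Managers"}, tasks={"review"})
    audit = finance.add(SCOPE, "audit")   # nested scope, a child of another scope
    audit.add(ROLE, "Auditor", members={"dana"}, tasks={"review"})
    return store
```

With the sample store, `is_authorized(store, "ExpenseApp", ["finance"], "approve_report", "bob")` is granted through the Managers group and the review task, while `dana`, who holds the Auditor role only under the nested `audit` scope, is denied `view_report` when the request names the parent `finance` scope. Every failed lookup (unknown application, operation, scope, or no qualifying role) returns a denial rather than raising, which keeps the decision function fail-closed.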
Specification