Partner sandboxing in a shared multi-tenant billing system

US 7,921,299 B1
Filed: 12/05/2003
Issued: 04/05/2011
Est. Priority Date: 12/05/2003
Status: Expired due to Fees

First Claim

Patent Images

1. One or more non-transitory computer-readable media having computer-executable instructions embodied thereon that, when executed, provide a system that facilitates access to a plurality of shared software objects by disparate entities, the system comprising:

a platform component executed by a computing device having a processor and a memory, that receives a request from a first entity to access one of the plurality of shared software objects, wherein the first entity is attempting to convert a subscription from a second type of a second entity to a first type of the first entity;

a data store that stores security information on one or more classes of the plurality of shared software objects, wherein the security information on each of the one or more classes is inherited by one or more shared software objects in each class, and wherein the security information includes a security parameter that indicates whether the first entity is permitted to convert the subscription from the second type to the first type; and

a verification component that employs the security information to verify that the first entity has permission to call an Application Programming Interface (API) for the one of the plurality of shared software objects to convert the subscription from the second type to the first type, wherein the verification component prevents the first entity from calling the API when the security parameter indicates that the first entity is not permitted to convert the subscription from the second type to the first type and the verification allows the first entity to call the API when the security parameter indicates that the first entity is permitted to convert the subscription from the second type to the first type.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a system and methodology for interacting with a Subscription Platform Service (SPS) and providing data security between entities that employ such service. The system includes a component that receives a request to access an object by an entity, and a data store that stores security information on classes of the objects. A verification component employs the security information to determine whether the entity has permission to call an Application Programming Interface (API) for the object and/or operate on the object, wherein the verification component exposes the object if permission exists or masks the object if permission does not exist.

Citations

28 Claims

1. One or more non-transitory computer-readable media having computer-executable instructions embodied thereon that, when executed, provide a system that facilitates access to a plurality of shared software objects by disparate entities, the system comprising:
- a platform component executed by a computing device having a processor and a memory, that receives a request from a first entity to access one of the plurality of shared software objects, wherein the first entity is attempting to convert a subscription from a second type of a second entity to a first type of the first entity;
  
  a data store that stores security information on one or more classes of the plurality of shared software objects, wherein the security information on each of the one or more classes is inherited by one or more shared software objects in each class, and wherein the security information includes a security parameter that indicates whether the first entity is permitted to convert the subscription from the second type to the first type; and
  
  a verification component that employs the security information to verify that the first entity has permission to call an Application Programming Interface (API) for the one of the plurality of shared software objects to convert the subscription from the second type to the first type, wherein the verification component prevents the first entity from calling the API when the security parameter indicates that the first entity is not permitted to convert the subscription from the second type to the first type and the verification allows the first entity to call the API when the security parameter indicates that the first entity is permitted to convert the subscription from the second type to the first type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The media of claim 1, wherein the verification component exposes the one of the plurality of shared software objects to the entity if permission exists.
  - 3. The media of claim 1, wherein the verification component masks the one of the plurality of shared software objects from the entity if permission does not exist.
  - 4. The media of claim 1, wherein the platform component further comprises a Subscription Platform Service to facilitate automated billing and provisioning of accounts.
  - 5. The media of claim 1, wherein the verification component facilitates that the entity receive full access to Application Programming Interfaces (APIs) and/or objects for which there is a business need and partial or limited access to other APIs or business objects.
  - 6. The media of claim 1, wherein the data store provides default or determined security information related to a class at least a portion of the one or more classes.
  - 7. The media of claim 6, wherein the system further comprises a component to override the default security information with higher or different security options.
  - 8. The media of claim 1, wherein the system further comprises a proxy tenant component having an intermediate entity that places calls into a subscription platform service on behalf of another entity and achieves access to selected objects of the plurality of shared software objects in order for the another entity to complete a subscription purchase.
  - 9. The media of claim 1, wherein the system further comprises a management portal to facilitate authorization of information.
  - 10. The media of claim 1, wherein the system further comprises a component to provide an explicit security mapping for one of the plurality of shared software objects.
  - 11. The media of claim 1, wherein the system further comprises a component to enable an implicit security mapping from an explicitly mapped one of the plurality of shared software objects or to derive an implied security permission by utilizing related objects of the plurality of shared software objects.
  - 12. The media of claim 1, wherein the verification component employs operating system identities to facilitate security authorization procedures.
  - 13. The media of claim 1, wherein the system further comprises at least one of a sign-up API caller, an account management API caller, and a customer care API caller.
  - 14. The media of claim 13, wherein the system further comprises at least one API related to at least one of a sign-up API group, an account management API group, a customer care API group, and an object designer API group.
  - 15. The media of claim 1, wherein the system further comprises authorization logic that determines whether an API can access one or more of the plurality of shared software objects via an access rights set.
  - 16. The media of claim 1, wherein the system further comprises at least one of a restricted audience offer, a conversion component, and a payment instrument component.

17. A method to facilitate security for subscription objects, comprising:
- storing one or more security options in a database, at least a portion of the one or more security options being related to an automated billing and provisioning system, wherein at least a portion of the one or more security options includes at least conversion of a subscription from a first type associated with a first tenant to a second type associated with a second tenant, and wherein one or more of the security options indicate allowability of the second tenant to convert the subscription type from the first type to the second type;
  
  assigning one or more of the security options to a class;
  
  inheriting the one or more security options assigned to the class by object members of the class;
  
  verifying that the second tenant has permission to call an Application Program Interface (API) for one or more of the object members of the class to convert the subscription type from the first type to the second type; and
  
  preventing the second tenant from calling the API when the security options indicate that the second entity is not permitted to convert the subscription type from the first type to the second type;
  
  orallowing the second tenant to call the API when the security options indicate that the second tenant is permitted to convert the subscription type from the first type to the second type.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The method of claim 17, further comprising at least one of explicitly and implicitly assigning one or more of the security options to the object members of the class.
  - 19. The method of claim 17, further comprising automatically authorizing the API.
  - 20. The method of claim 19, further comprising returning an error code if an authorization procedure fails.
  - 21. The method of claim 19, further comprising analyzing a simple object access protocol request.
  - 22. The method of claim 19, further comprising analyzing one or more security credentials.
  - 23. The method of claim 22, further comprising employing a cache to process the credentials.
  - 24. The method of claim 17, wherein the automated billing and provisioning system further comprises a Subscription Platform Service.
  - 25. The method of claim 17, wherein at least a portion of the one or more security options is associated with default security parameters.
  - 26. The method of claim 17, further comprising overriding the default security parameters with other security options of the one or more security options.
  - 27. The method of claim 17, further comprising employing an intermediate proxy that places calls into a subscription platform service on behalf of another tenant.

28. One or more non-transitory computer-readable media having computer-executable instructions embodied thereon that, when executed, provide a system to facilitate business object security, comprising:
- an authentication component executing on a computing device having a memory and a processor that authenticates a first entity attempting to access an online billing and service system, wherein the first entity is attempting to convert a subscription from a second type of a second entity to a first type of the first entity;
  
  an authorization component that authorizes the first entity to convert the subscription from the second type of the second entity to the first type of the first entity upon verifying at least one security parameter, wherein the at least one security parameter is assigned to a class of objects and is inherited by objects of the class by one or more of explicitly and implicitly assigning the security parameter to the objects of the class, wherein the at least one security parameter is stored in a database and is accessible via an application program interface that is automatically authorized by analyzing one or more security credentials, and wherein the at least one security parameter indicates allowability of the first entity to convert the subscription from the second type to the first type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Brennan, David J., Anantha, Anoop
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Traore; Fatoumata

Application Number

US10/729,515
Time in Patent Office

2,678 Days
Field of Search

None
US Class Current

713/187
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2113   Multi-level security, e.g. ...

H04N 21/2543   Billing , e.g. for subscrip...

H04N 21/25875   involving end-user authenti...

Partner sandboxing in a shared multi-tenant billing system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Partner sandboxing in a shared multi-tenant billing system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links