Dynamic role based authorization system and method
Abstract
A system, method and computer program product are provided for role based authorization. Included is a plurality of resources and roles associated with an authorization domain. In use, access to the resources is controlled utilizing expressions that operate as a function of the roles and the resources.
20 Claims
1. A system, comprising:
a hardware processor; and
memory storing a plurality of computer executable resources associated with a first authorization domain, the first authorization domain being one of a plurality of root entity data objects of an application and including at least one of an account, a territory, and an opportunity, and which derives protection via control of access to the resources, and the memory further storing a plurality of computer implementable roles associated with the first authorization domain;
wherein the hardware processor is configured such that access to the resources is controlled utilizing expressions that operate as a function of the roles and the resources;
wherein the hardware processor is configured such that the expressions operate as a function of run-time data;
wherein the hardware processor is configured such that query code is generated using the first authorization domain and the expressions;
wherein the hardware processor is configured such that the expressions are used at run-time to dynamically generate an optimized query;
wherein the hardware processor is configured such that authorization via one of the expressions for a particular one of the roles to access a particular one of the resources associated with the first authorization domain automatically confers authorization for the particular one of the roles to access resources of at least one second authorization domain of the application related to the first authorization domain, the at least one second authorization domain of the application related to the first authorization domain via a hierarchical relationship;
wherein the resources are linked to the first authorization domain utilizing an authorization path;
wherein the resources are associated with a customer relationship management (CRM) application;
wherein the query code generation utilizes dynamic relational information in a customer database of the CRM application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 20
18. A method, comprising:
defining a plurality of roles associated with a first authorization domain;
linking, utilizing a hardware processor, the first authorization domain with a plurality of resources, the first authorization domain being one of a plurality of root entity data objects of an application and including at least one of an account, a territory, and an opportunity, and which derives protection via control of access to the resources; and
controlling access to the resources utilizing expressions that operate as a function of the roles and the resources, utilizing the hardware processor;
wherein the expressions operate as a function of run-time data;
wherein query code is generated using the first authorization domain and the expressions;
wherein the expressions are used at run-time to dynamically generate an optimized query;
wherein authorization via one of the expressions for a particular one of the roles to access a particular one of the resources associated with the first authorization domain automatically confers authorization for the particular one of the roles to access resources of at least one second authorization domain of the application related to the first authorization domain, the at least one second authorization domain of the application related to the first authorization domain via a hierarchical relationship;
wherein the resources are linked to the first authorization domain utilizing an authorization path;
wherein the resources are associated with a customer relationship management (CRM) application;
wherein the query code generation utilizes dynamic relational information in a customer database of the CRM application.
19. A computer program product embodied on a non-transitory computer readable storage medium, comprising:
a data structure for representing a plurality of resources and roles associated with a first authorization domain, the first authorization domain being one of a plurality of root entity data objects of an application and including at least one of an account, a territory, and an opportunity, and which derives protection via control of access to the resources; and
computer code for controlling access to the resources utilizing expressions that operate as a function of the roles and the resources;
wherein the computer program product is configured such that the expressions operate as a function of run-time data;
wherein the computer program product is configured such that query code is generated using the first authorization domain and the expressions;
wherein the computer program product is configured such that the expressions are used at run-time to dynamically generate an optimized query;
wherein the computer program product is configured such that authorization via one of the expressions for a particular one of the roles to access a particular one of the resources associated with the first authorization domain automatically confers authorization for the particular one of the roles to access resources of at least one second authorization domain of the application related to the first authorization domain, the at least one second authorization domain of the application related to the first authorization domain via a hierarchical relationship;
wherein the resources are linked to the first authorization domain utilizing an authorization path;
wherein the resources are associated with a customer relationship management (CRM) application;
wherein the query code generation utilizes dynamic relational information in a customer database of the CRM application.
Specification