Tenant life cycle management for a software as a service platform
First Claim
1. A method of managing user access to application-specific capabilities of a computer system, comprising:
maintaining data correlating application-specific capabilities for each of the applications of the computer system, wherein the application-specific capabilities of different applications are independent of each other;
maintaining data correlating user identifiers with user roles;
maintaining data correlating user roles with the application-specific capabilities; and
managing user access to the application-specific capabilities of at least one of the applications of the computer system using a security information source, wherein the security information source includes at least one of a security module or a user token, wherein the user token is generated according to credentials of a particular user and is presented to identify access of the particular user to particular ones of the application-specific capabilities of the at least one application for a period of time, and wherein the security module includes a security application programming interface for the computer system, wherein the security information source uses stored correlating data including the data correlating application-specific capabilities, the data correlating user identifiers, and the data correlating user roles, wherein managing user access further includes determining whether to access the security module, the user token or both to control access of the particular user to the application-specific capabilities of the at least one application, wherein use of the security module, the user token or both to control the access of the particular user depends on the application-specific capabilities being accessed, the determining further including:
(i) when a first particular capability of the application-specific capabilities specifies validation using the security module, accessing the security module to determine if the first particular capability is enabled for the particular user, and, if access is not enabled according to the security module, denying access;
(ii) when a second particular capability of the application-specific capabilities specifies validation using the user token, accessing the user token to determine if the second particular capability is enabled for the particular user and, if access is not enabled according to the user token, denying access; and
(iii) when a third particular capability of the application-specific capabilities is not specified as requiring validation by a specific one of the user token or the security module, accessing a first one of the user token or the security module to determine if the third particular capability is enabled for the particular user, and, in response to the first one of the user token or the security module indicating that the third particular capability is not enabled, accessing the other one of the user token or the security module to determine if the third particular capability is enabled.
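The decision procedure of parts (i) to (iii), as an added worked example: this is illustrative code written for this page, not the patent's or any product's implementation, and the applications, capabilities, roles, users, token format and signing key are all constructed assumptions. It shows the per-capability choice of validation source, the token's time limit, and the fallback from an expired token to the security module for a capability that names no source.

```python
import hmac, hashlib, json

# Constructed sample data: two applications whose capability sets are
# independent. Each capability names the source that must validate it:
# "module", "token", or None (either source, per part (iii) of the claim).
CAPABILITIES = {
    "billing": {"billing.export": "module", "billing.view": None},
    "support": {"support.close_ticket": "token", "support.view": None},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"agent"}}          # user id -> roles
ROLE_CAPABILITIES = {                                          # role -> capabilities
    "analyst": {"billing.view", "billing.export"},
    "agent": {"support.view", "support.close_ticket"},
}
SECRET = b"constructed-demo-key"  # placeholder key; a real deployment keeps this in a KMS/HSM

def module_enabled(user, cap):
    """Security module: resolve user -> roles -> capabilities from the stored correlating data."""
    return any(cap in ROLE_CAPABILITIES.get(r, set()) for r in USER_ROLES.get(user, set()))

def issue_token(user, app, ttl, now):
    """Token generated for one user and one application: lists the capabilities the
    user is enabled for, carries an expiry, and is integrity-protected with an HMAC."""
    caps = sorted(c for c in CAPABILITIES[app] if module_enabled(user, c))
    raw = json.dumps({"sub": user, "caps": caps, "exp": now + ttl}, sort_keys=True).encode()
    return raw, hmac.new(SECRET, raw, hashlib.sha256).hexdigest()

def token_enabled(token, user, cap, now):
    """Token check: reject forged, foreign or expired tokens before trusting their capability list."""
    raw, mac = token
    if not hmac.compare_digest(mac, hmac.new(SECRET, raw, hashlib.sha256).hexdigest()):
        return False
    body = json.loads(raw)
    return body["sub"] == user and body["exp"] > now and cap in body["caps"]

def access_allowed(user, token, app, cap, now):
    """Parts (i)-(iii): the capability's own requirement selects the source consulted."""
    if cap not in CAPABILITIES.get(app, {}):
        return False                                  # unknown capability: deny by default
    source = CAPABILITIES[app][cap]
    if source == "module":                            # (i)
        return module_enabled(user, cap)
    if source == "token":                             # (ii)
        return token_enabled(token, user, cap, now)
    # (iii): no source mandated; try the token first (no data-store lookup),
    # and only if it does not enable the capability fall back to the module.
    return token_enabled(token, user, cap, now) or module_enabled(user, cap)
```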
9 Assignments, 0 Petitions
Abstract
Managing user access to application-specific capabilities of a system includes maintaining data correlating application-specific capabilities for each of the applications of the system, where the application-specific capabilities of different applications are independent of each other. Managing user access also includes maintaining data correlating user identifiers with user roles, maintaining data correlating user roles with application-specific capabilities, and managing the data using a security module that accesses the data correlating application-specific capabilities, the data correlating user identifiers, and the data correlating user roles. The system may have a plurality of tenants, each of which subscribes to one or more of the applications. Each of the users may correspond to a particular one of the tenants. Each tenant may subscribe to a particular set of applications/features.
145 Citations
Claims (20)
1. Independent claim; its full text is given above under First Claim. (Dependent claims: 2 to 11.)
12. A computer program product, provided in a non-transitory computer-readable medium, that manages user access to application-specific capabilities of a system, the computer program product comprising:
executable code that maintains data correlating application-specific capabilities for each of the applications of the system, wherein the application-specific capabilities of different applications are independent of each other;
executable code that maintains data correlating user identifiers with user roles;
executable code that maintains data correlating user roles with the application-specific capabilities; and
executable code that manages user access to the application-specific capabilities of at least one of the applications of the computer system using a security information source, wherein the security information source includes at least one of a security module or a user token, wherein the user token is generated according to credentials of a particular user and is presented to identify access of the particular user to particular ones of the application-specific capabilities of the at least one application for a period of time, and wherein the security module includes a security application programming interface for the computer system, wherein the security information source uses stored correlating data including the data correlating application-specific capabilities, the data correlating user identifiers, and the data correlating user roles, wherein the executable code that manages user access further includes executable code that determines whether to access the security module, the user token or both to control access of the particular user to the application-specific capabilities of the at least one application, wherein use of the security module, the user token or both to control the access of the particular user depends on the application-specific capabilities being accessed, and wherein the executable code that determines further includes executable code that:
(i) when a first particular capability of the application-specific capabilities specifies validation using the security module, accesses the security module to determine if the first particular capability is enabled for the particular user, and, if access is not enabled according to the security module, denies access;
(ii) when a second particular capability of the application-specific capabilities specifies validation using the user token, accesses the user token to determine if the second particular capability is enabled for the particular user and, if access is not enabled according to the user token, denies access; and
(iii) when a third particular capability of the application-specific capabilities is not specified as requiring validation by a specific one of the user token or the security module, accesses a first one of the user token or the security module to determine if a particular capability is enabled for the particular user, and, in response to the first one of the user token or the security module indicating that the particular capability is not enabled, accesses the other one of the user token or the security module to determine if the particular capability is enabled.
(Dependent claims: 13 to 20.)
Specification