Tenant life cycle management for a software as a service platform

US 8,291,490 B1
Filed: 06/30/2008
Issued: 10/16/2012
Est. Priority Date: 06/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method of managing user access to application-specific capabilities of a computer system, comprising:

maintaining data correlating application-specific capabilities for each of the applications of the computer system, wherein the application-specific capabilities of different applications are independent of each other;

maintaining data correlating user identifiers with user roles;

maintaining data correlating user roles with the application-specific capabilities; and

managing user access to the application-specific capabilities of at least one of the applications of the computer system using a security information source, wherein the security information source includes at least one of;

a security module or a user token, wherein the user token is generated according to credentials of a particular user and is presented to identify access of the particular user to particular ones of the application-specific capabilities of the at least one application for a period of time, and wherein the security module includes a security application programming interface for the computer system, wherein the security information source uses stored correlating data including the data correlating application-specific capabilities, the data correlating user identifiers, and the data correlating user roles, wherein managing user access further includes determining whether to access the security module, the user token or both to control access of the particular user to the application specific capabilities of the at least one application, wherein use of the security module, the user token or both to control the access of the particular user depends on the application specific capabilities being accessed, the determining further including;

(i) when a first particular capability of the application specific capabilities specifies validation using the security module, accessing the security module to determine if the first particular capability is enabled for the particular user, and, if access is not enabled according to the security module, denying access;

(ii) when a second particular capability of the application specific capabilities specifies validation using the user token, accessing the user token to determine if the second particular capability is enabled for the particular user and, if access is not enabled according to the user token, denying access; and

(iii) when a third particular capability of the application specific capabilities is not specified as requiring validation by a specific one of the user token or the security module, accessing a first one of;

the user token or the security module to determine if the third particular capability is enabled for the particular user, and, in response to the first one of;

the user token or the security module indicating that the third particular capability is not enabled, accessing the other one of;

the user token or the security module to determine if the third particular capability is enabled.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Managing user access to application-specific capabilities of a system includes maintaining data correlating application-specific capabilities for each of the applications of the system, where the application-specific capabilities of different applications are independent of each other. Managing user access also includes maintaining data correlating user identifiers with user roles, maintaining data correlating user roles with application-specific capabilities, and managing the data using a security module that accesses the data correlating application-specific capabilities, data correlating user identifiers, and the data correlating user roles. The system may have a plurality of tenants and wherein each of the tenants subscribes to one or more of the applications. Each of the users may correspond to a particular one of the tenants. Each tenant may subscribe to a particular set of applications/features.

145 Citations

20 Claims

1. A method of managing user access to application-specific capabilities of a computer system, comprising:
- maintaining data correlating application-specific capabilities for each of the applications of the computer system, wherein the application-specific capabilities of different applications are independent of each other;
  
  maintaining data correlating user identifiers with user roles;
  
  maintaining data correlating user roles with the application-specific capabilities; and
  
  managing user access to the application-specific capabilities of at least one of the applications of the computer system using a security information source, wherein the security information source includes at least one of;
  
  a security module or a user token, wherein the user token is generated according to credentials of a particular user and is presented to identify access of the particular user to particular ones of the application-specific capabilities of the at least one application for a period of time, and wherein the security module includes a security application programming interface for the computer system, wherein the security information source uses stored correlating data including the data correlating application-specific capabilities, the data correlating user identifiers, and the data correlating user roles, wherein managing user access further includes determining whether to access the security module, the user token or both to control access of the particular user to the application specific capabilities of the at least one application, wherein use of the security module, the user token or both to control the access of the particular user depends on the application specific capabilities being accessed, the determining further including;
  
  (i) when a first particular capability of the application specific capabilities specifies validation using the security module, accessing the security module to determine if the first particular capability is enabled for the particular user, and, if access is not enabled according to the security module, denying access;
  
  (ii) when a second particular capability of the application specific capabilities specifies validation using the user token, accessing the user token to determine if the second particular capability is enabled for the particular user and, if access is not enabled according to the user token, denying access; and
  
  (iii) when a third particular capability of the application specific capabilities is not specified as requiring validation by a specific one of the user token or the security module, accessing a first one of;
  
  the user token or the security module to determine if the third particular capability is enabled for the particular user, and, in response to the first one of;
  
  the user token or the security module indicating that the third particular capability is not enabled, accessing the other one of;
  
  the user token or the security module to determine if the third particular capability is enabled.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method, according to claim 1, wherein the system has a plurality of tenants and wherein each of the tenants subscribes to one or more of the applications.
  - 3. A method, according to claim 2, wherein each of the users corresponds to a particular one of the tenants.
  - 4. A method, according to claim 3, wherein each tenant subscribes to a particular set of applications/features.
  - 5. A method, according to claim 4, wherein each user subscribes to applications/features that are a subset of the particular set of application/features to which the corresponding tenant is subscribed.
  - 6. A method, according to claim 3, wherein users are assigned quotas for particular applications/features and wherein a sum of quotas for all users of a tenant for a particular application/feature does not exceed a quota for the tenant.
  - 7. A method, according to claim 1, wherein the data is provided in tables.
  - 8. A method, according to claim 1, wherein application-specific capabilities include quotas.
  - 9. A method, according to claim 1, further comprising:
    - accessing the user token to determine if a particular capability is enabled for the particular user; and
      
      following accessing the user token, accessing, using the security module, the stored correlating data in response to the user token indicating that the particular capability is not enabled.
  - 10. A method, according to claim 1, wherein a first user is granted access to a first subset of the application-specific capabilities for at least one of the applications of the computer system according to the stored correlating data, and wherein a second user is granted access to a second subset, different from the first subset, of the application-specific capabilities for at least one of the applications of the computer system according to the stored correlating data.
  - 11. A method, according to claim 10, wherein the first subset of application-specific capabilities corresponds to a first version of an application, and wherein the second subset of application-specific capabilities corresponds to a second version of the application, the second version of the application having different capabilities from that of the first version of the application.

12. A computer program product, provided in a non-transitory computer-readable medium, that manages user access to application-specific capabilities of a system, the computer program product comprising:
- executable code that maintains data correlating application-specific capabilities for each of the applications of the system, wherein the application-specific capabilities of different applications are independent of each other;
  
  executable code that maintains data correlating user identifiers with user roles;
  
  executable code that maintains data correlating user roles with the application-specific capabilities; and
  
  executable code that manages user access to the application-specific capabilities at least one of the applications of the computer system using a security information source, wherein the security information source includes at least one of;
  
  a security module or a user token, wherein the user token is generated according to credentials of a particular user and is presented to identify access of the particular user to particular ones of the application-specific capabilities of the at least one application for a period of time, and wherein the security module includes a security application programming interface for the computer system, wherein the security information source uses stored correlating data including the data correlating application-specific capabilities, the data correlating user identifiers, and the data correlating user roles, wherein the executable code that manages user access further includes executable code that determines whether to access the security module, the user token or both to control access of the particular user to the application specific capabilities of the at least one application, wherein use of the security module, the user token or both to control the access of the particular user depends on the application specific capabilities being accessed, and wherein the executable code that determines further includes;
  
  executable code that;
  
  (i) when a first particular capability of the application specific capabilities specifies validation using the security module, accesses the security module to determine if the first particular capability is enabled for the particular user, and, if access is not enabled according to the security module, denies access;
  
  (ii) when a second particular capability of the application specific capabilities specifies validation using the user token, accesses the user token to determine if the second particular capability is enabled for the particular user and, if access is not enabled according to the user token, denies access; and
  
  (iii) when a third particular capability of the application specific capabilities is not specified as requiring validation by a specific one of the user token or the security module, accesses a first one of;
  
  the user token or the security module to determine if a particular capability is enabled for the particular user, and, in response to the first one of;
  
  the user token or the security module, indicating that the particular capability is not enabled, accesses the other one of;
  
  the user token or the security module to determine if the particular capability is enabled.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. A computer program product, according to claim 12, wherein the system has a plurality of tenants and wherein each of the tenants subscribes to one or more of the applications.
  - 14. A computer program product, according to claim 13, wherein each of the users corresponds to a particular one of the tenants.
  - 15. A computer program product, according to claim 14, wherein each tenant subscribes to a particular set of applications/features.
  - 16. A computer program product, according to claim 15, wherein each user subscribes to applications/features that are a subset of the particular set of application/features to which the corresponding tenant is subscribed.
  - 17. A computer program product, according to claim 14, wherein users are assigned quotas for particular applications/features and wherein a sum of quotas for all users of a tenant for a particular application/feature does not exceed a quota for the tenant.
  - 18. A computer program product, according to claim 12, further comprising:
    - executable code that accesses the user token to determine if a particular capability is enabled for the particular user; and
      
      executable code that, following accessing the user token, accesses, using the security module, the stored correlating data in response to the user token indicating that the particular capability is not enabled.
  - 19. A computer program product, according to claim 12, wherein a first user is granted access to a first subset of the application-specific capabilities for at least one of the applications of the computer system according to the stored correlating data, and wherein a second user is granted access to a second subset, different from the first subset, of the application-specific capabilities for at least one of the applications of the computer system according to the stored correlating data.
  - 20. A computer program product, according to claim 19, wherein the first subset of application-specific capabilities corresponds to a first version of a particular application, and wherein the second subset of application-specific capabilities corresponds to a second version of the particular application, the second version of the application having different capabilities from that of the first version of the particular application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Ahmed, Zahid N., Sahagian, David Victor, Homer, Andrew Wilson, Jensen, Jonathan M., Saiyed, Juniad, Bozeman, Patrick E., Perkett, Richard
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
Zaidi, S. Ali

Application Number

US12/217,005
Time in Patent Office

1,569 Days
Field of Search

726/17
US Class Current

726/17
CPC Class Codes

G06F 21/604 Tools and structures for ma...

Tenant life cycle management for a software as a service platform

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Tenant life cycle management for a software as a service platform

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others