Multiple entity authorization model
First Claim
1. A computer-implemented method of securing data records in a service-based web platform, the computer-implemented method comprising:
- storing, by the service-based web platform, one or more data records associated with an owner entity that is authorized to access the service-based web platform and the one or more data records;
exposing, by the service-based web platform, web methods for accessing data records stored by the service-based web platform, wherein authorization to call certain web methods is granted by the service-based web platform to authorized users of the service-based web platform according to user context;
receiving, by the service-based web platform, a call to an exposed web method from an application requesting access to a stored data record associated with the owner entity on behalf of a user;
verifying, by the service-based web platform, authorization of the application to call the exposed web method based at least on whether the user is authorized to access the service-based web platform and has been granted authorization to call the exposed web method by the service-based web platform; and
denying, by the service-based web platform, access of the application to the stored data record associated with the owner entity upon verifying authorization of the application to call the exposed web method unless;
the user is at least one of the owner entity or a user that has been explicitly granted access by the owner entity to the stored data record or a set of data records that includes the stored data record;
the application is registered with the service-based web platform;
the owner entity has explicitly granted the application access to a minimum required data record set that was specified by the application during registration; and
the stored data record is within the minimum required data record set.
2 Assignments
0 Petitions
Accused Products
Abstract
An authorization framework is provided that protects data records in a platform, such as a service-based platform, by requiring multiple level entities to be authorized with respect to the data records. For example, the data records can have an associated owner user that can grant access to other users with respect to the data. Additionally, however, the user can also grant access to certain applications that access the platform such that the data records can be initially closed for a user requiring the user to explicitly grant desired access to applications and/or users. In this regard, applications can be forbidden from accessing the data, even on behalf of the user, unless expressly authorized to do so by the user. Thus, the user can make informed decisions regarding who is to have access to its data.
85 Citations
20 Claims
-
1. A computer-implemented method of securing data records in a service-based web platform, the computer-implemented method comprising:
-
storing, by the service-based web platform, one or more data records associated with an owner entity that is authorized to access the service-based web platform and the one or more data records; exposing, by the service-based web platform, web methods for accessing data records stored by the service-based web platform, wherein authorization to call certain web methods is granted by the service-based web platform to authorized users of the service-based web platform according to user context; receiving, by the service-based web platform, a call to an exposed web method from an application requesting access to a stored data record associated with the owner entity on behalf of a user; verifying, by the service-based web platform, authorization of the application to call the exposed web method based at least on whether the user is authorized to access the service-based web platform and has been granted authorization to call the exposed web method by the service-based web platform; and denying, by the service-based web platform, access of the application to the stored data record associated with the owner entity upon verifying authorization of the application to call the exposed web method unless; the user is at least one of the owner entity or a user that has been explicitly granted access by the owner entity to the stored data record or a set of data records that includes the stored data record; the application is registered with the service-based web platform; the owner entity has explicitly granted the application access to a minimum required data record set that was specified by the application during registration; and the stored data record is within the minimum required data record set. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A computer-readable storage medium that does not consist of a signal, the computer-readable storage medium having instructions stored thereon that, when executed by a computing device, cause the computing device to perform operations comprising:
-
storing, by a service-based web platform, one or more data records associated with an owner entity that is authorized to access the service based web platform and the one or more data records; exposing, by the service-based web platform, web methods for accessing data records stored by the service-based web platform, wherein authorization to call certain web methods is granted by the service-based web platform to authorized users of the service-based web platform according to user context; receiving, by the service-based web platform, a call to an exposed web method from an application requesting access to a stored data record associated with the owner entity on behalf of a user; verifying, by the service-based web platform, authorization of the application to call the exposed web method based at least on whether the user is authorized to access the service-based web platform and has been granted authorization to call the exposed web method by the service-based web platform; and denying, by the service-based web platform, access of the application to the stored data record associated with owner entity upon verifying authorization of the application to call the exposed web method unless; the user is at least one of the owner entity or a user that has been explicitly granted access by the owner entity to the stored data record or a set of data records that includes the stored data record; the application is registered with the service-based web platform; the owner entity has explicitly granted the application access to a minimum required data record set that was specified by the application during registration; and the stored data record is within the minimum required data record set. - View Dependent Claims (11, 12, 13, 14, 15)
-
-
16. A computer system comprising:
-
a processor configured to execute computer-executable instructions; and memory storing computer-executable instructions for; storing, by a service-based web platform, one or more data records associated with an owner entity that is authorized to access the service-based web platform and the one or more data records; exposing, by the service-based web platform, web methods for accessing data records stored by the service-based web platform, wherein authorization to call certain web methods is granted by the service-based web platform to authorized users of the service-based web platform according to user context; receiving, by the service-based web platform, a call to an exposed web method from an application requesting access to a stored data record associated with the owner entity on behalf of a user; verifying, by the service-based web platform, authorization of the application to call the exposed web method based at least on whether the user is authorized to access the service-based web platform and has been granted authorization to call the exposed web method by the service-based web platform; and denying, by the service-based web platform, access of the application to the stored data record associated with owner entity upon verifying authorization of the application to call the exposed web method unless; the user is at least one of the owner entity or a user that has been explicitly granted access by the owner entity to the stored data record or a set of data records that includes the stored data record; the application is registered with the service-based web platform; the owner entity has explicitly granted the application access to a minimum required data record set that was specified by the application during registration; and the stored data record is within the minimum required data record set. - View Dependent Claims (17, 18, 19, 20)
-
Specification