Unified authorization for heterogeneous applications
First Claim
1. A method implemented at least in part by a data store service executing on a computing device, the method comprising:
receiving, from a first user device, a first user request for an application service of an application, and from a second user device, a second user request for the application service;
determining a first user identifier associated with the first user device, and a second user identifier associated with the second user device;
determining an access right for the first user device to access the application service, based on the first user identifier;
determining a different access right for the second user device to access the application service, based on the second user identifier;
authenticating with the application using a set of credentials associated with the data store service such that the data store service has both the access right for the first device and the different access right for the second user device;
accessing the application service for the first user device by the data store service, provided the first user request is consistent with the access right for the first user device; and
accessing the application service for the second user device by the data store service, provided the second user request is consistent with the access right for the second user device, wherein the credentials associated with the data store service are used by the data store service to access the application service for the first user device and the second user device.
Abstract
An enterprise system may separate the executable functionality existing in backend applications, and the separation may be at differing levels of granularity. The separated functions of the application may be registered in a catalog in the form of metadata objects. Once the executable functionality has been registered, each granular functional object may be associated with its own authorization information. In this manner, the authorization of a service of an application may be made on a feature-by-feature (or object-by-object) basis in a unified manner.
22 Claims
1. (Independent claim; set out in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. One or more computer readable storage media having stored thereon a data structure comprising:
a) a first data field containing data representing an object identifier, the object identifier indicating an available service of an application and a security classification for accessing the available service, wherein the security classification identifies a required level of access rights to access the available service that is greater than a level of access rights of an authorized user of the application;
b) a second data field, associated with the first data field, containing data representing an access control list identifier;
c) a third data field, associated with the second data field, containing data representing an access control entry identifier;
d) a fourth data field, associated with the third data field, containing data representing a user identifier associated with the authorized user of the application; and
e) a fifth data field, associated with the third data field, containing data representing a right identifier indicating that the authorized user is permitted to access the available service via a data store service having the required level of access rights to access the available service.
Dependent claims: 12, 13, 14.
15. One or more computer readable storage media containing computer readable instructions that, when implemented, perform a method comprising:
associating a service identifier with a first authorized user identifier and a first access right indicator of the first authorized user identifier, wherein the service identifier is associated with a service of an application;
associating the service identifier with a second authorized user identifier and a second access right indicator of the second authorized user identifier, the first access right indicator and the second access right indicator indicating different access rights for the service;
receiving a first request for the service from a first user device;
verifying that a first user identifier associated with the first user device matches the first authorized user identifier;
receiving a second request for the service from a second user device;
verifying that a second user identifier associated with the second user device matches the second authorized user identifier;
determining, based on the first access right indicator, whether accessing the service is permitted for the first user device;
determining, based on the second access right indicator, whether accessing the service is permitted for the second user device;
providing credentials to access an account associated with the application, wherein the credentials are associated with an entity other than the first user device and the second user device; and
using the account to access the service for both the first user device and the second user device by the entity, provided both the first user device and the second user device are permitted to access the service.
Dependent claims: 16, 17, 18, 19, 20, 21, 22.
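The abstract and the three independent claims describe one mechanism: a catalog of registered service objects, each carrying a security classification and an access control list whose entries pair a user identifier with a right identifier, and a data store service that holds a single privileged credential for the backend and calls the backend on a user's behalf only after checking that user's entry. The Python below is an added example of that mechanism, not code from the patent or its assignee; the class names, the `Right` levels, the sample users and the `invoice-42` object are illustrative assumptions. It also shows the failure mode a practitioner should check for in any such design: because the backend authenticates only the broker's credential, a broker that skips the per-user check becomes a confused deputy that hands every caller its own, higher, rights.

```python
# Added example, not the patent's code; names and sample data are illustrative assumptions.
from dataclasses import dataclass, field
from enum import IntEnum
import hmac


class Right(IntEnum):
    """Right identifiers, ordered so a higher value implies the lower ones."""
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3


@dataclass(frozen=True)
class ServiceObject:
    """Claim 11, field a): a registered service plus its security classification."""
    object_id: str
    required_level: Right   # level the backend demands of whoever calls it
    acl_id: str             # field b): the ACL that governs this object


@dataclass(frozen=True)
class AccessControlEntry:
    """Claim 11, fields c) to e): one user and the right exercised on its behalf."""
    ace_id: str
    user_id: str
    right: Right


@dataclass
class AccessControlList:
    acl_id: str
    entries: dict = field(default_factory=dict)   # user_id -> AccessControlEntry

    def right_for(self, user_id: str) -> Right:
        ace = self.entries.get(user_id)
        return ace.right if ace else Right.NONE


class BackendApplication:
    """Constructed stand-in for a backend: it knows one principal, the broker's
    service account, and enforces only the object's classification against it."""

    def __init__(self, account: str, secret: str, level: Right, catalog: dict):
        self._account, self._secret, self._level, self._catalog = account, secret, level, catalog
        self.records = {"invoice-42": "paid"}        # constructed sample data

    def call(self, account: str, secret: str, object_id: str, op: str, payload=None):
        if account != self._account or not hmac.compare_digest(secret, self._secret):
            raise PermissionError("backend: bad service credentials")
        if self._level < self._catalog[object_id].required_level:
            raise PermissionError("backend: service account below classification")
        if op == "read":
            return self.records.get(object_id)
        self.records[object_id] = payload
        return "ok"


class DataStoreService:
    """The broker of claims 1 and 15: one privileged credential, per-user rights."""

    NEEDED = {"read": Right.READ, "write": Right.WRITE}

    def __init__(self, backend, account, secret, catalog, acls):
        self._backend, self._account, self._secret = backend, account, secret
        self._catalog, self._acls = catalog, acls

    def request(self, user_id: str, object_id: str, op: str, payload=None):
        obj, needed = self._catalog.get(object_id), self.NEEDED.get(op)
        if obj is None or needed is None:
            raise PermissionError("denied: unregistered object or unknown operation")
        granted = self._acls[obj.acl_id].right_for(user_id)
        # The backend only ever sees the broker's account, so this comparison is the
        # sole per-user control; nothing downstream will re-check it.
        if granted < needed:
            raise PermissionError(f"denied: {user_id} holds {granted.name}, needs {needed.name}")
        return self._backend.call(self._account, self._secret, object_id, op, payload)

    def request_unchecked(self, object_id: str, op: str, payload=None):
        """Anti-pattern: skipping the ACE lookup makes the broker a confused deputy."""
        return self._backend.call(self._account, self._secret, object_id, op, payload)


def demo() -> dict:
    catalog = {"invoice-42": ServiceObject("invoice-42", Right.ADMIN, "acl-invoices")}
    acls = {"acl-invoices": AccessControlList("acl-invoices", {
        "alice": AccessControlEntry("ace-1", "alice", Right.READ),
        "bob": AccessControlEntry("ace-2", "bob", Right.WRITE)})}
    # The broker's own account sits at ADMIN, above any individual user's rights.
    backend = BackendApplication("svc-datastore", "s3cret", Right.ADMIN, catalog)
    broker = DataStoreService(backend, "svc-datastore", "s3cret", catalog, acls)
    out = {"alice_read": broker.request("alice", "invoice-42", "read"),
           "bob_write": broker.request("bob", "invoice-42", "write", "void")}
    out["after_bob"] = broker.request("alice", "invoice-42", "read")
    for key, args in (("alice_write", ("alice", "invoice-42", "write", "x")),
                      ("carol_read", ("carol", "invoice-42", "read"))):
        try:
            broker.request(*args)
            out[key] = "allowed"
        except PermissionError:
            out[key] = "denied"
    # Without the per-user check, anyone who reaches the broker writes with ADMIN rights.
    out["unchecked_write"] = broker.request_unchecked("invoice-42", "write", "deleted")
    return out
```

The classification in claim 11 is modelled by giving `invoice-42` a required level of `ADMIN` that no user holds; only the broker's service account meets it, which is exactly why the broker's own `granted < needed` test must run before the backend is touched.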
Specification