Hierarchical entitlement system with integrated inheritance and limit checks

US 8,478,668 B2
Filed: 03/31/2004
Issued: 07/02/2013
Est. Priority Date: 03/12/2004
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a computer system for specifying and enforcing entitlements for performance of financial transactions, the method comprising:

in a computer system having at least a processor and memory, providing a hierarchical entitlement structure with inheritance for specifying entitlements for performing financial transactions;

receiving user input for defining a plurality of entitlement groups of said hierarchical entitlement structure, wherein each entitlement group has specified permissions to perform financial transactions, limits on performance of said financial transactions, and membership of each user, said hierarchical entitlement structure proving that a given entitlement group inherits permissions provided to its parent entitlement groups in said hierarchical entitlement structure, and wherein defining a plurality of entitlement groups includes restricting permissions inherited by an entitlement group from its parent entitlement group in said hierarchical entitlement structure;

in response to a particular user request to perform a financial transaction at runtime, identifying the particular user'"'"'s membership in a certain entitlement group; and

determining whether to allow the particular user to perform the financial transaction based on permissions and limits of said hierarchical entitlement structure applicable to the particular user'"'"'s performance of the financial transaction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A hierarchical entitlement system with integrated inheritance and limit checks is described. In one embodiment, for example, a computer-implemented method is described for specifying and enforcing entitlements for performance of financial transactions, the method comprises steps of: providing a hierarchical entitlement structure with inheritance for specifying entitlements for performing financial transactions; receiving user input for defining a plurality of entitlement groups of the hierarchical entitlement structure, wherein each entitlement group has specified permissions to perform financial transactions, limits on performance of the financial transactions, and membership of each user; in response to a particular user request to perform a financial transaction at runtime, identifying the particular user'"'"'s membership in a certain entitlement group; and determining whether to allow the particular user to perform the financial transaction based on permissions and limits of the hierarchical entitlement structure applicable to the particular user'"'"'s performance of the financial transaction.

43 Citations

View as Search Results

39 Claims

1. A method implemented in a computer system for specifying and enforcing entitlements for performance of financial transactions, the method comprising:
- in a computer system having at least a processor and memory, providing a hierarchical entitlement structure with inheritance for specifying entitlements for performing financial transactions;
  
  receiving user input for defining a plurality of entitlement groups of said hierarchical entitlement structure, wherein each entitlement group has specified permissions to perform financial transactions, limits on performance of said financial transactions, and membership of each user, said hierarchical entitlement structure proving that a given entitlement group inherits permissions provided to its parent entitlement groups in said hierarchical entitlement structure, and wherein defining a plurality of entitlement groups includes restricting permissions inherited by an entitlement group from its parent entitlement group in said hierarchical entitlement structure;
  
  in response to a particular user request to perform a financial transaction at runtime, identifying the particular user'"'"'s membership in a certain entitlement group; and
  
  determining whether to allow the particular user to perform the financial transaction based on permissions and limits of said hierarchical entitlement structure applicable to the particular user'"'"'s performance of the financial transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining permissions to access particular objects in a financial application.
  - 3. The method of claim 2, wherein said step of defining a plurality of entitlement groups includes defining permissions to perform functions on said particular objects.
  - 4. The method of claim 2, wherein at least some of said particular objects represent bank accounts.
  - 5. The method of claim 1, wherein said limits comprise limitations on values of financial transactions to be performed.
  - 6. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining limits comprising a selected one of per-transaction limits and cumulative limits over a period of time.
  - 7. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining permissions applying to a selected one of functions of a financial application and objects of a financial application.
  - 8. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining limits applicable to individual users.
  - 9. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining limits applicable collectively to members of an entitlement group.
  - 10. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining limits applying collectively to a particular entitlement group and children entitlement groups of said particular entitlement group in said hierarchical entitlement structure.
  - 11. The method of claim 1, further comprising:
    - tracking financial transactions performed for purposes of determining compliance with limits.
  - 12. The method of claim 11, wherein said step of tracking financial transactions performed includes maintaining running total values of financial transactions performed in cache for improved performance.
  - 13. The method of claim 12, wherein said step of determining whether to allow the particular user to perform the financial transaction includes determining whether any limits have been exceeded based on the running total values and the value of the financial transaction requested by the particular user.
  - 14. The method of claim 1, further comprising:
    - maintaining permission information for entitlement groups in the hierarchical entitlement structure in cache to improve system performance.
  - 15. The method of claim 14, wherein said permission information is modeled as three-tuples representing negative permissions.
  - 16. The method of claim 1, wherein permissions provided to an entitlement group include permissions to administer a certain other entitlement group.
  - 17. The method of claim 16, wherein permissions to administer a particular entitlement group include modifying permissions of said certain other entitlement group.
  - 18. The method of claim 16, wherein said permissions to administer a certain other entitlement group are subject to limitations defined for the entitlement group having said permissions to administer.
  - 19. The method of claim 1, wherein permissions provided to an entitlement group include permissions to extend a certain other entitlement group.
  - 20. The method of claim 19, wherein permissions to extend a certain other entitlement group include permissions to define a child entitlement group of said particular entitlement group.

21. A system for specifying and enforcing entitlements for performance of financial transactions, the system comprising:
- a computer having at least a processor and memory;
  
  a hierarchical entitlement structure with inheritance for specifying entitlements for performing financial transactions;
  
  a user input module for specifying a plurality of entitlement groups of said hierarchical entitlement structure, wherein each entitlement group has specified permissions to perform financial transactions, limits on performance of said financial transactions, and user membership, said hierarchical entitlement structure providing that a given entitlement group inherits permissions provided to its parent entitlement group in said hierarchical entitlement structure, and wherein said plurality of entitlement groups includes a child entitlement group inheriting permissions from its parent entitlement group in said hierarchical entitlement structure;
  
  wherein;
  
  restrictions are applied to the permissions inherited by such child inheritance andan enforcement module for determining, in response to a particular user'"'"'s request to perform a given financial transaction at runtime, whether to allow the particular user to perform the financial transaction based on permissions and limits of said hierarchical entitlement structure applicable to the entitlement group of which the particular user is a member.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 22. The system of claim 21, wherein said permissions to perform financial transactions include permissions to access particular objects in a financial application.
  - 23. The system of claim 22, wherein said step wherein said permissions to perform financial transactions include permissions to perform functions on said particular objects.
  - 24. The system of claim 22, wherein at least some of said particular objects represent bank accounts.
  - 25. The system of claim 21, wherein said limits comprise limitations on values of financial transactions to be performed.
  - 26. The system of claim 25, wherein limitations on values of financial transactions to be performed comprise a selected one of per-transaction limits and cumulative limits over a period of time.
  - 27. The system of claim 21, wherein said permissions to perform financial transactions include permissions applying to a selected one of functions of a financial application and objects of a financial application.
  - 28. The system of claim 21, wherein said specifying a plurality of entitlement groups includes specifying limits applicable to individual users.
  - 29. The system of claim 21, wherein said specifying a plurality of entitlement groups includes specifying limits applicable collectively to members of an entitlement group.
  - 30. The system of claim 21, wherein said specifying a plurality of entitlement groups includes specifying limits applying collectively to a particular entitlement group and children entitlement groups of said particular entitlement group in said hierarchical entitlement structure.
  - 31. The system of claim 21, further comprising:
    - a module for tracking financial transactions performed for purposes of determining compliance with limits.
  - 32. The system of claim 31, wherein said module for tracking financial transactions performed maintains running total values of financial transactions performed in cache memory of the computer.
  - 33. The system of claim 32, wherein said enforcement module determines whether to allow the particular user to perform the financial transaction based, at least in part, on said running total values and the value of the financial transaction requested by the particular user.
  - 34. The system of claim 21, further comprising:
    - a module for maintaining permission information for entitlement groups in the hierarchical entitlement structure in cache memory of the computer.
  - 35. The system of claim 34, wherein said permission information is modeled as three-tuples representing negative permissions.
  - 36. The system of claim 21, wherein permissions provided to an entitlement group include permissions to administer a certain other entitlement group.
  - 37. The system of claim 36, wherein permissions to administer a particular entitlement group include modifying permissions of said certain other entitlement group.
  - 38. The system of claim 36, wherein said permissions to administer a certain other entitlement group are subject to limitations defined for the entitlement group having said permissions to administer.

39. A method for defining and enforcing permissions and limits on performance of financial transactions in a banking system, the method comprising:
- in a banking system implemented in a computer system having at least a processor and memory, receiving user input defining a plurality of entitlement groups, wherein each entitlement group has specified users, permissions to perform financial transactions and limits on performance said financial transactions;
  
  organizing said plurality of entitlement groups into a hierarchical structure with inheritance specifying permissions and limits for performing financial transactions, said hierarchical entitlement structure providing that a given entitlement group inherits permissions provided to its parent entitlement group in said hierarchical entitlement structure, and wherein defining a plurality of entitlement groups includes restricting permissions inherited by an entitlement map from its parent entitlement group in said hierarchical entitlement structure;
  
  in response to a particular user request to perform a financial transaction in the banking system at runtime, identifying the particular user'"'"'s membership in a certain entitlement group; and
  
  determining whether to allow the particular user to perform the financial transaction based on permissions and limits of said hierarchical entitlement structure applicable to the particular user'"'"'s performance of the financial transaction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sybase Incorporated (SAP SE)
Original Assignee
Sybase Incorporated (SAP SE)
Inventors
Woodward, Bruce G., Smith, Debra, Pledereder, Richard
Primary Examiner(s)
Felten, Daniel
Assistant Examiner(s)
MADAMBA, CLIFFORD B

Application Number

US10/708,920
Publication Number

US 20050203836A1
Time in Patent Office

3,380 Days
Field of Search

705 35- 45
US Class Current

705/35
CPC Class Codes

G06Q 10/10   Office automation; Time man...

G06Q 20/10   specially adapted for elect...

G06Q 40/02   Banking, e.g. interest calc...

Hierarchical entitlement system with integrated inheritance and limit checks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical entitlement system with integrated inheritance and limit checks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links