Web management authorization and delegation framework
First Claim
1. In a computing environment, a method comprising:
- receiving a request to authorize a non-administrative user to perform an administrative action;
- accessing an authorization store, which is configured with information that corresponds to users and specified actions associated with those users, for determining whether the non-administrative user is allowed to perform the administrative action, wherein the authorization store provides a userscope variable that specifies a path for the non-administrative user, and wherein the path specified is automatically substituted for the non-administrative user based on a user login of the non-administrative user;
- in response to a determination that the non-administrative user is allowed to perform the administrative action, providing credentials that allow the non-administrative user to perform the administrative action using impersonation, wherein the credentials are specified for at least one of running the action as a process, running the action as a current user, or running the action as a specific user;
- running the administrative action; and
- upon completion of the administrative action, returning the non-administrative user to a set of credentials that were associated with that non-administrative user prior to running the administrative action.
Abstract
Described is a technology in which a non-administrator computer/web user is allowed to perform an administrative-level task within a certain context and/or scope. An authorization store is queried based on information (e.g., a provider, a username, and a path) provided with an authorization request, e.g., from an application via an API. The information in the authorization store, set up by an administrator, determines whether the administrative action is allowed. If so, a credential store provides credentials that allow the action to be run before reverting the user to the prior set of credentials. Also described is a pluggable provider model through which the authorization store and/or delegation store are accessed, whereby the data maintained therein can be in any format and/or at any location known to the associated provider.
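The flow the abstract and claims describe, as an added Python illustration (not the patent's or any product's code): an authorization store keyed by action and path in which the userscope variable is substituted from the requesting login, a credential store that selects the run-as mode (process, current user or specific user), impersonated execution, and a revert to the caller's prior credentials. The store contents, the logins, the site paths, the `svc-webmgmt` account and the `apppool-identity` process identity are constructed for this example.

```python
"""Added illustration (not the patent's or any product's code) of the flow in the
claims: authorization store lookup with the userscope variable substituted per
login, credentials picked by run-as mode, impersonated run, revert afterwards."""
from dataclasses import dataclass

RUN_AS_PROCESS, RUN_AS_CURRENT_USER, RUN_AS_SPECIFIC_USER = "process", "current", "specific"
PROCESS_IDENTITY = "apppool-identity"  # constructed identity of the hosting process

# Constructed authorization store: (action, path pattern) -> users allowed.
# "{userscope}" is the variable the engine substitutes from the user's login.
AUTH_STORE = {
    ("recycle_apppool", "/sites/{userscope}"): {"alice", "bob"},
    ("set_binding", "/sites/contoso"): {"alice"},
}
# Constructed credential (delegation) store: action -> (run-as mode, account).
CRED_STORE = {
    "recycle_apppool": (RUN_AS_SPECIFIC_USER, "svc-webmgmt"),
    "set_binding": (RUN_AS_PROCESS, None),
}
USER_SCOPE = {"alice": "alice-site", "bob": "bob-site"}  # constructed login -> own scope

@dataclass
class Session:
    login: str            # authenticated non-administrative user
    effective_user: str   # identity actions currently run as

def is_authorized(login, action, path):
    """True if the store grants `login` this action on `path`, after the
    userscope variable is replaced by that login's own scope."""
    scope = USER_SCOPE.get(login, "")
    return any(
        act == action and login in users and pattern.format(userscope=scope) == path
        for (act, pattern), users in AUTH_STORE.items()
    )

def run_delegated(session, action, path, work):
    """Authorize, impersonate per the credential store, run, always revert."""
    if not is_authorized(session.login, action, path):
        raise PermissionError(f"{session.login} may not {action} on {path}")
    mode, account = CRED_STORE[action]
    run_as = {RUN_AS_PROCESS: PROCESS_IDENTITY,
              RUN_AS_CURRENT_USER: session.login,
              RUN_AS_SPECIFIC_USER: account}[mode]
    prior = session.effective_user
    session.effective_user = run_as      # impersonation begins
    try:
        return work(session.effective_user, path)
    finally:
        session.effective_user = prior   # revert even if the action fails
```

Because the userscope variable is substituted from the login, two users who share the same store entry still cannot act on each other's paths, and the revert sits in a `finally` so a failing action cannot leave the session running as the delegated identity.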
19 Claims
1. In a computing environment, a method comprising the steps given in full under First Claim above. Dependent claims: 2 to 8.
9. In a computing environment, a system comprising:
- a rules engine configured to receive a request to authorize a non-administrative user to perform an administrative action;
- an authorization store stored in memory coupled to the rules engine and configured to provide information that corresponds to users and specified actions associated with those users, the information including a userscope variable that specifies a path for the non-administrative user,
- the rules engine configured to automatically substitute the path specified for the non-administrative user based on a user login of the non-administrative user,
- the rules engine configured to determine whether the non-administrative user is allowed to perform the administrative action, and in response to a determination that the non-administrative user is allowed to perform the administrative action, the rules engine configured to obtain credentials from a credential store to enable the non-administrative user to perform the administrative action, wherein the credentials are specified for at least one of running the action as a process, running the action as a current user, or running the action as a specific user.
Dependent claims: 10 to 15.
16. One or more computer-readable storage devices storing computer-executable instructions, which in response to execution by a computer, cause the computer to perform steps, comprising:
- receiving a request to authorize a non-administrative user to perform an administrative action, the request including a provider, a username, and a path;
- using the provider to access an authorization store;
- determining from information in the authorization store and from the request whether the non-administrative user is allowed to perform the administrative action, including identifying a userscope variable that specifies a path for the non-administrative user and automatically substituting the path specified for the non-administrative user based on a user login of the non-administrative user;
- in response to a determination that the non-administrative user is allowed to perform the administrative action, obtaining credentials that allow the non-administrative user to perform the administrative action, wherein the credentials are specified for at least one of running the action as a process, running the action as a current user, or running the action as a specific user;
- running the administrative action; and
- returning the non-administrative user to a set of credentials that were associated with that non-administrative user prior to running the administrative action.
Dependent claims: 17 to 19.