Relationship-based authorization
First Claim
1. A non-transitory computer readable storage medium comprising computer-readable instructions configured to cause a data processor coupled to one or more memory devices to perform operations comprising:
- receiving data characterizing a request for authorization to access a computer-based resource by a principal;
determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising;
determining whether the requesting principal has an implicit or explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource, wherein the explicit relationship includes at least one of a user to user relationship, a user to organization relationship, and an organization to organization relationship, wherein determining an implicit relationship includes inferring an implicit relationship based on a combination of explicit relationships; and
determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;
otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; and
providing authorization for the requesting principal to the computer-based resource.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods and apparatus, including computer program products, related to relationship-based authorization. In general, data characterizing a request for authorization to a computer-based resource is received, and the authorization may be provided based on one or more relationships of a requesting principal. A determination may be made as to whether a requesting principal is authorized, which may include determining whether the requesting user has a relationship with a principal that has management rights of the computer-based resource and determining whether the relationship allows for an access, such as a use of the computer-based resource, if the requesting principal has a relationship with the other principal. If there is no such relationship, a determination may be made as to whether an organization of the requesting principal has a relationship with the other principal that allows for the access.
-
Citations
20 Claims
-
1. A non-transitory computer readable storage medium comprising computer-readable instructions configured to cause a data processor coupled to one or more memory devices to perform operations comprising:
-
receiving data characterizing a request for authorization to access a computer-based resource by a principal; determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising; determining whether the requesting principal has an implicit or explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource, wherein the explicit relationship includes at least one of a user to user relationship, a user to organization relationship, and an organization to organization relationship, wherein determining an implicit relationship includes inferring an implicit relationship based on a combination of explicit relationships; and determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;
otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; andproviding authorization for the requesting principal to the computer-based resource. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A computer-implemented method comprising:
-
receiving data characterizing a request for authorization to access a computer-based resource by a principal; determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising; determining whether the requesting principal has an implicit or explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource, wherein the explicit relationship includes at least one of a user to user relationship, a user to organization relationship, and an organization to organization relationship, wherein determining an implicit relationship includes inferring an implicit relationship based on a combination of explicit relationships; and determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;
otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; andproviding authorization for the requesting principal to the computer-based resource. - View Dependent Claims (13, 14, 15, 16)
-
-
17. A non-transitory computer readable storage medium comprising computer-readable instructions configured to cause a data processor coupled to one or more memory devices to perform operations comprising:
-
receiving data characterizing a request for access to a computer-based resource by a first principal; determining whether the first principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising; determining whether the first principal has a first implicit or explicit relationship with a second principal that has management rights of access to the computer-based resource, the determining whether the first principal has the first relationship with the second principal based on a query of one or more data structures comprising user to user relationships between principals being users, and wherein determining an implicit relationship includes inferring an implicit relationship based on a combination of explicit relationships; and determining whether the first relationship allows for the access to the computer-based resource based on properties of the first relationship if the first principal has the first relationship;
otherwise, determining whether an organization of the first principal has a second relationship, with the second principal, that allows for the access, the determining whether the organization has the second relationship based on user to organization relationships and organization to user relationships of the data structures; andproviding authorization for the requesting principal to the computer-based resource. - View Dependent Claims (18, 19, 20)
-
Specification