Method and system for managing object level security using an object definition hierarchy

US 8,887,271 B2
Filed: 06/15/2009
Issued: 11/11/2014
Est. Priority Date: 06/15/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by a computer system, a request from a user to perform an action on a first object in a plurality of objects in a software application;

accessing, by the computer system, a predefined hierarchy of a plurality of different object definitions, wherein said first object is an instance of a first object definition in the predefined hierarchy;

determining, by the computer system, an attribute of the first object comprising a second object, wherein the second object is a particular instance of a second object definition, wherein said second object definition is an ancestor of said first object definition in the predefined hierarchy, and wherein the attribute defines an association between the first object and the second object that is independent of the predefined hierarchy;

accessing, by the computer system, user authorization data;

determining, by the computer system, permission of the user to perform said action; and

granting, by the computer system, the user permission to perform the action on said first object,wherein the permission is determined from the predefined hierarchy of the plurality of different object definitions, the attribute, and the user authorization data, andwherein the user is granted permission to perform the action on said first object if the user authorization data grants the user permission to perform the action on the first object based on the first object definition and the attribute.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment the present invention includes a computer-implemented method comprising receiving a request from a user to perform an action on a first object in a software application, accessing a predefined hierarchy of a plurality of different object definitions, accessing user authorization data, and granting the user permission to perform the action on said first object, wherein the permission is determined from the predefined hierarchy and the user authorization data, wherein determining the permission includes traversing the predefined hierarchy.

37 Citations

18 Claims

1. A computer-implemented method comprising:
- receiving, by a computer system, a request from a user to perform an action on a first object in a plurality of objects in a software application;
  
  accessing, by the computer system, a predefined hierarchy of a plurality of different object definitions, wherein said first object is an instance of a first object definition in the predefined hierarchy;
  
  determining, by the computer system, an attribute of the first object comprising a second object, wherein the second object is a particular instance of a second object definition, wherein said second object definition is an ancestor of said first object definition in the predefined hierarchy, and wherein the attribute defines an association between the first object and the second object that is independent of the predefined hierarchy;
  
  accessing, by the computer system, user authorization data;
  
  determining, by the computer system, permission of the user to perform said action; and
  
  granting, by the computer system, the user permission to perform the action on said first object,wherein the permission is determined from the predefined hierarchy of the plurality of different object definitions, the attribute, and the user authorization data, andwherein the user is granted permission to perform the action on said first object if the user authorization data grants the user permission to perform the action on the first object based on the first object definition and the attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein said first object includes information specifying said second object.
  - 3. The method of claim 1 wherein determining the permission from the predefined hierarchy and the user authorization data includes:
    - determining the ancestor object definitions of said first object definition at a particular level in the predefined hierarchy;
      
      for each ancestor object definition, checking the permission to perform the action based on an instance of the ancestor object definition, wherein the order of checking the ancestor object definitions is based on a predetermined order; and
      
      traversing to the next level if the user has not been granted permission to perform the action on said first object, and not traversing to the next level if the user has been granted permission to perform the action on said first object.
  - 4. The method of claim 3 wherein the maximum number of levels that can be traversed is based on a predetermined value.
  - 5. The method of claim 1 wherein the predefined hierarchy of the plurality of object definitions is stored in a database.
  - 6. The method of claim 1 wherein the user authorization data comprises a list of permissions, and wherein an entry in the list of permissions specifies at least one user, a permissible action that may be performed on a specified object definition, and an object instance of an ancestor object definition.
  - 7. The method of claim 1 wherein an object in the software application includes information specifying one or more different objects in the software application, wherein each of the one or more different objects in the software application is an instance of an ancestor object definition in the predefined hierarchy.
  - 8. The method of claim 1 wherein the plurality of object definitions in the predefined object definition hierarchy is configured as a directed graph.
  - 9. The method of claim 8 wherein the directed graph is configured in a multi-parent unbalanced non-binary tree form.

10. A non-transitory computer-readable medium containing instructions for controlling a computer system to perform a method, the method comprising:
- receiving a request from a user to perform an action on a first object in a plurality of objects in a software application;
  
  accessing a predefined hierarchy of a plurality of different object definitions, wherein said first object is an instance of a first object definition in the predefined hierarchy;
  
  determining an attribute of the first object comprising a second object, wherein the second object is a particular instance of a second object definition, wherein said second object definition is an ancestor of said first object definition in the predefined hierarchy, and wherein the attribute defines an association between the first object and the second object that is independent of the predefined hierarchy;
  
  accessing user authorization data; and
  
  determining permission of the user to perform said action; and
  
  granting the user permission to perform the action on said first object,wherein the permission is determined from the predefined hierarchy of the plurality of different object definitions, the attribute, and the user authorization data, andwherein the user is granted permission to perform the action on said first object if the user authorization data grants the user permission to perform the action on the first object based on the first object definition and the attribute.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer-readable medium of claim 10 wherein said first object is associated with said second object if said first object includes information specifying said second object.
  - 12. The non-transitory computer-readable medium of claim 10 wherein determining the permission from the predefined hierarchy and the user authorization data includes:
    - determining the ancestor object definitions of said first object definition at a particular level in the predefined hierarchy;
      
      for each ancestor object definition, checking the permission to perform the action based on an instance of the ancestor object definition, wherein the order of checking the ancestor object definitions is based on a predetermined order; and
      
      traversing to the next level if the user has not been granted permission to perform the action on said first object, and not traversing to the next level if the user has been granted permission to perform the action on said first object.
  - 13. The non-transitory computer-readable medium of claim 12 wherein the maximum number of levels that can be traversed is based on a predetermined value.
  - 14. The non-transitory computer-readable medium of claim 10 wherein the predefined hierarchy of the plurality of object definitions is stored in a database.
  - 15. The non-transitory computer-readable medium of claim 10 wherein the user authorization data comprises a list of permissions, and wherein an entry in the list of permissions specifies at least one user, a permissible action that may be performed on a specified object definition, and an object instance of an ancestor object definition.
  - 16. The non-transitory computer-readable medium of claim 10 wherein an object in the software application includes information specifying one or more different objects in the software application, wherein each of the one or more different objects in the software application is an instance of an ancestor object definition in the predefined hierarchy.
  - 17. The non-transitory computer-readable medium of claim 10 wherein the plurality of object definitions in the predefined object definition hierarchy is configured as a directed graph.
  - 18. The non-transitory computer-readable medium of claim 17 wherein the directed graph is configured in a multi-parent unbalanced non-binary tree form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Mohanty, Bhanu P., Agarwal, Sanjeev K.
Primary Examiner(s)
THIAW, CATHERINE B

Application Number

US12/484,814
Publication Number

US 20100319067A1
Time in Patent Office

1,975 Days
Field of Search

726/6, 726 16- 21, 726 27- 30
US Class Current

726/21
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/101   Access control lists [ACL]

Method and system for managing object level security using an object definition hierarchy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method and system for managing object level security using an object definition hierarchy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others