Methods and systems for provisioning access to customer organization data in a multi-tenant system

US 8,949,939 B2
Filed: 08/29/2011
Issued: 02/03/2015
Est. Priority Date: 10/13/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for controlling access to data for an organization stored in a multi-tenant system hosted on a server computer accessible over a network, the method comprising:

defining administrative privileges for a support user within a management organization that maintains the data for the organization stored in the multi-tenant system on the server computer, wherein the support user is authorized to access the data of the organization according to the defined administrative privileges;

defining a support user class of users in an interface to the organization that includes representatives of an independent software vendor (ISV) that provided a multi-tenant database application maintained by a platform provider, wherein a member of the support user class is granted limited privileges with respect to the data;

generating a Security Assertion Markup Language (SAML) assertion upon request of an ISV support representative to enable access to the data to the extent of the granted limited privileges, the SAML assertion establishing the identity of the ISV support representative and the platform provider serves as an identity provider under a SAML protocol to authorize the ISV support representative to perform maintenance functions for the multi-tenant database application;

initiating a network session to the organization upon request of the ISV support representative, wherein the network session associates the administrative privileges to the support user class to enable access to the data to the extent of the administrative privileges;

granting access to the multi-tenant database application to the ISV support representative as an organization user for a limited term, wherein the ISV support representative is granted use privileges of the multi-tenant database application; and

allowing the ISV support representative to use the multi-tenant database application as an organization user for the limited term.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are described for providing support representative access to applications deployed in an enterprise network environment. An access provisioning system defines a support user class in a user profile database for an application executed on an organization partition within the network. The support user is granted read only privileges to metadata of the application. An organization administrator can grant support personnel access to the application as a support user, thus the ability to view, analyze, and possibly modify the metadata. The access provisioning system generates a Security Assertion Markup Language (SAML) assertion upon request by the support personnel to enable access to the data to the extent of the granted privileges. The SAML protocol includes authentication of the support representative as an authorized support user within the system.

Citations

14 Claims

1. A computer-implemented method for controlling access to data for an organization stored in a multi-tenant system hosted on a server computer accessible over a network, the method comprising:
- defining administrative privileges for a support user within a management organization that maintains the data for the organization stored in the multi-tenant system on the server computer, wherein the support user is authorized to access the data of the organization according to the defined administrative privileges;
  
  defining a support user class of users in an interface to the organization that includes representatives of an independent software vendor (ISV) that provided a multi-tenant database application maintained by a platform provider, wherein a member of the support user class is granted limited privileges with respect to the data;
  
  generating a Security Assertion Markup Language (SAML) assertion upon request of an ISV support representative to enable access to the data to the extent of the granted limited privileges, the SAML assertion establishing the identity of the ISV support representative and the platform provider serves as an identity provider under a SAML protocol to authorize the ISV support representative to perform maintenance functions for the multi-tenant database application;
  
  initiating a network session to the organization upon request of the ISV support representative, wherein the network session associates the administrative privileges to the support user class to enable access to the data to the extent of the administrative privileges;
  
  granting access to the multi-tenant database application to the ISV support representative as an organization user for a limited term, wherein the ISV support representative is granted use privileges of the multi-tenant database application; and
  
  allowing the ISV support representative to use the multi-tenant database application as an organization user for the limited term.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the data of the organization comprises at least one of:
    - metadata related to usage parameters of the organization to resources of the system, and metadata of the multi-tenant database application installed for use by the organization.
  - 3. The method of claim 2 wherein the multi-tenant database application is a hosted application comprising part of a package of one or more programs accessible to the organization through login credentials established by the platform provider.
  - 4. The method of claim 3 wherein the ISV support representative is granted privileges allowing the support representative to view and modify the metadata in relation to performing debugging functions on the multi-tenant database application.
  - 5. The method of claim 4 comprising:
    - allowing the support user to access organization metadata as the organization user for the limited term.
  - 6. The method of claim 1 further comprising:
    - providing a user interface allowing the ISV support representative to select a customer organization to access as a support user; and
      
      generating the SAML assertion upon selection of a uniform resource locator on the user interface by the ISV support representative.

7. A system for controlling access to application program data in a computer network, comprising:
- a central processing unit (CPU); and
  
  a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the central processing unit to;
  
  define administrative privileges for a support user within a management organization that maintains the data for the organization stored in the multi-tenant system on the server computer, wherein the support user is authorized to access the data of the organization according to the defined administrative privileges;
  
  define a support user class of users in an interface to the organization that includes representatives of an independent software vendor (ISV) that provided a multi-tenant database application maintained by a platform provider, wherein a member of the support user class is granted limited privileges with respect to the data;
  
  generate a Security Assertion Markup Language (SAML) assertion upon request of an ISV support representative to enable access to the data to the extent of the granted limited privileges, the SAML assertion establishing the identity of the ISV support representative and the platform provider serves as an identity provider under a SAML protocol to authorize the ISV support representative to perform maintenance functions for the multi-tenant database application;
  
  initiate a network session to the organization upon request of the ISV support representative, wherein the network session associates the administrative privileges to the support user class to enable access to the data to the extent of the administrative privileges;
  
  grant access to the multi-tenant database application to the ISV support representative as an organization user for a limited term, wherein the ISV support representative is granted use privileges of the multi-tenant database application;
  
  allow the ISV support representative to use the multi-tenant database application as an organization user for the limited term.
- View Dependent Claims (8, 9, 10)
- - 8. The system of claim 7 wherein a hosted application comprises a package of one or more programs accessible to the organization through login credentials established by the platform provider.
  - 9. The system of claim 7 wherein the data comprises metadata of the multi-tenant database application installed for use by the organization.
  - 10. The system of claim 9, wherein instructions, when executed, further cause one or more processors to:
    - define administrative privileges of the ISV support representative within the platform;
      
      generate a SAML assertion upon an http request to the organization by the support user initiating a web access to the organization; and
      
      associate the administrative privileges of the ISV support representative with the http request for use during the web access to the organization.

11. A computer program product comprising machine-readable program code stored on a non-transitory computer-readable medium to be executed by one or more processors, the program code including instructions to:
- define administrative privileges for a support user within a management organization that maintains the data for the organization stored in the multi-tenant system on the server computer, wherein the support user is authorized to access the data of the organization according to the defined administrative privileges;
  
  define a support user class of users in an interface to the organization that includes representatives of an independent software vendor (ISV) that provided a multi-tenant database application maintained by a platform provider, wherein a member of the support user class is granted limited privileges with respect to the data;
  
  generate a Security Assertion Markup Language (SAML) assertion upon request of an ISV support representative to enable access to the data to the extent of the granted limited privileges, the SAML assertion establishing the identity of the ISV support representative and the platform provider serves as an identity provider under a SAML protocol to authorize the ISV support representative to perform maintenance functions for the application;
  
  initiate a network session to the organization upon request of the ISV support representative, wherein the network session associates the administrative privileges to the support user class to enable access to the data to the extent of the administrative privileges;
  
  grant access to the multi-tenant database application to the ISV support representative as an organization user for a limited term, wherein the ISV support representative is granted use privileges of the application; and
  
  allow the ISV support representative to use the multi-tenant database application as an organization user for the limited term.
- View Dependent Claims (12, 13, 14)
- - 12. The computer program product of claim 11 wherein the data comprises one of:
    - metadata related to system resource usage by the organization, and metadata of the multi-tenant database application installed for use by the organization.
  - 13. The computer program product of claim 12, wherein the multi-tenant database application is a hosted application comprising part of a package of one or more programs accessible to the organization through login credentials established by the platform provider.
  - 14. The method of claim 13 wherein the ISV support representative is granted privileges allowing the support representative to view and modify the metadata in relation to performing debugging functions on the multi-tenant database application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Peddada, Prasad
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US13/220,486
Publication Number

US 20120096521A1
Time in Patent Office

1,254 Days
Field of Search

726/4, 726/5, 726/6, 726/1.3, 726/7, 726/28, 709/225, 709/223, 709/229, 705/51, 713/168, 713/169, 713/170
US Class Current

726/4
CPC Class Codes

G06F 21/629   to features or functions of...

H04L 41/28   Restricting access to netwo...

H04L 63/105   Multiple levels of security

Methods and systems for provisioning access to customer organization data in a multi-tenant system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for provisioning access to customer organization data in a multi-tenant system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links