On-demand authorization management
First Claim
1. A non-transitory computer-readable storage medium containing instructions to configure at least one processor to cause operations comprising:
- receiving a request to authorize at least one user to at least one module of a system;
- determining at least one of a role or a work center of the at least one user;
- mapping, based on the determining, the received request in a first format to a semantic tag in a common format, wherein the common format indicates the at least one of the role or the work center;
- processing, based on the semantic tag in the common format, the request to authorize the at least one user to determine whether to grant the at least one user access to the at least one module; and
- detecting, based on at least one segregation of duty rule, whether the request by the at least one user poses a segregation of duty violation, wherein the at least one segregation of duty rule represents a rule to segregate an action indicated by the received request from the determined at least one of the role or the work center of the at least one user; and
- authorizing, when the processing grants the access and the segregation of duty violation is not detected, the at least one user access to the at least one module;
- sending a first message indicating the authorizing, when the processing grants the access and the segregation of duty violation is not detected;
- sending a second message indicating access is not granted, when at least one of the processing does not grant the access or the segregation of duty violation is detected.
Abstract
Methods and apparatus, including computer program products, are provided for authorization management. In one aspect, there is provided a computer-implemented method. The method may include receiving a request to authorize at least one user to at least one module of a system; mapping the received request to a semantic tag; processing, based on the semantic tag, the request to authorize the at least one user to determine whether to grant the at least one user access to the at least one module; and sending a response to the request to authorize the at least one user, wherein the response is in accordance with the result of the processing. Related apparatus, systems, methods, and articles are also described.
9 Claims
1. A non-transitory computer-readable storage medium containing instructions to configure at least one processor to cause operations comprising: (text identical to the First Claim reproduced above; dependent claims 2 and 3 are not reproduced on this page.)
4. A method comprising:
- receiving a request to authorize at least one user to at least one module of a system;
- determining at least one of a role or a work center of the at least one user;
- mapping, based on the determining, the received request in a first format to a semantic tag in a common format, wherein the common format indicates the at least one of the role or the work center;
- processing, based on the semantic tag in the common format, the request to authorize the at least one user to determine whether to grant the at least one user access to the at least one module; and
- detecting, based on at least one segregation of duty rule, whether the request by the at least one user poses a segregation of duty violation, wherein the at least one segregation of duty rule represents a rule to segregate an action indicated by the received request from the determined at least one of the role or the work center of the at least one user; and
- authorizing, when the processing grants the access and the segregation of duty violation is not detected, the at least one user access to the at least one module;
- sending a first message indicating the authorizing, when the processing grants the access and the segregation of duty violation is not detected;
- sending a second message indicating access is not granted, when at least one of the processing does not grant the access or the segregation of duty violation is detected.
(Dependent claims 5 and 6 are not reproduced on this page.)

7. A system comprising:
- at least one processor; and
- at least one memory including code which when executed by the at least one processor causes operations comprising:
  - receiving a request to authorize at least one user to at least one module of a system;
  - determining at least one of a role or a work center of the at least one user;
  - mapping, based on the determining, the received request in a first format to a semantic tag in a common format, wherein the common format indicates the at least one of the role or the work center;
  - processing, based on the semantic tag in the common format, the request to authorize the at least one user to determine whether to grant the at least one user access to the at least one module; and
  - detecting, based on at least one segregation of duty rule, whether the request by the at least one user poses a segregation of duty violation, wherein the at least one segregation of duty rule represents a rule to segregate an action indicated by the received request from the determined at least one of the role or the work center of the at least one user; and
  - authorizing, when the processing grants the access and the segregation of duty violation is not detected, the at least one user access to the at least one module;
  - sending a first message indicating the authorizing, when the processing grants the access and the segregation of duty violation is not detected;
  - sending a second message indicating access is not granted, when at least one of the processing does not grant the access or the segregation of duty violation is detected.
(Dependent claims 8 and 9 are not reproduced on this page.)
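The decision flow recited in claims 1, 4 and 7 (map a system-specific request to a semantic tag in a common format that carries the user's role or work center, decide access on that tag, then check segregation-of-duty rules before sending the first or second message) as an added worked example in Python. This is not the patent's own code or any vendor's implementation; the source systems, transaction codes, user directory, role permissions and SoD rules below are constructed for illustration. It also shows one check the claim language does not spell out: a request that cannot be mapped to the common format is refused (fail closed) rather than treated as having no rule that applies.

```python
"""Authorization decision with role/work-center mapping and segregation-of-duty
(SoD) rules.  Added example; every name, code and rule here is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed directory: which role and work center each user holds.
USERS = {
    "alice": {"role": "ap_clerk",   "work_center": "accounts_payable"},
    "bob":   {"role": "ap_manager", "work_center": "accounts_payable"},
    "carol": {"role": "buyer",      "work_center": "procurement"},
}

# Step 1: requests arrive in each source system's own vocabulary ("first
# format"); this table maps them to canonical action names ("common format").
# Policy and SoD rules are written only against the canonical names.
REQUEST_MAP = {
    ("erp", "FB60"):           "finance.invoice.post",
    ("erp", "F110"):           "finance.payment.release",
    ("erp", "XK01"):           "master.vendor.create",
    ("procure", "po_approve"): "procurement.po.approve",
}

@dataclass(frozen=True)
class SemanticTag:
    action: str        # canonical action name
    module: str        # module the action belongs to (first path segment)
    role: str
    work_center: str

def map_request(request: dict) -> Optional[SemanticTag]:
    """Translate e.g. {"system": "erp", "txn": "FB60", "user": "alice"} into a
    SemanticTag carrying the requester's role and work center.  Returns None
    when either the user or the action is unknown; the caller must deny."""
    user = USERS.get(request.get("user"))
    action = REQUEST_MAP.get((request.get("system"), request.get("txn")))
    if user is None or action is None:
        return None
    return SemanticTag(action=action, module=action.split(".")[0],
                       role=user["role"], work_center=user["work_center"])

# Step 2: access policy keyed by role on the common vocabulary (constructed).
ROLE_PERMISSIONS = {
    "ap_clerk":   {"finance.invoice.post"},
    "ap_manager": {"finance.invoice.post", "finance.payment.release",
                   "procurement.po.approve"},
    "buyer":      {"master.vendor.create", "procurement.po.approve"},
}

# Step 3: SoD rules, each keeping an action apart from a role or work center.
SOD_RULES = {
    # whoever posts invoices (AP work center) must not also create vendors
    ("work_center", "accounts_payable"): {"master.vendor.create"},
    # whoever releases payments must not also approve the purchase order
    ("role", "ap_manager"):              {"procurement.po.approve"},
}

def sod_violation(tag: SemanticTag) -> Optional[str]:
    """Return a description of the violated SoD rule, or None if clean."""
    for kind, name in (("role", tag.role), ("work_center", tag.work_center)):
        if tag.action in SOD_RULES.get((kind, name), set()):
            return f"{tag.action} must be segregated from {kind} {name}"
    return None

@dataclass
class Decision:
    granted: bool
    message: str      # the "first message" (grant) or "second message" (deny)

def authorize(request: dict) -> Decision:
    """Map -> process -> SoD check; grant only when both checks pass."""
    tag = map_request(request)
    if tag is None:
        return Decision(False, "access not granted: request could not be mapped")
    permitted = tag.action in ROLE_PERMISSIONS.get(tag.role, set())
    violation = sod_violation(tag)
    if permitted and violation is None:
        return Decision(True, f"access granted to module {tag.module} "
                              f"for {tag.action}")
    reasons = []
    if not permitted:
        reasons.append(f"role {tag.role} lacks {tag.action}")
    if violation is not None:
        reasons.append(f"SoD violation: {violation}")
    return Decision(False, "access not granted: " + "; ".join(reasons))

if __name__ == "__main__":
    for req in ({"system": "erp", "txn": "F110", "user": "bob"},
                {"system": "procure", "txn": "po_approve", "user": "bob"},
                {"system": "erp", "txn": "XK01", "user": "alice"},
                {"system": "erp", "txn": "ZZZZ", "user": "alice"}):
        print(req["user"], req["txn"], "->", authorize(req).message)
```

The SoD check is evaluated even when the role-based check already fails, so the denial message names every reason; this matters for audit, because an SoD hit on a request the role could not satisfy anyway still indicates a conflicting role assignment worth reviewing. Bob's purchase-order approval is the interesting case: his role permits it, but the rule keyed on his role blocks it, which is exactly the conjunction the claims require before the first message may be sent.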
Specification