Data driven role based security
Abstract
Data driven role based security is provided. At login, the system queries for a data context in connection with access to computing objects of a computing system. When a request for access to computing objects is received by the computing system, one or more control expressions specified for the computing object being accessed are evaluated. The evaluation of the control expressions may reference the user context or the data context previously established, and returns a set of effective permissions. Access to the computing object is then granted if the set of permissions includes an appropriate permission for the request for access.
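The flow the abstract describes, as an added Python example that is not part of the patent text: a data context is loaded at login, a role is derived per object from that data, and the control expression for that role is evaluated against the object's current state. The `Report` object, the `ORG` data, and the role and permission names are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data; every name in this block is hypothetical.
ORG = {
    "alice": {"manages": {"bob"}, "dept": "finance"},
    "bob": {"manages": set(), "dept": "finance"},
    "carol": {"manages": set(), "dept": "sales"},
}

@dataclass(frozen=True)
class Report:  # stands in for the "computing object"
    owner: str
    dept: str
    status: str  # "draft" or "submitted"

def login(user):
    """Build the user context and query the data context once, at login."""
    rec = ORG.get(user)
    data_context = {"user": user, **rec} if rec else None
    return {"user_context": {"user": user}, "data_context": data_context}

def derive_role(data_context, obj):
    """The role is computed from data relative to this object, not assigned statically."""
    if data_context is None:
        return None
    if obj.owner == data_context["user"]:
        return "owner"
    if obj.owner in data_context["manages"]:
        return "manager"
    if obj.dept == data_context["dept"]:
        return "colleague"
    return None

# One control expression per derived role; each sees the current object and the data context.
CONTROL_EXPRESSIONS = {
    "owner": lambda obj, ctx: {"read"} | ({"write"} if obj.status == "draft" else set()),
    "manager": lambda obj, ctx: {"read"} | ({"approve"} if obj.status == "submitted" else set()),
    "colleague": lambda obj, ctx: {"read"} if obj.status == "submitted" else set(),
}

def effective_permissions(session, obj):
    role = derive_role(session["data_context"], obj)
    expr = CONTROL_EXPRESSIONS.get(role)
    return expr(obj, session["data_context"]) if expr else set()  # no role: deny by default

def is_allowed(session, obj, action):
    return action in effective_permissions(session, obj)
```

Because the data context here is captured at login, a change to the underlying data (for example a change of manager) affects decisions only after the session's context is refreshed.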
20 Claims
1. A method for use at a computer system, the computer system including a processor and system memory, the method for controlling access to a computing object, the method comprising the processor:
obtaining a user context for a user identity during user input activity entered into the computer system through a running application;
defining a derived role for the user identity relative to the computing object, the derived role defined from data context for accessing the computing object by the computer system on behalf of the user identity, the data context accessed based on the user context;
accessing a control expression governing access to the computing object for the derived role;
forming a set of permissions for the user identity in system memory by evaluating the control expression in the system memory based on the current version of the computing object and the data context; and
determining the user identity's access to the computing object in accordance with the set of permissions.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer program product for use at a computer system, the computer program product for implementing a method for controlling runtime access to a computing object, the computer program product comprising one or more computer storage devices having stored thereon computer-executable instructions that, when executed at a processor, cause the computer system to perform the method, including the following:
detect a user context for a user identity during user input activity entered into the computer system through a running application;
retrieve a data context based on the detected user context, the data context for accessing the computing object by the computer system on behalf of the user identity;
define a derived role for the user identity relative to the computing object, the derived role defined from data context;
access a control expression governing access to the computing object for the derived role;
form a set of permissions for the user identity in system memory by evaluating the control expression in the system memory based on the current version of the computing object and the data context; and
determine the user identity's access to the computing object in accordance with the set of permissions.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A computer system, the computer system comprising:
one or more processors;
system memory coupled to one or more processors, the system memory storing instructions that are executable by the processor; and
the one or more processors configured to execute the instructions stored in the system memory to control access to a computing object, including the following:
detect a user context for a user identity during user input activity entered into the computer system through a running application;
define a derived role for a user identity relative to the computing object in system memory, the derived role defined from data context, the data context accessed based on the detected user context;
access a control expression governing access to the computing object for the derived role;
form a set of permissions for the user identity in system memory by evaluating the control expression in the system memory based on the current version of the computing object and the data context; and
determine the user identity's access to the computing object in accordance with the set of permissions.
Dependent claims: 16, 17, 18, 19, 20