Flexible role based authorization model
Abstract
Systems and methods described herein relate to role-based authorization systems that allow customization of role templates and that, using roles, allow one user to act on behalf of another user.
Claims (20 in total; the independent claims 1, 9 and 17 are reproduced below)

1. A system comprising:
a processing device; and
a non-transitory, processor-readable storage medium, the non-transitory, processor-readable storage medium comprising one or more programming instructions that, when executed, cause the processing device to:
receive a service request comprising a request header specifying a first role and a second role from a set of roles, wherein each role of the set of roles is associated with one or more capabilities;
determine that a first set of capabilities from the one or more capabilities allocated to the first role matches a set of required privileges necessary to perform the service request;
assign the first role to a first user and the second role to a second user, wherein the second user is acting on behalf of the first user;
determine that a second set of capabilities from the one or more capabilities is allocated to the first user, wherein the first user is specified in the request header as acting in the first role, by matching a set of required privileges necessary to perform the service request; and
determine that a third set of capabilities from the one or more capabilities is assigned to the second role and associated with the second user by matching the set of required privileges necessary for the second user to perform the service request on behalf of the first user in the first role.
Dependent claims: 2, 3, 4, 5, 6, 7, 8 (not reproduced on this page).

9. A method comprising:
receiving, by a processing device, a service request comprising a request header specifying a first role and a second role from a set of roles, wherein each role of the set of roles is associated with one or more capabilities;
determining, by the processing device, that a first set of capabilities from the one or more capabilities allocated to the first role matches a set of required privileges necessary to perform the service request;
assigning, by the processing device, the first role to a first user and the second role to a second user, wherein the second user is acting on behalf of the first user;
determining, by the processing device, that a second set of capabilities from the one or more capabilities is allocated to the first user, wherein the first user is specified in the request header as acting in the first role, by matching a set of required privileges necessary to perform the service request; and
determining, by the processing device, that a third set of capabilities from the one or more capabilities is assigned to the second role and associated with the second user by matching the set of required privileges necessary for the second user to perform the service request on behalf of the first user in the first role.
Dependent claims: 10, 11, 12, 13, 14, 15, 16 (not reproduced on this page).

17. A method comprising:
receiving, by a processing device, a service request comprising a first request header identifying:
a first user and a first role, wherein a first set of capabilities associated with the first user is a subset of a second set of capabilities associated with the first role, and
a second user and a second role, wherein the second role corresponds to a selected capacity in which the second user is acting;
sending, by the processing device to an external device, an authorization request comprising a second request header identifying:
the first user and the first role, and
the second user and the second role;
receiving, by the processing device, an authorization or a denial to perform one or more aspects of the service request, wherein the service request may only be granted for a specific set of defined capabilities for both the first user and the first role; and
receiving, by the processing device, an authorization or a denial to perform one or more aspects of the service request, wherein the service request may only be granted for a specific set of defined capabilities for a combination of the first user, the second user, the first role and the second role, wherein the second user is acting on behalf of the first user in the first role.
Dependent claims: 18, 19, 20 (not reproduced on this page).
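The three checks recited in claims 1, 9 and 17 (role covers the required privileges; the first user, in that role, covers them; the second user, in the second role, covers what is needed to act on behalf of the first) as a worked example in Python. This is an added illustration, not code from the patent or its assignee. The role names, the capability strings (including the `act_as:<role>` capability used here to express that a role may act on behalf of a user in another role), the `ROLE_TEMPLATES`, `ASSIGNMENTS` and `REQUIRED` tables and the header field names are all assumptions. The block is the decision logic that the external authorization device of claim 17 would run on the second request header; the request transport itself is not shown. Because the user and role names in the header are supplied by the caller, every capability set is taken from the server-side assignment store and the header is only used to look them up.

```python
"""Role-template authorization with on-behalf-of requests.

Added example, not code from the patent or its assignee. All names,
capability strings and data layouts below are assumptions chosen to
illustrate the checks in claims 1, 9 and 17.
"""
from dataclasses import dataclass

# Role templates: every role in the set of roles carries a set of capabilities.
# "act_as:<role>" is an assumed capability meaning "may act on behalf of a user
# who is acting in <role>".
ROLE_TEMPLATES = {
    "account_owner": frozenset({"account:read", "account:transfer", "account:close"}),
    "support_agent": frozenset({"account:read", "account:transfer", "act_as:account_owner"}),
    "auditor": frozenset({"account:read"}),
}


def customize_role(template, add=(), remove=()):
    """Derive a customized role from a template by adding or removing capabilities."""
    return (ROLE_TEMPLATES[template] | frozenset(add)) - frozenset(remove)


# A customized template: owners of a restricted account cannot close it.
ROLE_TEMPLATES["restricted_owner"] = customize_role("account_owner", remove={"account:close"})

# Server-side assignments (constructed sample data): user -> role -> capabilities
# granted to that user in that role. A user's set is a subset of the role's set
# (claim 17); alice holds account_owner without account:close.
ASSIGNMENTS = {
    "alice": {"account_owner": frozenset({"account:read", "account:transfer"})},
    "bob": {"support_agent": ROLE_TEMPLATES["support_agent"]},
    "carol": {"auditor": ROLE_TEMPLATES["auditor"]},
    "dave": {"restricted_owner": ROLE_TEMPLATES["restricted_owner"]},
}

# Required privileges per service request (assumed services).
REQUIRED = {
    "transfer_funds": frozenset({"account:read", "account:transfer"}),
    "close_account": frozenset({"account:read", "account:close"}),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def capabilities_of(user, role):
    """Capabilities the user actually holds in the role, read from the server-side
    store; None if the role is not assigned to the user. Intersecting with the
    role template re-enforces the subset invariant at decision time."""
    granted = ASSIGNMENTS.get(user, {}).get(role)
    if granted is None:
        return None
    return granted & ROLE_TEMPLATES.get(role, frozenset())


def authorize(header, service):
    """Evaluate a service request whose header names the first user and role and,
    optionally, a second user and role acting on behalf of the first."""
    required = REQUIRED[service]
    user, role = header.get("user"), header.get("role")
    role_caps = ROLE_TEMPLATES.get(role, frozenset())

    # Check 1: the first role itself carries the required privileges.
    if not required <= role_caps:
        return Decision(False, f"role {role!r} lacks {sorted(required - role_caps)}")

    # Check 2: the first user is really assigned that role (the header is not
    # trusted for this) and the capabilities granted to the user cover the request.
    user_caps = capabilities_of(user, role)
    if user_caps is None:
        return Decision(False, f"{user!r} is not assigned role {role!r}")
    if not required <= user_caps:
        return Decision(False, f"{user!r} as {role!r} lacks {sorted(required - user_caps)}")

    actor, actor_role = header.get("actor"), header.get("actor_role")
    if actor is None:
        return Decision(True, f"{user!r} acting as {role!r}")

    # Check 3: the second user, in the second role, holds the privileges needed to
    # perform this request on behalf of a user acting in the first role.
    actor_caps = capabilities_of(actor, actor_role)
    if actor_caps is None:
        return Decision(False, f"{actor!r} is not assigned role {actor_role!r}")
    needed = required | {f"act_as:{role}"}
    if not needed <= actor_caps:
        return Decision(False, f"{actor!r} as {actor_role!r} lacks {sorted(needed - actor_caps)}")
    return Decision(True, f"{actor!r} as {actor_role!r} on behalf of {user!r} as {role!r}")


if __name__ == "__main__":
    # Constructed sample headers, including one that claims a role bob does not hold.
    for hdr, svc in [
        ({"user": "alice", "role": "account_owner"}, "transfer_funds"),
        ({"user": "alice", "role": "account_owner"}, "close_account"),
        ({"user": "alice", "role": "account_owner", "actor": "bob", "actor_role": "support_agent"}, "transfer_funds"),
        ({"user": "alice", "role": "account_owner", "actor": "carol", "actor_role": "auditor"}, "transfer_funds"),
        ({"user": "bob", "role": "account_owner"}, "transfer_funds"),
        ({"user": "dave", "role": "restricted_owner"}, "close_account"),
    ]:
        print(svc, hdr, authorize(hdr, svc))
```

The delegated path can never exceed what the first user could do alone: check 2 runs before check 3, so a support agent acting on behalf of alice is denied `close_account` because alice herself lacks `account:close`, and an auditor is denied `transfer_funds` on anyone's behalf because the auditor role carries neither the transfer capability nor `act_as:account_owner`.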
Specification