Provisioning access to customer organization data in a multi-tenant system

US 9,596,246 B2
Filed: 01/20/2015
Issued: 03/14/2017
Est. Priority Date: 10/13/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for controlling access to data for an organization stored in an on-demand database system hosted on a server computer, the method comprising:

enabling access to the data of the organization for a support representative associated with a management organization that maintains the data for the organization stored in an on-demand database system by the server computer generating a Security Assertion Markup Language (SAML) assertion upon a data access request by the support representative, the-SAML assertion establishing an identity of the support representative as a member of a support user class that is granted defined administrative privileges with respect to the data;

initiating a network session to the organization upon the data access request of the support representative, wherein the network session associates the administrative privileges to the support user representative to enable access to the data to the extent of the administrative privileges; and

granting access to an on-demand database application associated with the data to the support representative as an organization user for a limited term, the support representative being different from the organization user, wherein the support representative is granted use privileges of the on-demand database application for a limited term.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are described for providing support representative access to applications deployed in an enterprise network environment. An access provisioning system defines a support user class in a user profile database for an application executed on an organization partition within the network. The support user is granted read only privileges to metadata of the application. An organization administrator can grant support personnel access to the application as a support user, thus the ability to view, analyze, and possibly modify the metadata. The access provisioning system generates a Security Assertion Markup Language (SAML) assertion upon request by the support personnel to enable access to the data to the extent of the granted privileges. The SAML protocol includes authentication of the support representative as an authorized support user within the system.

258 Citations

27 Claims

1. A computer-implemented method for controlling access to data for an organization stored in an on-demand database system hosted on a server computer, the method comprising:
- enabling access to the data of the organization for a support representative associated with a management organization that maintains the data for the organization stored in an on-demand database system by the server computer generating a Security Assertion Markup Language (SAML) assertion upon a data access request by the support representative, the-SAML assertion establishing an identity of the support representative as a member of a support user class that is granted defined administrative privileges with respect to the data;
  
  initiating a network session to the organization upon the data access request of the support representative, wherein the network session associates the administrative privileges to the support user representative to enable access to the data to the extent of the administrative privileges; and
  
  granting access to an on-demand database application associated with the data to the support representative as an organization user for a limited term, the support representative being different from the organization user, wherein the support representative is granted use privileges of the on-demand database application for a limited term.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the data comprises at least one of:
    - metadata related to usage parameters of the organization to resources of the system, and metadata of an application installed for use by the organization.
  - 3. The method of claim 2 wherein the network session comprises a web-based http (hypertext transport protocol) session, the method further comprising:
    - generating a Security Assertion Markup Language (SAML) assertion upon an Internet Protocol request to the organization by the support user initiating a web access to the organization; and
      
      associating the administrative privileges of the support user with the http session for use during access to the organization.
  - 4. The method of claim 3 wherein the server computer supports a on-demand database application maintained by a platform provider, and wherein the application is a hosted application comprising part of a package of one or more programs accessible to the organization through login credentials established by the platform provider.
  - 5. The method of claim 4 wherein the application is provided by an independent software vendor (ISV) that provides the application hosted on the server computer for use by the organization.
  - 6. The method of claim 5 wherein the authorized user comprises an ISV support representative performing maintenance functions for the hosted application, and wherein the ISV support representative is granted privileges allowing the support representative to view and modify the metadata in relation to performing debugging functions on the application.
  - 7. The method of claim 6 comprising:
    - granting access to the application to the ISV as an organization user for a limited term, wherein the organization user is granted use privileges of the application; and
      
      allowing the authorized user to access organization metadata and use the application as the organization user for the limited term if the administrator has granted access to the third party as both a support user and as the organization user.
  - 8. The method of claim 6 wherein the SAML assertion establishes the identity of the ISV support representative and the platform provider serves as an identity provider under a SAML protocol to authorize the ISV support representative as a support user.
  - 9. The method of claim 8 further comprising:
    - providing a user interface allowing the ISV support representative to select a customer organization to access as a support user; and
      
      generating the SAML assertion upon selection of a uniform resource locator on the user interface by the ISV support representative.

10. A system for controlling access to application program data in a computer network, comprising:
- one or more processors; and
  
  a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to;
  
  enable access to the data of the organization for a support representative associated with a management organization that maintains the data for the organization stored in an on-demand database system by the one or more processors generating a Security Assertion Markup Language (SAML) assertion upon a data access request by the support representative, the-SAML assertion establishing an identity of the support representative as a member of a support user class that is granted defined administrative privileges with respect to the data;
  
  initiate a network session to the organization upon the data access request of the support representative, wherein the network session associates the administrative privileges to the support user representative to enable access to the data to the extent of the administrative privileges; and
  
  grant access to a on-demand database application associated with the data to the support representative as an organization user for a limited term, the support representative being different from the organization user, wherein the support representative is granted use privileges of the on-demand database application for a limited term.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10 wherein the data comprises at least one of:
    - metadata related to usage parameters of the organization to resources of the system, and metadata of an application installed for use by the organization.
  - 12. The system of claim 11 wherein the network session comprises a web-based http (hypertext transport protocol) session, the method further comprising:
    - generating a Security Assertion Markup Language (SAML) assertion upon an Internet Protocol request to the organization by the support user initiating a web access to the organization; and
      
      associating the administrative privileges of the support user with the http session for use during access to the organization.
  - 13. The system of claim 12 wherein the server computer supports a on-demand database application maintained by a platform provider, and wherein the application is a hosted application comprising part of a package of one or more programs accessible to the organization through login credentials established by the platform provider.
  - 14. The system of claim 13 wherein the application is provided by an independent software vendor (ISV) that provides the application hosted on the server computer for use by the organization.
  - 15. The system of claim 14 wherein the authorized user comprises an ISV support representative performing maintenance functions for the hosted application, and wherein the ISV support representative is granted privileges allowing the support representative to view and modify the metadata in relation to performing debugging functions on the application.
  - 16. The system of claim 15 comprising:
    - granting access to the application to the ISV as an organization user for a limited term, wherein the organization user is granted use privileges of the application; and
      
      allowing the authorized user to access organization metadata and use the application as the organization user for the limited term if the administrator has granted access to the third party as both a support user and as the organization user.
  - 17. The system of claim 16 wherein the SAML assertion establishes the identity of the ISV support representative and the platform provider serves as an identity provider under a SAML protocol to authorize the ISV support representative as a support user.
  - 18. The system of claim 17 further comprising:
    - providing a user interface allowing the ISV support representative to select a customer organization to access as a support user; and
      
      generating the SAML assertion upon selection of a uniform resource locator on the user interface by the ISV support representative.

19. A computer program product comprising machine-readable program code stored on a non-transitory computer-readable medium to be executed by one or more processors, the program code including instructions to:
- enable access to the data of the organization for a support representative associated with a management organization that maintains the data for the organization stored in an on-demand database system by the one or more processors generating a Security Assertion Markup Language (SAML) assertion upon a data access request by the support representative, the-SAML assertion establishing an identity of the support representative as a member of a support user class that is granted defined administrative privileges with respect to the data;
  
  initiate a network session to the organization upon the data access request of the support representative, wherein the network session associates the administrative privileges to the support user representative to enable access to the data to the extent of the administrative privileges; and
  
  grant access to the on-demand database application associated with the data to the support representative as an organization user for a limited term, the support representative being different from the organization user, wherein the support representative is granted use privileges of the on-demand database application for a limited term.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer program product of claim 19 wherein the data comprises at least one of:
    - metadata related to usage parameters of the organization to resources of the system, and metadata of an application installed for use by the organization.
  - 21. The computer program product of claim 20 wherein the network session comprises a web-based http (hypertext transport protocol) session, the method further comprising:
    - generating a Security Assertion Markup Language (SAML) assertion upon an Internet Protocol request to the organization by the support user initiating a web access to the organization; and
      
      associating the administrative privileges of the support user with the http session for use during access to the organization.
  - 22. The computer program product of claim 21 wherein the server computer supports a multi-tenant database application maintained by a platform provider, and wherein the application is a hosted application comprising part of a package of one or more programs accessible to the organization through login credentials established by the platform provider.
  - 23. The computer program product of claim 22 wherein the application is provided by an independent software vendor (ISV) that provides the application hosted on the server computer for use by the organization.
  - 24. The computer program product of claim 23 wherein the authorized user comprises an ISV support representative performing maintenance functions for the hosted application, and wherein the ISV support representative is granted privileges allowing the support representative to view and modify the metadata in relation to performing debugging functions on the application.
  - 25. The computer program product of claim 24 comprising:
    - granting access to the application to the ISV as an organization user for a limited term, wherein the organization user is granted use privileges of the application; and
      
      allowing the authorized user to access organization metadata and use the application as the organization user for the limited term if the administrator has granted access to the third party as both a support user and as the organization user.
  - 26. The computer program product of claim 25 wherein the SAML assertion establishes the identity of the ISV support representative and the platform provider serves as an identity provider under a SAML protocol to authorize the ISV support representative as a support user.
  - 27. The computer program product of claim 26 further comprising:
    - providing a user interface allowing the ISV support representative to select a customer organization to access as a support user; and
      
      generating the SAML assertion upon selection of a uniform resource locator on the user interface by the ISV support representative.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Peddada, Prasad
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US14/600,525
Publication Number

US 20150135281A1
Time in Patent Office

784 Days
Field of Search

726/4, 726/28, 726/1, 726/5, 726/6, 713/176, 713/156, 713/158, 713/172, 713/175
US Class Current

1/1
CPC Class Codes

G06F 21/629   to features or functions of...

H04L 41/28   Restricting access to netwo...

H04L 63/105   Multiple levels of security

Provisioning access to customer organization data in a multi-tenant system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

258 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Provisioning access to customer organization data in a multi-tenant system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

258 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links