Relationship-based authorization
Abstract
Methods and apparatus, including computer program products, related to relationship-based authorization. In general, data characterizing a request for authorization to a computer-based resource is received, and the authorization may be provided based on one or more relationships of a requesting principal. A determination may be made as to whether a requesting principal is authorized, which may include determining whether the requesting user has a relationship with a principal that has management rights of the computer-based resource and determining whether the relationship allows for an access, such as a use of the computer-based resource, if the requesting principal has a relationship with the other principal. If there is no such relationship, a determination may be made as to whether an organization of the requesting principal has a relationship with the other principal that allows for the access.
26 Claims
1. A non-transitory computer program product, tangibly embodied in a computer-readable media, the computer program product comprising instructions configured to cause at least one data processor forming part of at least one computing system to perform operations comprising:

receiving data characterizing a request for authorization to access a computer-based resource by a principal;

determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising:

determining whether the requesting principal has an explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource, wherein the explicit relationship includes at least one of a user to user relationship, a user to organization relationship, and an organization to organization relationship; and

determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;

otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; and

providing authorization for the requesting principal to the computer-based resource.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 21, 24.
12. A computer-implemented method comprising:

receiving data characterizing a request for authorization to access a computer-based resource by a principal;

determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising:

determining whether the requesting principal has an explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource, wherein the explicit relationship includes at least one of a user to user relationship, a user to organization relationship, and an organization to organization relationship; and

determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;

otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; and

providing authorization for the requesting principal to the computer-based resource.

Dependent claims: 13, 14, 15, 16, 22, 25.
17. A non-transitory computer program product, tangibly embodied in a computer-readable media, the computer program product comprising instructions configured to cause at least one data processor forming part of at least one computing system to perform operations comprising:

receiving data characterizing a request for access to a computer-based resource by a first principal;

determining whether the first principal is authorized for the access to the computer-based resource, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising:

determining whether the first principal has a first relationship at the time of the request with a second principal that has management rights of access to the computer-based resource, the determining whether the first principal has the first relationship with the second principal based on a query of one or more data structures comprising user to user relationships between principals being users; and

determining whether the first relationship allows for the access to the computer-based resource based on properties of the first relationship if the first principal has the first relationship;

otherwise, determining whether an organization of the first principal has a second relationship, with the second principal, that allows for the access, the determining whether the organization has the second relationship based on user to organization relationships and organization to user relationships of the data structures; and

providing authorization for the requesting principal to the computer-based resource.

Dependent claims: 18, 19, 20, 23, 26.
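The decision procedure the independent claims describe, written out as an added example (not code from the patent or its assignee): a relationship repository held apart from the resource, an explicit-relationship check that is evaluated against the request's context (requested action and request time), and the organization fallback that is reached only when no direct relationship exists. The principals, organizations, actions and validity dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Relationship:
    subject: str            # requesting side: a user id or an organization id
    target: str             # principal holding management rights (a user or an org)
    allows: frozenset       # actions this relationship permits
    valid_from: datetime    # validity window makes "at the time of the request" checkable
    valid_until: datetime = datetime.max.replace(tzinfo=timezone.utc)

    def active_at(self, t: datetime) -> bool:
        return self.valid_from <= t < self.valid_until

class RelationshipRepository:  # kept apart from the resource; the resource never points into it
    def __init__(self) -> None:
        self.relationships: list = []
        self.org_of: dict = {}   # user id -> organization id

    def find(self, subject: str, target: str, t: datetime) -> list:
        return [r for r in self.relationships
                if r.subject == subject and r.target == target and r.active_at(t)]

def authorize(repo: RelationshipRepository, managers: set,
              requester: str, action: str, t: datetime) -> bool:
    """managers: the principals that hold management rights over the requested resource."""
    # Step 1: explicit relationship (user-to-user / user-to-org) with a managing principal,
    # active at request time. It decides alone; the organization branch is only a fallback.
    direct = [r for m in managers for r in repo.find(requester, m, t)]
    if direct:
        return any(action in r.allows for r in direct)
    # Step 2: does the requester's organization have an allowing relationship?
    org = repo.org_of.get(requester, "")   # unknown user: "" matches no edge
    return any(action in r.allows for m in managers for r in repo.find(org, m, t))

def build_sample_repo() -> RelationshipRepository:  # constructed sample, not from the patent
    repo = RelationshipRepository()
    repo.org_of.update({"bob": "globex", "carol": "globex", "eve": "initech"})
    jan, mar = (datetime(2024, m, 1, tzinfo=timezone.utc) for m in (1, 3))
    repo.relationships += [
        Relationship("bob", "alice", frozenset({"read"}), jan),                 # user-to-user
        Relationship("globex", "acme", frozenset({"read", "write"}), jan),      # org-to-org
        Relationship("eve", "alice", frozenset({"read"}), jan, valid_until=mar),  # lapsed
    ]
    return repo

def check(requester: str, action: str, day: str = "2024-06-01") -> bool:
    # Resource "doc-42" (constructed) is managed by user alice and organization acme.
    t = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
    return authorize(build_sample_repo(), {"alice", "acme"}, requester, action, t)
```

Note that bob's direct relationship only grants read, so his write request is refused even though his organization's relationship would allow it: under the claim's wording the organization check is reached only when no direct relationship exists.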