Computer implemented methods and apparatus for managing permission sets and validating user assignments

US 9,628,493 B2
Filed: 07/03/2013
Issued: 04/18/2017
Est. Priority Date: 07/03/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at one or more servers, a first request from an authorized administrator associated with a third party application to create a new permission set including one or more permissions for accessing one or more computing resources of a multi-tenant database environment implemented using a database system, the multi-tenant database environment having a plurality of tenant organizations, the new permission set having one or more permissions for accessing resources associated with the third party application, the third party application being one of a plurality of applications being implemented in the multi-tenant database environment;

creating the new permission set;

storing the new permission set in a database of the database system;

receiving, at one or more servers, a second request to assign the new permission set to a first user associated with a first one of the plurality of tenant organizations, the first user being associated with a first user constraint defined by a first one of a plurality of user licenses available to users associated with the first tenant organization, the first user constraint defining a first group of permissions permitted to be assigned to the first user, the first user constraint being applied to other users associated with other tenant organizations of the plurality of tenant organizations;

responsive to receiving the second request, automatically determining that the one or more permissions in the new permission set do not violate the first user constraint by determining that each of the one or more permissions of the new permission set exists in the first group of permissions defined by the first user constraint; and

responsive to determining that the one or more permissions in the new permission set do not violate the first user constraint, automatically assigning the new permission set to the first user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are methods, apparatus, systems, and computer-readable storage media for modifying permission sets and validating permission set assignments to users. In some implementations, a computing device receives a request to create a permission set containing one or more permissions and assign the permission set to a first user. The first user is associated with a first user constraint that defines a first group of permissions available to the first user. The computing device may determine that the permission set to be assigned to the first user does not violate the first user constraint, and may assign the permission set to the first user.

Citations

17 Claims

1. A method comprising:
- receiving, at one or more servers, a first request from an authorized administrator associated with a third party application to create a new permission set including one or more permissions for accessing one or more computing resources of a multi-tenant database environment implemented using a database system, the multi-tenant database environment having a plurality of tenant organizations, the new permission set having one or more permissions for accessing resources associated with the third party application, the third party application being one of a plurality of applications being implemented in the multi-tenant database environment;
  
  creating the new permission set;
  
  storing the new permission set in a database of the database system;
  
  receiving, at one or more servers, a second request to assign the new permission set to a first user associated with a first one of the plurality of tenant organizations, the first user being associated with a first user constraint defined by a first one of a plurality of user licenses available to users associated with the first tenant organization, the first user constraint defining a first group of permissions permitted to be assigned to the first user, the first user constraint being applied to other users associated with other tenant organizations of the plurality of tenant organizations;
  
  responsive to receiving the second request, automatically determining that the one or more permissions in the new permission set do not violate the first user constraint by determining that each of the one or more permissions of the new permission set exists in the first group of permissions defined by the first user constraint; and
  
  responsive to determining that the one or more permissions in the new permission set do not violate the first user constraint, automatically assigning the new permission set to the first user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the new permission set is associated with a permission set constraint, the permission set constraint defining a superset of permission one or more of which are included in the new permission set.
  - 3. The method of claim 2, wherein the permission set constraint defines the superset of permissions as all of the permissions available to the first tenant organization.
  - 4. The method of claim 1, wherein the new permission set is not associated with the first user constraint when the new permission set is created by the one or more servers, and wherein the new permission set is associated with the first user constraint when the new permission set is assigned to the first user.
  - 5. The method of claim 1, wherein the first group of permissions defined by the first user constraint includes one or more permissions associated with one or more of:
    - an online social network, an application, a line of business, a software vendor package, and a logical grouping of metadata having access controls.
  - 6. The method of claim 1, the method further comprising:
    - receiving, at the one or more servers, a third request to modify the new permission set by adding one or more permissions to the new permission set.
  - 7. The method of claim 6, the method further comprising:
    - identifying the first user to whom the new permission set is assigned;
      
      determining whether any of the one or more permissions to be added to the new permission set violate the first user constraint; and
      
      responsive to determining that the one or more permissions to be added violate the first user constraint, transmitting data indicating a first error without modifying the new permission set as requested.
  - 8. The method of claim 7, wherein the one or more servers determine that the one or more permissions to be added violate the first user constraint by:
    - determining that one or more of the one or more permissions to be added is not included in the first group of permissions.
  - 9. The method of claim 7, wherein the transmitted data includes a message that the new permission set was not modified as requested and identifies the one or more permissions to be added as not being included in the first group of permissions.
  - 10. The method of claim 7, wherein the new permission set is assigned to more than one user, the method further comprising:
    - identifying a second user to whom the new permission set is assigned, the second user being associated with a second user constraint defining a second group of permissions permitted to be assigned to the second user;
      
      determining whether any of the one or more permissions to be added to the new permission set violate the second user constraint; and
      
      responsive to determining that the one or more permissions to be added violate the second user constraint, transmitting data indicating a second error without modifying the new permission set as requested.
  - 11. The method of claim 6, the method further comprising:
    - determining that the third request to modify the new permission set does not violate any user constraints; and
      
      modifying the new permission set to include the one or more permissions to be added.
  - 12. The method of claim 11, wherein the one or more servers determine that the third request does not violate any user constraints by:
    - determining that the permission set is not assigned to any users.
  - 13. The method of claim 11, wherein the one or more servers determine that the third request does not violate the user constraint of a user to whom the new permission set is assigned by:
    - identifying one or more users to whom the new permission set is assigned;
      
      identifying one or more user constraints associated with the one or more users;
      
      determining that the one or more permissions to be added are contained in each of the one or more user constraints.

14. One or more computing devices comprising:
- one or more physical processors operable to execute one or more instructions to cause;
  
  creating, responsive to a first request from an authorized administrator associated with a third party application, a new permission set including one or more permissions for accessing one or more computing resources of a multi-tenant database environment implemented using a database system, the multi-tenant database environment having a plurality of tenant organizations, the new permission set having one or more permissions for accessing resources associated with the third party application, the third party application being one of a plurality of applications being implemented in the multi-tenant database environment;
  
  storing the new permission set in a database of the database system;
  
  processing a second request to assign the new permission set to a first user associated with a first one of the plurality of tenant organizations, the first user being associated with a first user constraint defined by a first one of a plurality of user licenses available to users associated with the first tenant organization, the first user constraint defining a first group of permissions permitted to be assigned to the first user, the first user constraint being applied to other users associated with other tenant organizations of the plurality of tenant organizations;
  
  automatically determining, responsive to processing the second request, that the one or more permissions in the new permission set do not violate the first user constraint by determining that each of the one or more permissions of the new permission set exists in the first group of permissions defined by the first user constraint; and
  
  automatically assigning, responsive to determining that the one or more permissions in the new permission set do not violate the first user constraint, the new permission set to the first user.

15. A non-transitory computer-readable storage medium storing instructions executable by a computing device to perform a method comprising:
- receiving, at one or more servers, a first request from an authorized administrator associated with a third party application to create a new permission set including one or more permissions for accessing one or more computing resources of a multi-tenant database environment implemented using a database system, the multi-tenant database environment having a plurality of tenant organizations, the new permission set having one or more permissions for accessing resources associated with the third party application, the third party application being one of a plurality of applications being implemented in the multi-tenant database environment;
  
  creating the new permission set;
  
  storing the new permission set in a database of the database system;
  
  receiving, at one or more servers, a second request to assign the new permission set to a first user associated with a first one of the plurality of tenant organizations, the first user being associated with a first user constraint defined by a first one of a plurality of user licenses available to users associated with the first tenant organization, the first user constraint defining a first group of permissions permitted to be assigned to the first user, the first user constraint being applied to other users associated with other tenant organizations of the plurality of tenant organizations;
  
  responsive to receiving the second request, automatically determining that the one or more permissions in the new permission set do not violate the first user constraint by determining that each of the one or more permissions of the new permission set exists in the first group of permissions defined by the first user constraint; and
  
  responsive to determining that the one or more permissions in the new permission set do not violate the first user constraint, automatically assigning the new permission set to the first user.

16. A method comprising:
- receiving, at one or more servers, a first request from an authorized administrator associated with a third party application to assign a permission set to a first user associated with a first one of a plurality of tenant organizations of a multi-tenant database environment implemented using a database system, the permission set including one or more permissions for accessing one or more computing resources of the multi-tenant database environment, the new permission set having one or more permissions for accessing resources associated with the third party application, the third party application being one of a plurality of applications being implemented in the multi-tenant database environment, the first user being associated with a first user constraint defined by a first one of a plurality of user licenses available to users associated with the first tenant organization, the first user constraint defining a first group of permissions permitted to be assigned to the first user, the first user constraint being applied to other users associated with other tenant organizations of the plurality of tenant organizations;
  
  responsive to receiving the first request, automatically determining that the one or more permissions in the permission set do not violate the first user constraint by determining that each of the one or more permissions of the new permission set exists in the first group of permissions defined by the first user constraint; and
  
  responsive to determining that the one or more permissions in the permission set do not violate the first user constraint, automatically assigning the permission set to the first user.
- View Dependent Claims (17)
- - 17. The method of claim 16, the method further comprising:
    - receiving, at the one or more servers, a second request to modify the permission set by adding one or more permissions to the permission set;
      
      identifying the first user to whom the permission set is assigned;
      
      determining whether any of the one or more permissions to be added to the permission set violate the first user constraint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Warshavsky, Alex, Bitting, Doug, Torman, Adam, Damania, Bhumi, Franger, Carol, Kwong, Herman, Pesenson, Igor, Hua, Jimmy
Primary Examiner(s)
Abyaneh, Ali
Assistant Examiner(s)
WADE, SHAQUEAL D

Application Number

US13/935,074
Publication Number

US 20140013400A1
Time in Patent Office

1,385 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

Computer implemented methods and apparatus for managing permission sets and validating user assignments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Computer implemented methods and apparatus for managing permission sets and validating user assignments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links