Managing access control information
First Claim
1. A computer-implemented method for generating access control information, the method comprising:
- receiving an access control rule that identifies a characteristic, the characteristic identifying an attribute from which attribute values of at least one user data entry and at least one object data entry are to be accessed and compared to generate access control information;
- programmatically identifying at least one user data entry in user information that includes the attribute identified by the identified characteristic;
- programmatically accessing, from the at least one user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the at least one user data entry;
- programmatically identifying at least one object data entry in data object information that includes the attribute identified by the identified characteristic;
- programmatically accessing, from the at least one object data entry, a second attribute value for the attribute identified by the identified characteristic and included in the at least one object data entry;
- programmatically comparing the first attribute value with the second attribute value;
- based on comparison results, programmatically determining whether the first attribute value corresponds to the second attribute value;
- conditioned on determining that the first attribute value corresponds to the second attribute value, generating access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information; and
- storing the generated access control information in electronic storage.
3 Assignments
0 Petitions
Abstract
Techniques are described for automating the generation of access control information that identifies users that are permitted to access particular business objects used by a computer application. The generation of access control information is based on a characteristic that is shared by the user and the business object to be accessed. The characteristic may be an attribute. The characteristic also may be the identification of a process to determine a characteristic of a user and/or a characteristic of a business object.
217 Citations
26 Claims
1. A computer-implemented method for generating access control information (independent claim 1, set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 23, 24, 25, 26.
10. A computer system for managing access control information for software operating on the computer system, the system comprising:
- a data repository for access control information for software, the data repository including user information identifying a user characteristic for at least one entry in the user information, data object information identifying a data object characteristic for at least one entry in the data object information, and access control rule information identifying a shared characteristic for at least one entry in the access control rule information; and
- an executable software module that, when executed by a processor, is configured to:
- programmatically identify at least one user data entry in user information that includes an attribute identified by the user characteristic;
- programmatically access, from the at least one user data entry, a first attribute value for the attribute identified by the user characteristic and included in the at least one user data entry;
- programmatically identify at least one object data entry in data object information that includes an attribute identified by the data object characteristic;
- programmatically access, from the at least one object data entry, a second attribute value for the attribute identified by the data object characteristic and included in the at least one object data entry;
- programmatically compare the first attribute value, the second attribute value, and an attribute value identified by the shared characteristic;
- based on comparison results, programmatically determine whether the first attribute value corresponds to the second attribute value;
- generate access control information for use in determining whether a user that is associated with the at least one user data entry in the user information is permitted to access the at least one object data entry in the data object information, where generation of access control information comprises: generating access control information that allows the user associated with the at least one user entry in the user information to access the at least one object data entry conditioned on determining that the first attribute value corresponds to the second attribute value, and generating access control information that prevents the user associated with the at least one user entry in the user information from accessing the at least one object data entry conditioned on determining that the first attribute value does not correspond to the second attribute value; and
- store the generated access control information in electronic storage.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A computer-readable medium having embodied thereon a computer program configured to generate access control information, the medium comprising one or more code segments configured to:
- receive an access control rule that identifies a characteristic, the characteristic identifying an attribute from which attribute values of at least one user data entry and at least one object data entry are to be accessed and compared to generate access control information;
- programmatically identify at least one user data entry in user information that includes the attribute identified by the identified characteristic;
- programmatically access, from the at least one user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the at least one user data entry;
- programmatically identify at least one object data entry in data object information that includes the attribute identified by the identified characteristic;
- programmatically access, from the at least one object data entry, a second attribute value for the attribute identified by the identified characteristic and included in the at least one object data entry;
- programmatically compare the first attribute value with the second attribute value;
- based on comparison results, programmatically determine whether the first attribute value corresponds to the second attribute value;
- conditioned on determining that the first attribute value corresponds to the second attribute value, generate access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information; and
- store the generated access control information in electronic storage.
Dependent claims: 19, 20, 21, 22.
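As an added illustration that is not the patent's own code: a Python model of the claimed generation step, driven by a rule in the shape of claim 10 (a user attribute, an object attribute and an optional shared value) over constructed user and object entries, emitting a permit entry on correspondence and a deny entry otherwise. The handling of multi-valued attributes and the fail-closed enforcement check are assumptions added here, not taken from the page.

```python
from dataclasses import dataclass
from typing import Any, Dict, Hashable, Optional, Tuple
# Added illustration of the claimed method, not the patent's code; names and sample data are constructed.

@dataclass(frozen=True)
class AccessControlRule:
    """Claim 10's rule: attribute read from user entries, attribute read from object
    entries, and an optional shared value that both values must also carry."""
    user_attribute: str
    object_attribute: str
    shared_value: Optional[Hashable] = None

def _as_set(value: Any) -> frozenset:
    # Assumption: a value is a scalar or a collection of scalars; two values
    # "correspond" when they have at least one element in common.
    if isinstance(value, (list, tuple, set, frozenset)):
        return frozenset(value)
    return frozenset([value])

def generate_access_control(users, objects, rule) -> Dict[Tuple[str, str], str]:
    """Return {(user_id, object_id): "permit" | "deny"} for every pair of entries that
    both include the rule's attribute; an entry lacking it is never identified by the
    rule, so no access control entry is generated for it at all."""
    objects = list(objects)
    acl: Dict[Tuple[str, str], str] = {}
    for user in users:
        if rule.user_attribute not in user:
            continue
        first = _as_set(user[rule.user_attribute])
        for obj in objects:
            if rule.object_attribute not in obj:
                continue
            common = first & _as_set(obj[rule.object_attribute])
            if rule.shared_value is not None:  # claim 10 also compares with the shared value
                common &= {rule.shared_value}
            acl[(user["id"], obj["id"])] = "permit" if common else "deny"
    return acl

def is_permitted(acl, user_id: str, object_id: str) -> bool:
    """Enforcement side: fail closed, so a pair with no generated entry is denied."""
    return acl.get((user_id, object_id)) == "permit"

USERS = [{"id": "alice", "cost_center": "CC-100"},
         {"id": "bob", "cost_center": ["CC-200", "CC-300"]},
         {"id": "eve"}]                                  # no cost_center attribute
OBJECTS = [{"id": "PO-1", "cost_center": "CC-100"},
           {"id": "PO-2", "cost_center": "CC-300"},
           {"id": "PO-3"}]                               # no cost_center attribute
RULE = AccessControlRule("cost_center", "cost_center")
```

Note that "eve" and "PO-3" get no entry at all, which is why the enforcement check must treat a missing entry as a denial rather than as an undecided case.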