Managing access control information

US 7,350,237 B2
Filed: 08/18/2003
Issued: 03/25/2008
Est. Priority Date: 08/18/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for generating access control information, the method comprising:

receiving an access control rule that identifies a characteristic, the characteristic identifying an attribute from which attribute values of at least one user data entry and at least one object data entry are to be accessed and compared to generate access control information;

programmatically identifying at least one user data entry in user information that includes the attribute identified by the identified characteristic;

programmatically accessing, from the at least one user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the at least one user data entry;

programmatically identifying at least one object data entry in data object information that includes the attribute identified by the identified characteristic;

programmatically accessing, from the at least one object data entry, a second attribute value for the attribute identified by the identified characteristic and included in the at least one object data entry;

programmatically comparing the first attribute value with the second attribute value;

based on comparison results, programmatically determining whether the first attribute value corresponds to the second attribute value;

conditioned on determining that the first attribute value corresponds to the second attribute value, generating access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information; and

storing the generated access control information in electronic storage.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for automating the generation of access control information that identifies users that are permitted to access particular business objects used by a computer application. The generation of access control information is based on a characteristic that is shared by the user and the business object to be accessed. The characteristic may be an attribute. The characteristic also may be the identification of a process to determine a characteristic of a user and/or a characteristic of a business object.

217 Citations

26 Claims

1. A computer-implemented method for generating access control information, the method comprising:
- receiving an access control rule that identifies a characteristic, the characteristic identifying an attribute from which attribute values of at least one user data entry and at least one object data entry are to be accessed and compared to generate access control information;
  
  programmatically identifying at least one user data entry in user information that includes the attribute identified by the identified characteristic;
  
  programmatically accessing, from the at least one user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the at least one user data entry;
  
  programmatically identifying at least one object data entry in data object information that includes the attribute identified by the identified characteristic;
  
  programmatically accessing, from the at least one object data entry, a second attribute value for the attribute identified by the identified characteristic and included in the at least one object data entry;
  
  programmatically comparing the first attribute value with the second attribute value;
  
  based on comparison results, programmatically determining whether the first attribute value corresponds to the second attribute value;
  
  conditioned on determining that the first attribute value corresponds to the second attribute value, generating access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information; and
  
  storing the generated access control information in electronic storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 23, 24, 25, 26)
- - 2. The method of claim 1 wherein:
    - the identified characteristic is indirectly associated with the at least one user data entry in the user information, andprogrammatically identifying at least one user data entry in user information that includes the attribute identified by the identified characteristic comprises programmatically identifying at least one user data entry in user information that is indirectly associated with the identified characteristic.
  - 3. The method of claim 1 wherein:
    - the identified characteristic is directly associated with the at least one user data entry in the user information, andprogrammatically identifying at least one user data entry in user information that includes the attribute identified by the identified characteristic comprises programmatically identifying at least one user data entry in user information that is directly associated with the identified characteristic.
  - 4. The method of claim 1 wherein generating access control information comprises:
    - generating user access control information that identifies the at least one entry in the user information that is associated with the identified characteristic,generating object access control information that identifies the at least one entry in the data object information that is associated with the identified characteristic, andassociating at least one entry in the user access control information with at least one entry in the data object access control information.
  - 5. The method of claim 4 further comprising storing the association of the at least one entry in the user access control information with the at least one entry in the data object access control information.
  - 6. The method of claim 4 further comprising:
    - storing the data object access control information, andstoring the user access control information.
  - 7. The method of claim 4 further comprising determining whether a particular user associated with the at least one entry in the user access control information is permitted access to a particular data object that is associated with the at least one entry in the data object access control information wherein the determination is based on the association of the at least one entry in the user access control information with the at least one entry in the data object access control information.
  - 8. The method of claim 1 further comprising receiving a filter condition, wherein generating access control information further comprises generating access control information by eliminating at least one entry in the user information that corresponds to the received filter condition such that access control information does not include the eliminated at least one entry in the user information.
  - 9. The method of claim 1 further comprising receiving a filter condition, wherein generating access control information further comprises generating access control information by eliminating at least one entry in the data object information that corresponds to the received filter condition such that access control information does not include the eliminated at least one entry in the data object information.
  - 23. The method of claim 1 wherein programmatically identifying at least one user data entry in user information that includes the attribute identified by the identified characteristic, programmatically identifying at least one object data entry in data object information that includes the attribute identified by the identified characteristic, and generating access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information occurs automatically without human intervention.
  - 24. The method of claim 1 wherein:
    - programmatically identifying at least one user data entry in user information that includes the attribute identified by the identified characteristic comprises;
      
      programmatically identifying a first user data entry in user information that includes the attribute identified by the identified characteristic, andprogrammatically identifying a second user data entry in user information that includes the attribute identified by the identified characteristic comprises, the first user data entry being associated with a first user and the second user data entry being associated with a second user that is different than the first user,programmatically accessing, from the at least one user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the at least one user data entry comprises;
      
      programmatically accessing, from the first user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the first user data entry, andprogrammatically accessing, from the second user data entry, a third attribute value for the attribute identified by the identified characteristic and included in the second user data entry,programmatically identifying at least one object data entry in data object information that includes the attribute identified by the identified characteristic comprises programmatically identifying a first data object in data object information that includes the attribute identified by the identified characteristic,programmatically accessing, from the at least one object data entry, a second attribute value for the attribute identified by the identified characteristic and included in the at least one object data entry comprises programmatically accessing, from the first data object, a second attribute value for the attribute identified by the identified characteristic and included in the first data object,programmatically comparing the first attribute value with the second attribute value comprises programmatically comparing the first attribute value with the second attribute value and the third attribute value with the second attribute value,based on comparison results, programmatically determining whether the first attribute value corresponds to the second attribute value comprises programmatically determining whether the first attribute value corresponds to the second attribute value and whether the third attribute value corresponds to the second attribute value,conditioned on determining that the first attribute value corresponds to the second attribute value, generating access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information comprises, conditioned on determining that the first attribute value corresponds to the second attribute value and the third attribute value corresponds to the second attribute value, generating first access control rule information that enables the first user to access the first data object and second access control rule information different than the first access control rule information that enables the second user to access the first data object.
  - 25. The method of claim 24 further comprising:
    - storing the generated access control information in electronic storage.
  - 26. The method of claim 25 wherein storing the generated access control information in electronic storage comprises:
    - storing a first access control information data record that includes a first user identifier that identifies the first user and a first data object identifier that identifies the first data object, andstoring a second access control information data record that includes a second user identifier that identifies the second user and a second data object identifier that identifies the first data object.

10. A computer system for managing access control information for software operating on the computer system, the system comprising:
- a data repository for access control information for software, the data repository including user information identifying a user characteristic for at least one entry in the user information, data object information identifying a data object characteristic for at least one entry in the data object information, and access control rule information identifying a shared characteristic for at least one entry in the access control rule information; and
  
  an executable software module when executed by a processor configured to;
  
  programmatically identify at least one user data entry in user information that includes an attribute identified by the user characteristic;
  
  programmatically access, from the at least one user data entry, a first attribute value for the attribute identified by the user characteristic and included in the at least one user data entry;
  
  programmatically identify at least one object data entry in data object information that includes an attribute identified by the data object characteristic;
  
  programmatically access, from the at least one object data entry, a second, attribute value for the attribute identified by the data object characteristic and included in the at least one object data entry;
  
  programmatically compare the first attribute value, the second attribute value, and an attribute value identified by the shared characteristic;
  
  based on comparison results, programmatically determine whether the first attribute value corresponds to the second attribute value;
  
  generate access control information for use in determining whether a user that is associated with the at least one user data entry in the user information is permitted to access the at least one object data entry in the data object information, generation of access control information comprises;
  
  generating access control information that allows the user associated with the at least one user entry in the user information to access the at least one object data entry conditioned on determining that the first attribute value corresponds to the second attribute value, andgenerating access control information that prevents the user associated with the at least one user entry in the user information from accessing the at least one object data entry conditioned on determining that the first attribute value does not correspond to the second attribute value; and
  
  store the generated access control information in electronic storage.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer system of claim 10 further comprising a second executable software module that causes a determination whether a user associated with an entry in the user information is permitted to access a data object associated with an entry in the data object information such that the determination is based on the generated access control information.
  - 12. The computer system of claim 11 wherein the second executable software module is the same executable software module as the first executable software module.
  - 13. The computer system of claim 10 wherein the executable software module stores the generated access control information in electronic storage such that the generated access control rule information may be accessed to determine whether the user is permitted to access the data object when the user requests access to the data object subsequent to generation of the access control information.
  - 14. The computer system of claim 10 wherein the executable software module causes an association between at least one entry in the user information and at least one entry in the access control information when the user characteristic corresponds to the shared characteristic.
  - 15. The computer system of claim 14 wherein the executable software module causes an association between at least one entry in the data object information and at least one entry in the access control information when the data object characteristic corresponds to the shared characteristic.
  - 16. The computer system of claim 15 wherein the executable software module causes a determination whether the user is permitted access to the data object based on the association of the user information to the shared characteristic and the association between the data object information and the shared characteristic.
  - 17. The computer system of claim 10 wherein:
    - the data repository includes;
      
      user group information that associates a user group with at least one entry in the user information, andaccess control rule information that identifies action that a user who is associated with group of users is permitted to perform on a data object, andthe executable software module causes a determination to be made, based on an association of the at least one entry in the user information with the user group, as to whether the user associated with the at least one entry in the user information is permitted to perform a particular action on a particular data object.

18. A computer-readable medium having embodied thereon a computer program configured to generate access control information, the medium comprising one or more code segments configured to:
- receive an access control rule that identifies a characteristic, the characteristic identifying an attribute from which attribute values of at least one user data entry and at least one object data entry are to be accessed and compared to generate access control information;
  
  programmatically identify at least one user data entry in user information that includes the attribute identified by the identified characteristic;
  
  programmatically access, from the at least one user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the at least one user data entry;
  
  programmatically identify at least one object data entry in data object information that includes the attribute identified by the identified characteristic;
  
  programmatically access, from the at least one object data entry, a second attribute value for the attribute identified by the identified characteristic and included in the at least one object data entry;
  
  programmatically compare the first attribute value with the second attribute value;
  
  based on comparison results, programmatically determine whether the first attribute value corresponds to the second attribute value;
  
  conditioned on determining that the first attribute value corresponds to the second attribute value, generate access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information; and
  
  store the generated access control information in electronic storage.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The medium of claim 18 wherein the one or more code segments configured to generate access control information comprise one or more code segments configured to:
    - generate user access control information that identifies the at least one entry in the user information that is associated with the identified characteristic,generate object access control information that identifies the at least one entry in the data object information that is associated with the identified characteristic, andassociate at least one entry in the user access control information with at least one entry in the data object access control information.
  - 20. The medium of claim 19 wherein the one or more code segments are further configured to determine whether a particular user associated with the at least one entry in the user access control information is permitted access to a particular data object that is associated with the at least one entry in the data object access control information wherein the determination is based on the association of the at least one entry in the user access control information with the at least one entry in the data object access control information.
  - 21. The medium of claim 18 wherein the one or more code segments are further configured to:
    - receive a filter condition, andgenerate access control information by eliminating at least one entry in the user information that corresponds to the received filter condition such that access control information does not include the eliminated at least one entry in the user information.
  - 22. The medium of claim 18 wherein the one or more code segments are further configured to:
    - receive a filter condition, andgenerate access control information further comprises generating access control information by eliminating at least one entry in the data object information that corresponds to the received filter condition such that access control information does not include the eliminated at least one entry in the data object information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Kupke, Markus, Vogel, Matthias, Drittler, Bernhard
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
Dada; Beemnet W

Application Number

US10/642,500
Publication Number

US 20050044396A1
Time in Patent Office

1,681 Days
Field of Search

726/1, 726/4, 726/17, 726/21, 726 27- 30, 707/9, 713164-167
US Class Current

726/27
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2141   Access rights, e.g. capabil...

Managing access control information

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

217 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Managing access control information

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

217 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links