Catalog-based user authorization to access to multiple applications

    Publication No.: US09760734B2

    Publication date: 2017-09-12

    Application No.: US14752417

    Application date: 2015-06-26

    Applicant: SAP SE

    CPC classification number: G06F21/6236

    Abstract: Embodiments manage user authorization to access multiple grouped software applications, via a catalog mechanism. Functionality of related software is divided into semantically meaningful catalogs, representing tasks or sub-processes within a business scenario. These catalogs represent a unit of functionality utilized to structure work and authorization. Functionality and authorizations are associated to system entry points, and assigned to catalogs bundling applications and services. Responsibilities may be defined statically or dynamically in terms of rule-based access restrictions to data structure (e.g., business object) instances. Catalogs may be assigned to business roles, and business roles assigned to users. Based on such assignments, corresponding authorizations are generated and linked to users at compile or deployment time. At run time, access decision and enforcement is granted based on these authorizations and restrictions. Decision and enforcement points are associated with the system entry points within software applications belonging to catalog(s).

    RESOURCE SHARING IN CLOUD COMPUTING
    Invention application

    Publication No.: US20190014120A1

    Publication date: 2019-01-10

    Application No.: US15643362

    Application date: 2017-07-06

    Applicant: SAP SE

    Inventor: Bernhard Drabant

    Abstract: In one respect, there is provided a system a data processor and a memory. The system can be configured to receive, from a first user associated with a first tenant, a request to access a resource associated with a second tenant. The first tenant and the second tenant can be tenants of a multi-tenant cloud-computing platform. The resource can be accessible via the multi-tenant cloud-computing platform. The first user can be authorized to access the resource associated with the second tenant based on a sharing relationship that allows the first user to access the resource. In response to determining that the first user is authorized to access the resource associated with the second tenant, access to the resource can be provided to the first user. Related methods and articles of manufacture, including computer program products, are also provided.

    UNIFIED INSTANCE AUTHORIZATION BASED ON ATTRIBUTES AND HIERARCHY ASSIGNMENT

    Publication No.: US20180144150A1

    Publication date: 2018-05-24

    Application No.: US15358176

    Application date: 2016-11-22

    Applicant: SAP SE

    Abstract: A data model is defined to describe objects. Attributes from the data model are associated with providing authorization right for executing actions on object instances of the objects. A hierarchy of object groups is declared. Objects group collections are defined on top of the hierarchy. A vocabulary including definitions of attributes of objects and including definitions of assignments of objects to object groups is created. The vocabulary is related to determining authorization rights for executing actions based on attributes and hierarchy organization of objects. A capability to determine authorization to perform an action by a user on a set of objects is defined based on the vocabulary. When a request for performing an action by a user on object instances is received, a filtering expression based on the capability is generated to be included in a where clause of a query.

    Unified instance authorization based on attributes and hierarchy assignment

    Publication No.: US10740483B2

    Publication date: 2020-08-11

    Application No.: US15358176

    Application date: 2016-11-22

    Applicant: SAP SE

    Abstract: A data model is defined to describe objects. Attributes from the data model are associated with providing authorization right for executing actions on object instances of the objects. A hierarchy of object groups is declared. Objects group collections are defined on top of the hierarchy. A vocabulary including definitions of attributes of objects and including definitions of assignments of objects to object groups is created. The vocabulary is related to determining authorization rights for executing actions based on attributes and hierarchy organization of objects. A capability to determine authorization to perform an action by a user on a set of objects is defined based on the vocabulary. When a request for performing an action by a user on object instances is received, a filtering expression based on the capability is generated to be included in a where clause of a query.

    Resource sharing in cloud computing

    Publication No.: US10560458B2

    Publication date: 2020-02-11

    Application No.: US15643362

    Application date: 2017-07-06

    Applicant: SAP SE

    Inventor: Bernhard Drabant

    Abstract: In one respect, there is provided a system a data processor and a memory. The system can be configured to receive, from a first user associated with a first tenant, a request to access a resource associated with a second tenant. The first tenant and the second tenant can be tenants of a multi-tenant cloud-computing platform. The resource can be accessible via the multi-tenant cloud-computing platform. The first user can be authorized to access the resource associated with the second tenant based on a sharing relationship that allows the first user to access the resource. In response to determining that the first user is authorized to access the resource associated with the second tenant, access to the resource can be provided to the first user. Related methods and articles of manufacture, including computer program products, are also provided.

    Catalog-Based User Authorization to Access to Multiple Applications
    Invention application (status: in force)

    Publication No.: US20160379002A1

    Publication date: 2016-12-29

    Application No.: US14752417

    Application date: 2015-06-26

    Applicant: SAP SE

    CPC classification number: G06F21/6236

    Abstract: Embodiments manage user authorization to access multiple grouped software applications, via a catalog mechanism. Functionality of related software is divided into semantically meaningful catalogs, representing tasks or sub-processes within a business scenario. These catalogs represent a unit of functionality utilized to structure work and authorization. Functionality and authorizations are associated to system entry points, and assigned to catalogs bundling applications and services. Responsibilities may be defined statically or dynamically in terms of rule-based access restrictions to data structure (e.g., business object) instances. Catalogs may be assigned to business roles, and business roles assigned to users. Based on such assignments, corresponding authorizations are generated and linked to users at compile or deployment time. At run time, access decision and enforcement is granted based on these authorizations and restrictions. Decision and enforcement points are associated with the system entry points within software applications belonging to catalog(s).
