摘要:
An authorization data model factors roles into generic roles and responsibilities, using these attributes at run-time to complete an authorization process based on non-static privileges associated with currently defined roles and responsibilities. Multiple applications collect current variable authorization information at run-time, when prompted by a user request to access a protected resource, from an external central repository that maintains updated generic role and responsibility information independent of user identity, thus replacing a fixed authorization structure with a flexible wild-card based model.
摘要:
An authorization data model factors roles into generic roles and responsibilities, using these attributes at run-time to complete an authorization process based on non-static privileges associated with currently defined roles and responsibilities. Multiple applications collect current variable authorization information at run-time, when prompted by a user request to access a protected resource, from an external central repository that maintains updated generic role and responsibility information independent of user identity, thus replacing a fixed authorization structure with a flexible wild-card based model.
摘要:
An authorization data model factors roles into generic roles and responsibilities, using these attributes at run-time to complete an authorization process based on non-static privileges associated with currently defined roles and responsibilities. Multiple applications collect current variable authorization information at run-time, when prompted by a user request to access a protected resource, from an external central repository that maintains updated generic role and responsibility information independent of user identity, thus replacing a fixed authorization structure with a flexible wild-card based model.
摘要:
Embodiments of the present invention may provide a system and method for business data provisioning for a pre-emptive security audit. In one aspect, a method embodiment may comprise the steps of identifying the business resources as expressed in business terms, ensuring that applications dealing with (parts of) the business resources are aware of the link to the resource, transmitting the information about the used business resources throughout the call stack up to the UI, making use of the highest access enforcement point possible where it can be ensured that access to the protected resource is only done through either authorized users or trusted code, and having this access enforcement point taken over by a framework to ensure adequate protection even in extensibility scenarios.
摘要:
According to one general aspect, a method of retrieving data entities from a backend data device may include maintaining a data model of data entities employed by a user interface. The data model may include a hierarchical relationship between a leading data entity and at least one child data entity. The method may also include authorizing, with an authorization device, when retrieving the leading data entity. The method may include instructing the authorization device that data retrievals of subsequent data entities are to be authorized based upon the authorization of the leading data entity. The method may also include retrieving at least one child data entity of the leading data entity without providing additional authorization credentials.
摘要:
A system may include a database comprising stored data and a business process platform including business object metadata defining business objects representing the stored data. The business process platform may receive a query from a user to retrieve data from a first business object node of a business object, the business object representing stored data, determine whether the user is authorized to traverse all associations of a SELECT list of the query, determine whether the user is authorized to traverse all associations of a WHERE clause of the query, determine whether the user is authorized to retrieve any instances of each business object node of column specifications of the SELECT list of the query, and, if the determinations are affirmative, executing the query to retrieve a first result set.
摘要:
Access to information instances is administered using selectively activatable rules. A computer program product includes rules establishing authorizations to information instances in a computer system, each of the rules authorizing a predefined subject to perform a predefined action on a predefined object. The computer program product includes an activation function for an administrator to selectively activate at least one of the rules, the activated rule to be applied upon a user seeking to perform an action on any of the information instances.
摘要:
A system includes a first non-transitory computer-readable storage medium and a second non-transitory computer-readable storage medium each having stored thereon computer executable program code which, when executed on a computer system, causes the computer system to perform steps. The steps associated with the first non-transitory computer readable medium include generating a Service Adaptation Definition Language (SADL) definition for each of a plurality of business entity types, the SADL definition being based on an intermediate representation of each of the plurality of business entities, and publishing the SADL definition as a service of a SADL engine. The steps associated with the second non-transitory computer-readable storage include discovering the SADL definition and displaying, on a user interface, a representation of the SADL definition, the user interface configured to enable selection of two or more business entity types each associated with a different model layer framework.
摘要:
A query engine for integrating authorization conditions within a database query statement. The query engine may include an authorization handler configured to receive authorization parameters related to one or more authorization objects for data relevant to a query for performing an authority check, and obtain at least one user authorization profile for a current user based on the authorization parameters. The at least one user authorization profile may include an activity value and one or more authorization conditions associated with the activity value. The query engine may further include a query generator configured to receive query parameters related to the query and integrate the query parameters with the one or more authorization conditions to obtain a database query statement, and a database selector configured to obtain authorized data from an in-memory database based on the database query statement.
摘要:
A service request from a user is received to execute an operation on an instance of a business object. Thereafter, an access control check is performed to confirm whether the user is allowed to execute the requested operation on a type of business object corresponding to the business object specified and based on an access group associated with the user. Subsequently, the user is either provided with access to the instance of the business object to execute the operation if the access control check confirms that the user is allowed to execute the operation on the instance of the business object, or prevented from accessing the instance of the business object to execute the operation on the instance of the business object. Related apparatus, systems, techniques and articles are also described. Related apparatus, systems, techniques and articles are also described.