CPC H04L 63/102 (2013.01) [G06F 9/451 (2018.02); H04L 63/08 (2013.01); H04L 63/108 (2013.01)] | 20 Claims
1. A system, comprising:
a server for providing an application to users;
an access permission database accessible by the server for storing permanent access permissions for the users, wherein the permanent access permissions are role-based authorizations that determine a level of access the users have within the application, and the users are assigned to roles that align with their roles in an organization's hierarchy or the application; and
a memory that stores temporary access permissions for a first user while the application is executing, the memory being accessible by the server;
wherein the application is configured to:
retrieve the permanent access permissions for the first user from the access permission database;
provide a user interface for the first user, wherein the user interface includes a user management process that provides tools for adding, updating, and deleting users, and the management process changes the permanent access permissions in the access permission database;
provide the user interface including only actions that are permitted for the first user, and at least one of the actions is modified on the user interface based on a temporal limitation;
determine a set of default access permissions for the first user based on the permanent access permissions, after an authentication of the first user, wherein the set of default access permissions are role-based authorizations;
store the set of default access permissions as the temporary access permissions in the memory;
provide an event handler that dynamically modifies at least one temporary access permission for the first user by applying to the first user at least one selected access permission from a group of a scope limited access permission or a temporally limited access permission, wherein the selected access permission is an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application, wherein the one or more policies include a policy based on a business rule that the first user is not allowed to edit product descriptions during a specific time, access, and the one or more policies fit into a pattern for the application and logic is used to make determinations about a user's access permission based on the pattern; and
provide an authorization process that determines whether a request from the user interface is authorized before processing the request using the permanent access permissions from an administrator, the temporary access permissions, and the at least one selected access permission, wherein:
the attribute-based authorization provides a level of authority that is tied to the one or more policies associated with the application and is independent of the user roles within the organization's hierarchy or application,
the level of authority determines what authorization the first user has within the application, and
the application comprises an administration application configured to expand, create, or limit role-based access permissions without having to add new roles or updates to a front end application, which allows configurable permutations of roles per user and per component as the application evolves over time.
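The access model claim 1 describes (permanent role-based permissions copied into an in-memory temporary set at login, an event handler that overlays attribute-based policies with scope or time limits, and an authorization process that consults all three before acting) can be illustrated in code. The following is an added example, not code from the patent or any implementation of it; the role table, user table, the "no product edits between 09:00 and 17:00" rule and the category scope are constructed stand-ins.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed stand-in for the access permission database: permanent, role-based grants.
ROLE_PERMISSIONS = {"editor": {"product:view", "product:edit"}, "viewer": {"product:view"}}
USER_ROLES = {"alice": ["editor"], "bob": ["viewer"]}

@dataclass
class Session:
    """Temporary access permissions held in memory while the application executes."""
    user: str
    temporary: set = field(default_factory=set)
    policies: list = field(default_factory=list)  # attribute-based overlays, not roles

def permanent_permissions(user):
    """Retrieve the role-based permissions from the (constructed) permission database."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, [])))

def login(user):
    """After authentication the role-based defaults become the session's temporary set."""
    return Session(user=user, temporary=permanent_permissions(user))

def no_edit_during(start, end):
    """Temporally limited policy: deny product:edit when the request time is in [start, end)."""
    s, e = (datetime.strptime(t, "%H:%M").time() for t in (start, end))
    def policy(action, attrs):
        now = datetime.strptime(attrs["now"], "%H:%M").time()
        return not (action == "product:edit" and s <= now < e)
    return policy

def edit_only_in_scope(allowed_categories):
    """Scope limited policy: product:edit is allowed only for the listed categories."""
    def policy(action, attrs):
        return action != "product:edit" or attrs.get("category") in allowed_categories
    return policy

def apply_policy(session, policy):
    """Event handler: dynamically attach an attribute-based policy to the first user's session."""
    session.policies.append(policy)

def authorize(session, action, attrs):
    """Authorization process: permanent AND temporary grant required, then every policy must allow."""
    if action not in permanent_permissions(session.user) or action not in session.temporary:
        return False
    return all(p(action, attrs) for p in session.policies)

def visible_actions(session, attrs):
    """User interface shows only actions permitted right now; the temporal rule changes the menu."""
    return sorted(a for a in session.temporary if authorize(session, a, attrs))
```

Because the policy check is evaluated per request, the same session yields a different action list at 08:00 and at 12:00 without any change to the role table.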