US 12,443,741 B2
Fine-grained authorization as a service via relationship-based access control within a multi-tenant system
Damian Ezequiel Schenkelman, Buenos Aires (AR); Jonathan Cornelius Allie, Newton, NC (US); Yamil Asusta, San Juan, PR (US); Javier Alberto Centurion, Buenos Aires (AR); Raghd Hamzeh, Toronto (CA); Sebastian Iacomuzzi, London (GB); and Matias Adrian Woloski, Maldonado (UY)
Filed by Okta, Inc., San Francisco, CA (US)
Filed on Apr. 29, 2022, as Appl. No. 17/733,644.
Prior Publication US 2023/0351039 A1, Nov. 2, 2023
Int. Cl. G06F 21/62 (2013.01); G06F 21/31 (2013.01); G06F 21/60 (2013.01); G06N 5/04 (2023.01)
CPC G06F 21/6227 (2013.01) [G06F 21/31 (2013.01); G06F 21/604 (2013.01); G06N 5/04 (2013.01)]
12 Claims
1. A computer-implemented method for user authorization in a cloud-based multi-tenant system, comprising:
receiving, from an administrator of a first tenant of the cloud-based multi-tenant system, an authorization model indicating types of objects of the first tenant, and types of relations that those types of objects have with users of the first tenant, the authorization model being expressed with a declarative domain-specific language using Boolean disjunction operators;
receiving relationship tuples indicating respective relations between respective users and respective objects;
receiving a request to determine whether a first user of the first tenant is authorized to perform a first action on a first object;
making a determination of whether the first user is authorized using inferences from the authorization model and the relationship tuples and using the relations and the Boolean disjunction operators of the authorization model received from the administrator;
responding to the request with the determination of whether the first user is authorized;
receiving a revised authorization model different from the authorization model;
storing the authorization model and the revised authorization model;
obtaining, using the authorization model, a first outcome of a first authorization request;
obtaining, using the revised authorization model, a second outcome of the first authorization request; and
comparing the first outcome of the authorization model and the second outcome of the revised authorization model to identify discrepancies between outcomes of the authorization model and the revised authorization model.
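The method of claim 1, sketched as an added example that is not taken from the patent or from any Okta product: relations are unions (Boolean OR) of rules, a check resolves against relationship tuples, and the same requests are replayed against a stored model and a revised one to list discrepancies. The dictionary encoding of the model, the rule names (`direct`, `computed`, `from`), and all users, objects and tuples are assumptions constructed for illustration.

```python
import copy

# Constructed model: each relation is a union (OR) of rules.
#   ("direct",)          a tuple (user, relation, object) exists
#   ("computed", rel)    user has `rel` on the same object
#   ("from", rel, via)   user has `rel` on an object linked to this one by `via`
MODEL_V1 = {
    "folder": {"viewer": [("direct",)]},
    "doc": {
        "parent": [("direct",)],
        "owner": [("direct",)],
        "editor": [("direct",), ("computed", "owner")],
        "viewer": [("direct",), ("computed", "editor"), ("from", "viewer", "parent")],
    },
}
# Revised model: doc viewers are no longer inherited from the parent folder.
MODEL_V2 = copy.deepcopy(MODEL_V1)
MODEL_V2["doc"]["viewer"].remove(("from", "viewer", "parent"))

# Constructed relationship tuples: (user or object, relation, object).
TUPLES = {
    ("anne", "owner", "doc:roadmap"),
    ("carl", "editor", "doc:roadmap"),
    ("bob", "viewer", "folder:plans"),
    ("folder:plans", "parent", "doc:roadmap"),
}

def check(model, tuples, user, relation, obj, _seen=None):
    """Return True if any rule in the relation's union grants access."""
    seen = _seen if _seen is not None else set()
    if (user, relation, obj) in seen:  # guard against cyclic models or tuples
        return False
    seen.add((user, relation, obj))
    otype = obj.split(":", 1)[0]
    for rule in model.get(otype, {}).get(relation, []):
        if rule[0] == "direct" and (user, relation, obj) in tuples:
            return True
        if rule[0] == "computed" and check(model, tuples, user, rule[1], obj, seen):
            return True
        if rule[0] == "from":
            for subj, rel, target in tuples:
                if rel == rule[2] and target == obj and \
                        check(model, tuples, user, rule[1], subj, seen):
                    return True
    return False

def diff_models(old, new, tuples, requests):
    """Replay each request against both models; return those whose outcome differs."""
    results = [(r, check(old, tuples, *r), check(new, tuples, *r)) for r in requests]
    return [(r, a, b) for r, a, b in results if a != b]
```

A discrepancy where the old outcome is allow and the new one is deny is a regression for existing users; the reverse direction is newly granted access and is the one to review before the revised model goes live.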