Title Role based access management for business object data structures
Abstract A service request from a user is received to execute an operation on an instance of a business object. Thereafter, an access control check is performed to confirm whether the user is allowed to execute the requested operation on a type of business object corresponding to the business object specified and based on an access group associated with the user. Subsequently, the user is either provided with access to the instance of the business object to execute the operation if the access control check confirms that the user is allowed to execute the operation on the instance of the business object, or prevented from accessing the instance of the business object to execute the operation on the instance of the business object. Related apparatus, systems, techniques and articles are also described.
Publication number US9213856(B2) Publication date 2015.12.15
Application number US201213719063 Filing date 2012.12.18
Applicant SAP SE Inventors Kornmann Tim;Hermanns Marcel;Buchholz Cristina;Hartel Michael;Zoch Daniel
Classification G06F17/30;G06F21/62 Main classification G06F17/30
Agency Mintz Levin Cohn Ferris Glovsky and Popeo, P.C. Agent Mintz Levin Cohn Ferris Glovsky and Popeo, P.C.
Main claim 1. A method for implementation by one or more data processors comprising: receiving, by at least one data processor, a service request from a user to execute an operation on an instance of a business object, the business object comprising a plurality of nodes descending from a root node; performing, by at least one data processor, an access control check to confirm whether the user is allowed to execute the requested operation on a type of business object corresponding to the business object specified and based on an access group associated with the user; and providing, by at least one data processor, the user with access to the instance of the business object to execute the operation if the access control check confirms that the user is allowed to execute the operation on the instance of the business object; or preventing, by at least one data processor, the user from accessing the instance of the business object to execute the operation on the instance of the business object; wherein: metadata associated with the business object identifies one node of the business object as comprising an access control list dependent object (ACL DO), the ACL DO comprises an access control list, the access control list is used as part of the access control check to confirm whether the user is allowed to execute the requested operation, the access control list specifies which nodes of the business object are subject to instance control and which nodes of the business object are not subject to instance control, the access control list further specifies which access groups can perform operations on each node of a business object instance, and the ACL DO is updated prior to saving the business object by using a modeled association of the nodes of the business object when one or more nodes of the business object specified as being part of an access control path by the ACL DO are changed.
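A constructed Python model of the check in claim 1 (type-level check, then instance control via the ACL DO, and the ACL DO refresh before save when an access-path node changes); this is added here, is not SAP's code, and all names, the sample type rights and the header-derived ACL rule are assumptions:

```python
from dataclasses import dataclass, field

# Constructed, simplified model of claim 1; every name here is hypothetical
# and not one of SAP's own data structures or APIs.
@dataclass
class AclDo:
    """Access control list dependent object carried by one node of the BO."""
    instance_controlled: set                     # nodes subject to instance control
    entries: dict = field(default_factory=dict)  # node -> access group -> operations
    access_path: tuple = ()                      # nodes whose change forces a refresh

@dataclass
class BusinessObject:
    bo_type: str
    nodes: dict          # node name -> node data; root and descendants alike
    acl_do: AclDo        # metadata names the node holding the ACL DO

# Type-level rights: BO type -> access group -> operations (constructed sample)
TYPE_RIGHTS = {"SalesOrder": {"sales_clerk": {"read", "update"}, "auditor": {"read"}}}

def access_check(group, bo, node, operation):
    """True if `group` may run `operation` on `node` of this BO instance."""
    # 1. Type-level check: the group must hold the operation on the BO type.
    if operation not in TYPE_RIGHTS.get(bo.bo_type, {}).get(group, set()):
        return False
    # 2. Nodes not under instance control are governed by the type check alone.
    if node not in bo.acl_do.instance_controlled:
        return True
    # 3. Instance-level check against the ACL entries held in the ACL DO.
    return operation in bo.acl_do.entries.get(node, {}).get(group, set())

def save(bo, changed_nodes, derive_entries):
    """Refresh the ACL DO before saving when an access-path node changed."""
    if any(n in bo.acl_do.access_path for n in changed_nodes):
        bo.acl_do.entries = derive_entries(bo)   # modeled association -> new ACL
    return bo

# Constructed rule: the header's owner group decides who may update items.
def derive_from_header(bo):
    owner = bo.nodes["header"]["owner_group"]
    return {"item": {owner: {"read", "update"}, "auditor": {"read"}}}

order = BusinessObject(
    "SalesOrder",
    nodes={"root": {}, "header": {"owner_group": "sales_clerk"}, "item": {"qty": 1}},
    acl_do=AclDo(instance_controlled={"item"}, access_path=("header",)),
)
save(order, changed_nodes=["header"], derive_entries=derive_from_header)
```

Changing a node outside the access path leaves the ACL DO untouched, so a stale instance ACL is only avoided because the refresh is tied to the modeled access path.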
Address Walldorf DE