1. Field of the Invention
The present invention relates generally to data processing systems and in particular to role-based access control. Still more particularly, the present invention relates to a computer implemented method, apparatus, and computer program code for determining roles for automated tasks in a role-based access control environment.
2. Description of the Related Art
In a computer system, an important part of security is controlling user access to computer resources. One common method of controlling user access to computer resources is role-based access control (RBAC), in which each user is assigned one or more roles. Associated with each role are specific resources which the role can access. For example, a sales role may be able to enter and modify orders in an order database, while a fulfillment role may be able to look at orders in the order database and inventory in an inventory database.
In a role-based access control environment, a system administrator defines a set of roles and, for each role, associates a set of access privileges to specific computer resources. A role-based access control environment may restrict the number of roles a user may assume at any given time. For example, a user may be assigned twenty roles, but may only be able to assume five roles at a given time. When the user interacts with the computer system, the user is logged in and can, therefore, specify which subset of roles the user is assuming at any given time. However, the user may not be logged in when the computer system executes a user-created automated task.
An automated task is a set of activities performed on behalf of the user without any further input from the user. The set of activities is performed as if the user were performing the activities, though the user may not be logged in. For example, a user may automate an application to perform a task when a specific event occurs. When the specified event occurs, the application performs the specified task as if the user were performing the task, but without any further interaction with the user. One of the advantages of using automated tasks is that the user need not be logged in when the automated task is performed.
When a user logs in, a login session is created for that user and the user specifies which roles the user is assuming in that session. In a role-based access control environment, any automated tasks the user executes during that session use the roles which the user has assumed during the session. However, if the user is not logged in when an automated task is executed, there is no way of determining which session roles to use when executing the automated task.
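The following Python model, added here as an illustration and not part of the patent text, shows the situation the preceding paragraphs describe: roles map to (resource, action) privileges, a user may only assume a bounded subset of assigned roles per login session, permission checks resolve through the session's active roles, and an automated task that runs with no session has no roles to resolve against. The class and role names (`Rbac`, `Session`, `AutomatedTask`, the `sales`/`fulfillment`/`audit` roles, the user `alice`, and the active-role limit of 2) are constructed for the example. The fail-closed behaviour when no session exists is a design choice of this example, not something the page prescribes.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

# A privilege is a (resource, action) pair, e.g. ("orders", "modify").
Permission = Tuple[str, str]


class RbacError(Exception):
    """Raised when a role or session request violates the RBAC policy."""


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[Permission]


@dataclass
class Session:
    """A login session: the user plus the subset of roles assumed for it."""
    user: str
    active_roles: FrozenSet[str]
    rbac: "Rbac"

    def is_permitted(self, resource: str, action: str) -> bool:
        # Only the roles assumed in this session grant access, not every
        # role the user has been assigned.
        return any((resource, action) in self.rbac.roles[r].permissions
                   for r in self.active_roles)


class Rbac:
    def __init__(self, max_active_roles: int) -> None:
        self.max_active_roles = max_active_roles
        self.roles: Dict[str, Role] = {}
        self.assignments: Dict[str, Set[str]] = {}  # user -> assigned role names

    def define_role(self, name: str, permissions: Iterable[Permission]) -> None:
        self.roles[name] = Role(name, frozenset(permissions))

    def assign(self, user: str, role_name: str) -> None:
        if role_name not in self.roles:
            raise RbacError(f"unknown role {role_name!r}")
        self.assignments.setdefault(user, set()).add(role_name)

    def open_session(self, user: str, roles_to_assume: Iterable[str]) -> Session:
        wanted = frozenset(roles_to_assume)
        assigned = self.assignments.get(user, set())
        if not wanted <= assigned:
            raise RbacError(f"{user} is not assigned {sorted(wanted - assigned)}")
        if len(wanted) > self.max_active_roles:
            raise RbacError(f"at most {self.max_active_roles} roles may be active")
        return Session(user, wanted, self)


@dataclass
class AutomatedTask:
    """Activities run on the owner's behalf; needs lists the privileges used."""
    owner: str
    needs: Tuple[Permission, ...]

    def run(self, session: Optional[Session]) -> bool:
        # With no login session there is no set of assumed roles to use, so
        # this example fails closed rather than guessing (constructed policy).
        if session is None:
            raise RbacError(f"no login session for {self.owner}: cannot determine roles")
        if session.user != self.owner:
            raise RbacError("task may only run in its owner's session")
        return all(session.is_permitted(res, act) for res, act in self.needs)


def build_demo() -> Rbac:
    # Constructed sample policy mirroring the sales/fulfillment example above.
    rbac = Rbac(max_active_roles=2)
    rbac.define_role("sales", {("orders", "enter"), ("orders", "modify")})
    rbac.define_role("fulfillment", {("orders", "read"), ("inventory", "read")})
    rbac.define_role("audit", {("orders", "read"), ("ledger", "read")})
    for role in ("sales", "fulfillment", "audit"):
        rbac.assign("alice", role)
    return rbac


def run_task_logged_in(active_roles: Iterable[str]) -> bool:
    """Task runs inside a live session; result depends on the roles assumed."""
    rbac = build_demo()
    session = rbac.open_session("alice", active_roles)
    task = AutomatedTask("alice", (("orders", "read"), ("inventory", "read")))
    return task.run(session)


def run_task_logged_out() -> str:
    """Task fires after logout: no session, so the role set is undetermined."""
    task = AutomatedTask("alice", (("orders", "read"), ("inventory", "read")))
    try:
        task.run(None)
    except RbacError as exc:
        return str(exc)
    return "unexpectedly ran without a session"


if __name__ == "__main__":
    print(run_task_logged_in(["sales", "fulfillment"]))  # True
    print(run_task_logged_in(["sales"]))                 # False
    print(run_task_logged_out())
```

The interesting case is the last call: the task's owner holds a role that would authorise every privilege it needs, yet without a session there is nothing that says which of the owner's roles are active, which is exactly the gap the description identifies.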