The present disclosure relates to data processing by digital computer, and more particularly to relationship-based authorization.
In general, information may be stored at a directory of a computer system, such as a personal computer or server computer system of a landscape of computers. A directory may store information about principals, such as users, organizations and systems, and computer-based resources. The scope of a directory may be such that the directory may account for resources across an enterprise. For example, a company may implement a directory to store entries for first and second principal accounts, where an entry for the first account includes an electronic mailing address, telephone number, and the like for the first account and an entry for the second account includes similar information for that account. The electronic mailing address and telephone number may be considered attributes for those principals, and the entries for those principals may be associated with the company that has implemented the directory.
A directory may store credentials used to authenticate a principal with the enterprise implementing the directory. Credentials may be in the form of a password, an issued authentication token (e.g., two-factor authentication token), biometric authentication characteristic data (e.g., data characterizing or summarizing the expected result of a biometric authentication of a principal), or other information that can be referenced to identify a principal desiring authentication by the implementing enterprise as known and, therefore, trusted.
Services may be used to perform authentication or authorization, or otherwise retrieve information from a directory regarding a mentioned entity, in accordance with a protocol. For example, Lightweight Directory Access Protocol (LDAP) is a protocol for accessing information from a directory of enterprise information. In general, accounts and associated information are organized hierarchically. For example, a company may set up a directory of its employees where the company might be considered a parent to the employees. In addition, information associated with each employee account may be organized hierarchically for each employee.