Entities often employ a variety of different applications in connection with their operations. In general, any given user may need access to some, but not all, of those applications. Accordingly, entities typically authorize a user to access only the applications needed by that user. These limitations on access can be imposed for a variety of reasons. For example, data and system security may be enhanced by limiting user access only to the applications needed by the user.
Although such restrictions on access have been generally effective, typical schemes for limiting access to selected applications have proven cumbersome and inefficient in their implementation and administration. For example, at least some authorization models are tied to a single application, that is, these authorization models are each application-specific and therefore lack flexibility. Thus, depending upon how many applications an entity employs, its administrators may have to spend significant time and resources implementing and administering numerous different authorization models, one for each different application.
Another problem with the application-specific approach to access is that these types of authorization models are typically associated with inefficient internal design and architecture. Such inefficiency, in turn, can lead to poor performance and poor code workflows, as access control evaluation processes may involve complex lookups and matches against the access privileges of a particular user or users.
One further problem with many known authorization models is that they do not enable the definition and use of an environment where one or more users, sometimes referred to as tenants, may have access only to selected portions or elements of an application. Moreover, these models do not enable a tenant to exercise control over its environment.
In light of problems and shortcomings such as those noted above, it would be useful to be able to implement and utilize a generic user-centric authorization framework that is applicable across multiple applications and/or versions of applications. It would also be useful to be able to dynamically modify the framework in response to, or in anticipation of, changes in authorization needs.