1. Field of the Invention
This invention relates generally to software and data access rights, and more particularly to securely granting access rights to unattended software.
2. Description of the Related Art
Various computer applications, which perform some specified function for a user or program, are well known. Applications include those that provide databases, spreadsheets, word processing, and many others. Typically, a document or file made using an application will include some user data. For example, a financial services application allows a user to develop and maintain a database for their various financial activities.
Some conventional applications reside entirely in a desktop computer, and process data found on the same computer and on a network. Others operate in a network environment, and reside on workstations, servers or both, with access to applications being well controlled by a network administrator.
Online (e.g., web based) applications reside on servers that may be variously accessed by users, who may also be referred to as subscribers. These servers may also store subscriber data, or communicate with related servers that store such data. One advantage of online applications is access flexibility. That is, a client computer having conventional web browsing capability can be used to access an online application. This allows businesses to set up applications that various employees can access, without requiring the business to set up elaborate computer networks. For example, a business can establish a database, allowing employees from multiple disconnected offices, from home offices, and/or from the field to access the database, without requiring the employees to be on the same private network, and without requiring specialized hardware. Any employee accessing a web-enabled device could theoretically access the common database. Also, if there are updates to the configuration of the database, or application upgrades, the business owner does not need to be concerned with updating numerous computers according to the upgrade. Thus, online applications have been found to be very desirable.
Some applications are used by other, related applications, to provide a necessary foundation for a functionality that they provide, or for other reasons. This may be referred to in terms of a client-server relationship, wherein a client application is a requestor of some functionality provided by a server application.
Application service providers are companies that host on their own servers various applications and store data for corporate subscribers. The subscribers use a local client application (e.g., a generic browser or specific lightweight client interface) to access the server based applications and data. This existing model is a two party transaction model between the local client and the server application.
However, the two party ASP model can be extended to a three-party transaction. In this model, a third party “client” application exists separately and independently of the server applications and subscriber data. The subscriber separately subscribes to the client application in order to obtain its functionality. For example, a subscriber may use a server-based accounting application provided by an accounting firm, and may store all of its data at the accounting firm's data server. In addition, the subscriber may have a separate relationship with a third party payroll provider, which hosts a payroll application. The subscriber may desire to have the payroll application access the subscriber's data at the accounting data server, thereby acting as a client application to the accounting server. There are several advantages to this architecture. For one, it is modular, and therefore flexible in terms of building and enhancing applications. It also provides an environment in which software developers can be encouraged to create different uses of the application, expanding existing markets and allowing penetration into new markets for the server application. The subscriber is free to choose different applications from different application providers, and yet keep its corporate data or information resident in a limited number of locations.
One continuing need with online applications is subscriber data management. In the two party transaction model, data management is relatively straightforward. The server application is configured to provide access only to authorized subscribers (users) who sign in through names and passwords. Because the service provider's applications are the only ones that can programmatically access the subscriber's data, there is little or no need for application level data security or management, since it is assumed that the service provider's applications are trusted.
Such is not the case in a three party model, where an independent, third party client application is attempting to access a subscriber's data at the service provider. Continuing the above example, first it is necessary for the server based accounting application to validate that the third party payroll application is authorized to access the subscriber's data. Second, even if the third party payroll application is authorized by a subscriber to communicate with the server based accounting application that controls the subscriber's corporate data, the subscriber might want to control the specific details of the payroll application's access to accounting data, and may further want to control access to such data in different ways for different users. Third, there is the converse problem of the third party application ensuring that its use by the subscriber on the server data is authorized, that is, that the subscriber is in fact a legitimate subscriber of the server application's functionality and data hosting services. These various distinct types of control and management are currently not met by conventional client-server systems.
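The three distinct checks described above (the server validating the client application, the subscriber scoping that application's access per user, and the client application confirming that the subscriber is legitimate at the server) can be modelled as one authorization decision. The following is an added illustration, not code from the patent or from any product it describes; the accounting server, payroll client, shared-secret request signing, subscriber ids and operation names are all constructed for the example, and a shared HMAC secret stands in for whatever registration mechanism a real deployment would use.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """Scope a subscriber has delegated to one client application for one of its users."""
    client_id: str
    user_id: str
    operations: frozenset


def _mac(secret: bytes, message: bytes) -> str:
    """HMAC-SHA256 over a message; used for request signing and the subscriber assertion."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class ServerApplication:
    """The hosting server (e.g. the accounting application) that controls subscriber data."""

    def __init__(self):
        self._client_secrets = {}   # client_id -> shared secret (constructed for this example)
        self._subscribers = set()   # ids of legitimate subscribers of this server
        self._grants = {}           # subscriber_id -> [Grant, ...]

    def register_client(self, client_id: str, secret: bytes):
        self._client_secrets[client_id] = secret

    def add_subscriber(self, subscriber_id: str):
        self._subscribers.add(subscriber_id)

    def delegate(self, subscriber_id, client_id, user_id, operations):
        """The subscriber grants a client application a specific scope for a specific user."""
        if subscriber_id not in self._subscribers:
            raise ValueError("unknown subscriber")
        self._grants.setdefault(subscriber_id, []).append(
            Grant(client_id, user_id, frozenset(operations)))

    def handle(self, request: dict, signature: str):
        """Return (allowed, reason, assertion); the assertion lets the client confirm the subscriber."""
        client_id = request["client_id"]
        secret = self._client_secrets.get(client_id)
        body = json.dumps(request, sort_keys=True).encode()
        # Check 1: the caller is a registered client application and signed this exact request.
        if secret is None or not hmac.compare_digest(_mac(secret, body), signature):
            return False, "client application not authorized", None
        subscriber_id, user_id, op = request["subscriber_id"], request["user_id"], request["operation"]
        if subscriber_id not in self._subscribers:
            return False, "unknown subscriber", None
        # Check 2: the subscriber delegated this operation, to this client, for this user.
        for grant in self._grants.get(subscriber_id, []):
            if grant.client_id == client_id and grant.user_id == user_id and op in grant.operations:
                # Check 3 (for the client's benefit): a signed statement that the subscriber is legitimate.
                assertion = _mac(secret, f"subscriber-ok:{subscriber_id}:{client_id}".encode())
                return True, "ok", assertion
        return False, "operation not granted by subscriber", None


class ClientApplication:
    """The independent third-party application (e.g. payroll) acting as a client of the server."""

    def __init__(self, client_id: str, secret: bytes, server: ServerApplication):
        self.client_id, self._secret, self._server = client_id, secret, server

    def access(self, subscriber_id: str, user_id: str, operation: str):
        request = {"client_id": self.client_id, "subscriber_id": subscriber_id,
                   "user_id": user_id, "operation": operation}
        signature = _mac(self._secret, json.dumps(request, sort_keys=True).encode())
        allowed, reason, assertion = self._server.handle(request, signature)
        if not allowed:
            return False, reason
        # The client refuses to proceed unless the server vouches that this subscriber is legitimate.
        expected = _mac(self._secret, f"subscriber-ok:{subscriber_id}:{self.client_id}".encode())
        if assertion is None or not hmac.compare_digest(expected, assertion):
            return False, "server did not confirm subscriber"
        return True, "ok"


def demo():
    """Wire up one server, one registered payroll client, one unregistered client, and run sample requests."""
    server = ServerApplication()
    server.register_client("payroll", b"payroll-shared-secret")      # constructed secret
    server.add_subscriber("acme")
    server.delegate("acme", "payroll", "alice", {"read:ledger"})     # alice may only read
    payroll = ClientApplication("payroll", b"payroll-shared-secret", server)
    unknown = ClientApplication("unknown-app", b"not-registered", server)
    return {
        "granted_read": payroll.access("acme", "alice", "read:ledger"),
        "ungranted_write": payroll.access("acme", "alice", "write:ledger"),
        "other_user": payroll.access("acme", "bob", "read:ledger"),
        "not_subscriber": payroll.access("globex", "alice", "read:ledger"),
        "unregistered_client": unknown.access("acme", "alice", "read:ledger"),
    }
```

Each denial in `demo()` maps to one of the three gaps the text identifies: the unregistered client fails the server's validation, the write and the other user fail the subscriber's per-user scope, and the unknown subscriber is refused before any assertion is produced for the client to rely on.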
Thus, while online applications allow great flexibility and other advantages, it would be desirable to allow subscribers improved control over the granting of access rights corresponding to their applications and underlying subscriber data.