Unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Embodiments relate to software security, and in particular, to a catalog authorizing user access to multiple grouped software applications.
Enterprises increasingly rely upon software programs to perform a number of complex tasks. Example functions performed by various such software programs can include, but are not limited to, Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), and a host of others.
While different software applications may be utilized in these roles, they often share one or more functions and/or underlying data structures (e.g., business objects) stored in a database. And, separate security mechanisms are typically required to ensure secure user access to each such software application.
However, fine-grained checks, together with checks on business objects and functions called internally (secondary authorizations), can result in large and potentially confusing authorization profiles. Moreover, as such authorization profiles can be globally valid and compound cumulatively, it may become difficult to control exactly what a particular user actually can (or cannot) do within the system.
In particular, customer administrators may be forced to maintain a large number of different roles with static, manual definition of authorization values for each tuple of organizational and functional aspects. And, instance-based authority checks may be performed on the application server. This calls for a superset of available records to be loaded into the application server. Record-by-record processing is thus needed to determine if a record should be accessible to a user.
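The two behaviours described above (authorization values that compound cumulatively across roles, and instance-based checks that load a superset of records into the application server and filter them one by one) are illustrated by the following added example. It is not part of the patent text; the role names, the (object, activity, org-unit) tuple shape, and the sample records are constructed assumptions chosen only to make the effect visible.

```python
"""Added illustration (not part of the patent text): how cumulative
authorization profiles and application-server-side instance checks behave.
All roles, records and role assignments below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One authorization value: an (object, activity, org-unit) tuple.
    The tuple shape is an assumption made for this example."""
    obj: str        # business object, e.g. "SalesOrder"
    activity: str   # e.g. "display" or "change"
    org_unit: str   # organizational aspect; "*" means any org unit


@dataclass
class Role:
    name: str
    authorizations: frozenset


def effective_profile(roles):
    """Authorizations compound cumulatively: the effective profile is the
    union of every assigned role's values.  Nothing in the union records
    which role contributed a value, which is why it becomes hard to tell
    what a user can actually do once many roles are assigned."""
    profile = set()
    for role in roles:
        profile |= role.authorizations
    return profile


def has_authority(profile, obj, activity, org_unit):
    """Instance-based authority check for a single record."""
    return any(a.obj == obj and a.activity == activity
               and a.org_unit in ("*", org_unit)
               for a in profile)


def filter_records(profile, records):
    """The pattern the text describes: the application server first holds a
    superset of records and then decides record by record which ones the
    user may see.  Returns (visible_records, number_of_checks_performed) so
    the per-record cost is observable."""
    visible = []
    checks = 0
    for rec in records:
        checks += 1
        if has_authority(profile, rec["obj"], "display", rec["org_unit"]):
            visible.append(rec)
    return visible, checks


# --- constructed sample data (hypothetical roles and records) ---
SALES_READER = Role("sales_reader",
                    frozenset({Authorization("SalesOrder", "display", "DE01")}))
SUPPORT = Role("support",
               frozenset({Authorization("SalesOrder", "display", "*")}))

RECORDS = [
    {"id": 1, "obj": "SalesOrder", "org_unit": "DE01"},
    {"id": 2, "obj": "SalesOrder", "org_unit": "US02"},
    {"id": 3, "obj": "Invoice",    "org_unit": "DE01"},
]


def grant_widening_example():
    """Shows that adding the 'support' role silently widens the reader from
    one org unit to all of them: the narrower DE01 restriction carried by
    'sales_reader' no longer limits anything, and every record in the
    superset is still checked individually."""
    narrow, _ = filter_records(effective_profile([SALES_READER]), RECORDS)
    wide, checks = filter_records(effective_profile([SALES_READER, SUPPORT]),
                                  RECORDS)
    return [r["id"] for r in narrow], [r["id"] for r in wide], checks


if __name__ == "__main__":
    print(grant_widening_example())  # ([1], [1, 2], 3)
```

Reviewing a user's access here means reviewing the union, not any single role: the DE01 restriction is still present in the profile but has no effect once a wildcard value from another role is added, and the server still performs one check per loaded record regardless of how many it will ultimately return.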