The following invention relates generally to defining user access to computer systems, and in particular, to the ability to define selectively and flexibly the limits of each of a plurality of users"" access to the features of one or more applications capable of being run on a computer system.
In an environment such as a shared-resource service bureau environment, where many employees and/or clients have access to a computer system capable of running numerous applications, it is often desirable to have the ability to restrict access by certain users or classes of users to one or more features of such applications. As used herein, the term xe2x80x9cfeaturesxe2x80x9d includes any of the nearly infinite possible application functions such as, by way of example, accessing data from database tables, generating, viewing and printing reports, and sending and/or receiving e-mail.
Presently, such flexibility in restricting user access is unavailable. With respect to restricting access to data, one method presently employed by Oracle(copyright) Corporation in its database programs is to limit, at the database level, a user""s ability to access particular data tables. Oracle(copyright) Corporation accomplishes this by providing for the assignment of xe2x80x9crolesxe2x80x9d to users which restrict access, not specifically to the data itself, but to the tables holding the data.
The need for more flexibility in restricting access to application features, including the data access feature restricted by the Oracle(copyright) roles, can be illustrated by a simple example. The following is a hypothetical data table of confidential financial transactions made by clients A, B and C on the morning of Jun. 15, 1998, where WDRWL indicates a withdrawal, DPST indicates a deposit, and PYMNT indicates a payment.
In order to prepare a report regarding the confidential transactions of only client A for the month of June, one needs access to the data in rows 1, 4 and 6, but not rows 2, 3, 5 and 7. Since this data is highly sensitive, restriction of access to the data pertinent only to the assignment (i.e., reporting of client A""s transactions) is highly desirable.
In addition, the application used to prepare a report of A""s past transactions may have the ability to generate several different types of reports, including reports projecting future performance in addition to showing past performance. Depending on who is given the assignment, it may not be desirable to permit access to both types of report-generating abilities. It may also be undesirable to permit printing of the reports generated.
In accordance with the present invention, one or more xe2x80x9cattributesxe2x80x9d are assigned to users of a computer system capable of running numerous applications. Each attribute is a name-value pair wherein the name designates the application feature or features to which access is being defined (e.g., accessing data, generating reports) and the value sets the limits of access (e.g., all or some data). Attributes may be assigned in groups to eliminate the burden of preparing individual attribute assignments for each user.
In accordance with the invention, a system and method are provided for defining a user""s ability to run at least one feature of an application. According to the system and method, a user is assigned at least one attribute. The attributes are stored in a table in a database. An application is run by the user and the attributes assigned to the user are retrieved. The attributes are enforced by the application such that the user""s access to the features of the application is defined in accordance with the retrieved attributes.
In accordance with a further aspect of the invention, a system and method for defining a user""s ability to run at least one feature of an application are provided wherein a group is assigned at least one attribute, and the group is assigned to a user. The group is stored in a table in a database. An application is run by the user and the group assigned to the user is retrieved. The attributes assigned to the group are enforced by the application such that the user""s access to the features of the application is defined in accordance with the retrieved attributes.
It is therefore an object of the present invention to provide the ability to selectively define access to application features available to a given user or group of users of a computer system.
It is a further object of the present invention to provide greater flexibility than is presently available in the ability to restrict user access to data contained in table-oriented databases.
For a better understanding of the present invention, together with other and further objects, reference is made to the following description, taken in conjunction with the accompanying drawings and its scope will be pointed out in the appended claims.