This invention generally relates to managing user access to computer applications; and more specifically, to methods and systems for creating access definitions.
In many situations, computer applications are often designed for limited or restricted access. Present procedures for managing access to applications are not completely satisfactory for a number of reasons. For instance, when developing applications, developers must build functions within each application that manage access to the applications. Many times this entails duplicating the same functions regarding identifying users and groups of users, and mapping these to what access they can perform.
Also, when administrators want to provide user access to a group of applications, those administrators must work with each application individually to define that access. In addition, with typical applications, access constructs such as groups and roles cannot be shared across applications, and these constructs must be defined within each application in the proprietary manner that the application supports.
An object of this invention is to improve methods and systems for managing access to computer applications.
Another object of the present invention is to manage access to several applications using one controlling application that receives, through a defined protocol, the data elements needed to provide that access.
A further object of this invention is to create single definitions for access constructs such as groups and roles that can be used across many applications.
A still another object of the present invention is to manage access control from one controlling application, with that controlling application sharing these access definitions back to the application being controlled via a defined protocol and format.
These and other objectives are attained with a method and system for controlling access to a source application. The method comprises the steps of providing a controlling application, and binding the source application to the controlling application to allow the controlling application to change access to the source application. Information is passed from the source application to the controlling application to identify the source application and reference data to define access to the source application, and group and role definitions are constructed within the controlling application. An access definition is created by assigning a user access to the source application based on the group and role definitions and the reference data, and that access definition is exported to the source application.
The preferred embodiment of this invention provides a single controlling application and set of protocols whose functions, among others, allow for the binding of a source application with the controlling application so as to form a handshake or agreement that the controlling application has the ability to change access to the source application. Also, with this preferred embodiment, the source application provides what reference data it wants to the controlling application to use in defining access definitions. This reference data are passed via a defined protocol that allows the source application to define and enumerate reference data that it wants to use in controlling access.