1. Field of the Invention
The present invention pertains to computer-implemented methods and systems for controlling access and authorization rights with respect to enterprise data, applications and other objects across users' authorization levels.
2. Description of the Related Art
Oftentimes, controlling users' rights to access enterprise data and/or other electronic resources (data and programs with diverse privileges and access rights, including all subdivisions) relies entirely on user authentication (verifying the user's identity to ensure that the person or mechanism is who or what he, she or it purports to be). There are several means of securing authentication, including passwords, smart cards, certificates, and even biometric measurements such as retinal scans or voice recognition. Of these, certificates and digital signatures, smart cards, and biometrics are referred to as “strong” levels of security, while ordinary password-protected access is deemed “weak” by typical financial institutions and security experts. Although current authentication protocols are robust and allow for little or no ambiguity, authentication alone is not sufficient to define and enforce the rights that individuals may have with respect to such resources. In contrast, authorization is not handled sufficiently well to keep applications from frequently contradicting one another or working at cross purposes as to a given user's authorization with respect to a company's security protocol for given data or other program resources.
Moreover, users' authorization levels are not static. Often, such authorization levels change as a result of promotions, demotions, suspensions or terminations or as a result of an employee's “need to know” while working on a specific project. Authentication and authorization are not only important within the context of authorizing payments or making contracts that act to bind the company. Indeed, the more mundane day-to-day access to data, programs and other electronic resources should follow a user's role and hierarchical position within the company. That is, companies often want to limit access to selected data resources to a predetermined user or to a predetermined class of users. For example, users that may have a legitimate need to access data concerning their assigned product line or clients may have no such legitimate need to access data relating to product lines and/or customers that are outside of their sphere of responsibility. Moreover, even properly authenticated users that may have a legitimate need to access particular data resources may have a legitimate interest only in viewing the data, but may not have a commensurate legitimate interest to enter new data or to change existing data. Finally, individual users may very well have characteristics, such as either a long tenure with the company or a short one, which would lead the company's security protocol to require different authorization levels. A very important example of this is security clearance, which may not be inferred from other authorization element values.
What are needed, therefore, are methods and systems for ensuring strong authorization. In particular, what are needed are methods and systems to ensure that those who seek to access such electronic resources are, in fact, authorized to originate such actions and to access such resources and that such access is appropriate, according to the company's security protocols. What are also needed are methods and systems for strong and quantifiable authorization that are operable in a distributed networked computing environment.