1. Technical Field
The present invention relates in general to a system and method for integrating security roles across application boundaries. More particularly, the present invention relates to a system and method for expanding a security role by mapping an upstream security role to a downstream security role.
2. Description of the Related Art
Computer systems use various techniques for user authorization. A computer system typically authenticates and authorizes a user when the computer system receives a request from the user. For example, a user may access his bank account information and a banking application proceeds through a series of steps to authenticate and authorize the user, such as requesting a user identifier and a password from the user. The computer system may also require authorization to access downstream applications. Using the example described above, the banking application (i.e. upstream application) may call a downstream application to retrieve account information corresponding to the user's request whereby the downstream application requires user identification information in order to grant access.
Java 2 Enterprise Edition (J2EE) includes a security role-based access control mechanism for user request authorizations. A security role may be viewed as a collection of Enterprise Java Bean (EJB) method permissions along with read/write access permissions to URL pages. EJB beans and URL pages are packaged together into a J2EE application in order to build a functionality set that solves a business problem. System administrators map individual user identifiers as well as group identifiers to each security role in order to provide each user and group with required permissions to access business functions.
A challenge found with mapping users to applications, however, is that different developers or vendors create separate J2EE applications that are integrated into a larger business application. Security roles are typically defined within an application's boundary that, in turn, allows business applications to be developed in a modular fashion. For example, a business operation may be partitioned into a set of components and different groups may develop the components separately. A group that develops a particular module may not be aware of users that require access from other modules.
Furthermore, a challenge found with manually managing user-to-role mapping in a modular system for downstream applications is that it becomes non-trivial and complex. For example, a workflow user request may be handled by a number of J2EE applications. When this occurs, the user's identity is mapped to security roles corresponding to each application in order to provide the user with access.
What is needed, therefore, is a system and method that automatically maps an upstream application's security roles to a downstream application's required security role and, conversely, maps downstream application security roles to upstream security roles. Moreover, what is needed is a system and method to more effectively provide users with access across application boundaries.