For security or other reasons (e.g., managing loads), a computer system may limit user access to data on the system, or otherwise control user actions or operations on the system. Users may be authenticated and authorized to access only certain data, or may be granted privileges to take only certain actions on the computer systems.
A computer system may use object-oriented technology and may make processes and data available in the form of objects (e.g., file and folder types). The computer system may deploy an access control list (ACL)-based security model to govern authorization processes to grant users access to or privileges to manipulate (e.g., read, write, copy, delete, etc.) objects in the computer system. An ACL, with respect to a computer file system, is a list of permissions or authorizations attached to an object. An ACL specifies which users or system processes are authorized to access the objects and what operations are allowed on given objects. Each “authority” entry for an object in a typical ACL specifies a subject and an operation.
An organization may deploy a large computer system (e.g., an enterprise resource planning system) to integrate diverse business processes (e.g., finance, HR, manufacturing, warehouse, etc.). Considerable effort can go into establishing business object authorities or ACL settings for user access to and user privileges for various actions on the diverse business objects in the large computer system. When a user requests access to or an action on an object in the computer system, the computer system's operating system first checks the ACL for an applicable entry to decide whether the requested access or action is authorized. The user authorities or ACL settings that apply to business objects (e.g., files or folders) are also applicable to business object attachments (a user's travel expense report or invoice) when users seek access to or actions on them directly from the organization's computer system.
With emergence of new technologies such as cloud computing and increasing mobile consumption of computer applications, users can seek access to or actions on business object attachments from computing environments other than the organization's computer system. There is a need is to simplify application of user authorities or ACL settings for user access to and actions on the business object attachments from the other computing environments.
In general, security and authorization mechanisms, which control access to operations or data in the computer systems, can be both direct and indirect. A computing system may conduct direct security checks of user credentials or authorization profiles (e.g., authentication identification codes (IDs) and passwords) at an attachment interface or facility (e.g., a log-in screen, at a firewall etc.)) before users can attach (i.e. gain access) to a resource (e.g., individual files or data objects, computer devices, network connections, computer programs, applications, and functionality provided by computer applications, etc.) of the computing system.