Provisioning access to customer organization data in a multi-tenant system

摘要

Methods and systems are described for providing support representative access to applications deployed in an enterprise network environment. An access provisioning system defines a support user class in a user profile database for an application executed on an organization partition within the network. The support user is granted read only privileges to metadata of the application. An organization administrator can grant support personnel access to the application as a support user, thus the ability to view, analyze, and possibly modify the metadata. The access provisioning system generates a Security Assertion Markup Language (SAML) assertion upon request by the support personnel to enable access to the data to the extent of the granted privileges. The SAML protocol includes authentication of the support representative as an authorized support user within the system.