Social networking services have become some of the most popular forms of online services. While currently individuals primarily sign up for social networking services for personal use, efforts are underway to leverage social media such as Facebook®, Twitter®, LinkedIn®, etc. for business use. Companies such as Hearsay Social® are developing products for growing businesses using social media, allowing company employees to use their online social presence and connections to market products, maintain customer relationships, etc. The multitude of social media platforms and their intrinsic nature as forums for individual users present a number of issues for corporate users.
One of the issues associated with harnessing social media for business purposes is the ease of use. Due to the number of individual social media platforms, an employee at a company often has to create and manage multiple accounts, resulting in poor ease of use.
Further, since the online presence is usually directly managed by individual employees (e.g., an insurance sales representative would manage his own Facebook® page), should the employee leave the company, the management would have little control over the accounts and may experience difficulties disassociating the company from the former employee's social media presence.
Another issue arises from the identification of online presence to actual individual persons. On a social media platform, there can be many users having the same/similar name. A company's management would want to have the ability to identify those who are actually affiliated with the company to ensure compliance (e.g., no improper advertising of financial services in violation with federal or state law, etc.). Presently, however, this is difficult to achieve.
Another issue is managing permissions to the accounts. The typical social media sites give “all or nothing” permissions; in other words, a user either has full control to all features such as posting, commenting, deleting, etc., or has no access to the account at all. An additional issue involves managing employees at different corporate branches/regions, which is difficult to do on existing social media platforms.
Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
An enterprise social media management platform supporting single sign-on is described. In some embodiments, a user of the enterprise social media management platform performs a one-time setup to link various social media assets to the enterprise social media management platform. In other words, various “social media identities” of the user that are established on various social media platforms are mapped to the user on the enterprise social media management platform. Credential information is stored so that when the user logs on again, he would gain automatic access to the previously configured social media assets. In some embodiments, the data structure used to support single sign-on is also used to allow individual permissions/privilege settings with respect to the social media assets. In some embodiments, hierarchical information with respect to the user is determined to facilitate monitoring, compliance, and content recommendation.
In this example, enterprise social media management platform 150 may be implemented using one or more computing devices such as a computer, a multi-processor system, a microprocessor-based system, a special purpose device, a distributed computing environment including any of the foregoing systems or devices, or other appropriate hardware/software/firmware combination that includes one or more processors, and memory coupled to the processors and configured to provide the processors with instructions. Enterprise social media management platform 150 offers software applications as services. Typically, organizations such as corporations subscribe to the services, and individuals affiliated with the organization are given permission to access the services. As used herein, subscribers refer to organizations subscribing to the services, and users refer to individuals who can access the services.
As will be described in greater detail below, users of the enterprise social media management platform are linked to a variety of social media assets 156 that are made available on various social media platforms 154. As used herein, a social media platform refers to an Internet based service that allows its members to communicate and provides facilities for such communication. Examples of social media platforms include social networking sites such as Facebook®, Twitter®, LinkedIn®, etc. A social media asset refers to content associated with the subscriber and/or its employees/affiliates that is present on various social networking sites or elsewhere. Examples of social media assets include a Facebook® profile of an insurance agent or a page associated with the insurance agent's business, a LinkedIn® profile of the agent, a Twitter® feed by the agent, a Yelp® review of the agent, etc. The social media assets may be created via the social media platforms directly (e.g., by logging on to Facebook® and directly creating a page), using applications provided by the enterprise social media management platform that interacts with the social media platforms via application programming interfaces (APIs) or other appropriate techniques. A social media asset conforms to the requirements of its corresponding social media platform, and is registered with the corresponding social media platform so it is available to others on the same social media platform (i.e., viewable or otherwise accessible by others, in particular by individuals with whom the asset creator has made connections).
The enterprise social media management platform provides a variety of applications for managing social media assets. In some embodiments, the enterprise social media management platform supports web-based applications that may be accessed by its users via a communications network 152 (e.g., the Internet) and offers these applications as services for its subscribers. An example enterprise social media management platform is offered by Hearsay Social, Inc., accessible via http://hearsaysocial.com. The subscribers can be a variety of organizations such as corporations, businesses and the like, and the users of the enterprise social media management platform can be the subscribers' employees or affiliates. For example, the subscribers may include a company (“Insurance Co.”) that employs a number of agents, a financial services company (“Finance Co.”) that employs a number of financial advisors, etc. In this case, the agents and financial advisors are users of the enterprise social media management platform.
User information is stored in a database 160 maintained by the enterprise social media management platform. As will be described in greater detail below, in some embodiments, the user information includes identification information for the user and login credentials (e.g., security tokens, user name/password combinations, etc.) for accessing social media assets associated with the user. In some embodiments, the user information also optionally includes permissions, corporate hierarchical information of the user, etc. In some embodiments, the enterprise social media management platform authenticates the users using their respective corporate accounts via the subscribers' corporate websites 158. For example, Insurance Co. manages its own website/portal for its own users (e.g., agents). When an agent, who is also an authorized user of the enterprise social media management platform, attempts to log on to the enterprise social media management platform, his logon request is redirected to the corporate website/portal for authentication. If authenticated, the user will be automatically authenticated on the enterprise social media management platform. If the user has not previously configured links to various social media assets, he will also be asked to enter authentication information for accessing social media assets on social media platforms. If the user has previously configured links to various social media assets, the enterprise social media management platform will automatically log him on to the social media platforms using the preconfigured information, so that he may access his social media assets via the enterprise social media management platform without having to enter any additional login information. Such a process, referred to as “single sign-on,” allows the user to log on once and gain access to his various accounts at the enterprise social media management platform and at the social media platforms.
Processor 102 is coupled bi-directionally with memory 110, which can include a first primary storage, typically a random access memory (RAM), and a second primary storage area, typically a read-only memory (ROM). As is well known in the art, primary storage can be used as a general storage area and as scratch-pad memory, and can also be used to store input data and processed data. Primary storage can also store programming instructions and data, in the form of data objects and text objects, in addition to other data and instructions for processes operating on processor 102. Also as is well known in the art, primary storage typically includes basic operating instructions, program code, data, and objects used by the processor 102 to perform its functions (e.g., programmed instructions). For example, memory 110 can include any suitable computer readable storage media, described below, depending on whether, for example, data access needs to be bi-directional or uni-directional. For example, processor 102 can also directly and very rapidly retrieve and store frequently needed data in a cache memory (not shown).
A removable mass storage device 112 provides additional data storage capacity for the computer system 100, and is coupled either bi-directionally (read/write) or uni-directionally (read only) to processor 102. For example, storage 112 can also include computer readable media such as magnetic tape, flash memory, PC-CARDS, portable mass storage devices, holographic storage devices, and other storage devices. A fixed mass storage device 120 can also, for example, provide additional data storage capacity. The most common example of mass storage 120 is a hard disk drive. Mass storage 112 and 120 generally store additional programming instructions, data, and the like that typically are not in active use by the processor 102. It will be appreciated that the information retained within mass storage 112 and 120 can be incorporated, if needed, in standard fashion as part of memory 110 (e.g., RAM) as virtual memory.
In addition to providing processor 102 access to storage subsystems, bus 114 can also be used to provide access to other subsystems and devices. As shown, these can include a display monitor 118, a network interface 116, a keyboard 104, and a pointing device 106, as well as an auxiliary input/output device interface, a sound card, speakers, and other subsystems as needed. For example, the pointing device 106 can be a mouse, stylus, track ball, or tablet, and is useful for interacting with a graphical user interface.
The network interface 116 allows processor 102 to be coupled to another computer, computer network, or telecommunications network using a network connection as shown. For example, through the network interface 116, the processor 102 can receive information (e.g., data objects or program instructions) from another network or output information to another network in the course of performing method/process steps. Information, often represented as a sequence of instructions to be executed on a processor, can be received from and outputted to another network. An interface card or similar device and appropriate software implemented by (e.g., executed/performed on) processor 102 can be used to connect the computer system 100 to an external network and transfer data according to standard protocols. For example, various process embodiments disclosed herein can be executed on processor 102, or can be performed across a network such as the Internet, intranet networks, or local area networks, in conjunction with a remote processor that shares a portion of the processing. Additional mass storage devices (not shown) can also be connected to processor 102 through network interface 116.
An auxiliary I/O device interface (not shown) can be used in conjunction with computer system 100. The auxiliary I/O device interface can include general and customized interfaces that allow the processor 102 to send and, more typically, receive data from other devices such as microphones, touch-sensitive displays, transducer card readers, tape readers, voice or handwriting recognizers, biometrics readers, cameras, portable mass storage devices, and other computers.
In addition, various embodiments disclosed herein further relate to computer storage products with a computer readable medium that includes program code for performing various computer-implemented operations. The computer readable medium is any data storage device that can store data which can thereafter be read by a computer system. Examples of computer readable media include, but are not limited to, all the media mentioned above: magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM disks; magneto-optical media such as optical disks; and specially configured hardware devices such as application-specific integrated circuits (ASICs), programmable logic devices (PLDs), and ROM and RAM devices. Examples of program code include both machine code, as produced, for example, by a compiler, or files containing higher level code (e.g., script) that can be executed using an interpreter.
The computer system shown in
At 202, an initial user access request is received at the enterprise social media management platform. In this example, the user access request (e.g., logon request) is sent by software running on the user's device (e.g., a browser or other client software) and is encoded as a Universal Resource Locator (URL) request that includes identification information about the particular subscriber organization with which he/she is affiliated (also referred to as the employer organization). In some embodiments, the request includes a subscriber identifier in the domain name or the path. For example, the request from an insurance agent at Insurance Co. may be directed to the URL of “insuranceco.hearsaysocial.com” or “hearsaysocial.com/insuranceco,” and the request from a financial advisor at Finance Co. may be directed to the URL of “financeco.hearsaysocial.com” or “hearsaysocial.com/financeco.” Any other appropriate ways for including identification information of the organization may also be used; for example, the identification information may also be encoded as a string or a parameter in the user request.
At 204, the server at the enterprise social media management platform redirects the user access request to the subscriber's server for authentication. In this example, the enterprise social media management platform and the subscriber's server cooperate to authenticate the user. In some embodiments, the enterprise social media management platform server parses the user request to determine the subscriber's identity. For example, if the request includes the identifier “insuranceco,” then the request is by a user affiliated with Insurance Co. and should be redirected to Insurance Co.'s web server. The enterprise social media management platform looks up a previously configured address that is located at the subscriber site for redirecting the request (e.g., “www.insuranceco.com/login”) and sends the redirected request.
Upon receiving the redirected request, the subscriber's server (e.g., corporate website server 158 of
In some embodiments, users with accounts on the subscriber's server have different levels of access to the enterprise social media management platform. For example, some organizations may permit only a subset of its users to access the enterprise social media management platform. Access may be controlled by the subscriber's server or on the enterprise social media management platform. For example, some subscriber systems use Active Directory to configure different access rules for different groups of users. When the redirected user request is received from the enterprise social media management platform, the server looks up the user's permission level in the Active Directory configuration and only allows authentication to proceed if the user has permission to access the enterprise social media management platform's services. In some embodiments, a list of permitted users is stored on the enterprise social media management platform and compared with the authentication result returned by the subscriber's server. Only permitted users who are successfully authenticated are allowed to proceed.
At 206, it is determined whether the authentication is successful. In this example, the indicator returned by the subscriber's server is examined to determine whether the user has logged on to the subscriber's site (and therefore the enterprise social media management platform) successfully. If the authentication is unsuccessful, the process terminates or the user is given another opportunity to re-login at 208. If the logon is successful, the process proceeds to 210.
During the setup process, at 210, the enterprise social media management platform determines the user's identity and obtains social media assets associated with this user. For example, when Bob Smith, an insurance agent from Insurance Co. logs on to the enterprise social media management platform, the platform will attempt to link various social media assets (e.g., profiles or accounts) that may be associated with Bob at various social media platforms. The platform may establish the links via automatic discovery (e.g., identifying profiles/pages/accounts/etc. associated with the name Bob Smith) and/or user input (e.g., Bob enters profiles or accounts he has created). User interfaces for establishing links between the user's identity and various social media assets are displayed to the user. The user may establish links between his identity and social media assets he deems to be pertinent to the organization and omit irrelevant ones. For example, Bob may choose to establish a link between a profile of his insurance business and his account on the enterprise social media management platform, but omit a page dedicated to his personal hobbies. The established link information is stored at the enterprise social media management platform (e.g., in a database such as 160).
In this example, the user first selects to connect to Facebook®. The enterprise social media management platform redirects the user to Facebook, where they log in to Facebook and grant permissions to the enterprise social management platform. The user interface of
Other social media platforms also provide similar interfaces for access. For example,
Once successfully authenticated, the social networking sites provide authentication information such as token information via their respective APIs. The authentication information is saved by the enterprise social media management platform to be used for future access. Once the user's access to the enterprise social media management platform and various social media platforms is set up, he can sign on once to the subscriber's server or the enterprise social media management platform, and access multiple social media platforms and social media assets on these platforms.
In addition, the support built into the enterprise social media management platform for the single sign-on feature is also used to allow the platform to automatically control permission levels for the social media assets by different users. In some embodiments, the permission levels are configured at the subscriber's server using a directory service (e.g., Active Directory® by Microsoft®). For example, the insurance company management may determine that all insurance sales representatives have posting, viewing (both of the page itself and analytics pertaining to the page) and deletion privileges to a Facebook® page pertaining to the company, but the representatives' assistants only have viewing privileges of the page itself and page analytics. Thus, at the subscriber's server, within Active Directory service, permission rules specifying these permission levels are configured by a system administrator. In some embodiments, the rules are propagated to the enterprise social media management platform, and the permission levels of a social media asset for particular users are stored. In some embodiments, Active Directory service is queried when the enterprise social media management platform needs to determine the permission level associated with a user.
An example of social identity to user identity mapping is illustrated in
The last row, “Token,” stores the security token (e.g., OAuth token) used by the subscriber's server or the social media platform to authenticate the user's account. The tokens are obtained at setup time when the user logs on to the subscriber site or the social media website using application programming interfaces (APIs) for obtaining security tokens. In some embodiments, 202-208 of process 200 are substantially the same for the setup process and for the user logon process. Once the user logs on successfully, when permitted actions are conducted by the user with respect to various social media assets on social media platforms, the token information may be sent to the social media platforms to indicate that the user is authorized and has permission to perform these actions.
In
In
At 502, the identification information for a user at the enterprise social media management platform is obtained. The information may be obtained, for example, when the user successfully logs on and the subscriber's server returns user identifier information.
At 504, a request by the user to perform an action on a social media asset is received. In some embodiments, the request is sent by the user via a user interface provided by the enterprise social media management platform's applications. For example, the user may indicate that he wishes to post to a particular Facebook® page (e.g., “Insurance 101”).
At 506, it is determined whether the user has permission to perform the action on the social media asset. In some embodiments, to make the determination, the identifier of the social media asset is obtained based on the request, and the stored social media asset and user permission level mapping is looked up for the social media asset.
In some embodiments, a table such as the one shown in
Next, Bob Smith (who has an ESMMP ID of 001) is attempting to post to the same page. In the example shown, the corresponding table entry would indicate that Bob has posting privileges and therefore is allowed to proceed at 510. The enterprise social media management platform cooperates with the social media platform, using APIs provided by the social media platform to complete the action. For example, the application executing on the enterprise social media management platform may invoke a function implementing a Facebook Connect® API for sending a message requesting information to be posted to the Facebook® page “Insurance 101.” Security token information may be obtained from, for example, the table in
In some embodiments, the enterprise social media management platform proxies the user's request with the social media platforms to allow for more granular access control than default access control provided by the social media platforms. For example, on many existing social media platforms, users either have no privilege at all with respect to an asset or have full privileges to edit, delete, view, etc. To enable finer grained access, the enterprise social media management platform proxies the user's request by examining the user's privilege level, only permitting allowed requests to proceed, and modifying the request such that the modified request appears to be originated from a user with access privileges. For example, assistant Charlie sends a request to view analytics of a private Facebook® page set up by Bob. The enterprise social media management platform receives the request, determines that Charlie has viewing privileges, and sends a modified request to Facebook® that appears to be originated from Bob's account. This way, Charlie can view the analytics information even if Bob has not granted him the privilege to do so via Facebook®. Requests exceeding the requester's privilege level (for example, if Charlie makes a request to delete the page to which he has no delete privileges) are detected and prohibited.
The configurable permissions allow the corporations to have greater control over the privilege levels of their users. For example, by configuring Active Directory settings, a corporate administrator can set/unset different user access privilege levels to various social media assets, enabling new employees to have instant access and disabling former employee's access without having to log on to each social media platform and individually reconfigure access levels.
In some embodiments, the enterprise social media management platform uses the existing infrastructure for single sign-on to monitor social networking activities. The corporation may set up certain policies such as the types of advertising activities that are permitted on social networking sites, prohibited keywords in postings, etc. In some embodiments, the enterprise social media management platform is configured to monitor activities on social media assets linked to the corporation's users. Techniques such as rule matching and keyword filtering may be applied to detect violations. If activities in violation of the policies are detected, the owner of the social media assets in question or other appropriate personnel at the corporation may be notified, so that actions may be taken to ensure compliance. In some embodiments, the enterprise social media management platform is configured to independently monitor various social media assets. If any inappropriate activity is detected, the identifier associated with the social media asset is looked up in the user information database on the enterprise social media management platform to determine whether the activity is associated with a user of the platform. For example, the monitoring process may detect that a user with Facebook® identifier of 2319982 has made an inappropriate comment on someone's wall. Based on, for example, the table shown in
In some embodiments, the support built into the enterprise social media management platform for the single sign-on feature is additionally used to allow the platform to determine the user's role within the corporation's hierarchy, and suggest certain content based on the hierarchical information. In some embodiments, the corporate server maintains hierarchical information for its users using techniques such as Active Directory. During the setup process, the corporate web server returns to the enterprise social media management platform additional information regarding the user's position within the corporate hierarchy. For example, Insurance Co. organizes its corporate hierarchy according to geographical locations, where each agent is assigned a state, a district, and an agent identifier. Upon successful user authentication, Insurance Co.'s webserver returns hierarchical information regarding the user's state and district, agent identifier, etc. The information is encoded according to a predefined format. The enterprise social media management platform is configured to parse the encoded information and stores the hierarchical information in the user database (using its own format if appropriate). The hierarchical information can be used to suggest content to the user.
For example, when Bob Smith initially logs on to Hearsay Social's website via redirection to Insurance Co's web server, the latter web server sends hierarchical information indicating that Bob is in the state of California, district 7. Based on the hierarchical information, the enterprise social media management platform can provide appropriate content to the user. For example, the corporation may wish to deliver certain content that is appropriate only for district 7 in California (e.g., an advertising campaign that says “Happy Labor Day, Be Safe on Lake Tahoe”). The platform can be used to identify targeted users such as Bob based on their hierarchical information and send the content only to these users.
In some embodiments, the social media assets are also assigned hierarchical positions. For example, social media assets linked to Bob, such as the “Insurance 101” page and Bob's twitter feed, can be assigned hierarchical information by Bob via a configuration interface. In some embodiments, the system automatically associates the social media assets linked to Bob to have the same hierarchical position as Bob (in this case, California, district 7). Later, when another user, Dan (who is also in California, district 7) logs on, the platform can recommend social media assets within the same hierarchical position (such as the “Insurance 101” page and Bob's twitter feed) to Dan, as well as recommend social media assets linked to Dan to other users within the same hierarchical position (e.g., Bob).
Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.
Number | Name | Date | Kind |
---|---|---|---|
6205453 | Tucker et al. | Mar 2001 | B1 |
6850895 | Brodersen et al. | Feb 2005 | B2 |
8370244 | Daly | Feb 2013 | B1 |
20030040995 | Daddario et al. | Feb 2003 | A1 |
20030229783 | Hardt | Dec 2003 | A1 |
20040148195 | Kalies | Jul 2004 | A1 |
20060048224 | Duncan et al. | Mar 2006 | A1 |
20060080397 | Chene et al. | Apr 2006 | A1 |
20060123234 | Schmidt | Jun 2006 | A1 |
20060174017 | Robertson | Aug 2006 | A1 |
20080242221 | Shapiro et al. | Oct 2008 | A1 |
20080282324 | Hoal | Nov 2008 | A1 |
20080313714 | Fetterman et al. | Dec 2008 | A1 |
20090100469 | Conradt et al. | Apr 2009 | A1 |
20090132519 | Rathod et al. | May 2009 | A1 |
20090171686 | Eberstadt | Jul 2009 | A1 |
20090182664 | Trombley | Jul 2009 | A1 |
20090222449 | Hom et al. | Sep 2009 | A1 |
20100077208 | Appiah et al. | Mar 2010 | A1 |
20100114935 | Polo-Malouvier et al. | May 2010 | A1 |
20110022812 | van der Linden et al. | Jan 2011 | A1 |
20110138304 | Ungerman | Jun 2011 | A1 |
20110145064 | Anderson | Jun 2011 | A1 |
20110178869 | Ravichandran et al. | Jul 2011 | A1 |
20110179119 | Penn | Jul 2011 | A1 |
20110246476 | Macklem et al. | Oct 2011 | A1 |
20120011432 | Strutton | Jan 2012 | A1 |
20120036245 | Dare et al. | Feb 2012 | A1 |
20130014223 | Bhatia et al. | Jan 2013 | A1 |
20130036034 | Karon et al. | Feb 2013 | A1 |
20130074179 | Das | Mar 2013 | A1 |
20130086189 | Elleouet et al. | Apr 2013 | A1 |
Number | Date | Country |
---|---|---|
2224385 | Sep 2010 | EP |
Entry |
---|
Kruk et al., “D-FOAF: Distributed Identity Management with Access Rights Delegation”, 2006. |
Krolo et al., “Security of Web Level User Identity Management”, Croatian Society for Information and Communication Technology, Electronics and Microelectronics—MIPRO 2009. |
Number | Date | Country | |
---|---|---|---|
20130110922 A1 | May 2013 | US |