Methods, systems, and computer readable media for authorization frameworks for web-based applications

What is claimed is: 1 . A method performed by a server comprising one or more computers, the method comprising: executing an application tier of an enterprise software application for receiving a plurality of Application Programming Interface (API) calls from a user device presenting a graphical user interface (GUI) for a presentation tier of the enterprise software application in a web browser, and for responding to the API calls; and executing an application tier security controller for checking the API calls against a mapping that maps each API call into a respective group with a respective user interface (UI) element of the GUI and a respective security key, and for authorizing user access to the application tier based on checking the API calls against the mapping. 2 . The method of claim 1 , wherein each security key specifies an authorization policy for both the UI element and the API call associated with the security key, and wherein checking the API calls against the mapping comprises comparing a user role of an authenticated user with one or more authorized roles specified by the authorization policy. 3 . The method of claim 1 , wherein the GUI includes a controlled group of UI elements specified in the mapping and an uncontrolled group of UI elements not specified in the mapping. 4 . The method of claim 3 , wherein executing the application tier security controller comprises receiving an instruction to add a first UI element from the uncontrolled group to the controlled group and, in response, creating a group for the first UI element in the mapping. 5 . The method of claim 4 , wherein creating the group for the first UI element comprises associating a first API call and a first security key with the first UI element. 6 . The method of claim 4 , wherein creating the group for the first UI element comprises creating the group without modifying software of the enterprise software application or without causing a system outage of the enterprise software application. 7 . The method of claim 1 , wherein checking the API calls against the mapping comprises checking the API calls against individual attributes of input and/or output payloads of the API calls. 8 . The method of claim 1 , wherein checking the API calls against the mapping comprises checking for conditional or unconditional restrictions specified in the mapping. 9 . The method of claim 1 , wherein checking the API calls against the mapping comprises consulting an external data source when specified by the mapping to successfully evaluate a security policy of the enterprise software application. 10 . The method of claim 1 , wherein executing the application tier security controller comprises storing, in a cache, an authorization policy, the mapping, and a plurality of keys specified in the mapping, and refreshing the cache in response to determining that the authorization policy or one of the keys has been changed. 11 . A server comprising: one or more processors; an application tier of an enterprise software application executable by the one or more processors for receiving a plurality of Application Programming Interface (API) calls from a user device presenting a graphical user interface (GUI) for a presentation tier of the enterprise software application in a web browser, and for responding to the API calls; and an application tier security controller executable by the one or more processors for checking the API calls against a mapping that maps each API call into a respective group with a respective user interface (UI) element of the GUI and a respective security key, and for authorizing user access to the application tier based on checking the API calls against the mapping. 12 . The server of claim 11 , wherein each security key specifies an authorization policy for both the UI element and the API call associated with the security key, and wherein checking the API calls against the mapping comprises comparing a user role of an authenticated user with one or more authorized roles specified by the authorization policy. 13 . The server of claim 11 , wherein the GUI includes a controlled group of UI elements specified in the mapping and an uncontrolled group of UI elements not specified in the mapping. 14 . The server of claim 13 , wherein executing the application tier security controller comprises receiving an instruction to add a first UI element from the uncontrolled group to the controlled group and, in response, creating a group for the first UI element in the mapping. 15 . The server of claim 14 , wherein creating the group for the first UI element comprises associating a first API call and a first security key with the first UI element. 16 . The server of claim 14 , wherein creating the group for the first UI element comprises creating the group without modifying software of the enterprise software application or without causing a system outage of the enterprise software application. 17 . The server of claim 11 , wherein checking the API calls against the mapping comprises checking the API calls against individual attributes of input and/or output payloads of the API calls. 18 . The server of claim 11 , wherein checking the API calls against the mapping comprises checking for conditional or unconditional restrictions specified in the mapping. 19 . The server of claim 11 , wherein checking the API calls against the mapping comprises consulting an external data source when specified by the mapping to successfully evaluate a security policy of the enterprise software application. 20 . The server of claim 11 , wherein executing the application tier security controller comprises storing, in a cache, an authorization policy, the mapping, and a plurality of keys specified in the mapping, and refreshing the cache in response to determining that the authorization policy or one of the keys has been changed. 21 . One or more non-transitory computer readable media storing instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: executing an application tier of an enterprise software application for receiving a plurality of Application Programming Interface (API) calls from a user device presenting a graphical user interface (GUI) for a presentation tier of the enterprise software application in a web browser, and for responding to the API calls; and executing an application tier security controller for checking the API calls against a mapping that maps each API call into a respective group with a respective user interface (UI) element of the GUI and a respective security key, and for authorizing user access to the application tier based on checking the API calls against the mapping.