Multi-tenant identity and data security management cloud service

US 10,218,705 B2
Filed: 09/22/2017
Issued: 02/26/2019
Est. Priority Date: 05/11/2016
Status: Active Grant

First Claim

Patent Images

1. A system for providing cloud-based identity and access management, comprising:

a first data partition of a data source storing data for a first tenancy and a second data partition of the data source storing data for a second tenancy, wherein the first data partition is isolated from the second data partition;

one or more processors coupled to a storage device comprising instructions that, when executed by the one or more processors, are configured to;

receive a request from a client for an identity management service;

authenticate the request;

access a microservice based on the request;

determine, at the microservice based on the request, that a user related to the request comprises the first tenancy and a resource related to the request comprises the second tenancy, wherein the first tenancy and the second tenancy are determined from among a plurality of tenancies;

retrieve, by the microservice, data from at least one the first data partition based on the first tenancy or the second data partition based on the second tenancy, wherein a runtime binding with the first data partition is established when data is retrieved in a context of the first tenancy and a runtime binding with the second data partition is established when data is retrieved in a context of the second tenancy; and

perform the identity management service using the retrieved data at the microservice.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system provides cloud-based identity and access management. The system receives a request from a client for an identity management service, authenticates the request, and accesses a microservice based on the request. The system determines, based on the request, a tenancy of the client, a tenancy of a user, and a tenancy of a resource. The system retrieves data from the determined tenancies as required to process the request, where the data is retrieved by the microservice using a connection pool that provides connections to the database. The system then performs the identity management service by the appropriate microservice responsible for processing the received request.

102 Citations

View as Search Results

20 Claims

1. A system for providing cloud-based identity and access management, comprising:
- a first data partition of a data source storing data for a first tenancy and a second data partition of the data source storing data for a second tenancy, wherein the first data partition is isolated from the second data partition;
  
  one or more processors coupled to a storage device comprising instructions that, when executed by the one or more processors, are configured to;
  
  receive a request from a client for an identity management service;
  
  authenticate the request;
  
  access a microservice based on the request;
  
  determine, at the microservice based on the request, that a user related to the request comprises the first tenancy and a resource related to the request comprises the second tenancy, wherein the first tenancy and the second tenancy are determined from among a plurality of tenancies;
  
  retrieve, by the microservice, data from at least one the first data partition based on the first tenancy or the second data partition based on the second tenancy, wherein a runtime binding with the first data partition is established when data is retrieved in a context of the first tenancy and a runtime binding with the second data partition is established when data is retrieved in a context of the second tenancy; and
  
  perform the identity management service using the retrieved data at the microservice.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the one or more processors are further configured to:
    - determine, based on the request, a third tenancy of the client, wherein a third data partition of the data source stores data for the third tenancy; and
      
      retrieve data from at least one of the first data partition, the second data partition, or the third data partition at the microservice, wherein the first data partition, the second data partition, and the third data partition are isolated from one another.
  - 3. The system of claim 1, wherein the data is retrieved by the microservice using a connection pool that provides connections to the data source such that the microservice uses a proxy user context configure a connection in the connection pool and the proxy user context represents a tenancy in the data source.
  - 4. The system of claim 1, wherein the identity management service includes obtaining an access token for the user to access the resource, wherein the token identifies the first tenancy and the second tenancy.
  - 5. The system claim 1, wherein the isolated first and second data partitions comprise physically different databases per tenancy.
  - 6. The system of claim 1, wherein the microservice comprises a stateless OAuth microservice and the data source and the microservice are configured to scale independently of one another.
  - 7. The system of claim 1, wherein the second data partition is isolated from the first data partition such that data from the second data partition cannot be accessed using a runtime binding with the first data partition.
  - 8. The system of claim 1, wherein a runtime binding with one of the first data partition or the second data partition is established on a per request basis.
  - 9. The system of claim 8, wherein establishing a runtime binding with the first data partition comprises configuring an existing connection with the data source in the context of the first tenancy and establishing a runtime binding with the second data partition comprises configuring an existing connection with the data source in the context of the first tenancy.

10. A non-transitory computer readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide cloud-based identity and access management, the providing comprising:
- receiving a request from a client for an identity management service;
  
  authenticating the request;
  
  accessing a microservice based on the request;
  
  determining, based on the request, a first tenancy of a user related to the request and a second tenancy of a resource related to the request, wherein the first tenancy and second tenancy are determined from among a plurality of tenancies;
  
  retrieving data from at least one of a first data partition of a data source for the first tenancy or a second data partition of the data source for the second tenancy, wherein the first data partition is isolated from the second data partition, and a runtime binding with the first data partition is established when data is retrieved in a context of the first tenancy and a runtime binding with the second data partition is established when data is retrieved in a context of the second tenancy; and
  
  performing the identity management service by the microservice using the retrieved data.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The non-transitory computer readable medium of claim 10, wherein the providing further comprises:
    - determining, based on the request, a third tenancy of the client;
      
      retrieving data from at least one of the first data partition, the second data partition, or a third data partition of the data source for the third tenancy, wherein the first data partition, the second data partition, and the third data partition are isolated from one another.
  - 12. The non-transitory computer readable medium of claim 10, wherein the data is retrieved by the microservice using a connection pool that provides connections to the data source such that the microservice uses a proxy user context to configure a connection in the connection pool and the proxy user context represents a tenancy in the data source.
  - 13. The non-transitory computer readable medium of claim 10, wherein the identity management service includes obtaining an access token for the user to access the resource, wherein the token identifies the first tenancy and the second tenancy.
  - 14. The non-transitory computer readable medium claim 10, wherein the isolated first and second data partitions comprise physically different databases per tenancy.
  - 15. The non-transitory computer readable medium of claim 10, wherein the microservice comprises a stateless OAuth microservice and the data source and the microservice are configured to scale independently of one another.

16. A method of providing cloud-based identity and access management, comprising:
- receiving a request from a client for an identity management service;
  
  authenticating the request;
  
  accessing a microservice based on the request;
  
  determining, based on the request, a first tenancy of a user related to the request and a second tenancy of a resource related to the request, wherein the first tenancy and second tenancy are determined from among a plurality of tenancies;
  
  retrieving data from at least one of a first data partition of a data source for the first tenancy or a second data partition of the data source for the second tenancy, wherein the first data partition is isolated from the second data partition, and a runtime binding with the first data partition is established when data is retrieved in a context of the first tenancy and a runtime binding with the second data partition is established when data is retrieved in a context of the second tenancy; and
  
  performing the identity management service by the microservice using the retrieved data.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising:
    - determining, based on the request, a third tenancy of the client;
      
      retrieving data from at least one of the first data partition, the second data partition, or a third data partition of the data source for the third tenancy, wherein the first data partition, the second data partition, and the third data partition are isolated from one another.
  - 18. The method of claim 16, wherein the data is retrieved by the microservice using a connection pool that provides connections to the data source such that the microservice uses a proxy user context to configure a connection in the connection pool and the proxy user context represents a tenancy in the data source.
  - 19. The method claim 16, wherein the isolated first and second data partitions comprise physically different databases per tenancy.
  - 20. The method of claim 16, wherein the first data partition is isolated from the second data partition such that data for the first tenancy is not stored in the same data table as data for the second tenancy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Wilson, Gregg, Knappek, Tomas
Primary Examiner(s)
Pearson, David J

Application Number

US15/712,588
Publication Number

US 20180013763A1
Time in Patent Office

522 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/101   Access control lists [ACL]

H04W 12/06   Authentication

H04W 12/08   Access security

Multi-tenant identity and data security management cloud service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

102 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-tenant identity and data security management cloud service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links