User abstracted RBAC in a multi tenant environment
First Claim
1. A method for improving efficiency and security of a role based access control (RBAC) identity management system said method comprising:
assigning, by a service provider owner via one or more computer processors of the RBAC identity management system, a plurality of individual users to a service provider identity dataset;
requesting, by the service provider owner via the one or more computer processors, addition of the service provider identity dataset to a role dataset in the RBAC identity management system, wherein the role dataset comprising the added service provider identity dataset includes permissions to the individual users within the service provider identity dataset to access a secured resource of the RBAC identity management system and to perform the service on the secured resource, wherein the role dataset pertains to one or more roles pertaining to performing a service on the secured resource;
granting, by a tenant manager via the one or more computer processors, the addition of the service provider identity dataset to the role dataset, as a function of input data from the tenant manager instructing the one or more computer processors to add the service provider identity dataset to the role dataset, wherein the tenant manager owns the secured resource or is an administrator hired by an owner of the secured resource, wherein the tenant manager does not assign one or more roles to the individual users but rather assigns the one or more roles to the service provider identity dataset, wherein each individual user cannot be identified by the tenant manager, and wherein the tenant manager and the service provider owner are distinct from each other;
abstracting, from the service provider identity dataset by the one or more computer processors, the individual users being provided with said access, to the secured resource to perform the service, resulting from the service provider identity dataset having been added to the role dataset;
periodically revalidating, by the one or more computer processors, the addition of the service provider identity dataset to the role dataset, wherein said periodically revalidating comprises receiving an instruction from the tenant manager to maintain or delete the service provider identity dataset from the role dataset, wherein said access to the secured resource is based on the service provider identity dataset in the role dataset, instead of being based on the individual users, improves the efficiency and security of the RBAC identity management system; and
updating, by the one or more computer processors, the service provider identity data set to an updated service provider identity dataset as a function of input received from the service provider owner, wherein the updated service provider identity dataset replaces the service provider identity dataset in the role dataset, and individual users of the updated service provider identity dataset receive the permissions to access the secured resources of the RBAC identity management system, and wherein said updating the service provider identity data set does not require the tenant manager to make, a subsequent approval of said updating.
Abstract
Role based access control (RBAC) identity management tools, computing systems, computer products and methods of abstracting individual users from the role assignment and revalidation process of traditional RBAC. The RBAC tools, products and systems of the present disclosure organize and manage multi-tenanted networks and cloud computing environments by organizing individual users by service providers having a single or unified identity, which are separately managed by the service provider owners. The service provider identities are treated as a single service provider entity applying for one or more roles in the multi-tenant system, allowing for a simplified role revalidation that no longer requires managers of tenants in a multi-tenant network to approve the role assignment of each individual user, because the tenants and tenant managers are unaware of the users' identities that make up the service provider identity.
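The flow described in the abstract and in claim 1 (request, grant, abstraction, revalidation, owner-side update), modeled as a minimal in-memory sketch. This is an added example, not code from the patent; every class, method and identifier name in it is hypothetical.

```python
# Added illustration; all names here are hypothetical, not taken from the patent.
from dataclasses import dataclass, field

@dataclass
class ServiceProviderIdentity:
    sp_id: str                       # the only identifier the tenant side ever sees
    owner: str
    _members: set = field(default_factory=set)

    def update_members(self, actor, members):
        # Only the service provider owner edits membership; no tenant approval step.
        if actor != self.owner:
            raise PermissionError("only the service provider owner may update members")
        self._members = set(members)

    def contains(self, user):
        return user in self._members

@dataclass
class Role:
    name: str
    resource: str
    tenant_manager: str
    pending: dict = field(default_factory=dict)   # sp_id -> identity awaiting approval
    granted: dict = field(default_factory=dict)   # sp_id -> approved identity

    def request(self, sp):
        self.pending[sp.sp_id] = sp

    def grant(self, actor, sp_id):
        self._require_manager(actor)
        self.granted[sp_id] = self.pending.pop(sp_id)

    def revalidate(self, actor, sp_id, keep):
        # Periodic review: one maintain/delete decision per provider, not per user.
        self._require_manager(actor)
        if not keep:
            self.granted.pop(sp_id, None)

    def tenant_view(self):
        return sorted(self.granted)               # provider ids only, never user names

    def can_access(self, user, resource):
        # Access is derived from the provider's presence in the role, not from the user.
        return resource == self.resource and any(
            sp.contains(user) for sp in self.granted.values())

    def _require_manager(self, actor):
        if actor != self.tenant_manager:
            raise PermissionError("only the tenant manager may decide on this role")
```

Because membership changes take effect without a tenant decision, the tenant's controls in this model are the grant and the periodic maintain/delete choice for the whole provider; per-user accountability has to come from the provider's own records.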
17 Claims
8. A computer program product, comprising one or more computer readable hardware storage devices having computer readable program code stored therein, said program code containing instructions executable by one or more computer processors to implement a method for improving efficiency and security of a role based access control (RBAC) identity management system that includes the one or more computer processors, said method comprising:
assigning, by a service provider owner via the one or more computer processors of the RBAC identity management system, a plurality of individual users to a service provider identity dataset;
requesting, by the service provider owner via the one or more computer processors, addition of the service provider identity dataset to a role dataset in the RBAC identity management system, wherein the role dataset comprising the added service provider identity dataset includes permissions to the individual users within the service provider identity dataset to access a secured resource of the RBAC identity management system and to perform the service on the secured resource, wherein the role dataset pertains to one or more roles pertaining to performing a service on the secured resource;
granting, by a tenant manager via the one or more computer processors, the addition of the service provider identity dataset to the role dataset, as a function of input data from the tenant manager instructing the one or more computer processors to add the service provider identity dataset to the role dataset, wherein the tenant manager owns the secured resource or is an administrator hired by an owner of the secured resource, wherein the tenant manager does not assign one or more roles to the individual users but rather assigns the one or more roles to the service provider identity dataset, wherein each individual user cannot be identified by the tenant manager, and wherein the tenant manager and the service provider owner are distinct from each other;
abstracting, from the service provider identity dataset by the one or more computer processors, the individual users being provided with said access, to the secured resource to perform the service, resulting from the service provider identity dataset having been added to the role dataset;
periodically revalidating, by the one or more computer processors, the addition of the service provider identity dataset to the role dataset, wherein said periodically revalidating comprises receiving an instruction from the tenant manager to maintain or delete the service provider identity dataset from the role dataset, wherein said access to the secured resource is based on the service provider identity dataset in the role dataset, instead of being based on the individual users, improves the efficiency and security of the RBAC identity management system; and
updating, by the one or more computer processors, the service provider identity data set to an updated service provider identity dataset as a function of input received from the service provider owner, wherein the updated service provider identity dataset replaces the service provider identity dataset in the role dataset, and individual users of the updated service provider identity dataset receive the permissions to access the secured resources of the RBAC identity management system, and wherein said updating the service provider identity data set does not require the tenant manager to make, a subsequent approval of said updating.
13. A computer system, comprising a role based access control (RBAC) identity management system that includes one or more processors, one or more memories coupled to the one or more computer processors, and one or more computer readable storage devices coupled to the one or more processors, said one or more storage devices containing program code executable by the one or more processors via one or more memories to implement a method for improving efficiency and security of the role based access control (RBAC) identity management system, said method comprising the steps of:
assigning, by a service provider owner via the one or more computer processors of the RBAC identity management system, a plurality of individual users to a service provider identity dataset;
requesting, by the service provider owner via the one or more computer processors, addition of the service provider identity dataset to a role dataset in the RBAC identity management system, wherein the role dataset comprising the added service provider identity dataset includes permissions to the individual users within the service provider identity dataset to access a secured resource of the RBAC identity management system and to perform the service on the secured resource, wherein the role dataset pertains to one or more roles pertaining to performing a service on the secured resource;
granting, by a tenant manager via the one or more computer processors, the addition of the service provider identity dataset to the role dataset, as a function of input data from the tenant manager instructing the one or more computer processors to add the service provider identity dataset to the role dataset, wherein the tenant manager owns the secured resource or is an administrator hired by an owner of the secured resource, wherein the tenant manager does not assign one or more roles to the individual users but rather assigns the one or more roles to the service provider identity dataset, wherein each individual user cannot be identified by the tenant manager, and wherein the tenant manager and the service provider owner are distinct from each other;
abstracting, from the service provider identity dataset by the one or more computer processors, the individual users being provided with said access, to the secured resource to perform the service, resulting from the service provider identity dataset having been added to the role dataset;
periodically revalidating, by the one or more computer processors, the addition of the service provider identity dataset to the role dataset, wherein said periodically revalidating comprises receiving an instruction from the tenant manager to maintain or delete the service provider identity dataset from the role dataset, wherein said access to the secured resource is based on the service provider identity dataset in the role dataset, instead of being based on the individual users, improves the efficiency and security of the RBAC identity management system; and
updating, by the one or more computer processors, the service provider identity data set to an updated service provider identity dataset as a function of input received from the service provider owner, wherein the updated service provider identity dataset replaces the service provider identity dataset in the role dataset, and individual users of the updated service provider identity dataset receive the permissions to access the secured resources of the RBAC identity management system, and wherein said updating the service provider identity data set does not require the tenant manager to make, a subsequent approval of said updating.
Specification