User abstracted RBAC in a multi tenant environment

US 10,298,589 B2
Filed: 01/27/2016
Issued: 05/21/2019
Est. Priority Date: 01/27/2016
Status: Active Grant

First Claim

Patent Images

1. A method for improving efficiency and security of a role based access control (RBAC) identity management system said method comprising:

assigning, by a service provider owner via one or more computer processors of the RBAC identity management system, a plurality of individual users to a service provider identity dataset;

requesting, by the service provider owner via the one or more computer processors, addition of the service provider identity dataset to a role dataset in the RBAC identity management system, wherein the role dataset comprising the added service provider identity dataset includes permissions to the individual users within the service provider identity dataset to access a secured resource of the RBAC identity management system and to perform the service on the secured resource, wherein the role dataset pertains to one or more roles pertaining to performing a service on the secured resource;

granting, by a tenant manager via the one or more computer processors, the addition of the service provider identity dataset to the role dataset, as a function of input data from the tenant manager instructing the one or more computer processors to add the service provider identity dataset to the role dataset, wherein the tenant manager owns the secured resource or is an administrator hired by an owner of the secured resource, wherein the tenant manager does not assign one or more roles to the individual users but rather assigns the one or more roles to the service provider identity dataset, wherein each individual user cannot be identified by the tenant manager, and wherein the tenant manager and the service provider owner are distinct from each other;

abstracting, from the service provider identity dataset by the one or more computer processors, the individual users being provided with said access, to the secured resource to perform the service, resulting from the service provider identity dataset having been added to the role dataset;

periodically revalidating, by the one or more computer processors, the addition of the service provider identity dataset to the role dataset, wherein said periodically revalidating comprises receiving an instruction from the tenant manager to maintain or delete the service provider identity dataset from the role dataset, wherein said access to the secured resource is based on the service provider identity dataset in the role dataset, instead of being based on the individual users, improves the efficiency and security of the RBAC identity management system; and

updating, by the one or more computer processors, the service provider identity data set to an updated service provider identity dataset as a function of input received from the service provider owner, wherein the updated service provider identity dataset replaces the service provider identity dataset in the role dataset, and individual users of the updated service provider identity dataset receive the permissions to access the secured resources of the RBAC identity management system, and wherein said updating the service provider identity data set does not require the tenant manager to make, a subsequent approval of said updating.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Role based access control (RBAC) identity management tools, computing systems, computer products and methods of abstracting individual users from the role assignment and revalidation process of traditional RBAC. The RBAC tools, products and systems of the present disclosure organize and manage multi-tenanted networks and cloud computing environments by organizing individual users by service providers having a single or unified identity, which are separately managed by the service provider owners. The service provider identities are treated as a single service provider entity applying for one or more roles in the multi-tenant system, allowing for a simplified role revalidation that no longer requires managers of tenants in a multi-tenant network to approve the role assignment of each individual user, because the tenants and tenant managers are unaware of the users identities that make up the service provider identity.

28 Citations

View as Search Results

17 Claims

1. A method for improving efficiency and security of a role based access control (RBAC) identity management system said method comprising:
- assigning, by a service provider owner via one or more computer processors of the RBAC identity management system, a plurality of individual users to a service provider identity dataset;
  
  requesting, by the service provider owner via the one or more computer processors, addition of the service provider identity dataset to a role dataset in the RBAC identity management system, wherein the role dataset comprising the added service provider identity dataset includes permissions to the individual users within the service provider identity dataset to access a secured resource of the RBAC identity management system and to perform the service on the secured resource, wherein the role dataset pertains to one or more roles pertaining to performing a service on the secured resource;
  
  granting, by a tenant manager via the one or more computer processors, the addition of the service provider identity dataset to the role dataset, as a function of input data from the tenant manager instructing the one or more computer processors to add the service provider identity dataset to the role dataset, wherein the tenant manager owns the secured resource or is an administrator hired by an owner of the secured resource, wherein the tenant manager does not assign one or more roles to the individual users but rather assigns the one or more roles to the service provider identity dataset, wherein each individual user cannot be identified by the tenant manager, and wherein the tenant manager and the service provider owner are distinct from each other;
  
  abstracting, from the service provider identity dataset by the one or more computer processors, the individual users being provided with said access, to the secured resource to perform the service, resulting from the service provider identity dataset having been added to the role dataset;
  
  periodically revalidating, by the one or more computer processors, the addition of the service provider identity dataset to the role dataset, wherein said periodically revalidating comprises receiving an instruction from the tenant manager to maintain or delete the service provider identity dataset from the role dataset, wherein said access to the secured resource is based on the service provider identity dataset in the role dataset, instead of being based on the individual users, improves the efficiency and security of the RBAC identity management system; and
  
  updating, by the one or more computer processors, the service provider identity data set to an updated service provider identity dataset as a function of input received from the service provider owner, wherein the updated service provider identity dataset replaces the service provider identity dataset in the role dataset, and individual users of the updated service provider identity dataset receive the permissions to access the secured resources of the RBAC identity management system, and wherein said updating the service provider identity data set does not require the tenant manager to make, a subsequent approval of said updating.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the RBAC identity management system is a multi-tenant network.
  - 3. The method of claim 2, wherein the multi-tenant network is a cloud computing environment.
  - 4. The method of claim 2, wherein said requesting specifies a plurality of requests for the service provider identity dataset to be added to one or more different role datasets.
  - 5. The method of claim 1, wherein the permissions include read or read/write operations of the secured resource, accessible from a node of the RBAC identity management system by the individual user of the service provider identity dataset.
  - 6. The method of claim 1, wherein said updating the service provider identity dataset occurs independently from any input by the tenant manager.
  - 7. The method of claim 1, said method further comprising:
    - providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in a computer system, where the computer-readable program code in combination with the computer system is configured to implement the steps of assigning, requesting, granting, abstracting and periodically revalidating.

8. A computer program product, comprising one or more computer readable hardware storage devices having computer readable program code stored therein, said program code containing instructions executable by one or more computer processors to implement a method for improving efficiency and security of a role based access control (RBAC) identity management system that includes the one or more computer processors, said method comprising:
- assigning, by a service provider owner via the one or more computer processors of the RBAC identity management system, a plurality of individual users to a service provider identity dataset;
  
  requesting, by the service provider owner via the one or more computer processors, addition of the service provider identity dataset to a role dataset in the RBAC identity management system, wherein the role dataset comprising the added service provider identity dataset includes permissions to the individual users within the service provider identity dataset to access a secured resource of the RBAC identity management system and to perform the service on the secured resource, wherein the role dataset pertains to one or more roles pertaining to performing a service on the secured resource;
  
  granting, by a tenant manager via the one or more computer processors, the addition of the service provider identity dataset to the role dataset, as a function of input data from the tenant manager instructing the one or more computer processors to add the service provider identity dataset to the role dataset, wherein the tenant manager owns the secured resource or is an administrator hired by an owner of the secured resource, wherein the tenant manager does not assign one or more roles to the individual users but rather assigns the one or more roles to the service provider identity dataset, wherein each individual user cannot be identified by the tenant manager, and wherein the tenant manager and the service provider owner are distinct from each other;
  
  abstracting, from the service provider identity dataset by the one or more computer processors, the individual users being provided with said access, to the secured resource to perform the service, resulting from the service provider identity dataset having been added to the role dataset;
  
  periodically revalidating, by the one or more computer processors, the addition of the service provider identity dataset to the role dataset, wherein said periodically revalidating comprises receiving an instruction from the tenant manager to maintain or delete the service provider identity dataset from the role dataset, wherein said access to the secured resource is based on the service provider identity dataset in the role dataset, instead of being based on the individual users, improves the efficiency and security of the RBAC identity management system; and
  
  updating, by the one or more computer processors, the service provider identity data set to an updated service provider identity dataset as a function of input received from the service provider owner, wherein the updated service provider identity dataset replaces the service provider identity dataset in the role dataset, and individual users of the updated service provider identity dataset receive the permissions to access the secured resources of the RBAC identity management system, and wherein said updating the service provider identity data set does not require the tenant manager to make, a subsequent approval of said updating.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer program product of claim 8, wherein the RBAC identity management system is a multi-tenant network.
  - 10. The computer program product of claim 9, wherein the multi-tenant network is a cloud computing environment.
  - 11. The computer program product of claim 8, wherein the permissions include read or read/write operations of the secured resource, accessible from a node of the RBAC identity management system by the individual user of the service provider identity dataset.
  - 12. The computer program product of claim 8, wherein said updating the service provider identity dataset occurs independently from any input by the tenant manager.

13. A computer system, comprising a role based access control (RBAC) identity management system that includes one or more processors, one or more memories coupled to the one or more computer processors, and one or more computer readable storage devices coupled to the one or more processors, said one or more storage devices containing program code executable by the one or more processors via one or more memories to implement a method for improving efficiency and security of the role based access control (RBAC) identity management system, said method comprising the steps of:
- assigning, by a service provider owner via the one or more computer processors of the RBAC identity management system, a plurality of individual users to a service provider identity dataset;
  
  requesting, by the service provider owner via the one or more computer processors, addition of the service provider identity dataset to a role dataset in the RBAC identity management system, wherein the role dataset comprising the added service provider identity dataset includes permissions to the individual users within the service provider identity dataset to access a secured resource of the RBAC identity management system and to perform the service on the secured resource, wherein the role dataset pertains to one or more roles pertaining to performing a service on the secured resource;
  
  granting, by a tenant manager via the one or more computer processors, the addition of the service provider identity dataset to the role dataset, as a function of input data from the tenant manager instructing the one or more computer processors to add the service provider identity dataset to the role dataset, wherein the tenant manager owns the secured resource or is an administrator hired by an owner of the secured resource, wherein the tenant manager does not assign one or more roles to the individual users but rather assigns the one or more roles to the service provider identity dataset, wherein each individual user cannot be identified by the tenant manager, and wherein the tenant manager and the service provider owner are distinct from each other;
  
  abstracting, from the service provider identity dataset by the one or more computer processors, the individual users being provided with said access, to the secured resource to perform the service, resulting from the service provider identity dataset having been added to the role dataset;
  
  periodically revalidating, by the one or more computer processors, the addition of the service provider identity dataset to the role dataset, wherein said periodically revalidating comprises receiving an instruction from the tenant manager to maintain or delete the service provider identity dataset from the role dataset, wherein said access to the secured resource is based on the service provider identity dataset in the role dataset, instead of being based on the individual users, improves the efficiency and security of the RBAC identity management system; and
  
  updating, by the one or more computer processors, the service provider identity data set to an updated service provider identity dataset as a function of input received from the service provider owner, wherein the updated service provider identity dataset replaces the service provider identity dataset in the role dataset, and individual users of the updated service provider identity dataset receive the permissions to access the secured resources of the RBAC identity management system, and wherein said updating the service provider identity data set does not require the tenant manager to make, a subsequent approval of said updating.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer system of claim 13, wherein the RBAC identity management system is a multi-tenant network.
  - 15. The computer system of claim 14, wherein the multi-tenant network is a cloud computing environment.
  - 16. The computer system of claim 14, wherein said requesting specifies a plurality of requests for the service provider identity dataset to be added to one or more different role datasets.
  - 17. The computer system of claim 13, wherein said updating the service provider identity dataset occurs independently from any input by the tenant manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Cleaver, James D., McGuire, Michael J.
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Le, Canh

Application Number

US15/007,556
Publication Number

US 20170214696A1
Time in Patent Office

1,210 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/104 Grouping of entities

User abstracted RBAC in a multi tenant environment

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

User abstracted RBAC in a multi tenant environment

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links