Mapping tenant groups to identity management classes
First Claim
1. A method comprising:
- mapping, by a system including a processor, groups of a plurality of tenants to identity management classes corresponding to respective roles that grant respective permissions for performing tasks with respect to at least one application, the at least one application accessible by the plurality of tenants, wherein the identity management classes are associated with hierarchical delegation information that specifies delegation rights among members of the identity management classes; and
- in response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, determining, by the system based on the delegation rights specified in the hierarchical delegation information for the first identity management class, whether the first member is allowed to perform the delegation with respect to the second member, wherein to perform the delegation with respect to the second member includes at least one of enrolling the second member in a particular identity management class, modifying information of the second member in the particular identity management class, and removing the second member from the particular identity management class, and wherein a first group and a second group of the groups of the plurality of tenants have a same role, but are mapped to different identity management classes having different delegation rights, wherein the delegation rights of each of the members of the identity management classes specify rights of each of the members of the identity management class to perform delegation with respect to further members of the identity management class.
Abstract
Groups of a plurality of tenants are mapped to identity management classes corresponding to respective roles that grant respective permissions. The identity management classes are associated with hierarchical delegation information that specifies delegation rights among the identity management classes, the delegation rights specifying rights of members of the respective identity management classes to perform delegation with respect to further members of the identity management classes. In response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, it is determined, based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member.
15 Claims
10. A cloud system comprising:
- at least one of a cloud resource and a cloud service accessible by a plurality of tenants of the cloud system; and
- at least one storage medium to store a mapping between groups of the plurality of tenants and identity management classes corresponding to respective roles that grant respective permissions to access the cloud resource or cloud service, wherein the identity management classes are associated with hierarchical delegation information that specifies delegation rights among members of the identity management classes; and
- at least one processor to: receive a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of a particular one of the identity management classes, wherein to perform the delegation with respect to the second member includes at least one of enrolling the second member in a particular identity management class, modifying information of the second member in the particular identity management class, or removing the second member from the identity management class; and in response to the request, determine, based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member of the particular identity management class, wherein a first group and a second group of the groups of the plurality of tenants have a same role, but are mapped to different identity management classes having different delegation rights, wherein the delegation rights of each of the members of the identity management classes specify rights of each of the members of the identity management class to perform delegation with respect to further members of the identity management class.
14. An article comprising at least one non-transitory machine-readable storage medium storing instructions that upon execution by a cloud system cause the cloud system to:
- store a mapping between groups of a plurality of tenants and identity management classes corresponding to respective roles that grant respective permissions for performing tasks with respect to at least one application, the at least one application accessible by the plurality of tenants and managing access of one or a combination of a cloud resource and a cloud service, wherein the identity management classes are associated with hierarchical delegation information that specifies delegation rights among members of the identity management classes; and
- in response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, determine, based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member, wherein to perform the delegation with respect to the second member includes at least one of enrolling the second member in a particular identity management class, modifying information of the second member in the particular identity management class, and removing the second member from the identity management class, and wherein a first group and a second group of the groups of the plurality of tenants have a same role, but are mapped to different identity management classes having different delegation rights, wherein the delegation rights of each of the members of the identity management classes specify rights of each of the members of the identity management class to perform delegation with respect to further members of the identity management class.
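As an added illustration (not code from the patent or from any assignee's product), the following Python sketches the decision the claims describe: tenant groups are mapped to identity management classes, each class carries a role plus hierarchical delegation information, and an enroll/modify/remove request is allowed only when the requester's own class grants that operation over the target class. The two tenants' "admins" groups share the role "app-admin" but map to classes with different delegation rights; all tenant, group, class and user names are constructed assumptions.

```python
from enum import Enum

class Delegation(Enum):
    ENROLL = "enroll"
    MODIFY = "modify"
    REMOVE = "remove"

class Directory:
    def __init__(self, classes, group_to_class):
        self.classes = classes                # class name -> {"role": ..., "delegates": {...}}
        self.group_to_class = group_to_class  # (tenant, group) -> identity management class
        self.members = {}                     # user -> set of class names

    def join(self, user, tenant, group):
        # a member of a tenant's group lands in the class that group is mapped to
        self.members.setdefault(user, set()).add(self.group_to_class[(tenant, group)])

    def may_delegate(self, actor, op, target_class):
        # decided solely from the delegation rights of the actor's own classes
        return any(op in self.classes[c]["delegates"].get(target_class, ())
                   for c in self.members.get(actor, ()))

    def delegate(self, actor, op, subject, target_class):
        # enroll/modify/remove the subject only if the actor holds that right
        if target_class not in self.classes or not self.may_delegate(actor, op, target_class):
            return False
        if op is Delegation.ENROLL:
            self.members.setdefault(subject, set()).add(target_class)
        elif op is Delegation.REMOVE:
            self.members.get(subject, set()).discard(target_class)
        return True  # MODIFY would update the subject's attributes here

# Constructed sample: both tenants' "admins" groups carry the role "app-admin",
# yet map to different classes whose delegation rights differ.
CLASSES = {
    "A-admins": {"role": "app-admin",
                 "delegates": {"A-users": set(Delegation), "A-admins": {Delegation.ENROLL}}},
    "B-admins": {"role": "app-admin", "delegates": {"B-users": {Delegation.ENROLL}}},
    "A-users": {"role": "app-user", "delegates": {}},
    "B-users": {"role": "app-user", "delegates": {}},
}
GROUP_TO_CLASS = {("tenantA", "admins"): "A-admins", ("tenantA", "staff"): "A-users",
                  ("tenantB", "admins"): "B-admins", ("tenantB", "staff"): "B-users"}

def sample_directory():
    d = Directory(CLASSES, GROUP_TO_CLASS)
    for user, tenant, group in [("alice", "tenantA", "admins"), ("bob", "tenantB", "admins"),
                                ("carol", "tenantA", "staff")]:
        d.join(user, tenant, group)
    return d
```

Because the check consults only the requester's class, a tenant B admin can enroll but not remove members of B-users, and no admin can act on the other tenant's classes at all.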