Mapping tenat groups to identity management classes

US 10,372,483 B2
Filed: 01/20/2014
Issued: 08/06/2019
Est. Priority Date: 01/20/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

mapping, by a system including a processor, groups of a plurality of tenants to identity management classes corresponding to respective roles that grant respective permissions for performing tasks with respect to at least one application, the at least one application accessible by the plurality of tenants, wherein the identity management classes are associated with hierarchical delegation information that specifies delegation rights among members of the identity management classes; and

in response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, determining, by the system based on the delegation rights specified in the hierarchical delegation information for the first identity management class, whether the first member is allowed to perform the delegation with respect to the second member,wherein to perform the delegation with respect to the second member includes at least one of enrolling the second member in a particular identity management class, modifying information of the second member in the particular identity management class, and removing the second member from the particular identity management class, andwherein a first group and a second group of the groups of the plurality of tenants have a same role, but are mapped to different identity management classes having different delegation rights, wherein the delegation rights of each of the members of the identity management classes specify rights of each of the members of the identity management class to perform delegation with respect to further members of the identity management class.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Groups of a plurality of tenants are mapped to identity management classes corresponding to respective roles that grant respective permissions. The identity management classes are associated with hierarchical delegation information that specify delegation rights among the identity management classes, the delegation rights specifying rights of members of the respective identity management classes to perform delegation with respect to further members of the identity management classes. In response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, it is determined, based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member.

Citations

15 Claims

1. A method comprising:
- mapping, by a system including a processor, groups of a plurality of tenants to identity management classes corresponding to respective roles that grant respective permissions for performing tasks with respect to at least one application, the at least one application accessible by the plurality of tenants, wherein the identity management classes are associated with hierarchical delegation information that specifies delegation rights among members of the identity management classes; and
  
  in response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, determining, by the system based on the delegation rights specified in the hierarchical delegation information for the first identity management class, whether the first member is allowed to perform the delegation with respect to the second member,wherein to perform the delegation with respect to the second member includes at least one of enrolling the second member in a particular identity management class, modifying information of the second member in the particular identity management class, and removing the second member from the particular identity management class, andwherein a first group and a second group of the groups of the plurality of tenants have a same role, but are mapped to different identity management classes having different delegation rights, wherein the delegation rights of each of the members of the identity management classes specify rights of each of the members of the identity management class to perform delegation with respect to further members of the identity management class.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the request is a request by the first member of the first identity management class to enroll the second member in a second identity management class, and wherein the determining comprises determining, based on the hierarchical delegation information, whether the first member is allowed to enroll the second member in the second identity management class.
  - 3. The method of claim 1, wherein the request is a request by the first member of the first identity management class to remove the second member from a second identity management class, and wherein the determining comprises determining, based on the hierarchical delegation information, whether the first member is allowed to remove the second member from the second identity management class.
  - 4. The method of claim 1, wherein the request is a request by the first member of the first identity management class to modify information of the second member of a second identity management class, and wherein the determining comprises determining, based on the hierarchical delegation information, whether the first member is allowed to modify the information of the second member of the second identity management class.
  - 5. The method of claim 1, wherein mapping the groups of the plurality of tenants to the identity management classes comprises mapping the groups of the plurality of tenants to system groups, the method further comprising:
    - mapping, by the system, the system groups to the respective roles.
  - 6. The method of claim 5, wherein mapping the groups of the plurality of tenants to the system groups is performed by an identity management engine, and wherein mapping the system groups to the roles is performed by the at least one application.
  - 7. The method of claim 5, wherein the system groups are common to a plurality of applications that have different sets of roles.
  - 8. The method of claim 1, wherein mapping the groups of the plurality of tenants to the identity management classes comprises mapping the groups of the plurality of tenants to the roles.
  - 9. The method of claim 1, wherein the at least one application is a cloud-based application for providing one or a combination of cloud resources and cloud services to members of the plurality of tenants.

10. A cloud system comprising:
- at least one of a cloud resource and a cloud service accessible by a plurality of tenants of the cloud system; and
  
  at least one storage medium to store a mapping between groups of the plurality of tenants and identity management classes corresponding to respective roles that grant respective permissions to access the cloud resource or cloud service, wherein the identity management classes are associated with hierarchical delegation information that specifies delegation rights among members of the identity management classes; and
  
  at least one processor to;
  
  receive a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of a particular one of the identity management classes,wherein to perform the delegation with respect to the second member includes at least one of enrolling the second member in a particular identity management class, modifying information of the second member in the particular identity management class, or removing the second member from the identity management class; and
  
  in response to the request, determine, based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member of the particular identity management class,wherein a first group and a second group of the groups of the plurality of tenants have a same role, but are mapped to different identity management classes having different delegation rights, wherein the delegation rights of each of the members of the identity management classes specify rights of each of the members of the identity management class to perform delegation with respect to further members of the identity management class.
- View Dependent Claims (11, 12, 13)
- - 11. The cloud system of claim 10, wherein the particular identity management class is the same as the first identity management class.
  - 12. The cloud system of claim 10, wherein the particular identity management class is different from the first identity management class.
  - 13. The cloud system of claim 10, wherein the mapping includes a first mapping between the groups of the plurality of tenants and system groups that correspond to the identity management classes, and a second mapping between the system groups and the roles.

14. An article comprising at least one non-transitory machine-readable storage medium storing instructions that upon execution by a cloud system cause the cloud system to:
- store a mapping between groups of a plurality of tenants and identity management classes corresponding to respective roles that grant respective permissions for performing tasks with respect to at least one application, the at least one application accessible by the plurality of tenants and managing access of one or a combination of a cloud resource and a cloud service, wherein the identity management classes are associated with hierarchical delegation information that specifies delegation rights among members of the identity management classes; and
  
  in response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, determine, based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member,wherein to perform the delegation with respect to the second member includes at least one of enrolling the second member in a particular identity management class, modifying information of the second member in the particular identity management class, and removing the second member from the identity management class, andwherein a first group and a second group of the groups of the plurality of tenants have a same role, but are mapped to different identity management classes having different delegation rights, wherein the delegation rights of each of the members of the identity management classes specify rights of each of the members of the identity management class to perform delegation with respect to further members of the identity management class.
- View Dependent Claims (15)
- - 15. The article of claim 14, wherein the hierarchical delegation information specifies delegation rights selected from among:
    - a right of a member of one of the identity management classes to enroll a new member of one of the identity management classes, a right of a member of one of the identity management classes to modify information another member of one of the identity management classes, and a right of a member of one of the identity management classes to remove another member from one of the identity management classes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Beiter, Michael B, Grohs, Randall E
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US15/112,371
Publication Number

US 20160335118A1
Time in Patent Office

2,024 Days
Field of Search
US Class Current
CPC Class Codes

G06F 9/468 Specific access rights for ...

Mapping tenat groups to identity management classes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Mapping tenat groups to identity management classes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links