Shared identity management (IDM) integration in a multi-tenant computing environment

US 10,372,936 B2
Filed: 09/24/2018
Issued: 08/06/2019
Est. Priority Date: 09/19/2014
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable media storing computer-executable instructions executable by one or more processors, the computer-executable instructions comprising:

instructions that cause the one or more processors to determine a tenant name and a service name of a service from a name included in a request by a user to access the service;

instructions that cause the one or more processors to request a second computer system to authenticate the user based on a relationship between the user and a tenant having the tenant name;

instructions that, based on successfully authenticating the user, cause the one or more processors to identify one or more roles that are both associated with the user and with the service from a hierarchical structure that associates the tenant name with the one or more roles; and

instructions that, based on identifying the one or more roles and a set of permissions associated with the one or more roles, cause the one or more processors to enable the user to access the service.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for enabling tenant hierarchy information to be migrated directly between different multi-tenant system (e.g., from a shared IDM system to a Nimbula system, or vice versa). A corresponding new tenant is created in a Nimbula system based on a combination of the tenant information and the service information from the shared IDM system. The Nimbula system extracts the tenant name and the service name from a request and asks the shared IDM system to verify that the user actually is a member of the tenant identified by the extracted tenant name. Upon successful authentication of the user, the Nimbula system requests the IDM system for roles that are associated with both the user and the extracted service name. The Nimbula system enable access to the service upon determining whether the requested operation can be performed relative to the specified service based on the roles.

52 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable media storing computer-executable instructions executable by one or more processors, the computer-executable instructions comprising:
- instructions that cause the one or more processors to determine a tenant name and a service name of a service from a name included in a request by a user to access the service;
  
  instructions that cause the one or more processors to request a second computer system to authenticate the user based on a relationship between the user and a tenant having the tenant name;
  
  instructions that, based on successfully authenticating the user, cause the one or more processors to identify one or more roles that are both associated with the user and with the service from a hierarchical structure that associates the tenant name with the one or more roles; and
  
  instructions that, based on identifying the one or more roles and a set of permissions associated with the one or more roles, cause the one or more processors to enable the user to access the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The non-transitory computer-readable media of claim 1, wherein the user is authenticated based on whether user is a member of the tenant.
  - 3. The non-transitory computer-readable media of claim 2, wherein the second computer system maintains the hierarchical structure comprising one or more nodes;
    - andwherein the user is authenticated based on the tenant name determined from the request matching a tenant name stored in at least one node of the hierarchical structure.
  - 4. The non-transitory computer-readable media of claim 1, wherein the computer-executable instructions further comprise instructions that cause the one or more processors to maintain the hierarchical structure comprising a service node and one or more role nodes;
    - wherein;
      
      the service node is associated with the tenant name and the service name;
      
      the one or more role nodes being descendant nodes of the service node and storing first role information of the one or more roles; and
      
      wherein the first role information identify the set of permissions with respect to the service having the service name.
  - 5. The non-transitory computer-readable media of claim 4, wherein the computer-executable instructions further comprise instructions that cause the one or more processors to:
    - identify, from the hierarchical structure, the service node based on the tenant name and the service name;
      
      identify the one or more role nodes based on identifying the service node; and
      
      identify the set of permissions associated with the one or more roles based on the first role information stored in the one or more role nodes.
  - 6. The non-transitory computer-readable media of claim 5, wherein the set of permissions is a first set of permissions;
    - wherein the computer-executable instructions further comprise instructions that cause the one or more processors to;
      
      access the second computer system using the tenant name and the service name to obtain the one or more roles and second role information associated with the one or more roles, the second role information identifying a second set of permissions with respect to a plurality of services; and
      
      extract the set of permissions from the second role information based on the service name to generate the first role information.
  - 7. The non-transitory computer-readable media of claim 4, wherein the second computer system is part of an identity management system (IDM).
  - 8. The non-transitory computer-readable media of claim 4, further comprising instructions that cause the one or more processors to access a directory that associates the one or more roles with the tenant name and with the service name.
  - 9. The non-transitory computer-readable media of claim 8, wherein the directory is a Lightweight Directory Access Protocol (LDAP).
  - 10. The non-transitory computer-readable media of claim 8, wherein the directory is accessed based on determining that the user is a member of the tenant.
  - 11. The non-transitory computer-readable media of claim 8, wherein the hierarchical structure is a first hierarchical structure;
    - wherein the computer-executable instructions further comprise instructions that cause the one or more processors to maintain the first hierarchical structure; and
      
      wherein the directory includes a second hierarchical structure comprising a first node associated with a tenant having the tenant name, a plurality of second nodes associated with a plurality of services subscribed by the tenant, and a third node that stores second role information of the one or more roles, the second role information identifying a second set of permissions with respect to the plurality of services;
      
      wherein the plurality of second nodes and the third node are descendent nodes of the first node.
  - 12. The non-transitory computer-readable media of claim 11, wherein the computer-executable instructions further comprise instructions that cause the one or more processors to:
    - identify the tenant name from the first node of the second hierarchical structure;
      
      create a plurality of tenant-service combinations, each tenant-service combination including the tenant name and a service name of a service associated with each second node of the plurality of second nodes;
      
      create a plurality of service nodes in the first hierarchical structure based on the plurality of tenant-service combinations.
  - 13. The non-transitory computer-readable media of claim 12, wherein each role of the one or more roles is associated with one or more services of the plurality of services in the third node of the second hierarchical structure;
    - wherein the computer-executable instructions further comprise instructions that cause the one or more processors to;
      
      determine, based on the second role information stored in the third node, that a first role of the one or more roles pertains to a first service of the plurality of services;
      
      identify a first service node of the plurality of service nodes in the first hierarchical structure that includes a first service name of the first service; and
      
      store the first role information of the first role in a descendent role node of the first service node.
  - 14. The non-transitory computer-readable media of claim 13, wherein the computer-executable instructions further comprise instructions that cause the one or more processors to:
    - assign a group identity to the user based on a plurality of roles being associated with the first service in the second hierarchical structure; and
      
      store the group identity at the descendent role node.
  - 15. The non-transitory computer-readable media claim 1, wherein enabling the user to access the service includes sending a message to a client system indicating that access is permitted to the service.
  - 16. The non-transitory computer-readable media claim 1, wherein the service is one of a software as a service (SAAS), a platform as a service (PAAS), or an infrastructure as a service (IAAS).
  - 17. The non-transitory computer-readable media of claim 1, wherein the one or more processors are part of a first computer system;
    - wherein at least one of the first computer system or the second computer system is part of an infrastructure system that provides the service.

18. A computer-implemented method comprising:
- determining a tenant name and a service name of a service from a name included in a request by a user to access the service;
  
  requesting a second computer system to authenticate the user based on a relationship between the user and a tenant having the tenant name;
  
  identifying one or more roles that are both associated with the user and with the service from a hierarchical structure that associates the tenant name with the one or more roles; and
  
  based on identifying the one or more roles and a set of permissions associated with the one or more roles, enabling the user to access the service.

19. A system comprising:
- one or more processors; and
  
  a memory accessible to the one or more processors, the memory storing instructions that, upon execution by the one or more processors, causes the one or more processors to;
  
  determine a tenant name and a service name of a service from a name included in a request by a user to access the service;
  
  request a second computer system to authenticate the user based on a relationship between the user and a tenant having the tenant name;
  
  identify one or more roles that are both associated with the user and with the service from a hierarchical structure that associates the tenant name with the one or more roles; and
  
  based on identifying the one or more roles and a set of permissions associated with the one or more roles, enable the user to access the service.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the service is provided by an infrastructure system;
    - andwherein the one or more processors and the memory are included in the infrastructure system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dish Technologies LLC (Dish Network Corporation), Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Pleau, Jeffrey, Revanuru, Naresh
Primary Examiner(s)
To, Baotran N

Application Number

US16/140,299
Publication Number

US 20190026486A1
Time in Patent Office

316 Days
Field of Search

726 7
US Class Current
CPC Class Codes

G06F 21/6236   between heterogeneous systems

H04L 63/0884   by delegation of authentica...

H04L 63/104   Grouping of entities

Shared identity management (IDM) integration in a multi-tenant computing environment

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Shared identity management (IDM) integration in a multi-tenant computing environment

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links