Shared identity management (IDM) integration in a multi-tenant computing environment
First Claim
1. A non-transitory computer-readable media storing computer-executable instructions executable by one or more processors, the computer-executable instructions comprising:
- instructions that cause the one or more processors to determine a tenant name and a service name of a service from a name included in a request by a user to access the service;
- instructions that cause the one or more processors to request a second computer system to authenticate the user based on a relationship between the user and a tenant having the tenant name;
- instructions that, based on successfully authenticating the user, cause the one or more processors to identify one or more roles that are both associated with the user and with the service from a hierarchical structure that associates the tenant name with the one or more roles; and
- instructions that, based on identifying the one or more roles and a set of permissions associated with the one or more roles, cause the one or more processors to enable the user to access the service.
6 Assignments
0 Petitions
Accused Products
Abstract
Techniques are disclosed for enabling tenant hierarchy information to be migrated directly between different multi-tenant systems (e.g., from a shared IDM system to a Nimbula system, or vice versa). A corresponding new tenant is created in a Nimbula system based on a combination of the tenant information and the service information from the shared IDM system. The Nimbula system extracts the tenant name and the service name from a request and asks the shared IDM system to verify that the user actually is a member of the tenant identified by the extracted tenant name. Upon successful authentication of the user, the Nimbula system requests from the IDM system the roles that are associated with both the user and the extracted service name. The Nimbula system enables access to the service upon determining whether the requested operation can be performed relative to the specified service based on those roles.
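The access-check flow the abstract describes, written out as an added Python illustration (this is not the patent's code or any Nimbula or IDM implementation). It assumes a request name of the form "tenant/service", an in-memory stand-in for the shared IDM that answers tenant-membership and role queries, and a tenant -> service -> user -> roles hierarchy; all sample users, tenants, roles and permissions are constructed for the example. The check fails closed at every step: a malformed name, a user who is not a member of the named tenant, a user with no roles on the service, or a role without the requested permission all produce a denial, which is the property a reviewer would want to confirm in a multi-tenant gateway.

```python
"""Added illustration of the tenant/service authorization flow (assumed design,
not the patent's own code). The "tenant/service" name format, the IDM stub and
every sample value below are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    name: str        # assumed form "tenant/service"
    operation: str   # e.g. "read", "write", "delete"


class SharedIdm:
    """Stand-in for the shared IDM system: answers membership and role queries."""

    def __init__(self,
                 membership: Dict[str, Set[str]],                       # tenant -> users
                 hierarchy: Dict[str, Dict[str, Dict[str, Set[str]]]],  # tenant -> service -> user -> roles
                 permissions: Dict[str, Set[str]]):                     # role -> operations
        self._membership = membership
        self._hierarchy = hierarchy
        self._permissions = permissions

    def authenticate(self, user: str, tenant: str) -> bool:
        """True only if the user is recorded as a member of this tenant."""
        return user in self._membership.get(tenant, set())

    def roles_for(self, tenant: str, service: str, user: str) -> FrozenSet[str]:
        """Roles tied to both the user and the service, looked up under the tenant node."""
        return frozenset(self._hierarchy.get(tenant, {}).get(service, {}).get(user, set()))

    def permissions_for(self, roles: FrozenSet[str]) -> Set[str]:
        perms: Set[str] = set()
        for role in roles:
            perms |= self._permissions.get(role, set())
        return perms


def split_name(name: str) -> Tuple[str, str]:
    """Extract (tenant, service) from a "tenant/service" name; reject anything else."""
    tenant, sep, service = name.partition("/")
    if not sep or not tenant or not service or "/" in service:
        raise ValueError("request name must be exactly 'tenant/service'")
    return tenant, service


def authorize(idm: SharedIdm, req: Request) -> Tuple[bool, str]:
    """Deny by default; every step must succeed for access to be enabled."""
    try:
        tenant, service = split_name(req.name)
    except ValueError:
        return False, "malformed name"
    if not idm.authenticate(req.user, tenant):          # membership check against the IDM
        return False, "user is not a member of tenant"
    roles = idm.roles_for(tenant, service, req.user)    # roles bound to user AND service
    if not roles:
        return False, "no roles for user on service"
    if req.operation not in idm.permissions_for(roles):
        return False, "operation not permitted by roles"
    return True, "ok"


def build_sample_idm() -> SharedIdm:
    """Constructed sample data: two tenants, one shared service name."""
    return SharedIdm(
        membership={"acme": {"alice", "bob"}, "globex": {"carol"}},
        hierarchy={
            "acme": {"storage": {"alice": {"storage-admin"}, "bob": {"viewer"}}},
            "globex": {"storage": {"carol": {"storage-admin"}}},
        },
        permissions={"storage-admin": {"read", "write", "delete"}, "viewer": {"read"}},
    )


if __name__ == "__main__":
    idm = build_sample_idm()
    for r in (Request("alice", "acme/storage", "write"),
              Request("bob", "acme/storage", "write"),
              Request("carol", "acme/storage", "read"),   # cross-tenant attempt is refused
              Request("alice", "acme", "read")):
        print(r, "->", authorize(idm, r))
```

Note that carol holds storage-admin in her own tenant, yet the request for acme/storage is refused before any role lookup happens, because membership is checked against the tenant extracted from the request, not against the user's home tenant.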
Citations
20 Claims
1. Independent claim; text as given under First Claim above. Dependent claims 2 to 17 depend from claim 1.
18. A computer-implemented method comprising:
- determining a tenant name and a service name of a service from a name included in a request by a user to access the service;
- requesting a second computer system to authenticate the user based on a relationship between the user and a tenant having the tenant name;
- identifying one or more roles that are both associated with the user and with the service from a hierarchical structure that associates the tenant name with the one or more roles; and
- based on identifying the one or more roles and a set of permissions associated with the one or more roles, enabling the user to access the service.
19. A system comprising:
- one or more processors; and
- a memory accessible to the one or more processors, the memory storing instructions that, upon execution by the one or more processors, cause the one or more processors to:
  - determine a tenant name and a service name of a service from a name included in a request by a user to access the service;
  - request a second computer system to authenticate the user based on a relationship between the user and a tenant having the tenant name;
  - identify one or more roles that are both associated with the user and with the service from a hierarchical structure that associates the tenant name with the one or more roles; and
  - based on identifying the one or more roles and a set of permissions associated with the one or more roles, enable the user to access the service.
Dependent claim 20 depends from claim 19.
Specification