EXTERNAL ACCESS AND PARTNER DELEGATION

US 20100306393A1
Filed: 05/26/2009
Published: 12/02/2010
Est. Priority Date: 05/26/2009
Status: Active Grant

First Claim

Patent Images

1. In a multi-tenant environment including two or more tenants, wherein a management console provides administrative resources for each tenant and also stores data for each tenant, a method for the first tenant to specify access permission to its resources and/or data for the second tenant, the method comprising:

determining at the management console identity criteria for a user or group of users associated with a second tenant that desire access to perform operations on resources and/or data belonging to a first tenant;

mapping at the management console an external access object to the user or group of users based on the identity criteria, wherein the external access object is configured to represent the user or group of users when performing the operations on the resources or data of the first tenant; and

associating the external access object at the management console with a set of resources and/or data belonging to the first tenant that the user or group of users associated with the second tenant may be allowed access to.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments disclosed herein extend to the use of external access objects in a multi-tenant environment. First and second tenants contract for operations that users of the second tenant will perform in the first tenant. Identity criteria for the users are determined. These users are mapped to an external access object that represents the second tenant users when performing the operations in the first tenant. The external access object is also associated with the resources and/or data that the users of the second tenant will be allowed access to when performing the operations. The users of the second tenant provide a request for access to the resources and/or data to perform operations. Identity criteria are determined and the users are mapped to an external access object based on the identity criteria. It is determined if the user has permission to access the resources and/or data and perform the operations.

Citations

20 Claims

1. In a multi-tenant environment including two or more tenants, wherein a management console provides administrative resources for each tenant and also stores data for each tenant, a method for the first tenant to specify access permission to its resources and/or data for the second tenant, the method comprising:
- determining at the management console identity criteria for a user or group of users associated with a second tenant that desire access to perform operations on resources and/or data belonging to a first tenant;
  
  mapping at the management console an external access object to the user or group of users based on the identity criteria, wherein the external access object is configured to represent the user or group of users when performing the operations on the resources or data of the first tenant; and
  
  associating the external access object at the management console with a set of resources and/or data belonging to the first tenant that the user or group of users associated with the second tenant may be allowed access to.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method in accordance with claim 1, wherein associating the external access object with a set of the resources or data belonging to the first tenant comprises:
    - associating with the external access object at the management console one or more administrative tasks that define operations that may be performed on the resources and/or data and one or more target objects on which the associated administrative tasks may be performed.
  - 3. The method in accordance with claim 2, wherein the one or more target objects are one of a set of user accounts associated with the first tenant, a set of documents associated with the particular tenant, or other resources associated with the tenant.
  - 4. The method in accordance with claim 2, wherein the one or more target objects include all target objects associated with the first tenant at the management console.
  - 5. The method in accordance with claim 1, wherein associating the external access object with a set of the resources or data belonging to the first tenant comprises:
    - associating with the external access object at the management console one or more documents that may be subjected to a collaborative effort.
  - 6. The method in accordance with claim 1, wherein the identity criteria includes at least one of a user identifier, the role of the user in the second tenant, the name of the second tenant, a digital certificate, and a token.
  - 7. The method in accordance with claim 6, wherein the user identifier is a global identifier representing the name of the user.
  - 8. The method in accordance with claim 1, wherein the external access object is associated with an administrative role that the user or group of users will perform in the first tenant.
  - 9. The method in accordance with claim 6, wherein the administrative roles are one of a company administrative role, a license administrative role, a service administrative role, a helpdesk administrative role, a user role, a user administrative role, or a collaboration role.

10. In a multi-tenant environment including two or more tenants, wherein a management console provides administration resources for each tenant and also stores data for each tenant, a method for a user associated with the second tenant to obtain permission to access resources and/or data of the first tenant, the method comprising:
- receiving at the management console a user request of a user associated with the second tenant for access to a resource and/or data of the first tenant to perform operations,determining at the management console identity criteria of the user;
  
  mapping at the management console the user to an external access object based on the identity criteria, wherein the external access object is configured to represent the user when performing operations on the resources or data of the first tenant; and
  
  determining at the management console if the user has permission to access the requested resource and/or data and to perform the operations based on the mapping to the external access object.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method in accordance with claim 10, wherein determining at the management console if the user has permission to access the requested resource and/or data and to perform the operations based on the mapping to the external access object comprises:
    - associating the external access object with a set of administrative tasks defining the operations that may be performed on the resource or data that the user is allowed to access;
      
      determining at the management console if the set of administrative tasks the user desires to perform is permitted by the external access object based on the mapping; and
      
      determining at the management console if a designated target object is permitted to be subjected to the set of administrative tasks.
  - 12. The method in accordance with claim 10, wherein determining at the management console if the user has permission to access the requested resource and/or data and to perform the operations based on the mapping to the external access object comprises:
    - determining if one or more documents that are to be subjected to collaboration between a user of the first tenant and the user associated with the second tenant are associated with the external access object.
  - 13. The method in accordance with claim 10, wherein the external access object is a first external access object, the method further comprising:
    - mapping at the management console the user to a second external access object based on the identity criteria, wherein the second external access object is configured to represent the user when performing operations on the resources or data of the first tenant; and
      
      determining at the management console if the user has permission to access the requested resource and/or data based on the mapping to the second external access object.
  - 14. The method in accordance with claim 12, wherein determining at the management console if the user has permission to access the requested resource and/or data and to perform the operations based on the mapping to the second external access object comprises.associating the second external access object with a second set of administrative tasks defining the operations that may be performed on the resource or data that the user is allowed to access;
    - determining at the management console if the second set of administrative tasks the user desires to perform is permitted by the second external access object based on the mapping; and
      
      determining at the management console if a second designated target object is permitted to be subjected to the set of administrative tasks.
  - 15. The method in accordance with claim 12, wherein determining at the management console if the user has permission to access the requested resource and/or data and to perform the operations based on the mapping to the second external access object comprises:
    - determining if one or more second documents that are to be subjected to collaboration between a user of the first tenant and the user associated with the second tenant are associated with the second external access object.
  - 16. The method in accordance with claim 10, further comprising:
    - disabling at the management console the external access object such that the user of the second tenant no longer has permission to access the resources and/or data of the first tenant.
  - 17. The method in accordance with claim 16, further comprising:
    - subsequent to disabling the external access object, once again enabling the external access object such that user of the second tenant once again has permission to access the resources and/or data of the first tenant.
  - 18. The method in accordance with claim 10, wherein the user comprises a group of multiple users that are associated with the second tenant.

19. A computing system comprising the following:
- one or more processors;
  
  system memory;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to perform a method for a user associated with a second tenant to obtain permission to access resources and/or data of a first tenant to perform contracted operations, the method comprising the following;
  
  negotiating a service agreement between the first and second tenants, wherein the second tenant contracts to perform specified operations on the resources and/or data of the first tenant;
  
  determining identity criteria for one or more users associated with the second tenant who will provide the contracted for specified operations;
  
  receiving at the management console a request from one of the one or more users associated with the second tenant for access to the resource and/or data of the first tenant that are to be subjected to the specified operations;
  
  mapping an external access object to the one of the one or more users based on the identity criteria, wherein the external access object is configured to represent the one of the one or more users when performing the specified operations on the resources and/or data of the first tenant;
  
  associating the external access object with a set of the one or more administrative tasks, wherein the set of administrative tasks define the specified operations that may be performed on the resources and/or data by the one of the one or more users;
  
  determining if access is to be granted to the resources and/or data of the first tenant by determining if the one or more administrative tasks are permitted by the external access object; and
  
  determining if a designated target object is permitted to be subjected to the one or more administrative tasks.
- View Dependent Claims (20)
- - 20. The computing system in accordance with claim 19, wherein the one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the computing system to further perform:
    - disabling the external access object such that the one of the one or more users of the second tenant no longer has permission to access the resources and/or data of the first tenant.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kershaw, Daniel, Appiah, Madan R., Pearson, Malcolm E.

Granted Patent

US 8,843,648 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06Q 10/10 Office automation; Time man...

EXTERNAL ACCESS AND PARTNER DELEGATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EXTERNAL ACCESS AND PARTNER DELEGATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links