EXTERNAL ACCESS AND PARTNER DELEGATION
First Claim
1. In a multi-tenant environment including two or more tenants, wherein a management console provides administrative resources for each tenant and also stores data for each tenant, a method for the first tenant to specify access permission to its resources and/or data for the second tenant, the method comprising:
- determining at the management console identity criteria for a user or group of users associated with a second tenant that desire access to perform operations on resources and/or data belonging to a first tenant;
- mapping at the management console an external access object to the user or group of users based on the identity criteria, wherein the external access object is configured to represent the user or group of users when performing the operations on the resources or data of the first tenant; and
- associating the external access object at the management console with a set of resources and/or data belonging to the first tenant that the user or group of users associated with the second tenant may be allowed access to.
Abstract
Embodiments disclosed herein extend to the use of external access objects in a multi-tenant environment. First and second tenants contract for operations that users of the second tenant will perform in the first tenant. Identity criteria for the users are determined. These users are mapped to an external access object that represents the second tenant users when performing the operations in the first tenant. The external access object is also associated with the resources and/or data that the users of the second tenant will be allowed access to when performing the operations. The users of the second tenant provide a request for access to the resources and/or data to perform operations. Identity criteria are determined and the users are mapped to an external access object based on the identity criteria. It is determined if the user has permission to access the resources and/or data and perform the operations.
20 Claims
1. In a multi-tenant environment including two or more tenants, wherein a management console provides administrative resources for each tenant and also stores data for each tenant, a method for the first tenant to specify access permission to its resources and/or data for the second tenant, the method comprising:
- determining at the management console identity criteria for a user or group of users associated with a second tenant that desire access to perform operations on resources and/or data belonging to a first tenant;
- mapping at the management console an external access object to the user or group of users based on the identity criteria, wherein the external access object is configured to represent the user or group of users when performing the operations on the resources or data of the first tenant; and
- associating the external access object at the management console with a set of resources and/or data belonging to the first tenant that the user or group of users associated with the second tenant may be allowed access to.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. In a multi-tenant environment including two or more tenants, wherein a management console provides administration resources for each tenant and also stores data for each tenant, a method for a user associated with the second tenant to obtain permission to access resources and/or data of the first tenant, the method comprising:
- receiving at the management console a user request of a user associated with the second tenant for access to a resource and/or data of the first tenant to perform operations;
- determining at the management console identity criteria of the user;
- mapping at the management console the user to an external access object based on the identity criteria, wherein the external access object is configured to represent the user when performing operations on the resources or data of the first tenant; and
- determining at the management console if the user has permission to access the requested resource and/or data and to perform the operations based on the mapping to the external access object.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. A computing system comprising the following:
- one or more processors;
- system memory;
- one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to perform a method for a user associated with a second tenant to obtain permission to access resources and/or data of a first tenant to perform contracted operations, the method comprising the following:
  - negotiating a service agreement between the first and second tenants, wherein the second tenant contracts to perform specified operations on the resources and/or data of the first tenant;
  - determining identity criteria for one or more users associated with the second tenant who will provide the contracted for specified operations;
  - receiving at the management console a request from one of the one or more users associated with the second tenant for access to the resource and/or data of the first tenant that are to be subjected to the specified operations;
  - mapping an external access object to the one of the one or more users based on the identity criteria, wherein the external access object is configured to represent the one of the one or more users when performing the specified operations on the resources and/or data of the first tenant;
  - associating the external access object with a set of the one or more administrative tasks, wherein the set of administrative tasks define the specified operations that may be performed on the resources and/or data by the one of the one or more users;
  - determining if access is to be granted to the resources and/or data of the first tenant by determining if the one or more administrative tasks are permitted by the external access object; and
  - determining if a designated target object is permitted to be subjected to the one or more administrative tasks.
Dependent claims: 20
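Added example, not part of the patent text or of any vendor's implementation: a minimal Python model of the flow described in the abstract and in claim 19, where a second-tenant user is mapped to an external access object by identity criteria and the request is then checked against the permitted administrative tasks and target objects. All class, field, group and tenant names are assumptions, and requiring the task and the target to be permitted by the same object is a design choice of this example rather than something the claims state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExternalAccessObject:
    # All field names are assumptions made for this example.
    owner_tenant: str           # first tenant: owns the resources and data
    partner_tenant: str         # second tenant: its users are represented
    groups: frozenset           # identity criteria: membership in any of these
    tasks: frozenset            # administrative tasks the partner contracted for
    targets: frozenset          # resources/data those tasks may be applied to

@dataclass(frozen=True)
class Request:
    user_tenant: str
    user_groups: frozenset
    owner_tenant: str
    task: str
    target: str

def map_user(req, eaos):
    """Return every external access object whose identity criteria the user meets."""
    return [e for e in eaos
            if e.owner_tenant == req.owner_tenant
            and e.partner_tenant == req.user_tenant
            and e.groups & req.user_groups]

def authorize(req, eaos):
    """Deny by default. Task and target must be permitted by the SAME object,
    so rights from two objects cannot be combined into a broader grant."""
    mapped = map_user(req, eaos)
    if not mapped:
        return False, "no external access object for this identity"
    if not any(req.task in e.tasks for e in mapped):
        return False, "task not permitted"
    if not any(req.task in e.tasks and req.target in e.targets for e in mapped):
        return False, "target not permitted for this task"
    return True, "allowed"

# Constructed sample data: tenant-a delegates two narrow roles to tenant-b.
EAOS = [
    ExternalAccessObject("tenant-a", "tenant-b", frozenset({"helpdesk"}),
                         frozenset({"reset_password"}), frozenset({"ou-sales"})),
    ExternalAccessObject("tenant-a", "tenant-b", frozenset({"mail-admins"}),
                         frozenset({"edit_mailbox"}), frozenset({"mail-store-1"})),
]

if __name__ == "__main__":
    both = frozenset({"helpdesk", "mail-admins"})
    print(authorize(Request("tenant-b", both, "tenant-a", "reset_password", "ou-sales"), EAOS))
    print(authorize(Request("tenant-b", both, "tenant-a", "reset_password", "mail-store-1"), EAOS))
```

The second request is refused even though the user maps to both objects, because no single object permits that task on that target.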
Specification