MAPPING TENAT GROUPS TO IDENTITY MANAGEMENT CLASSES

US 20160335118A1
Filed: 01/20/2014
Published: 11/17/2016
Est. Priority Date: 01/20/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

mapping, by a system including a processor, groups of a plurality of tenants to identity management classes corresponding to respective roles that grant respective permissions for performing tasks with respect to at least one application, the at least one application accessible by the plurality of tenants, wherein the identity management classes are associated with hierarchical delegation information that specify delegation rights among the identity management classes, the delegation rights specifying rights of members of the respective identity management classes to perform delegation with respect to further members of the identity management classes; and

in response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, determining, by the system based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Groups of a plurality of tenants are mapped to identity management classes corresponding to respective roles that grant respective permissions. The identity management classes are associated with hierarchical delegation information that specify delegation rights among the identity management classes, the delegation rights specifying rights of members of the respective identity management classes to perform delegation with respect to further members of the identity management classes. In response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, it is determined, based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member.

26 Citations

View as Search Results

15 Claims

1. A method comprising:
- mapping, by a system including a processor, groups of a plurality of tenants to identity management classes corresponding to respective roles that grant respective permissions for performing tasks with respect to at least one application, the at least one application accessible by the plurality of tenants, wherein the identity management classes are associated with hierarchical delegation information that specify delegation rights among the identity management classes, the delegation rights specifying rights of members of the respective identity management classes to perform delegation with respect to further members of the identity management classes; and
  
  in response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, determining, by the system based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the request is a request by the first member of the first identity management class to enroll the second member in a second identity management class, and wherein the determining comprises determining, based on the hierarchical delegation information, whether the first member is allowed to enroll the second member in the second identity management class.
  - 3. The method of claim 1, wherein the request is a request by the first member of the first identity management class to remove the second member from a second identity management class, and wherein the determining comprises determining, based on the hierarchical delegation information, whether the first member is allowed to remove the second member from the second identity management class.
  - 4. The method of claim 1, wherein the request is a request by the first member of the first identity management class to modify information of the second member of a second identity management class, and wherein the determining comprises determining, based on the hierarchical delegation information, whether the first member is allowed to modify the information of the second member of the second identity management class.
  - 5. The method of claim 1, wherein mapping the groups of the plurality of tenants to the identity management classes comprises mapping the groups of the plurality of tenants to system groups, the method further comprising:
    - mapping, by the system, the system groups to the respective roles.
  - 6. The method of claim 5, wherein mapping the groups of the plurality of tenants to the system groups is performed by an identity management engine, and wherein mapping the system groups to the roles is performed by the at least one application.
  - 7. The method of claim 5, wherein the system groups are common to a plurality of applications that have different sets of roles.
  - 8. The method of claim 1, wherein mapping the groups of the plurality of tenants to the identity management classes comprises mapping the groups of the plurality of tenants to the roles.
  - 9. The method of claim 1, wherein the at least one application is a cloud-based application for providing one or a combination of cloud resources and cloud services to members of the plurality of tenants.

10. A cloud system comprising:
- at least one of a cloud resource and a cloud service accessible by a plurality of tenants of the cloud system; and
  
  at least one storage medium to store a mapping between groups of the plurality of tenants and identity management classes corresponding to respective roles that grant respective permissions to access the cloud resource or cloud service, wherein the identity management classes are associated with hierarchical delegation information that specify delegation rights among the identity management classes, the delegation rights specifying rights of members of the respective identity management classes to perform delegation with respect to further members of the identity management classes; and
  
  at least one processor to;
  
  receive a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of a particular one of the identity management classes, andin response to the request, determine, based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member of the particular identity management class.
- View Dependent Claims (11, 12, 13)
- - 11. The cloud system of claim 10, wherein the particular identity management class is the same as the first identity management class.
  - 12. The cloud system of claim 10, wherein the particular identity management class is different from the first identity management class.
  - 13. The cloud system of claim 10, wherein the mapping includes a first mapping between the groups of the plurality of tenants and system groups that correspond to the identity management classes, and a second mapping between the system groups and the roles.

14. An article comprising at least one non-transitory machine-readable storage medium storing instructions that upon execution by a cloud system cause the cloud system to:
- store a mapping between groups of a plurality of tenants and identity management classes corresponding to respective roles that grant respective permissions for performing tasks with respect to at least one application, the at least one application accessible by the plurality of tenants and managing access of one or a combination of a cloud resource and a cloud service, wherein the identity management classes are associated with hierarchical delegation information that specify delegation rights among the identity management classes, the delegation rights specifying rights of members of the respective identity management classes to perform delegation with respect to further members of the identity management classes, andin response to a request by a first member of a first of the identity management classes to perform delegation with respect to a second member of one of the identity management classes, determine, based on the hierarchical delegation information, whether the first member is allowed to perform the delegation with respect to the second member
- View Dependent Claims (15)
- - 15. The article of claim 14, wherein the hierarchical delegation information specifies delegation rights selected from among:
    - a right of a member of one of the identity management classes to enroll a new member of one of the identity management classes, a right of a member of one of the identity management classes to modify information another member of one of the identity management classes, and a right of a member of one of the identity management classes to remove another member from one of the identity management classes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Beiter, Michael B, Grohs, Randall E

Granted Patent

US 10,372,483 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 9/468 Specific access rights for ...

MAPPING TENAT GROUPS TO IDENTITY MANAGEMENT CLASSES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

MAPPING TENAT GROUPS TO IDENTITY MANAGEMENT CLASSES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links