USER ABSTRACTED RBAC IN A MULTI TENANT ENVIRONMENT

US 20170214696A1
Filed: 01/27/2016
Published: 07/27/2017
Est. Priority Date: 01/27/2016
Status: Active Grant

First Claim

Patent Images

1. A method for abstracting individual users from a role based access control (RBAC) identity management system, said method comprising the steps of:

assigning, by a computer processor of the identity management system, each of the individual users to a service provider identity dataset as a function of a service provider owner'"'"'s input data instructing the computer processor to assign each of the individual users to the service provider identity dataset;

requesting, by the computer processor, addition of the service provider identity dataset to a role dataset, wherein the role dataset includes permissions to access a secured resource of the identity management system;

granting, by the computer processor, the addition of the service provider identity dataset to the role dataset, as a function of input data from a tenant manager instructing the computer processor to add the service provider identity dataset to the role dataset; and

periodically revalidating, by the computer processor, the addition of the service provider identity dataset to the role dataset, wherein the input data of the tenant manager instructs the computer processor to maintain or delete the service provider identity dataset from the role dataset.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Role based access control (RBAC) identity management tools, computing systems, computer products and methods of abstracting individual users from the role assignment and revalidation process of traditional RBAC. The RBAC tools, products and systems of the present disclosure organize and manage multi-tenanted networks and cloud computing environments by organizing individual users by service providers having a single or unified identity, which are separately managed by the service provider owners. The service provider identities are treated as a single service provider entity applying for one or more roles in the multi-tenant system, allowing for a simplified role revalidation that no longer requires managers of tenants in a multi-tenant network to approve the role assignment of each individual user, because the tenants and tenant managers are unaware of the users identities that make up the service provider identity.

63 Citations

View as Search Results

20 Claims

1. A method for abstracting individual users from a role based access control (RBAC) identity management system, said method comprising the steps of:
- assigning, by a computer processor of the identity management system, each of the individual users to a service provider identity dataset as a function of a service provider owner'"'"'s input data instructing the computer processor to assign each of the individual users to the service provider identity dataset;
  
  requesting, by the computer processor, addition of the service provider identity dataset to a role dataset, wherein the role dataset includes permissions to access a secured resource of the identity management system;
  
  granting, by the computer processor, the addition of the service provider identity dataset to the role dataset, as a function of input data from a tenant manager instructing the computer processor to add the service provider identity dataset to the role dataset; and
  
  periodically revalidating, by the computer processor, the addition of the service provider identity dataset to the role dataset, wherein the input data of the tenant manager instructs the computer processor to maintain or delete the service provider identity dataset from the role dataset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 13)
- - 2. The method of claim 1, further comprising the step of updating, by the computer processor, the service provider identity data set to an updated service provider identity dataset as a function of the input data of the service provider owner, wherein the updated service provider identity dataset replaces the service provider identity dataset in the role dataset, and individual users of the updated service provider identity dataset receive the permissions to access the secured resources of the identity management system.
  - 3. The method of claim 1, wherein the role based access control identity management system is multi-tenant network.
  - 4. The method of claim 3, wherein the multi-tenant network is a cloud computing environment.
  - 5. The method of claim 3, wherein the requesting step includes a plurality of requests for the service provider identity dataset to be added to one or more different role datasets.
  - 6. The method of claim 1, wherein the permissions include read or read/write operations of the secured resource, accessible from a node of the identity management system by the individual user of the service provider identity dataset.
  - 7. The method of claim 2, wherein the step of updating the service provider identity dataset occurs independently from any input by the tenant manager.
  - 8. The method of claim 1, further comprising providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in a computer system, where the computer-readable program code in combination with the computer system is configured to implement the steps of assigning, requesting, granting and periodically revalidating.
  - 13. The computer program product of claim 8, wherein the permissions include read or read/write operations of the secured resource accessible from a node of the identity management system by the individual user of the service provider identity dataset.

9. A computer program product, comprising one or more computer readable hardware storage devices having computer readable program code stored therein, said program code containing instructions executable by the one or more computer processors to implement a method for abstracting one or more individual users from a role based access control identity management system, said method comprising the steps of:
- assigning, by the computer processor, each of the individual users to a service provider identity dataset as a function of a service provider owner'"'"'s input data instructing the computer processor to assign each of the individual users to the service provider identity dataset;
  
  requesting, by the computer processor, addition of the service provider identity dataset to a role dataset, wherein the role dataset includes permissions to access a secured resource of the identity management system;
  
  granting, by the computer processor, the addition of the service provider identity dataset to the role dataset, as a function of input data from a tenant manager instructing the computer processor to add the service provider identity dataset to the role dataset; and
  
  periodically revalidating, by the computer processor, the addition of the service provider identity dataset to the role dataset, wherein the input data of the tenant manager instructs the computer processor to maintain or delete the service provider identity dataset from the role dataset.
- View Dependent Claims (10, 11, 12, 14)
- - 10. The computer program product of claim 9, further comprising the step of updating, by the computer processor, the service provider identity data set to an updated service provider identity dataset as a function of the input data of the service provider owner, wherein the updated service provider identity dataset replaces the service provider identity dataset in the role dataset, and individual users of the updated service provider identity dataset receive the permissions to access the secured resources of the identity management system.
  - 11. The computer program product of claim 9, wherein the role based access control identity management system is multi-tenant network.
  - 12. The computer program product of claim 11, wherein the multi-tenant network is a cloud computing environment.
  - 14. The computer program product of claim 9, wherein the step of updating the service provider identity dataset occurs independently from any input by the tenant manager.

15. A computer system, comprising one or more processors, one or more memories coupled to the one or more computer processors, and one or more computer readable storage devices coupled to the one or more processors, said one or more storage devices containing program code executable by the one or more processors via one or more memories to implement a method for abstracting one or more individual users from a role based access control identity management system, said method comprising the steps of:
- assigning, by a computer processor of the identity management system, each of the individual users to a service provider identity dataset as a function of a service provider owner'"'"'s input data instructing the computer processor to assign each of the individual users to the service provider identity dataset;
  
  requesting, by the computer processor, addition of the service provider identity dataset to a role dataset, wherein the role dataset includes permissions to access a secured resource of the identity management system;
  
  granting, by the computer processor, the addition of the service provider identity dataset to the role dataset, as a function of input data from a tenant manager instructing the computer processor to add the service provider identity dataset to the role dataset; and
  
  periodically revalidating, by the computer processor, the addition of the service provider identity dataset to the role dataset, wherein the input data of the tenant manager instructs the computer processor to maintain or delete the service provider identity dataset from the role dataset.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15, further comprising the step of updating, by the computer processor, the service provider identity data set to an updated service provider identity dataset as a function of the input data of the service provider owner, wherein the updated service provider identity dataset replaces the service provider identity dataset in the role dataset, and individual users of the updated service provider identity dataset receive the permissions to access the secured resources of the identity management system.
  - 17. The computer system of claim 15, wherein the computer system is a multi-tenant network.
  - 18. The computer system of claim 17, wherein the multi-tenant network is a cloud computing environment.
  - 19. The computer system of claim 17, the requesting step includes a plurality of requests for the service provider identity dataset to be added to one or more different role datasets.
  - 20. The computer system of claim 16, wherein the step of updating the service provider identity dataset occurs independently from any input by the tenant manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Cleaver, James D., McGuire, Michael J.

Granted Patent

US 10,298,589 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/104 Grouping of entities

USER ABSTRACTED RBAC IN A MULTI TENANT ENVIRONMENT

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

USER ABSTRACTED RBAC IN A MULTI TENANT ENVIRONMENT

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links