Multi-tenancy using suite of authorization manager components

US 8,271,536 B2
Filed: 11/14/2008
Issued: 09/18/2012
Est. Priority Date: 11/14/2008
Status: Active Grant

First Claim

Patent Images

1. A method, implemented at a server computer system in a computer networking environment that includes plurality of computing systems, the method for implementing a multi-tenancy service component configured to provide multi-tenancy capabilities to submitted services that do not otherwise provide multi-tenancy capabilities, the method comprising:

an act of instantiating a hosting service that includes a multi-tenancy component that is configurable to define how the hosting service provides resource access to one or more resources of a submitted service including enabling a single instance of the one or more resources to be accessed by a plurality of users such that the submitted service functions as a multi-tenancy service even though the submitted service does not by itself provide multi-tenancy capabilities;

an act of receiving the submitted service submitted to be hosted by the hosting service, the submitted service including a portion of use information that defines that access to a single instance of the one or more resources of the submitted service is to be provided to a plurality of users;

an act of configuring the multi-tenancy component to provide access to the single instance of the one or more resources of the submitted service to the plurality of users by configuring a validation plug-in that defines one or more resource instance claims for each of the plurality of users that define the type of access each of the plurality of users will have to the single instance of the one or more resources, wherein the plug-in provides an application programming interface for creating, updating and deleting resource instance claims in an authentication database;

an act of receiving a security token from a first of the plurality of users, the security token including one or more resource instance claims that identify the first user'"'"'s purported access rights to the single instance of the one or more resources;

an act of validating the security token received from the first user, including validating the one or more resource instance claims in the security token by comparing the one or more resource instance claims in the security token to resource instance claims in the authentication database to verify that the one or more resource instance claims in the security token are included in the authentication database;

an act of providing, to the first user, access to the single instance of the one or more resources in accordance with the validated one or more resource instance claims;

an act of receiving a security token from a second of the plurality of users, the security token including one or more resource instance claims that identify the second user'"'"'s purported access rights to the single instance of the one or more resources;

an act of validating the security token received from the second user, including validating the one or more resource instance claims in the security token by comparing the one or more resource instance claims in the security token to resource instance claims in the authentication database to verify that the one or more resource instance claims in the security token are included in the authentication database; and

an act of providing, to the second user, access to the single instance of the one or more resources in accordance with the validated one or more resource instance claims.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments described herein are directed to implementing a multi-tenancy service component configured to provide multi-tenancy capabilities for submitted services. In one embodiment, a computer system instantiates a hosting service that includes a multi-tenancy component configured to provide resource access to multiple users through a single multi-tenant resource instance. The computer system receives a submitted service submitted to be hosted by the hosting service. The submitted service includes a portion of use information usable to configure parameters of the multi-tenancy component. The computer system configures the multi-tenancy component to provide resource access for multiple users through a single multi-tenant resource instance, where each user provides a resource instance claim indicating a resource instance level authorization for the user. The computer system also provides resource access to each of the users through the single multi-tenant resource instance, based on the resource instance level authorization included in the resource instance claim.

64 Citations

View as Search Results

18 Claims

1. A method, implemented at a server computer system in a computer networking environment that includes plurality of computing systems, the method for implementing a multi-tenancy service component configured to provide multi-tenancy capabilities to submitted services that do not otherwise provide multi-tenancy capabilities, the method comprising:
- an act of instantiating a hosting service that includes a multi-tenancy component that is configurable to define how the hosting service provides resource access to one or more resources of a submitted service including enabling a single instance of the one or more resources to be accessed by a plurality of users such that the submitted service functions as a multi-tenancy service even though the submitted service does not by itself provide multi-tenancy capabilities;
  
  an act of receiving the submitted service submitted to be hosted by the hosting service, the submitted service including a portion of use information that defines that access to a single instance of the one or more resources of the submitted service is to be provided to a plurality of users;
  
  an act of configuring the multi-tenancy component to provide access to the single instance of the one or more resources of the submitted service to the plurality of users by configuring a validation plug-in that defines one or more resource instance claims for each of the plurality of users that define the type of access each of the plurality of users will have to the single instance of the one or more resources, wherein the plug-in provides an application programming interface for creating, updating and deleting resource instance claims in an authentication database;
  
  an act of receiving a security token from a first of the plurality of users, the security token including one or more resource instance claims that identify the first user'"'"'s purported access rights to the single instance of the one or more resources;
  
  an act of validating the security token received from the first user, including validating the one or more resource instance claims in the security token by comparing the one or more resource instance claims in the security token to resource instance claims in the authentication database to verify that the one or more resource instance claims in the security token are included in the authentication database;
  
  an act of providing, to the first user, access to the single instance of the one or more resources in accordance with the validated one or more resource instance claims;
  
  an act of receiving a security token from a second of the plurality of users, the security token including one or more resource instance claims that identify the second user'"'"'s purported access rights to the single instance of the one or more resources;
  
  an act of validating the security token received from the second user, including validating the one or more resource instance claims in the security token by comparing the one or more resource instance claims in the security token to resource instance claims in the authentication database to verify that the one or more resource instance claims in the security token are included in the authentication database; and
  
  an act of providing, to the second user, access to the single instance of the one or more resources in accordance with the validated one or more resource instance claims.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein each security token is generated from the corresponding user'"'"'s credentials.
  - 3. The method of claim 2, wherein configuring a validation plug-in that defines one or more resource instance claims for each of the plurality of users that define the type of access each of the plurality of users will have to the single instance of the one or more resources comprises configuring the validation plug-in to access the authentication database to verify that one or more resource instance claims included in the received security token are authorized.
  - 4. The method of claim 1, wherein at least one resource instance claim includes a listing of resource instance rights corresponding to each resource provided by the service.
  - 5. The method of claim 1, wherein each authenticated user accesses a customized virtual application instance.
  - 6. The method of claim 1, wherein the security token includes an indication that the user is assigned to a role that has access to the single instance of the one or more resources.
  - 7. The method of claim 6, wherein the role indicates rights for a plurality of users across a federation.
  - 8. The method of claim 1, wherein the type of access indicated in the one or more resource instance claims includes at least one of read, write and execute.
  - 9. The method of claim 8, further comprising an act of inspecting the resource instance claim to determine the type of access the user is requesting.
  - 10. The method of claim 9, further comprising denying the user access to the single instance of the one or more resources of the submitted service based on a determination that the user does not have rights for the type of access requested.
  - 11. The method of claim 1, wherein each resource includes a resource identifier linking the resource to one or more resource instance claims.
  - 12. The method of claim 11, wherein the resource identifier is validated against the resource instance claims to determine that the user has access rights of the type requested for the resource requested.
  - 13. The method of claim 1, wherein the multi-tenancy component provides one or more users with an indication of customizable multi-tenancy component parameters that are implementable using use information.

14. A computer program product for implementing a method for implementing a multi-tenancy service component configured to provide multi-tenancy capabilities to submitted services that do not otherwise provide multi-tenancy capabilities, the computer program product comprising one or more physical storage media having stored thereon computer-executable instructions that, when executed by one or more processors of the computing system, cause the computing system to perform the method, the method comprising:
- an act of instantiating a hosting service that includes a multi-tenancy component that is configurable to define how the hosting service provides resource access to one or more resources of a submitted service including enabling a single instance of the one or more resources to be accessed by a plurality of users such that the submitted service functions as a multi-tenancy service even though the submitted service does not by itself provide multi-tenancy capabilities;
  
  an act of receiving the submitted service submitted to be hosted by the hosting service, the submitted service including a portion of use information that defines that access to a single instance of the one or more resources of the submitted service is to be provided to a plurality of users;
  
  an act of configuring the multi-tenancy component to provide access to the single instance of the one or more resources of the submitted service to the plurality of users by configuring a validation plug-in that defines one or more resource instance claims for each of the plurality of users that define the type of access each of the plurality of users will have to the single instance of the one or more resources, wherein the plug-in provides an application programming interface for creating, updating and deleting resource instance claims in an authentication database;
  
  an act of receiving a security token from a first of the plurality of users, the security token including one or more resource instance claims that identify the first user'"'"'s purported access rights to the single instance of the one or more resources;
  
  an act of validating the security token received from the first user, including validating the one or more resource instance claims in the security token by comparing the one or more resource instance claims in the security token to resource instance claims in the authentication database to verify that the one or more resource instance claims in the security token are included in the authentication database;
  
  an act of providing, to the first user, access to the single instance of the one or more resources in accordance with the validated one or more resource instance claims;
  
  an act of receiving a security token from a second of the plurality of users, the security token including one or more resource instance claims that identify the second user'"'"'s purported access rights to the single instance of the one or more resources;
  
  an act of validating the security token received from the second user, including validating the one or more resource instance claims in the security token by comparing the one or more resource instance claims in the security token to resource instance claims in the authentication database to verify that the one or more resource instance claims in the security token are included in the authentication database; and
  
  an act of providing, to the second user, access to the single instance of the one or more resources in accordance with the validated one or more resource instance claims.
- View Dependent Claims (15, 16)
- - 15. The computer program product of claim 14, further comprising an act of receiving a validated security token from a user connected to a different, remote datacenter.
  - 16. The computer program product of claim 15, further comprising accessing an authentication database on the remote datacenter to verify that the user has rights to access the single instance of the one or more resources of the submitted service.

17. A computer system comprising the following:
- one or more processors;
  
  system memory;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to perform a method for providing a service delivery platform with a multi-tenancy service component configured to provide multi-tenancy capabilities for user-submitted services, the method comprising the following;
  
  an act of instantiating a hosting service that includes a multi-tenancy component that is configurable to define how the hosting service provides resource access to one or more resources of a submitted service including enabling a single instance of the one or more resources to be accessed by a plurality of users such that the submitted service functions as a multi-tenancy service even though the submitted service does not by itself provide multi-tenancy capabilities;
  
  an act of receiving the submitted service submitted to be hosted by the hosting service, the submitted service including a portion of use information that defines that access to a single instance of the one or more resources of the submitted service is to be provided to a plurality of users;
  
  an act of configuring the multi-tenancy component to provide access to the single instance of the one or more resources of the submitted service to the plurality of users by configuring a validation plug-in that defines one or more resource instance claims for each of the plurality of users that define the type of access each of the plurality of users will have to the single instance of the one or more resources, wherein the plug-in provides an application programming interface for creating, updating and deleting resource instance claims in an authentication database;
  
  an act of receiving a security token from a first of the plurality of users, the security token including one or more resource instance claims that identify the first user'"'"'s purported access rights to the single instance of the one or more resources;
  
  an act of validating the security token received from the first user, including validating the one or more resource instance claims in the security token by comparing the one or more resource instance claims in the security token to resource instance claims in the authentication database to verify that the one or more resource instance claims in the security token are included in the authentication database;
  
  an act of providing, to the first user, access to the single instance of the one or more resources in accordance with the validated one or more resource instance claims;
  
  an act of receiving a security token from a second of the plurality of users, the security token including one or more resource instance claims that identify the second user'"'"'s purported access rights to the single instance of the one or more resources;
  
  an act of validating the security token received from the second user, including validating the one or more resource instance claims in the security token by comparing the one or more resource instance claims in the security token to resource instance claims in the authentication database to verify that the one or more resource instance claims in the security token are included in the authentication database; and
  
  an act of providing, to the second user, access to the single instance of the one or more resources in accordance with the validated one or more resource instance claims.
- View Dependent Claims (18)
- - 18. The computer program product of claim 17, wherein the service delivery platform is part of an online service provided by a datacenter server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Amradkar, Purushottam Shridhar, Chandrasekhar, Arun Ramanathan, Fitter, Percy Dara
Primary Examiner(s)
Ehichioya, Fred I
Assistant Examiner(s)
Fan, Shiow-Jy

Application Number

US12/271,716
Publication Number

US 20100125612A1
Time in Patent Office

1,404 Days
Field of Search

707/802, 707/E17.014, 709/229, 726/4, 726/9
US Class Current

707/802
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/105 Multiple levels of security

Multi-tenancy using suite of authorization manager components

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-tenancy using suite of authorization manager components

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links