Role-based access in a multi-customer computing environment
First Claim
1. A method for managing role-based access in a multi-customer computing environment, the method comprising:
receiving, by a computing device, a request from an actor to take action within the multi-customer computing environment;
determining, by the computing device, a role from one or more roles for the actor based on an identification of the actor, wherein each role is assigned a plurality of context parameters, each role is used by a plurality of customers, and the role that is determined can have a first policy element for the actor and a second policy element for a different actor, the first policy element and the second policy element are not the same;
receiving, by the computing device, one value for each of the one or more context parameters assigned to the role based on the identification of the actor;
determining, by the computing device, a role scope for the role based on the one value of each of the one or more context parameters assigned to the actor;
determining, by the computing device, an actor-role scope value based on the role scope and the one value of each of the one or more context parameters assigned to the role;
determining, by the computing device, a policy type based on the request from the actor and the actor's role and the one or more context parameters assigned to the actor;
populating, by the computing device, policy elements of the policy type to form a policy instance with one or more values from the one or more context parameters assigned to the role; and
providing to the actor, by the computing device, an access permission for the first policy element or the second policy element so the actor can take action within the multi-customer computing environment based on the policy instance.
Abstract
An actor is associated with a role, a policy type is associated with the role, and a role scope is associated with the role. One or more values are received for one or more corresponding context parameters associated with the actor. A request for access to a resource is received from the actor. A policy instance is determined based on the policy type and the one or more values for the one or more corresponding context parameters associated with the actor. One or more actor-role scope values are determined based on the role scope and the one or more values for the one or more corresponding context parameters associated with the actor. A response to the request is determined based on the policy instance and the actor-role scope values.
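The flow the abstract describes (role, context parameters, role scope, policy type, policy instance, actor-role scope values, response) as an added Python example; it is not part of the patent, and the role name, context parameters, policy types and actors are constructed for illustration. It shows how two actors from different customers holding the same role receive different policy instances, and how the actor-role scope stops a request that crosses into another customer's resources.

```python
"""Toy evaluator for scoped role-based access in a multi-customer environment.

Constructed example: role, context parameters, policy types and actors are
illustrative, not taken from the patent text.
"""

# A role is shared by every customer. It names the context parameters an actor
# must supply, the role scope template and the policy type used for each action.
ROLES = {
    "tenant-admin": {
        "context_params": ("customer", "region"),
        "role_scope": ("customer", "region"),  # parameters that bound the actor's reach
        "policy_types": {
            # "${param}" placeholders are populated from the actor's context values
            "read":  {"resource_types": ("vm", "bucket"), "customer": "${customer}"},
            "write": {"resource_types": ("vm",),          "customer": "${customer}"},
        },
    },
}

# Actors of different customers hold the same role with different context values.
ACTORS = {
    "alice": {"role": "tenant-admin", "context": {"customer": "acme",   "region": "eu"}},
    "bob":   {"role": "tenant-admin", "context": {"customer": "globex", "region": "us"}},
}

def policy_instance(role, action, context):
    """Populate the policy type's elements with the actor's context values."""
    ptype = ROLES[role]["policy_types"].get(action)
    if ptype is None:
        return None
    return {k: (context[v[2:-1]] if isinstance(v, str) and v.startswith("${") else v)
            for k, v in ptype.items()}

def actor_role_scope(role, context):
    """Actor-role scope value: the role scope template bound to the actor's values."""
    return {p: context[p] for p in ROLES[role]["role_scope"]}

def decide(actor_id, action, resource):
    """Return (allowed, reason) for a request on resource {type, customer, region}."""
    actor = ACTORS[actor_id]
    role, ctx = actor["role"], actor["context"]
    missing = [p for p in ROLES[role]["context_params"] if p not in ctx]
    if missing:  # fail closed when a required context parameter was never received
        return False, f"missing context parameters {missing}"
    inst = policy_instance(role, action, ctx)
    if inst is None:
        return False, f"no policy type for action {action!r}"
    if resource["type"] not in inst["resource_types"]:
        return False, "resource type outside the policy instance"
    scope = actor_role_scope(role, ctx)
    if any(resource.get(k) != v for k, v in scope.items()):
        return False, f"resource outside actor-role scope {scope}"
    return True, f"policy instance {inst} within scope {scope}"
```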
20 Claims
1. A method for managing role-based access in a multi-customer computing environment, the method comprising:
receiving, by a computing device, a request from an actor to take action within the multi-customer computing environment;
determining, by the computing device, a role from one or more roles for the actor based on an identification of the actor, wherein each role is assigned a plurality of context parameters, each role is used by a plurality of customers, and the role that is determined can have a first policy element for the actor and a second policy element for a different actor, the first policy element and the second policy element are not the same;
receiving, by the computing device, one value for each of the one or more context parameters assigned to the role based on the identification of the actor;
determining, by the computing device, a role scope for the role based on the one value of each of the one or more context parameters assigned to the actor;
determining, by the computing device, an actor-role scope value based on the role scope and the one value of each of the one or more context parameters assigned to the role;
determining, by the computing device, a policy type based on the request from the actor and the actor's role and the one or more context parameters assigned to the actor;
populating, by the computing device, policy elements of the policy type to form a policy instance with one or more values from the one or more context parameters assigned to the role; and
providing to the actor, by the computing device, an access permission for the first policy element or the second policy element so the actor can take action within the multi-customer computing environment based on the policy instance.
Dependent claims: 2 to 12.
13. A system for managing role-based access in a multi-customer computing environment, the system comprising:
one or more servers configured to:
receive a request from an actor to take action within the multi-customer computing environment;
determine a role from one or more roles for the actor based on an identification of the actor, wherein each role is assigned a plurality of context parameters, each role is used by a plurality of customers, and the role that is determined can have a first policy element for the actor and a second policy element for a different actor, the first policy element and the second policy element are not the same;
receive one value for each of the one or more context parameters assigned to the role based on the identification of the actor;
determine a role scope for the role based on the one value of each of the one or more context parameters assigned to the actor;
determine an actor-role scope value based on the role scope and the one value of each of the one or more context parameters assigned to the role;
determine a policy type based on the request from the actor and the actor's role and the one or more context parameters assigned to the actor;
populate policy elements of the policy type to form a policy instance with one or more values from the one or more context parameters assigned to the role; and
provide to the actor an access permission for the first policy element or the second policy element so the actor can take action within the multi-customer computing environment based on the policy instance.
Dependent claims: 14 to 19.
20. A computer program product, tangibly embodied in a non-transitory machine-readable storage device, for managing role-based access in a multi-customer computing environment, the computer program product including instructions being operable to cause data processing apparatus to:
receive a request from an actor to take action within the multi-customer computing environment;
determine a role from one or more roles for the actor based on an identification of the actor, wherein each role is assigned a plurality of context parameters, each role is used by a plurality of customers, and the role that is determined can have a first policy element for the actor and a second policy element for a different actor, the first policy element and the second policy element are not the same;
receive one value for each of the one or more context parameters assigned to the role based on the identification of the actor;
determine a role scope for the role based on the one value of each of the one or more context parameters assigned to the actor;
determine an actor-role scope value based on the role scope and the one value of each of the one or more context parameters assigned to the role;
determine a policy type based on the request from the actor and the actor's role and the one or more context parameters assigned to the actor;
populate policy elements of the policy type to form a policy instance with one or more values from the one or more context parameters assigned to the role; and
provide to the actor an access permission for the first policy element or the second policy element so the actor can take action within the multi-customer computing environment based on the policy instance.