Defining an authorizer in a virtual computing infrastructure
First Claim
1. A method of allowing an authorizing entity to grant permission to a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- defining an authorizer value for an authorizer key in a permission, the authorizer value identifying an entity delegating the permission;
- defining a subject value for a subject key in the permission, the subject value identifying a group to whom the permission is being delegated;
- defining an object value for an object key in the permission, the object value identifying an object upon which action is authorized by the permission within the cloud computing environment;
- defining an action value for an action key in the permission, the action value identifying an action authorized by the permission in the cloud computing environment;
- determining that a path exists in a directed graph between (a) a node corresponding to the authorizer value and (b) another node corresponding to an initial set of permissions created in connection with a creation of a customer to which the group belongs; and
- authorizing members of the subject group to perform a requested action on a requested object based on the defined values of the permission and the existence of the path.
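The check described in claim 1, as an added example written for this page and not code from the patent: a permission carries the four keys (authorizer, subject, object, action), and a request is granted only if the requester belongs to the subject group, the object and action match, and a directed path leads from the authorizer's node to the node standing for the initial permissions created with the group's customer. The graph, group, customer and principal names are constructed assumptions.

```python
from collections import deque

# Constructed sample data (assumptions, not from the patent). Edges point from a
# delegate back to its delegator, so a path from an authorizer to the node that
# stands for the customer's initial permissions proves the delegation chain is
# rooted in the permissions created when the customer was created.
DELEGATION_GRAPH = {
    "customer:acme/initial-permissions": [],
    "user:alice": ["customer:acme/initial-permissions"],  # granted at customer creation
    "user:bob": ["user:alice"],                            # delegated by alice
    "user:mallory": [],                                    # no chain to any customer root
}

# Each subject group belongs to one customer; each customer has one initial-permissions node.
GROUPS = {"group:devops": {"customer": "customer:acme", "members": {"user:carol", "user:dave"}}}
CUSTOMER_ROOT = {"customer:acme": "customer:acme/initial-permissions"}


def path_exists(graph, start, goal):
    """Breadth-first search for a directed path from start to goal."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def define_permission(authorizer, subject, obj, action):
    """The four keys named in the claim: authorizer, subject, object, action."""
    return {"authorizer": authorizer, "subject": subject, "object": obj, "action": action}


def is_authorized(permission, requester, requested_object, requested_action,
                  graph=DELEGATION_GRAPH, groups=GROUPS, roots=CUSTOMER_ROOT):
    """Grant only if the requester is in the subject group, the requested object and
    action match the permission, and the authorizer's delegation chain reaches the
    initial-permissions node of the customer that owns the group."""
    group = groups.get(permission["subject"])
    if group is None or requester not in group["members"]:
        return False
    if (requested_object, requested_action) != (permission["object"], permission["action"]):
        return False
    root = roots.get(group["customer"])
    return root is not None and path_exists(graph, permission["authorizer"], root)
```

A permission whose authorizer has no chain back to the customer root (user:mallory above) is rejected even when subject, object and action all match.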
2 Assignments
0 Petitions
Abstract
An authorizing entity is allowed to grant permission to a subject to perform an action on an object in a cloud computing environment. An authorizer is defined as the entity having granting authority to delegate a predetermined permission. A subject is defined as a group to whom the permission is being delegated. An object is defined upon which an action is authorized within the cloud computing environment. The action being authorized in the cloud computing environment is defined. Members of the subject group are authorized to perform the permitted action on the object.
8 Claims
1. (Independent method claim, reproduced in full above under First Claim.) Dependent claims: 2, 3, 4
5. A cloud computing system, comprising:
- at least one storage device configured to store a plurality of instructions; and
- at least one processor device in communication with the at least one storage device, and configured to execute the plurality of instructions to:
  - define an authorizer value for an authorizer key in a permission, the authorizer value identifying an entity delegating the permission;
  - define a subject value for a subject key in the permission, the subject value identifying a group to whom the permission is being delegated;
  - define an object value for an object key in the permission, the object value identifying an object upon which action is authorized by the permission within the cloud computing environment;
  - define an action value for an action key in the permission, the action value identifying an action authorized by the permission in the cloud computing environment;
  - determine that a path in a directed graph exists between (a) a node corresponding to the authorizer value and (b) another node corresponding to an initial set of permissions created in connection with a creation of a customer to which the group belongs; and
  - authorize members of the subject group to perform a requested action on a requested object based on the defined values of the permission and the existence of the path.
Dependent claims: 6, 7, 8
Specification