Objects in a virtual computing infrastructure
First Claim
1. A method of performing an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
determining a policy path from at least one permission within a policy of a customer, the at least one permission comprising a set of key-value pairs describing a delegation of privileges;
determining a first delegation path from within the determined policy path, the first delegation path being directed to at least one object permission for the object upon which the action is to be performed, the at least one object permission comprising permissions created by an owner of the object and describing what actions may be performed on the object and by whom those actions may be performed, wherein the first delegation path is defined by values of the at least one permission; and
assigning an authorized user from a second delegation path from within the determined policy path, the second delegation path being directed to at least one user permission for the action to be performed, the at least one user permission describing what actions may be performed by one or more users belonging to the customer, wherein the second delegation path is defined by values of the at least one permission;
wherein determining the policy path involves determining an existence of a path in a directed graph in which each vertex is a different permission from each other vertex in the directed graph.
2 Assignments
0 Petitions
Abstract
An action is performed on an object in a cloud computing environment having a plurality of computing nodes. A policy path is determined from at least one permission within a policy of a customer. A first delegation path is determined from within the determined policy path. The first delegation path is directed to at least one object permission for the object upon which the action is to be performed. An authorized user is assigned from a second delegation path from within the determined policy path. The second delegation path is directed to at least one user permission for the action to be performed.
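The following is an added worked example, not code from the patent or its assignee, that models the check described in claim 1 and the abstract above: permissions are vertices of a directed graph, a "policy path" is a reachability question in that graph, and the action is allowed only when one delegation path from the customer's policy reaches an owner-created object permission for the action and a second reaches a user permission granting that action to the requesting user. The dict layout of a permission (fields `id`, `kind`, `delegates`, `owner`, `grantees`, `users`, `actions`), the rule that both delegation paths start at the same policy permission, and every name in the sample data are assumptions made for the illustration.

```python
"""Delegation-graph authorization check, modelled on claim 1 above.

Added illustration, not the patent's own code.  Assumptions (not from the
page): a permission is a dict with an "id", a "kind" of "policy" | "object" |
"user", and a "delegates" list naming the permissions it delegates to (the
directed edges); both delegation paths start at the same policy permission
of the customer; all names below are constructed sample data.
"""
from collections import deque


def build_graph(permissions):
    """Adjacency map id -> [ids].  Rejects a graph in which two vertices are
    the same permission, and edges that point at no permission at all."""
    graph = {}
    for p in permissions:
        if p["id"] in graph:
            raise ValueError(f"duplicate permission vertex {p['id']!r}")
        graph[p["id"]] = list(p.get("delegates", ()))
    for src, dsts in graph.items():
        for dst in dsts:
            if dst not in graph:
                raise ValueError(f"{src!r} delegates to unknown permission {dst!r}")
    return graph


def find_path(graph, start, goal):
    """Breadth-first search; returns the vertex list start..goal, or None."""
    if start not in graph or goal not in graph:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        v = queue.popleft()
        if v == goal:
            path = []
            while v is not None:
                path.append(v)
                v = prev[v]
            return path[::-1]
        for w in graph[v]:
            if w not in prev:
                prev[w] = v
                queue.append(w)
    return None


def authorize(permissions, object_owners, customer, user, action, obj):
    """Return (allowed, first_delegation_path, second_delegation_path).

    The action is allowed only when some policy permission of the customer
    reaches (1) an object permission that the object's owner created, that
    lists the action and that names the customer as grantee, and (2) a user
    permission of the customer that lists the action for this user.
    An object permission written by anyone other than the owner is ignored,
    so a forged entry cannot complete the first delegation path.
    """
    graph = build_graph(permissions)
    by_id = {p["id"]: p for p in permissions}
    roots = [i for i, p in by_id.items()
             if p["kind"] == "policy" and p["customer"] == customer]
    object_targets = [i for i, p in by_id.items()
                      if p["kind"] == "object" and p["object"] == obj
                      and p["owner"] == object_owners.get(obj)
                      and action in p["actions"] and customer in p["grantees"]]
    user_targets = [i for i, p in by_id.items()
                    if p["kind"] == "user" and p["customer"] == customer
                    and user in p["users"] and action in p["actions"]]
    for root in roots:
        first = next(filter(None, (find_path(graph, root, t) for t in object_targets)), None)
        if first is None:
            continue
        second = next(filter(None, (find_path(graph, root, t) for t in user_targets)), None)
        if second is not None:
            return True, first, second
    return False, None, None


# Constructed sample data: who owns which object, and the permission graph.
OBJECT_OWNERS = {"volume-7": "owner-corp"}

PERMISSIONS = [
    {"id": "policy:acme", "kind": "policy", "customer": "acme",
     "delegates": ["obj:volume-7:acme", "policy:acme:team"]},
    {"id": "policy:acme:team", "kind": "policy", "customer": "acme",
     "delegates": ["user:acme:ops"]},
    # object permission created by the owner: acme may attach or read
    {"id": "obj:volume-7:acme", "kind": "object", "object": "volume-7",
     "owner": "owner-corp", "actions": ["attach", "read"],
     "grantees": ["acme"], "delegates": []},
    # user permission: alice (an acme user) may attach
    {"id": "user:acme:ops", "kind": "user", "customer": "acme",
     "users": ["alice"], "actions": ["attach"], "delegates": []},
    # an object permission NOT created by the owner: never a valid target
    {"id": "obj:volume-7:forged", "kind": "object", "object": "volume-7",
     "owner": "mallory", "actions": ["delete"], "grantees": ["acme"],
     "delegates": []},
    {"id": "policy:acme:admins", "kind": "policy", "customer": "acme",
     "delegates": ["obj:volume-7:forged", "user:acme:admins"]},
    {"id": "user:acme:admins", "kind": "user", "customer": "acme",
     "users": ["alice"], "actions": ["delete"], "delegates": []},
]

if __name__ == "__main__":
    for act in ("attach", "read", "delete"):
        print(act, authorize(PERMISSIONS, OBJECT_OWNERS, "acme", "alice", act, "volume-7"))
```

Running the block shows `attach` succeeding with a direct first delegation path and a two-hop second path through `policy:acme:team`, while `read` fails (no user permission grants it) and `delete` fails even though a policy reaches an object permission listing it, because that permission was not created by the object's owner. The owner check on object permissions is the part of the claim that carries the security weight: without it, any vertex that happens to be reachable could complete the first delegation path.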
14 Claims
1. (Independent claim; reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A cloud computing system, comprising:
a plurality of computing nodes;
at least one storage device configured to store a plurality of processing instructions; and
at least one hardware processor in communication with the at least one storage device, and configured to execute the plurality of processing instructions to:
determine a policy path from at least one permission within a policy of a customer, the at least one permission comprising a set of key-value pairs describing a delegation of privileges;
determine a first delegation path from within the determined policy path, the first delegation path being directed to at least one object permission for an object upon which an action is to be performed, the at least one object permission comprising permissions created by an owner of the object and describing what actions may be performed on the object and by whom those actions may be performed, wherein the first delegation path is defined by values of the at least one permission; and
assign an authorized user from a second delegation path from within the determined policy path, the second delegation path being directed to at least one user permission for the action to be performed, the at least one user permission describing what actions may be performed by one or more users belonging to the customer and wherein the second delegation path is defined by values of the at least one permission;
wherein the plurality of processing instructions to determine the policy path includes processing instructions to determine an existence of a path in a directed graph in which each vertex is a different permission from each other vertex in the directed graph.
Dependent claims: 9, 10, 11, 12, 13, 14.