Shared identity management (IDM) integration in a multi-tenant computing environment

US 9,721,117 B2
Filed: 09/14/2015
Issued: 08/01/2017
Est. Priority Date: 09/19/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a first computing system of a computing infrastructure system that provides access to a plurality of services, a request by a user to access a service of the plurality of services, wherein the computing infrastructure system restricts each tenant of the computing infrastructure system to one of the plurality of services;

extracting, by the first computing system, a tenant name and a service name of the service from a combined name included in the request;

authenticating, by the first computing system, the user by requesting a second computing system to determine whether the user is a member of a tenant having the tenant name in the second computing system, wherein the second computing system is different from the first computing system;

upon successfully authenticating that the user is the member of the tenant, accessing a directory of the second computing system to identify a set of roles that is both associated with the user and with a first service having the service name in the second computing system, wherein the first service is included in the plurality of services;

based on the set of roles, determining whether the user is permitted to perform an operation specified in the request relative to the service specified in the request; and

enabling the user to access the first service to perform the operation upon determining that a role in the set of roles is permitted to perform the operation specified in the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for enabling tenant hierarchy information to be migrated directly between different multi-tenant system (e.g., from a shared IDM system to a Nimbula system, or vice versa). A corresponding new tenant is created in a Nimbula system based on a combination of the tenant information and the service information from the shared IDM system. The Nimbula system extracts the tenant name and the service name from a request and asks the shared IDM system to verify that the user actually is a member of the tenant identified by the extracted tenant name. Upon successful authentication of the user, the Nimbula system requests the IDM system for roles that are associated with both the user and the extracted service name. The Nimbula system enable access to the service upon determining whether the requested operation can be performed relative to the specified service based on the roles.

55 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, at a first computing system of a computing infrastructure system that provides access to a plurality of services, a request by a user to access a service of the plurality of services, wherein the computing infrastructure system restricts each tenant of the computing infrastructure system to one of the plurality of services;
  
  extracting, by the first computing system, a tenant name and a service name of the service from a combined name included in the request;
  
  authenticating, by the first computing system, the user by requesting a second computing system to determine whether the user is a member of a tenant having the tenant name in the second computing system, wherein the second computing system is different from the first computing system;
  
  upon successfully authenticating that the user is the member of the tenant, accessing a directory of the second computing system to identify a set of roles that is both associated with the user and with a first service having the service name in the second computing system, wherein the first service is included in the plurality of services;
  
  based on the set of roles, determining whether the user is permitted to perform an operation specified in the request relative to the service specified in the request; and
  
  enabling the user to access the first service to perform the operation upon determining that a role in the set of roles is permitted to perform the operation specified in the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - preventing the user from accessing the first service to perform the operation upon determining that no role in the set of roles is permitted to perform the operation specified in the request.
  - 3. The method of claim 1, wherein the second computing system is included in an identity management system.
  - 4. The method of claim 3, wherein the second computing system provides the user with access to the first service based on a subscription by the tenant to the first service managed by the identity management system, and wherein the identity management system stores role information about each of the set of roles for accessing the first service.
  - 5. The method of claim 4, wherein the role information indicates one or more operations that are permitted by the tenant for the subscription to the first service, and wherein determining whether the user is permitted to perform an operation specified in the request includes determining whether the operation is included in the one or more operations that are permitted by the tenant for the subscription to the first service.
  - 6. The method of claim 4, wherein accessing the directory of the second computing system to identify the set of roles includes receiving the role information about each of the set of roles that is both associated with the user and with the first service having the service name.
  - 7. The method of claim 1, further comprising:
    - generating, by the first computing system, tenant information based on the tenant for which the user is the member of the tenant, wherein the tenant information includes the tenant name; and
      
      storing, at the first computing system, service data about the first service having the service name in association with the tenant information, wherein the service data indicates role information about the set of roles for accessing the first service.

8. A system comprising:
- one or more processors; and
  
  a memory coupled with and readable by the one or more processors, the memory configured to store a set of instructions that, when executed by the one or more processors, causes the one or more processors to;
  
  receive, at a first computing system of a computing infrastructure system that provides access to a plurality of services, a request by a user to access a service of the plurality of services, wherein the computing infrastructure system restricts each tenant of the computing infrastructure system to one of the plurality of services;
  
  extract, by the first computing system, a tenant name and a service name of the service from a combined name included in the request;
  
  authenticate, by the first computing system, the user by requesting a second computing system to determine whether the user is a member of a tenant having the tenant name in the second computing system, wherein the second computing system is different from the first computing system;
  
  upon successfully authenticating that the user is the member of the tenant, access a directory of the second computing system to identify a set of roles that is both associated with the user and with a first service having the service name in the second computing system, wherein the first service is included in the plurality of services;
  
  based on the set of roles, determine whether the user is permitted to perform an operation specified in the request relative to the service specified in the request; and
  
  enable the user to access the first service to perform the operation upon determining that a role in the set of roles is permitted to perform the operation specified in the request.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the set of instructions, when executed by the one or more processors, further causes the one or more processors to:
    - request the second computing system to provide subscription information for one or more services to which the tenant is subscribed, wherein the first service is included in the one or more services;
      
      generate, by the first computing system, a service node structure including tenant information for the tenant permitted to access the first service, wherein the tenant information is based on a combination of the tenant name and the service name;
      
      store the service node structure in association with a root node structure, the root node structure storing information identifying a plurality of service node structures;
      
      generate a role node structure including service data about the first service having the service name in association with the tenant information, wherein the service data indicates role information about the set of roles for accessing the first service;
      
      store the service node structure in association with the role node structure; and
      
      prevent the user from accessing the first service to perform the operation upon determining that no role in the set of roles is permitted to perform the operation specified in the request;
      
      wherein the second computing system is included in an identity management system, wherein the directory of the second computing system is a Lightweight Directory Access Protocol (LDAP) directory that includes a node structure for each of a plurality of identity domains, the node structure for each of the plurality of identity domains identifying one or more roles defined within the identity domain, and wherein the identity management system stores role information about each of the set of roles for accessing the first service;
      
      wherein authenticating the user includes;
      
      sending a request to the second computing system to determine whether the user is the member of the tenant having the tenant name, and receiving, from the second computing system, an authentication response indicating that the user is the member of the tenant having the tenant name;
      
      wherein the second computing system provides the user with access to the first service based on a subscription by the tenant to the first service of the one or more services; and
      
      wherein accessing the directory of the second computing system to identify the set of roles includes receiving the role information about each of the set of roles that is both associated with the user and with the first service having the service name.
  - 10. The system of claim 8, wherein the set of instructions, when executed by the one or more processors, further causes the one or more processors to:
    - prevent the user from accessing the first service to perform the operation upon determining that no role in the set of roles is permitted to perform the operation specified in the request.
  - 11. The system of claim 8, wherein the second computing system is included in an identity management system.
  - 12. The system of claim 11, wherein the second computing system provides the user with access to the first service based on a subscription by the tenant to the first service managed by the identity management system, wherein the identity management system stores role information about each of the set of roles for accessing the first service, wherein the role information indicates one or more operations that are permitted by the tenant for the subscription to the first service, and wherein determining whether the user is permitted to perform an operation specified in the request includes determining whether the operation is included in the one or more operations that are permitted by the tenant for the subscription to the first service.
  - 13. The system of claim 12, wherein accessing the directory of the second computing system to identify the set of roles includes receiving the role information about each of the set of roles that is both associated with the user and with the first service having the service name.
  - 14. The system of claim 8, wherein the set of instructions, when executed by the one or more processors, further causes the one or more processors to:
    - generate, by the first computing system, tenant information based on the tenant for which the user is the member of the tenant, wherein the tenant information includes the tenant name; and
      
      store, at the first computing system, service data about the first service having the service name in association with the tenant information, wherein the service data indicates role information about the set of roles for accessing the first service.

15. A non-transitory computer-readable storage memory storing a plurality of instructions executable by one or more processors to cause the one or more processors to:
- receive, at a first computing system of a computing infrastructure system that provides access to a plurality of services, a request by a user to access a service of the plurality of services, wherein the computing infrastructure system restricts each tenant of the computing infrastructure system to one of the plurality of services;
  
  extract, by the first computing system, a tenant name and a service name of the service from a combined name included in the request;
  
  authenticate, by the first computing system, the user by requesting a second computing system to determine whether the user is a member of a tenant having the tenant name in the second computing system, wherein the second computing system is different from the first computing system;
  
  upon successfully authenticating that the user is the member of the tenant, access a directory of the second computing system to identify a set of roles that is both associated with the user and with a first service having the service name in the second computing system, wherein the first service is included in the plurality of services;
  
  based on the set of roles, determine whether the user is permitted to perform an operation specified in the request relative to the service specified in the request; and
  
  enable the user to access the first service to perform the operation upon determining that a role in the set of roles is permitted to perform the operation specified in the request.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage memory of claim 15, wherein the plurality of instructions further cause the one or more processors to:
    - prevent the user from accessing the first service to perform the operation upon determining that no role in the set of roles is permitted to perform the operation specified in the request.
  - 17. The non-transitory computer-readable storage memory of claim 15, wherein the second computing system is included in an identity management system, and wherein authenticating the user includes sending a request to the second computing system to determine whether the user is the member of the tenant.
  - 18. The non-transitory computer-readable storage memory of claim 17, wherein the second computing system provides the user with access to the first service based on a subscription by the tenant to the first service managed by the identity management system, and wherein the identity management system stores role information about each of the set of roles for accessing the first service.
  - 19. The non-transitory computer-readable storage memory of claim 18, wherein accessing the directory of the second computing system to identify the set of roles includes receiving the role information about each of the set of roles that is both associated with the user and with the first service having the service name.
  - 20. The non-transitory computer-readable storage memory of claim 15, wherein the plurality of instructions further cause the one or more processors to:
    - generate, by the first computing system, tenant information based on the tenant for which the user is the member of the tenant, wherein the tenant information includes the tenant name; and
      
      store, at the first computing system, service data about the first service having the service name in association with the tenant information, wherein the service data indicates role information about the set of roles for accessing the first service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Pleau, Jeffrey, Revanuru, Naresh
Primary Examiner(s)
To, Baotran N

Application Number

US14/853,747
Publication Number

US 20160087960A1
Time in Patent Office

687 Days
Field of Search

726 7
US Class Current
CPC Class Codes

G06F 21/6236   between heterogeneous systems

H04L 63/0884   by delegation of authentica...

H04L 63/104   Grouping of entities

Shared identity management (IDM) integration in a multi-tenant computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

55 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Shared identity management (IDM) integration in a multi-tenant computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links