Dynamic authorization of users in a multi-tenant environment using tenant authorization profiles
First Claim
1. A computer-implemented method for authenticating and authorizing users in a multi-tenant environment, the method comprising:
- in response to a request received from a client application running within a client device to authorize a user for accessing a resource associated with a tenant,determining one or more user roles of the user within the tenant, andfor each of the user roles, determining one or more user privileges the user is entitled within a capacity of the user role based on static access control settings associated with the user;
accessing a tenant authorization profile associated with the tenant to determine one or more tenant roles and one or more tenant privileges for each tenant role, wherein the tenant roles and tenant privileges are dynamically configured and stored as part of dynamic access control settings in the tenant authorization profile;
for each of the user roles that matches at least one of the tenant roles, modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role;
generating a token based on the user roles and the user privileges, including the modified user privileges; and
transmitting the token to the client device to allow the client application to determine whether the user is allowed to access the resource of the tenant based on the token;
wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises;
determining a first time associated with the request;
determining a time period specified in the tenant authorization profile;
determining whether the first time is within the time period specified in the tenant authorization profile; and
removing or disabling user privileges of the tenant from the token, in response to determining that the first time is within the time period.
9 Assignments
0 Petitions
Accused Products
Abstract
In response to a request received from a client device to authorize a user for accessing a resource associated with a tenant, user roles of the user within the tenant are determined. For each of the user roles, user privileges the user is entitled within a capacity of the user role are determined based on static access control settings associated with the user. A tenant authorization profile associated with the tenant is accessed to determine tenant roles and tenant privileges for each tenant role. For each of the user roles that matches at least one of the tenant roles, at least one user privilege is modified based on corresponding tenant privileges of the matched tenant role. A token is generated based on the user roles and the modified user privileges and transmitted to the client device to determine whether the user is allowed to access the resource of the tenant.
159 Citations
20 Claims
-
1. A computer-implemented method for authenticating and authorizing users in a multi-tenant environment, the method comprising:
-
in response to a request received from a client application running within a client device to authorize a user for accessing a resource associated with a tenant, determining one or more user roles of the user within the tenant, and for each of the user roles, determining one or more user privileges the user is entitled within a capacity of the user role based on static access control settings associated with the user; accessing a tenant authorization profile associated with the tenant to determine one or more tenant roles and one or more tenant privileges for each tenant role, wherein the tenant roles and tenant privileges are dynamically configured and stored as part of dynamic access control settings in the tenant authorization profile; for each of the user roles that matches at least one of the tenant roles, modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role; generating a token based on the user roles and the user privileges, including the modified user privileges; and transmitting the token to the client device to allow the client application to determine whether the user is allowed to access the resource of the tenant based on the token; wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises; determining a first time associated with the request; determining a time period specified in the tenant authorization profile; determining whether the first time is within the time period specified in the tenant authorization profile; and removing or disabling user privileges of the tenant from the token, in response to determining that the first time is within the time period. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for authenticating and authorizing users in a multi-tenant environment, the operations comprising:
-
in response to a request received from a client application running within a client device to authorize a user for accessing a resource associated with a tenant, determining one or more user roles of the user within the tenant, and for each of the user roles, determining one or more user privileges the user is entitled within a capacity of the user role based on static access control settings associated with the user; accessing a tenant authorization profile associated with the tenant to determine one or more tenant roles and one or more tenant privileges for each tenant role, wherein the tenant roles and tenant privileges are dynamically configured and stored as part of dynamic access control settings in the tenant authorization profile; for each of the user roles that matches at least one of the tenant roles, modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role; generating a token based on the user roles and the user privileges, including the modified user privileges; and transmitting the token to the client device to allow the client application to determine whether the user is allowed to access the resource of the tenant based on the token; wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises; determining a first time associated with the request; determining a time period specified in the tenant authorization profile; determining whether the first time is within the time period specified in the tenant authorization profile; and removing or disabling user privileges of the tenant from the token, in response to determining that the first time is within the time period. - View Dependent Claims (10, 11, 12, 13, 14)
-
-
15. A system, comprising:
-
a processor; and a memory coupled to the processor for storing instructions, which when executed from the memory, cause the processor to perform operations, the operations including; in response to a request received from a client application running within a client device to authorize a user for accessing a resource associated with a tenant, determining one or more user roles of the user within the tenant, and for each of the user roles, determining one or more user privileges the user is entitled within a capacity of the user role based on static access control settings associated with the user, accessing a tenant authorization profile associated with the tenant to determine one or more tenant roles and one or more tenant privileges for each tenant role, wherein the tenant roles and tenant privileges are dynamically configured and stored as part of dynamic access control settings in the tenant authorization profile, for each of the user roles that matches at least one of the tenant roles, modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role, generating a token based on the user roles and the user privileges, including the modified user privileges, and transmitting the token to the client device to allow the client application to determine whether the user is allowed to access the resource of the tenant based on the token; wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises; determining a first time associated with the request; determining a time period specified in the tenant authorization profile; determining whether the first time is within the time period specified in the tenant authorization profile; and removing or disabling user privileges of the tenant from the token, in response to determining that the first time is within the time period. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification