Granular permission assignment

US 9,992,074 B2
Filed: 05/15/2017
Issued: 06/05/2018
Est. Priority Date: 08/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

creating, by a processing device, a plurality of reusable role definitions for a cloud provider system, wherein each of the plurality of reusable role definitions comprises a resource type and an action set permitted to be performed on a plurality of resources of the resource type;

receiving, by the processing device, a first request to assign a user to a first role, the first request specifying a first cloud computing resource of a plurality of cloud computing resources of a respective resource type in the cloud provider system;

identifying, by the processing device, a role definition corresponding to the respective resource type, the identified role definition comprising the respective resource type and an action set permitted to be performed in the cloud provider system on the plurality of cloud computing resources of the respective resource type;

creating, by the processing device, the first role for the user on the first cloud computing resource, wherein creating the first role comprises associating the identified role definition with the first cloud computing resource and the user;

receiving, by the processing device, a second request to assign the user to a second role, the second request specifying a second cloud computing resource of the plurality of cloud computing resources of the respective resource type; and

creating, by the processing device, the second role for the user on the second cloud computing resource in view of the identified role definition corresponding to the resource type, wherein the identified role definition that was used for the first role of the user is being reused for the second role of the user, and wherein creating the second role comprises associating the identified role definition with the second cloud computing resource and the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for storing role definitions for cloud provider systems, receiving a first request to assign a user to a first role specifying a first cloud computing resource of a respective resource type, identifying a role definition corresponding to the first role that includes an action set permitted, and creating the first role for the user on the first cloud computing resource by associating the identified role definition with the first cloud computing resource and the user. A second request to assign the user to a second role is received specifying a second cloud computing of the respective resource type, and the second role is created for the user on the second cloud computing resource, where the identified role definition corresponds to the first and second roles, and wherein creating the second role includes associating the identified role definition with the first cloud computing resource and the user.

15 Citations

20 Claims

1. A method comprising:
- creating, by a processing device, a plurality of reusable role definitions for a cloud provider system, wherein each of the plurality of reusable role definitions comprises a resource type and an action set permitted to be performed on a plurality of resources of the resource type;
  
  receiving, by the processing device, a first request to assign a user to a first role, the first request specifying a first cloud computing resource of a plurality of cloud computing resources of a respective resource type in the cloud provider system;
  
  identifying, by the processing device, a role definition corresponding to the respective resource type, the identified role definition comprising the respective resource type and an action set permitted to be performed in the cloud provider system on the plurality of cloud computing resources of the respective resource type;
  
  creating, by the processing device, the first role for the user on the first cloud computing resource, wherein creating the first role comprises associating the identified role definition with the first cloud computing resource and the user;
  
  receiving, by the processing device, a second request to assign the user to a second role, the second request specifying a second cloud computing resource of the plurality of cloud computing resources of the respective resource type; and
  
  creating, by the processing device, the second role for the user on the second cloud computing resource in view of the identified role definition corresponding to the resource type, wherein the identified role definition that was used for the first role of the user is being reused for the second role of the user, and wherein creating the second role comprises associating the identified role definition with the second cloud computing resource and the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - receiving a request from the user to perform an action on the first cloud computing resource;
      
      identifying the first role of the user on the first cloud computing resource;
      
      allowing the user to perform the requested action if a role definition of the first role has an action set comprising the requested action; and
      
      preventing the user from performing the requested action if the role definition of the first role does not include the requested action.
  - 3. The method of claim 2, wherein the respective action set comprises one or more of view a resource, modify a resource, create services, delete services, assign permissions, start a virtual machine, or stop a virtual machine.
  - 4. The method of claim 1 further comprising:
    - receiving a request to assign a group comprising a user set to the role on the first cloud computing resource;
      
      assigning the group to the role on the first cloud computing resource;
      
      receiving a request from a user of the user set to perform an action of a respective action set on the first cloud computing resource; and
      
      allowing the user of the user set to perform the action.
  - 5. The method of claim 4 further comprising:
    - receiving an updated user set; and
      
      updating the group assigned to the role in view of the updated user set.
  - 6. The method of claim 1 further comprising:
    - receiving an updated action set for the role; and
      
      updating the role in view of the updated action set.
  - 7. The method of claim 1, wherein the respective resource type comprises a cloud computing environment, an instance in the cloud computing environment, an application in the cloud computing environment, a deployment in the cloud computing environment, or a catalog in the cloud computing environment.
  - 8. The method of claim 1, wherein the user is an owner of the first cloud computing resource and the second cloud computing resource, and the identified role definition is an owner role definition that provides for granting particular permissions to other users with respect to the first cloud computing resource and the second cloud computing resource.
  - 9. The method of claim 1, wherein the identified role definition is a zone administrator role definition that provides for granting permissions with respect to different zones.
  - 10. The method of claim 1 further comprising:
    - storing the first role and the second role in a data store; and
      
      querying the data store to determine whether the user is allowed to perform a requested operation with respect to at least one of the first cloud computing resource or the second cloud computing resource.

11. A system comprising:
- a memory to store instructions; and
  
  a processing device, executing the instructions and coupled to the memory, to;
  
  create a plurality of reusable role definitions for a cloud provider system, wherein each of the plurality of reusable role definitions comprises a resource type and an action set permitted to be performed on a plurality of resources of the resource type;
  
  receive a first request to assign a user to a first role, the first request specifying a first cloud computing resource of a plurality of cloud computing resources of a respective resource type in the cloud provider system;
  
  identify a role definition corresponding to the respective resource type, the identified role definition comprising the respective resource type and an action set permitted to be performed in the cloud provider system on the plurality of cloud computing resources of the respective resource type;
  
  create the first role for the user on the first cloud computing resource, wherein creating the first role comprises associating the identified role definition with the first cloud computing resource and the user;
  
  receive a second request to assign the user to a second role, the second request specifying a second cloud computing resource of the plurality of cloud computing resources of the respective resource type; and
  
  create the second role for the user on the second cloud computing resource in view of the identified role definition corresponding to the resource type, wherein the identified role definition that was used for the first role of the user is being reused for the second role of the user, and wherein creating the second role comprises associating the identified role definition with the second cloud computing resource and the user.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, wherein the processing device further to:
    - receive a request from the user to perform an action on the first cloud computing resource;
      
      identify the first role of the user on the first cloud computing resource;
      
      allow the user to perform the requested action if a role definition of the first role has an action set comprising the requested action; and
      
      prevent the user from performing the requested action if the role definition of the first role does not include the requested action.
  - 13. The system of claim 12, wherein the respective action set comprises one or more of view a resource, modify a resource, create services, delete services, assign permissions, start a virtual machine, or stop a virtual machine.
  - 14. The system of claim 11, wherein the processing device is further to:
    - receive a request to assign a group comprising a user set to the role on the first cloud computing resource;
      
      assign the group to the role on the first cloud computing resource;
      
      receive a request from a user of the user set to perform an action of a respective action set on the first cloud computing resource; and
      
      allow the user of the user set to perform the action.
  - 15. The system of claim 14, wherein the processing device is further to:
    - receive an updated user set; and
      
      update the group assigned to the role in view of the updated user set.
  - 16. The system of claim 11, wherein the processing device is further to:
    - receive an updated action set for the role; and
      
      update the role in view of the updated action set.
  - 17. The system of claim 11, wherein the respective resource type comprises a cloud computing environment, an instance in a cloud computing environment, an application in a cloud computing environment, a deployment in a cloud computing environment, or a catalog in a cloud computing environment.

18. A non-transitory computer-readable storage medium including instructions that, when executed by a computer server, cause the computer server to perform a set of operations comprising:
- creating a plurality of reusable role definitions for a cloud provider system, wherein each of the plurality of reusable role definitions comprises a resource type and an action set permitted to be performed on a plurality of resources of the resource type;
  
  receiving a first request to assign a user to a first role, the first request specifying a first cloud computing resource of a plurality of cloud computing resources of a respective resource type in the cloud provider system;
  
  identifying a role definition corresponding to the respective resource type, the identified role definition comprising the respective resource type and an action set permitted to be performed in the cloud provider system on the plurality of cloud computing resources of the respective resource type;
  
  creating the first role for the user on the first cloud computing resource, wherein creating the first role comprises associating the identified role definition with the first cloud computing resource and the user;
  
  receiving a second request to assign the user to a second role, the second request specifying a second cloud computing resource of the plurality of cloud computing resources of the respective resource type; and
  
  creating the second role for the user on the second cloud computing resource in view of the identified role definition corresponding to the resource type, wherein the identified role definition that was used for the first role of the user is being reused for the second role of the user, and wherein creating the second role comprises associating the identified role definition with the second cloud computing resource and the user.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein the operations further comprise:
    - receiving a request from the user to perform an action on the first cloud computing resource;
      
      identifying the first role of the user on the first cloud computing resource;
      
      allowing the user to perform the requested action if a role definition of the first role has an action set comprising the requested action; and
      
      preventing the user from performing the requested action if the role definition of the first role does not include the requested action.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein a respective action set comprises one or more of view a resource, modify a resource, create services, delete services, assign permissions, start a virtual machine, or stop a virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Seago, Scott Wayne
Primary Examiner(s)
Mejia, Anthony
Assistant Examiner(s)
DABIPI, DIXON F

Application Number

US15/595,862
Publication Number

US 20170250876A1
Time in Patent Office

386 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45575   Starting, stopping, suspend...

G06F 9/45558   Hypervisor-specific managem...

H04L 41/28   Restricting access to netwo...

H04L 41/50   Network service management,...

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

Granular permission assignment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Granular permission assignment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links