Multi-tenancy identity management system

US 9,276,942 B2
Filed: 03/15/2013
Issued: 03/01/2016
Est. Priority Date: 09/07/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

storing, in a cloud computing environment, in a shared identity store in a shared identity management system used by multiple identity domains that are isolated from each other, identities of a plurality of users associated with different identity domains within the multiple identity domains;

creating a first identity domain through the shared identity management system;

associating a first plurality of services with the first identity domain;

sharing, among the first plurality of services, identities of a first set of users from the plurality of users managed by the shared identity management system;

creating, through the shared identity management system, a second identity domain that is isolated from the first identity;

associating a second plurality of services with the second identity domain; and

sharing, among the second plurality of services, identities of a second set of users from the plurality of users managed by the shared identity management system, wherein the second set of users is different from the first set of users;

in response to a request to provision an instance of a particular service to the first or second identity domain of the multiple identity domains, selecting, from a plurality of different role hierarchy templates that are associated with different services, a particular role hierarchy template that was associated with the particular service prior to receiving the request; and

in response to the request, creating, in the first or second identity domain, a role hierarchy to map the first or second set of users to specific roles based on the particular role hierarchy template.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers'"'"' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers'"'"' domains while enforcing isolation between those domains. A cloud-wide identity store can contain identity information for multiple customers'"'"' domains, and a cloud-wide policy store can contain security policy information for multiple customers'"'"' domains. The multi-tenant IDM system can provide a delegation model in which a domain administrator can be appointed for each domain, and in which each domain administrator can delegate certain roles to other user identities belong to his domain. Service instance-specific administrators can be appointed by a domain administrator to administer to specific service instances within a domain.

177 Citations

18 Claims

1. A computer-implemented method comprising:
- storing, in a cloud computing environment, in a shared identity store in a shared identity management system used by multiple identity domains that are isolated from each other, identities of a plurality of users associated with different identity domains within the multiple identity domains;
  
  creating a first identity domain through the shared identity management system;
  
  associating a first plurality of services with the first identity domain;
  
  sharing, among the first plurality of services, identities of a first set of users from the plurality of users managed by the shared identity management system;
  
  creating, through the shared identity management system, a second identity domain that is isolated from the first identity;
  
  associating a second plurality of services with the second identity domain; and
  
  sharing, among the second plurality of services, identities of a second set of users from the plurality of users managed by the shared identity management system, wherein the second set of users is different from the first set of users;
  
  in response to a request to provision an instance of a particular service to the first or second identity domain of the multiple identity domains, selecting, from a plurality of different role hierarchy templates that are associated with different services, a particular role hierarchy template that was associated with the particular service prior to receiving the request; and
  
  in response to the request, creating, in the first or second identity domain, a role hierarchy to map the first or second set of users to specific roles based on the particular role hierarchy template.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, further comprising:
    - mapping, through the shared identity management system, (a) a first user of the first set of users to (b) first access permissions for a subset of the first plurality of services;
      
      mapping, through the shared identity management system, (c) a second user of the second set of users to (d) second access permissions for a subset of the second plurality of services.
  - 3. The computer-implemented method of claim 1, further comprising:
    - mapping, through the shared identity management system, (a) a first user of the first set of users to (b) a first role that is mapped to first access permissions for a subset of the first plurality of services;
      
      mapping, through the shared identity management system, (c) a second user of the second set of users to (d) a second role that is mapped to second access permissions for a subset of the second plurality of services.
  - 4. The computer-implemented method of claim 1, further comprising:
    - preventing users in the first set of users from performing operations relative to services that are in the second plurality of services but not in the first plurality of services;
      
      preventing users in the second set of users from performing operations relative to services that are in the first plurality of services but not in the second plurality of services;
      
      allowing operations users to perform operations relative to both services that are in the first plurality of services and services that are in the second plurality of services.
  - 5. The computer-implemented method of claim 1, further comprising:
    - storing the identities of the first set of users within a first partition of a lightweight access protocol (LDAP) directory that is partitioned by identity domain; and
      
      storing the identities of the second set of users within a second partition of the LDAP directory.
  - 6. The computer-implemented method of claim 1, further comprising:
    - presenting a user interface that includes a user interface element through which a particular user can identify, as a part of a login process, a particular identity domain to which the particular user is attempting to gain access.
  - 7. The computer-implemented method of claim 1, further comprising:
    - presenting a console that provides controls for adding user identities to and removing user identities from an identity domain;
      
      receiving a command through the console from an identity domain administrator;
      
      determining a particular identity domain to which the identity domain administrator belongs; and
      
      restricting user identity addition and removal operations performed by the identity domain administrator through the console to the particular identity domain.
  - 8. The computer-implemented method of claim 1, further comprising:
    - assigning, to a first user of the first set of users, an identity domain administrator role that gives the first user a capability to assign, to other users in the first set of users, service administrator roles;
      
      assigning, to a second user of the first set of users selected by the first user in an identity domain administrator capacity, a first service administrator role that gives the second user a capability to administer a first service of the first plurality of services; and
      
      assigning, to a third user of the first set of users selected by the first user in the identity domain administrator capacity, a second service administrator role that gives the third user a capability to administer a second service of the first plurality of services.
  - 9. The computer-implemented method of claim 1, further comprising:
    - receiving, from a first person who does not have a user identity in the first identity domain, but who is associated with an account through which the first identity domain was purchased, an e-mail address of a second person who also does not have a user identity in the first identity domain;
      
      receiving, from the first person, a role to which the first person is nominating the second person within the first identity domain;
      
      sending, to the e-mail address of the second person, an e-mail message containing a hyperlink to a web-based form usable to create a user identity within the first identity domain;
      
      adding an identity of the second person to the identities of the first set of users based on information that the second person supplied through the web-based form; and
      
      assigning the role to the second person within the first identity domain.
  - 10. The computer-implemented method of claim 1, further comprising:
    - binding a particular service instance that is an instance of a service in the first plurality of services to a first partition of the shared identity store; and
      
      binding the particular service instance to a second partition of a policy store that stores policies for multiple service instances belonging to different identity domains defined in the cloud computing environment;
      
      wherein the first partition contains only identities that belong to the first identity domain;
      
      wherein the second partition contains only policies that pertain to the particular service instance.
  - 11. The computer-implemented method of claim 1, wherein the plurality of different role hierarchy templates includes both:
    - a first role hierarchy template that is associated with a database service; and
      
      a second role hierarchy template, different from the first role hierarchy template, that is associated with a JAVA service.

12. A computer-readable storage memory device storing particular instructions capable of causing one or more processors to perform specified operations, the particular instructions comprising:
- instructions to create a plurality of identity domains within a cloud computing environment;
  
  instructions to enforce isolation between identity domains within the plurality of identity domains;
  
  instructions to store, in the cloud computing environment, in a shared identity store in a shared identity management system used by multiple identity domains of the plurality of identity domains, identities of a plurality of users associated with different identity domains within the multiple identity domains;
  
  instructions to add a service instance of a particular service to a particular identity domain of the plurality of identity domains;
  
  instructions to store data associating the service instance with a particular partition of the shared identity store that stores identities for each identity domain of the multiple identity domains, wherein the identities for each identity domain of the multiple identity domains include identities of a different set of users from the plurality of users;
  
  instructions to store data associating the service instance with a particular partition of a policy store that stores policies for a plurality of service instances that are associated with different identity domains of the plurality of identity domains;
  
  instructions to select, from a plurality of different role hierarchy templates that are associated with different services, a particular role hierarchy template that was associated with the particular service prior to receipt of a request to provision the service instance of the particular service to the particular identity domain of the multiple identity domains; and
  
  instructions to create, in the particular identity domain, and in response to the request, a role hierarchy to map the set of users of the particular identity domain to specific roles based on the particular role hierarchy template.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The computer-readable storage memory device of claim 12, wherein the particular instructions further comprise:
    - instructions to assign a first role, from a hierarchy of roles, to a first user having a first user identity that is stored in the shared identity store and associated with the particular identity domain;
      
      wherein the first role is a role that allows users having the first role to manage all service instances that are associated with the particular identity domain;
      
      instructions to assign a second role, from the hierarchy of roles, to a second user having a second user identity that is stored in the shared identity store;
      
      wherein the second role is a role that allows users having the second role to manage a single service instance that is associated with the particular identity domain.
  - 14. The computer-readable storage memory device of claim 13, wherein the instructions to assign the second role to the second user comprise instructions to assign the second role to the second user in response to the first user delegating the second role to the second user.
  - 15. The computer-readable storage memory device of claim 13, wherein the instructions to add the service instance to the particular identity domain of the plurality of identity domains comprise instructions to assign, to a third user having a third identity that is stored in the shared identity store and associated with the particular identity domain, a third role that is defined by a plurality of roles that are associated with a type of the service instance.
  - 16. The computer-readable storage memory device of claim 15, wherein the particular instructions comprise instructions to cause the second role to inherit all permissions that are associated with the third role;
    - and wherein the particular instructions comprise instructions to cause the first role to inherit all permissions that are inherited by the second role.
  - 17. The computer-readable storage memory device of claim 12, wherein the instructions to create the plurality of identity domains within the cloud computing environment comprise instructions to create the particular identity domain within the cloud computing environment;
    - and wherein the instructions to create the particular identity domain within the cloud computing environment comprise instructions to send, to a specified e-mail address, an e-mail message providing a mechanism whereby a recipient of the e-mail message can establish an administrative identity within the particular identity domain.
  - 18. The computer-readable storage memory device of claim 12, wherein the plurality of different role hierarchy templates includes both:
    - a first role hierarchy template that is associated with a database service; and
      
      a second role hierarchy template, different from the first role hierarchy template, that is associated with a JAVA service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Srinivasan, Uppili, Asokkumar, Vasukiammaiyar
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US13/838,813
Publication Number

US 20140075565A1
Time in Patent Office

1,082 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06Q 10/06315   Needs-based resource requir...

H04L 41/5054   Automatic deployment of ser...

H04L 47/70   Admission control; Resource...

H04L 47/83   based on usage prediction

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

Multi-tenancy identity management system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

177 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-tenancy identity management system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

177 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links