Multi-tenancy identity management system
First Claim
1. A computer-implemented method comprising:
storing, in a cloud computing environment, in a shared identity store in a shared identity management system used by multiple identity domains that are isolated from each other, identities of a plurality of users associated with different identity domains within the multiple identity domains;
creating a first identity domain through the shared identity management system;
associating a first plurality of services with the first identity domain;
sharing, among the first plurality of services, identities of a first set of users from the plurality of users managed by the shared identity management system;
creating, through the shared identity management system, a second identity domain that is isolated from the first identity;
associating a second plurality of services with the second identity domain; and
sharing, among the second plurality of services, identities of a second set of users from the plurality of users managed by the shared identity management system, wherein the second set of users is different from the first set of users;
in response to a request to provision an instance of a particular service to the first or second identity domain of the multiple identity domains, selecting, from a plurality of different role hierarchy templates that are associated with different services, a particular role hierarchy template that was associated with the particular service prior to receiving the request; and
in response to the request, creating, in the first or second identity domain, a role hierarchy to map the first or second set of users to specific roles based on the particular role hierarchy template.
1 Assignment
0 Petitions
Abstract
A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store can contain identity information for multiple customers' domains, and a cloud-wide policy store can contain security policy information for multiple customers' domains. The multi-tenant IDM system can provide a delegation model in which a domain administrator can be appointed for each domain, and in which each domain administrator can delegate certain roles to other user identities belonging to his domain. Service instance-specific administrators can be appointed by a domain administrator to administer specific service instances within a domain.
177 Citations
18 Claims
1. A computer-implemented method comprising:
storing, in a cloud computing environment, in a shared identity store in a shared identity management system used by multiple identity domains that are isolated from each other, identities of a plurality of users associated with different identity domains within the multiple identity domains;
creating a first identity domain through the shared identity management system;
associating a first plurality of services with the first identity domain;
sharing, among the first plurality of services, identities of a first set of users from the plurality of users managed by the shared identity management system;
creating, through the shared identity management system, a second identity domain that is isolated from the first identity;
associating a second plurality of services with the second identity domain; and
sharing, among the second plurality of services, identities of a second set of users from the plurality of users managed by the shared identity management system, wherein the second set of users is different from the first set of users;
in response to a request to provision an instance of a particular service to the first or second identity domain of the multiple identity domains, selecting, from a plurality of different role hierarchy templates that are associated with different services, a particular role hierarchy template that was associated with the particular service prior to receiving the request; and
in response to the request, creating, in the first or second identity domain, a role hierarchy to map the first or second set of users to specific roles based on the particular role hierarchy template.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A computer-readable storage memory device storing particular instructions capable of causing one or more processors to perform specified operations, the particular instructions comprising:
instructions to create a plurality of identity domains within a cloud computing environment;
instructions to enforce isolation between identity domains within the plurality of identity domains;
instructions to store, in the cloud computing environment, in a shared identity store in a shared identity management system used by multiple identity domains of the plurality of identity domains, identities of a plurality of users associated with different identity domains within the multiple identity domains;
instructions to add a service instance of a particular service to a particular identity domain of the plurality of identity domains;
instructions to store data associating the service instance with a particular partition of the shared identity store that stores identities for each identity domain of the multiple identity domains, wherein the identities for each identity domain of the multiple identity domains include identities of a different set of users from the plurality of users;
instructions to store data associating the service instance with a particular partition of a policy store that stores policies for a plurality of service instances that are associated with different identity domains of the plurality of identity domains;
instructions to select, from a plurality of different role hierarchy templates that are associated with different services, a particular role hierarchy template that was associated with the particular service prior to receipt of a request to provision the service instance of the particular service to the particular identity domain of the multiple identity domains; and
instructions to create, in the particular identity domain, and in response to the request, a role hierarchy to map the set of users of the particular identity domain to specific roles based on the particular role hierarchy template.
Dependent claims: 13, 14, 15, 16, 17, 18
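The abstract and the independent claims describe a structure rather than a product, so the following toy model is added here to make the security properties concrete; it is not code from the patent, its assignee, or any real IDM product. It assumes the elements the claims name: one shared identity store and one shared policy store, each keyed by identity domain (the "partition" a service instance is bound to); role hierarchy templates registered per service before any provisioning request; instantiation of a fresh role hierarchy per service instance; and the delegation model from the abstract (a domain administrator per domain, service-instance administrators appointed by that domain administrator). The class and method names, the two tenants and the "crm" template are all constructed for the example. The point the claims turn on is that every administrative operation is checked against the caller's own domain partition, so a service-instance administrator of one tenant can neither touch another tenant's instance nor pull a foreign identity into a role.

```python
# Toy model of the multi-tenant IDM described above: one shared identity store and one
# shared policy store, each partitioned per identity domain; service instances bound to
# a domain's partitions; role hierarchies instantiated from per-service templates at
# provisioning time; domain and service-instance administrators. Added illustration,
# not code from the patent or any product; all names are hypothetical.
from __future__ import annotations
from dataclasses import dataclass, field


class IsolationError(PermissionError):
    """An operation would reach across an identity domain boundary."""


@dataclass
class ServiceInstance:
    name: str
    service: str
    domain: str                   # identity/policy partition this instance is bound to
    roles: dict[str, set[str]]    # role -> roles it implies, copied from the template
    admins: set[str] = field(default_factory=set)   # service-instance administrators


class MultiTenantIDM:
    def __init__(self) -> None:
        self.identity_store: dict[str, set[str]] = {}   # domain -> identities (one shared store)
        self.policy_store: dict[str, dict] = {}         # domain -> instance -> role -> members
        self.domain_admins: dict[str, set[str]] = {}
        self.templates: dict[str, dict[str, set[str]]] = {}  # service -> role hierarchy template
        self.instances: dict[str, ServiceInstance] = {}

    def register_template(self, service: str, implies: dict[str, set[str]]) -> None:
        self.templates[service] = implies      # registered before any provisioning request

    def create_domain(self, domain: str, admin: str, *users: str) -> None:
        self.identity_store[domain] = {admin, *users}
        self.policy_store[domain] = {}
        self.domain_admins[domain] = {admin}

    def _require_domain_admin(self, actor: str, domain: str) -> None:
        if actor not in self.domain_admins.get(domain, ()):
            raise IsolationError(f"{actor} is not a domain administrator of {domain}")

    def _require_in_partition(self, domain: str, user: str) -> None:
        if user not in self.identity_store.get(domain, ()):   # other partitions are invisible
            raise IsolationError(f"{user} is not an identity of domain {domain}")

    def provision(self, actor: str, domain: str, service: str, name: str) -> ServiceInstance:
        self._require_domain_admin(actor, domain)
        tmpl = self.templates[service]                        # chosen by service, not by tenant
        roles = {r: set(kids) for r, kids in tmpl.items()}    # fresh copy: instances share no state
        inst = self.instances[name] = ServiceInstance(name, service, domain, roles)
        self.policy_store[domain][name] = {r: set() for r in roles}
        return inst

    def appoint_instance_admin(self, actor: str, name: str, user: str) -> None:
        inst = self.instances[name]
        self._require_domain_admin(actor, inst.domain)
        self._require_in_partition(inst.domain, user)
        inst.admins.add(user)

    def assign_role(self, actor: str, name: str, user: str, role: str) -> None:
        inst = self.instances[name]
        if actor not in inst.admins and actor not in self.domain_admins[inst.domain]:
            raise IsolationError(f"{actor} may not administer {name}")
        self._require_in_partition(inst.domain, user)
        if role not in inst.roles:
            raise ValueError(f"{role!r} is not a role of service {inst.service}")
        self.policy_store[inst.domain][name][role].add(user)

    def effective_roles(self, name: str, user: str) -> set[str]:
        inst = self.instances[name]
        stack = [r for r, m in self.policy_store[inst.domain][name].items() if user in m]
        result: set[str] = set()
        while stack:                             # expand through the instantiated hierarchy
            role = stack.pop()
            if role not in result:
                result.add(role)
                stack.extend(inst.roles[role])
        return result


def demo() -> dict[str, object]:
    # Two constructed tenants, one IDM, one "crm" template instantiated twice.
    idm = MultiTenantIDM()
    idm.register_template("crm", {"crm_admin": {"crm_user"}, "crm_user": set()})
    idm.create_domain("acme", "alice@acme", "carol@acme")
    idm.create_domain("globex", "bob@globex")
    idm.provision("alice@acme", "acme", "crm", "acme-crm-1")
    idm.provision("bob@globex", "globex", "crm", "globex-crm-1")
    idm.appoint_instance_admin("alice@acme", "acme-crm-1", "carol@acme")
    idm.assign_role("carol@acme", "acme-crm-1", "carol@acme", "crm_admin")
    out: dict[str, object] = {"carol_roles": idm.effective_roles("acme-crm-1", "carol@acme")}
    attempts = {  # each must be refused by the partition checks
        "instance_admin_crosses_domain": lambda: idm.assign_role("carol@acme", "globex-crm-1", "carol@acme", "crm_user"),
        "foreign_identity_in_domain": lambda: idm.assign_role("bob@globex", "globex-crm-1", "carol@acme", "crm_user"),
    }
    for label, call in attempts.items():
        try:
            call()
            out[label] = "allowed"
        except IsolationError:
            out[label] = "denied"
    out["globex_crm_admins"] = idm.policy_store["globex"]["globex-crm-1"]["crm_admin"]
    return out
```

Running `demo()` shows carol holding both `crm_admin` and, through the instantiated hierarchy, `crm_user` in her own tenant's instance, while both cross-domain attempts are refused and the other tenant's instance built from the same template still has no members. The design choice worth noting is that the template is copied at provisioning time; binding instances to a shared mutable template object would let one tenant's role edits leak into another's.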
Specification