Tenant lockbox
First Claim
1. A computer-implemented method for providing tenant approval for operator access to a tenant'"'"'s data, comprising:
- receiving an indication to create an access control request for temporarily elevating a role of an operator to a security group giving the operator a set of permissions for allowing the operator to perform an action on behalf of the tenant and to enable operator access to the tenant'"'"'s data;
creating the access control request for temporarily elevating the role of the operator;
computing a set of one or more internal administrators authorized to grant a first set of permissions to temporarily elevate the role of the operator;
sending the access control request to the one or more internal administrators;
receiving an access control response from one of the one or more internal administrators;
determining whether the access control response from the internal administrator is an approval or a rejection of the access control request;
upon determining that the access control response from the internal administrator is an approval of the access control request, granting the first set of permissions to temporarily elevate the role of the operator;
computing a set of one or more tenant administrators authorized to grant a second set of permissions to temporarily elevate the role of the operator, wherein the one or more tenant administrators are associated with an organization of the tenant;
sending the access control request to the one or more tenant administrators;
receiving an access control response from one of the one or more tenant administrators;
determining whether the access control response from the tenant administrator is an approval or a rejection of the access control request;
upon determining that the access control response from the tenant administrator is an approval of the access control request, granting the second set of permissions to temporarily elevate the role of the operator; and
temporarily elevating the role of the operator to the security group giving the operator the set of permissions for allowing the operator to perform the action on behalf of the tenant and to enable operator access to the tenant'"'"'s data.
1 Assignment
0 Petitions
Accused Products
Abstract
Tenant approval for operator access to tenant data is provided. In order to grant service personnel operators access to a tenant'"'"'s data for performing a requested action, a lockbox determines a security group role to which an operator needs to be elevated to perform a requested action, computes a set of internal administrators and tenant administrators authorized to grant a temporary role elevation, and sends an access control request to the administrators. Upon receiving approval of the access control request from an internal administrator and a tenant administrator, the lockbox elevates the operator to the security group role, granting the operator a set of permissions needed in order to allow the operator to perform the requested action. Accordingly, tenants are enabled to control access to their data and scrutinize access requests per their company procedures and compliance needs.
185 Citations
20 Claims
-
1. A computer-implemented method for providing tenant approval for operator access to a tenant'"'"'s data, comprising:
-
receiving an indication to create an access control request for temporarily elevating a role of an operator to a security group giving the operator a set of permissions for allowing the operator to perform an action on behalf of the tenant and to enable operator access to the tenant'"'"'s data; creating the access control request for temporarily elevating the role of the operator; computing a set of one or more internal administrators authorized to grant a first set of permissions to temporarily elevate the role of the operator; sending the access control request to the one or more internal administrators; receiving an access control response from one of the one or more internal administrators; determining whether the access control response from the internal administrator is an approval or a rejection of the access control request; upon determining that the access control response from the internal administrator is an approval of the access control request, granting the first set of permissions to temporarily elevate the role of the operator; computing a set of one or more tenant administrators authorized to grant a second set of permissions to temporarily elevate the role of the operator, wherein the one or more tenant administrators are associated with an organization of the tenant; sending the access control request to the one or more tenant administrators; receiving an access control response from one of the one or more tenant administrators; determining whether the access control response from the tenant administrator is an approval or a rejection of the access control request; upon determining that the access control response from the tenant administrator is an approval of the access control request, granting the second set of permissions to temporarily elevate the role of the operator; and temporarily elevating the role of the operator to the security group giving the operator the set of permissions for allowing the operator to perform the action on behalf of the tenant and to enable operator access to the tenant'"'"'s data. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A system for providing tenant approval for operator access to a tenant'"'"'s data, the system comprising:
-
one or more processors; memory storing one or more computer-executable instructions that when executed by the one or more processors, cause the system to; receive an indication to create an access control request for temporarily elevating a role of an operator to a security group giving the operator a set of permissions for allowing the operator to perform an action on behalf of the tenant and to enable operator access to the tenant'"'"'s data; and create the access control request for temporarily elevating the role of the operator; authenticate the access control request; compute a set of at least one internal administrator authorized to grant a first set of permissions to temporarily elevate the role of the operator, wherein the set of the at least one internal administrator is associated with an organization of the tenant; receive an access control response from an internal administrator of the set of the at least one internal administrator; determine whether the access control response from the internal administrator is an approval or a rejection of the access control request; upon determining that the access control response from the internal administrator is an approval of the access control request, grant the first set of permissions to temporarily elevate the role of the operator; and compute a set of at least one tenant administrator authorized to grant a second set of permissions to temporarily elevate the role of the operator; and send the access control request to the at least one internal administrator; receive the access control response from the internal administrator; send the access control request to the at least one tenant administrator; and receive an access control response from a tenant administrator of the set of at least one tenant administrator. - View Dependent Claims (15, 16, 17, 18)
-
-
19. A computer storage device storing computer-useable instructions that, when executed by one or more processors, cause one or more computing devices to perform a method for providing tenant approval for operator access to a tenant'"'"'s data, the method comprising:
-
receiving an indication to create an access control request for temporarily elevating a role of an operator to a security group giving the operator a set of permissions for allowing the operator to perform an action on behalf of the tenant and to enable operator access to the tenant'"'"'s data; determining the security group that would give the operator the set of permissions needed to allow the operator to perform the action; creating the access control request for temporarily elevating the role of the operator; authenticating the access control request, wherein authenticating the access control request comprises determining a current role of the operator, and determining whether elevation to the role corresponding to the determined security group from the current role complies with at least one of a plurality of policies; generating a set of at least one internal administrator authorized to grant a first set of permissions to temporarily elevate the role of the operator, wherein the at least one internal administrator is associated with an organization of the tenant; sending the access control request to the at least one internal administrator; receiving an access control response from one internal administrator of the set of at least one internal administrator; determining whether the access control response from the internal administrator is an approval or a rejection of the access control request; upon determining that the access control response from the internal administrator is an approval of the access control request; granting a first set of permissions to temporarily elevate the role of the operator; generating a set of at least one tenant administrator authorized to grant a second set of permissions to temporarily elevate the role of the operator; sending the access control request to the at least one tenant administrator; receiving an access control response from one tenant administrator of the set of at least one tenant administrator; determining whether the access control response from the tenant administrator is an approval or a rejection of the access control request; and upon determining that the response from the tenant administrator is an approval of the access control request; granting the second set of permissions to temporarily elevate the role of the operator; and temporarily elevating the role of the operator to the security group giving the operator the set of permissions for allowing the operator to perform the action on behalf of the tenant and to enable operator access to the tenant'"'"'s data. - View Dependent Claims (20)
-
Specification