Dynamic authorization of users in a multi-tenant environment using tenant authorization profiles

US 9,774,586 B1
Filed: 08/31/2015
Issued: 09/26/2017
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authenticating and authorizing users in a multi-tenant environment, the method comprising:

in response to a request received from a client application running within a client device to authorize a user for accessing a resource associated with a tenant,determining one or more user roles of the user within the tenant, andfor each of the user roles, determining one or more user privileges the user is entitled within a capacity of the user role based on static access control settings associated with the user;

accessing a tenant authorization profile associated with the tenant to determine one or more tenant roles and one or more tenant privileges for each tenant role, wherein the tenant roles and tenant privileges are dynamically configured and stored as part of dynamic access control settings in the tenant authorization profile;

for each of the user roles that matches at least one of the tenant roles, modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role;

generating a token based on the user roles and the user privileges, including the modified user privileges; and

transmitting the token to the client device to allow the client application to determine whether the user is allowed to access the resource of the tenant based on the token;

wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises;

determining a first time associated with the request;

determining a time period specified in the tenant authorization profile;

determining whether the first time is within the time period specified in the tenant authorization profile; and

removing or disabling user privileges of the tenant from the token, in response to determining that the first time is within the time period.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In response to a request received from a client device to authorize a user for accessing a resource associated with a tenant, user roles of the user within the tenant are determined. For each of the user roles, user privileges the user is entitled within a capacity of the user role are determined based on static access control settings associated with the user. A tenant authorization profile associated with the tenant is accessed to determine tenant roles and tenant privileges for each tenant role. For each of the user roles that matches at least one of the tenant roles, at least one user privilege is modified based on corresponding tenant privileges of the matched tenant role. A token is generated based on the user roles and the modified user privileges and transmitted to the client device to determine whether the user is allowed to access the resource of the tenant.

157 Citations

20 Claims

1. A computer-implemented method for authenticating and authorizing users in a multi-tenant environment, the method comprising:
- in response to a request received from a client application running within a client device to authorize a user for accessing a resource associated with a tenant,determining one or more user roles of the user within the tenant, andfor each of the user roles, determining one or more user privileges the user is entitled within a capacity of the user role based on static access control settings associated with the user;
  
  accessing a tenant authorization profile associated with the tenant to determine one or more tenant roles and one or more tenant privileges for each tenant role, wherein the tenant roles and tenant privileges are dynamically configured and stored as part of dynamic access control settings in the tenant authorization profile;
  
  for each of the user roles that matches at least one of the tenant roles, modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role;
  
  generating a token based on the user roles and the user privileges, including the modified user privileges; and
  
  transmitting the token to the client device to allow the client application to determine whether the user is allowed to access the resource of the tenant based on the token;
  
  wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises;
  
  determining a first time associated with the request;
  
  determining a time period specified in the tenant authorization profile;
  
  determining whether the first time is within the time period specified in the tenant authorization profile; and
  
  removing or disabling user privileges of the tenant from the token, in response to determining that the first time is within the time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the user roles and user privileges are configured and stored as part of the static access control settings stored in a persistent storage device by a first administrator of a service provider that provides storage resources to a plurality of tenants, and wherein the tenant roles and tenant privileges are dynamically configured and stored via a configuration interface by a second administrator associated with the tenant.
  - 3. The method of claim 2, wherein the user privileges are modified and incorporated into the token based on the tenant privileges, without modifying the user privileges as part of the static access control settings stored in the persistent storage device.
  - 4. The method of claim 2, wherein when a user role of the static access control settings matches a tenant role of the tenant authorization profile, tenant privileges of the matched tenant role of the tenant authorization profile override user privileges of the matched user role in the token.
  - 5. The method of claim 1, wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises:
    - obtaining a first user ID from the request, the first user ID uniquely identifying the user;
      
      obtaining a list of user IDs from the tenant authorization profile, the list of user IDs representing a list of users to be excluded;
      
      determining whether the first user ID is included in the list of user IDs from the tenant authorization profile; and
      
      removing or disabling user privileges of the tenant from the token, in response to determining that the first user ID is included in the list of user IDs.
  - 6. The method of claim 1, wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises:
    - determining a first geographic location of the user;
      
      determining a list of geographic locations from the tenant authorization profile;
      
      determining whether the first geographic location is the list of geographic locations specified in the tenant authorization profile; and
      
      removing or disabling user privileges of the tenant from the token, in response to determining that the first geographic location is the list of geographic locations.
  - 7. The method of claim 1, further comprising:
    - accessing an application authorization profile associated with the client application to determine one or more application roles and one or more application privileges for each application role; and
      
      for each of the user roles that matches at least one of the application roles, modifying at least one user privilege based on corresponding application privileges of the matched application role.
  - 8. The method of claim 7, wherein when a user role of the static access control settings matches an application role of the application authorization profile, application privileges of the matched application role of the application authorization profile override user privileges of the matched user role in the token.

9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for authenticating and authorizing users in a multi-tenant environment, the operations comprising:
- in response to a request received from a client application running within a client device to authorize a user for accessing a resource associated with a tenant,determining one or more user roles of the user within the tenant, andfor each of the user roles, determining one or more user privileges the user is entitled within a capacity of the user role based on static access control settings associated with the user;
  
  accessing a tenant authorization profile associated with the tenant to determine one or more tenant roles and one or more tenant privileges for each tenant role, wherein the tenant roles and tenant privileges are dynamically configured and stored as part of dynamic access control settings in the tenant authorization profile;
  
  for each of the user roles that matches at least one of the tenant roles, modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role;
  
  generating a token based on the user roles and the user privileges, including the modified user privileges; and
  
  transmitting the token to the client device to allow the client application to determine whether the user is allowed to access the resource of the tenant based on the token;
  
  wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises;
  
  determining a first time associated with the request;
  
  determining a time period specified in the tenant authorization profile;
  
  determining whether the first time is within the time period specified in the tenant authorization profile; and
  
  removing or disabling user privileges of the tenant from the token, in response to determining that the first time is within the time period.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The non-transitory machine-readable medium of claim 9, wherein the user roles and user privileges are configured and stored as part of the static access control settings stored in a persistent storage device by a first administrator of a service provider that provides storage resources to a plurality of tenants, and wherein the tenant roles and tenant privileges are dynamically configured and stored via a configuration interface by a second administrator associated with the tenant.
  - 11. The non-transitory machine-readable medium of claim 10, wherein the user privileges are modified and incorporated into the token based on the tenant privileges, without modifying the user privileges as part of the static access control settings stored in the persistent storage device.
  - 12. The non-transitory machine-readable medium of claim 10, wherein when a user role of the static access control settings matches a tenant role of the tenant authorization profile, tenant privileges of the matched tenant role of the tenant authorization profile override user privileges of the matched user role in the token.
  - 13. The non-transitory machine-readable medium of claim 9, wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises:
    - obtaining a first user ID from the request, the first user ID uniquely identifying the user;
      
      obtaining a list of user IDs from the tenant authorization profile, the list of user IDs representing a list of users to be excluded;
      
      determining whether the first user ID is included in the list of user IDs from the tenant authorization profile; and
      
      removing or disabling user privileges of the tenant from the token, in response to determining that the first user ID is included in the list of user IDs.
  - 14. The non-transitory machine-readable medium of claim 9, wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises:
    - determining a first geographic location of the user;
      
      determining a list of geographic locations from the tenant authorization profile;
      
      determining whether the first geographic location is the list of geographic locations specified in the tenant authorization profile; and
      
      removing or disabling user privileges of the tenant from the token, in response to determining that the first geographic location is the list of geographic locations.

15. A system, comprising:
- a processor; and
  
  a memory coupled to the processor for storing instructions, which when executed from the memory, cause the processor to perform operations, the operations including;
  
  in response to a request received from a client application running within a client device to authorize a user for accessing a resource associated with a tenant,determining one or more user roles of the user within the tenant, andfor each of the user roles, determining one or more user privileges the user is entitled within a capacity of the user role based on static access control settings associated with the user,accessing a tenant authorization profile associated with the tenant to determine one or more tenant roles and one or more tenant privileges for each tenant role, wherein the tenant roles and tenant privileges are dynamically configured and stored as part of dynamic access control settings in the tenant authorization profile,for each of the user roles that matches at least one of the tenant roles, modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role,generating a token based on the user roles and the user privileges, including the modified user privileges, andtransmitting the token to the client device to allow the client application to determine whether the user is allowed to access the resource of the tenant based on the token;
  
  wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises;
  
  determining a first time associated with the request;
  
  determining a time period specified in the tenant authorization profile;
  
  determining whether the first time is within the time period specified in the tenant authorization profile; and
  
  removing or disabling user privileges of the tenant from the token, in response to determining that the first time is within the time period.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the user roles and user privileges are configured and stored as part of the static access control settings stored in a persistent storage device by a first administrator of a service provider that provides storage resources to a plurality of tenants, and wherein the tenant roles and tenant privileges are dynamically configured and stored via a configuration interface by a second administrator associated with the tenant.
  - 17. The system of claim 16, wherein the user privileges are modified and incorporated into the token based on the tenant privileges, without modifying the user privileges as part of the static access control settings stored in the persistent storage device.
  - 18. The system of claim 16, wherein when a user role of the static access control settings matches a tenant role of the tenant authorization profile, tenant privileges of the matched tenant role of the tenant authorization profile override user privileges of the matched user role in the token.
  - 19. The system of claim 15, wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises:
    - obtaining a first user ID from the request, the first user ID uniquely identifying the user;
      
      obtaining a list of user IDs from the tenant authorization profile, the list of user IDs representing a list of users to be excluded;
      
      determining whether the first user ID is included in the list of user IDs from the tenant authorization profile; and
      
      removing or disabling user privileges of the tenant from the token, in response to determining that the first user ID is included in the list of user IDs.
  - 20. The system of claim 15, wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises:
    - determining a first geographic location of the user;
      
      determining a list of geographic locations from the tenant authorization profile;
      
      determining whether the first geographic location is the list of geographic locations specified in the tenant authorization profile; and
      
      removing or disabling user privileges of the tenant from the token, in response to determining that the first geographic location is the list of geographic locations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Roche, Michael G., Drozd, Michal J.
Primary Examiner(s)
Reza, Mohammad W

Application Number

US14/840,573
Time in Patent Office

757 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/107   wherein the security polici...

Dynamic authorization of users in a multi-tenant environment using tenant authorization profiles

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

157 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Dynamic authorization of users in a multi-tenant environment using tenant authorization profiles

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others