EP-4055499-B1 - NESTED ACCESS PRIVILEGE CHECK FOR MULTI-TENANT ORGANIZATIONS
Inventors
- GORDON, ARIEL
- Bhattacharyya, Somak
- SHUKLA, MANISH
Dates
- Publication Date
- 20260506
- Application Date
- 20201019
Claims (15)
- A computing device configured to: receive (810), via a communication network, a first signal requesting an indication whether a user associated with a first tenant of an access management service (135) has an access privilege to access a resource or perform an operation by a data processing system using the resource; responsive (820) to receiving the first signal, access first user account data of the user stored in a memory and associated with the first tenant of the access management service, wherein the first user account data comprises a linked account identifier attribute associated with second user account data of a second tenant, wherein the user is associated with the second user account data of the second tenant; determine (830) that the first user account data does not include an access privilege attribute that permits access to the resource; in response (840) to determining that the first user account data does not have the access privilege to access the resource, perform a nested access privilege check by: accessing (840a) the linked account identifier attribute of the first user account data to determine whether the user is associated with the second user account data of the second tenant; upon determining that the user is associated with the second user account data, accessing the second user account data in the second tenant of the access management service; and determining (840c) that the second user account data includes the access privilege attribute indicating that the user is permitted to access the resource; and granting (850) the user, via the communication network, access to the resource responsive to the nested access privilege check determining that the user is permitted to access the resource.
- The computing device of claim 1, wherein the second user account is a primary user account of the user, defining access privileges for the user in the second tenant, and the first user account is a duplicate account of the user, wherein a determination that the duplicate user account does not have the access privilege to access the resource comprises determining that the duplicate account does not have access privileges for the user in the first tenant, wherein the primary user account indicates that the user is permitted to access the resource in the second tenant, and wherein granting the user access to the resource in the first tenant is based on the access privileges of the user in the second tenant.
- The computing device of claim 1, wherein the resource managed by the access management service comprises an application for which the access management service manages access privileges to access the application, the computing device being further configured to: receive the first signal via an access privilege verification Application Programming Interface (API) associated with the access management service.
- The computing device of claim 3, further configured to: send a second signal to the application via the access privilege verification API indicating that the user should be granted access to the application in response to the user being associated with a second user account that has the access privilege for the resource.
- The computing device of claim 1, further configured to: determine whether the first tenant and the second tenant are part of a same organization; and grant access to the resource responsive to the nested access privilege check determining that the user is associated with the second user account, that the second user account is associated with the access privilege to access the resource, and that the first tenant and the second tenant are part of the same organization.
- The computing device of claim 1, further configured to: determine that the user does not have a user account associated with the first tenant responsive to receiving the request from the user; determine that the user has the second user account associated with the second tenant; and create the first user account with the first tenant responsive to determining that the user does not have a user account associated with the first tenant and that the user has the second user account with the second tenant.
- The computing device of claim 6, further configured to: link the first user account to the second user account in the access management service.
- The computing device of claim 6, further configured to: create, as the first user account, a member account for the user that is not associated with any access privileges to access resources associated with the first tenant, responsive to determining that the user does not have a user account associated with the first tenant.
- The computing device of claim 1, further configured, to perform the nested access privilege check, to: determine that the first user account of the user is associated with a plurality of user accounts managed by the access management service; determine whether a respective one of the plurality of user accounts is associated with an access privilege to access the resource; and determine that the user is associated with a second user account that is associated with the access privilege to access the resource responsive to a respective one of the plurality of user accounts being associated with the access privilege.
- A method performed by an access management service, the method comprising: receiving (810), via a communication network, a first signal requesting an indication whether a user has an access privilege to access a resource associated with a first tenant of an access management service or perform an operation by a data processing system using the resource; responsive (820) to receiving the first signal, accessing first user account data of the user stored in a memory and associated with the first tenant of the access management service, wherein the first user account data comprises a linked account identifier attribute associated with second user account data of a second tenant, wherein the user is associated with the second user account data of the second tenant; determining (830) that the first user account data does not include an access privilege attribute that permits access to the resource; in response (840) to determining that the first user account data does not have the access privilege to access the resource, performing a nested access privilege check by: accessing the linked account identifier attribute of the first user account data to determine whether the user is associated with the second user account data of the second tenant; upon determining that the user is associated with the second user account data, accessing the second user account data in the second tenant of the access management service; and determining that the second user account data includes the access privilege attribute indicating that the user is permitted to access the resource; and granting, via the communication network, access to the resource responsive to the nested access privilege check determining that the user is permitted to access the resource.
- The method of claim 10, wherein the resource managed by the access management service comprises an application for which the access management service manages access privileges to access the application, and wherein receiving the first signal comprising the request from the user comprises: receiving the first signal from the application via an access privilege verification Application Programming Interface (API) associated with the access management service; and sending a second signal to the application via the access privilege verification API indicating that the user should be granted access to the application in response to the user being associated with a second user account that has the access privilege for the resource.
- The method of claim 10, further comprising: determining whether the first tenant and the second tenant are part of a same organization; and granting access to the resource responsive to the nested access privilege check determining that the user is associated with the second user account, that the second user account is associated with the access privilege to access the resource, and that the first tenant and the second tenant are part of the same organization.
- The method of claim 11, further comprising: determining that the user does not have an account associated with the first tenant responsive to receiving the request from the user; determining that the user has the second user account associated with the second tenant; and creating the first user account responsive to determining that the user does not have an account associated with the first tenant and that the user has the second user account associated with the second tenant.
- The method of claim 13, further comprising: linking the first user account to the second user account in the access management service.
- The method of claim 10, wherein performing the nested access privilege check further comprises: determining that the first user account of the user is associated with a plurality of user accounts managed by the access management service; determining whether a respective one of the plurality of user accounts is associated with an access privilege to access the resource; and determining that the user is associated with a second user account that is associated with the access privilege to access the resource responsive to a respective one of the plurality of user accounts being associated with the access privilege.
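The procedure in the claims (steps 810 to 850, the same-organization condition of claim 5, the multiple linked accounts of claim 9 and the privilege-less duplicate account of claims 6 to 8) is shown below as an added, runnable illustration. It is not the patentee's code; the data model, class and method names, the `tenant_id`/`account_id` pair used as a linked account identifier and the sample tenants are all assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UserAccount:
    account_id: str
    tenant_id: str
    # Access privilege attribute: resource identifiers this account may use.
    # A duplicate/shadow account (claims 6-8) keeps this empty.
    privileges: frozenset = frozenset()
    # Linked account identifier attribute as (tenant_id, account_id) pairs (assumed
    # shape). It must be written only by the access management service: a user
    # who could set it would link themselves to any privileged account.
    linked_accounts: tuple = ()


@dataclass
class Tenant:
    tenant_id: str
    organization_id: str
    accounts: dict = field(default_factory=dict)


class AccessManagementService:
    def __init__(self, tenants):
        self.tenants = {t.tenant_id: t for t in tenants}

    def _lookup(self, tenant_id, account_id):
        tenant = self.tenants.get(tenant_id)
        if tenant is None:
            return None, None
        return tenant, tenant.accounts.get(account_id)

    def check_access(self, tenant_id, account_id, resource):
        """Steps 820-850 of the claims. Returns (granted, reason); denies by default."""
        # 820: load the first user account data in the first tenant.
        first_tenant, first = self._lookup(tenant_id, account_id)
        if first is None:
            return False, "no account in first tenant"
        # 830: direct check against the first tenant's own privileges.
        if resource in first.privileges:
            return True, "direct privilege in first tenant"
        # 840: nested check. Breadth-first over linked accounts covers several
        # links (claim 9) and chains of links; the visited set stops cycles.
        visited = {(tenant_id, account_id)}
        queue = deque(first.linked_accounts)
        while queue:
            link = queue.popleft()
            if link in visited:
                continue
            visited.add(link)
            link_tenant, linked = self._lookup(*link)
            if linked is None:
                continue  # dangling link: treated as no privilege
            # Claim 5: honour only tenants of the same organization, so a link
            # into a foreign tenant can never confer access.
            if link_tenant.organization_id != first_tenant.organization_id:
                continue
            # 840c: the linked (primary) account carries the privilege.
            if resource in linked.privileges:
                return True, "nested privilege via %s/%s" % link
            queue.extend(linked.linked_accounts)
        return False, "no privilege in first tenant or any linked account"

    def ensure_shadow_account(self, tenant_id, primary_tenant_id, primary_account_id):
        """Claims 6-8: give a user whose only account is in another tenant a
        privilege-less member account in tenant_id, linked to the primary one."""
        _, primary = self._lookup(primary_tenant_id, primary_account_id)
        if primary is None:
            raise LookupError("primary account not found")
        tenant = self.tenants[tenant_id]
        shadow_id = "%s@%s" % (primary_account_id, primary_tenant_id)  # assumed naming
        if shadow_id not in tenant.accounts:
            tenant.accounts[shadow_id] = UserAccount(
                shadow_id, tenant_id, frozenset(),
                ((primary_tenant_id, primary_account_id),))
        return shadow_id


def build_demo_service():
    """Constructed sample data: two tenants of one organization plus a foreign tenant."""
    sales = Tenant("sales", "contoso")
    eng = Tenant("eng", "contoso")
    partner = Tenant("partner", "fabrikam")
    eng.accounts["alice"] = UserAccount("alice", "eng", frozenset({"app:designer"}))
    partner.accounts["mallory"] = UserAccount("mallory", "partner", frozenset({"app:designer"}))
    # A link that points outside the organization; must not confer access.
    sales.accounts["mallory@partner"] = UserAccount(
        "mallory@partner", "sales", frozenset(), (("partner", "mallory"),))
    # Two unprivileged accounts linked to each other: the check must still terminate.
    sales.accounts["bob@eng"] = UserAccount("bob@eng", "sales", frozenset(), (("eng", "bob"),))
    eng.accounts["bob"] = UserAccount("bob", "eng", frozenset(), (("sales", "bob@eng"),))
    return AccessManagementService([sales, eng, partner])


if __name__ == "__main__":
    svc = build_demo_service()
    print(svc.check_access("sales", svc.ensure_shadow_account("sales", "eng", "alice"), "app:designer"))
```

Three points matter for a deployment of this pattern. The nested check is only as trustworthy as the linked account identifier attribute, so that attribute must be writable solely by the access management service and never by the user or by an application calling the verification API. The same-organization test of claim 5 is what stops a link into a foreign tenant from importing privileges, so it belongs inside the traversal rather than being applied once at the end. And because claim 9 allows an account to be linked to several others, the traversal needs a visited set or it can loop on mutually linked accounts.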
Description
BACKGROUND
Managing access to software and other resources in large organizations is a complex process. Users may join and leave the organization, requiring the purchase of additional licenses or the reassignment of licenses as users leave. Some organizations may be divided into multiple sub-entities for which software licenses are purchased separately. When a user from one sub-entity of the organization needs to share a licensed resource with a user from another sub-entity, licensing constraints and other access privileges may prevent users from cooperating across organizational boundaries. There are significant areas for new and improved mechanisms for handling access privileges to resources in multi-tenant organizations. US 2019 0014120 discloses a system configured to receive, from a first user associated with a first tenant, a request to access a resource associated with a second tenant. US 10 044 723 discloses that a user is authenticated based on user credentials obtained from a request, and that a plurality of tenants in which the user is a member are identified.
SUMMARY
The invention is defined by the appended claims. There is provided a system according to claim 1. There is also provided a method according to claim 10. An example computing device according to a first aspect of the invention includes a processor and a computer-readable medium.
The computer-readable medium stores executable instructions for causing the processor to perform operations comprising: receiving, via a communication network, a first signal requesting an indication whether a user has an access privilege to access a resource associated with a first tenant of an access management service or perform an operation by a data processing system using the resource; responsive to receiving the first signal, accessing first user account data of the user stored in a memory and associated with the first tenant of the access management service, wherein the first user account data comprises a linked account identifier attribute including a first identifier associated with a second tenant of the access management service and a second identifier associated with second user account data of the second tenant; determining that the first user account data does not include an access privilege attribute that permits access to the resource; in response to determining that the first user account data does not have the access privilege to access the resource, performing a nested access privilege check by: accessing the linked account identifier attribute of the first user account data to determine whether the user is associated with the second user account data of the second tenant; upon determining that the user is associated with the second user account data, accessing the second user account data in the second tenant of the access management service; and determining that the second user account data includes the access privilege attribute indicating that the user is permitted to access the resource; and granting, via the communication network, access to the resource responsive to the nested access privilege check determining that the user is permitted to access the resource.
An example method executed by a data processing system for managing access to resources managed by an access management service according to a second aspect of the invention includes receiving, via a communication network, a first signal requesting an indication whether a user has an access privilege to access a resource associated with a first tenant of an access management service or perform an operation by a data processing system using the resource; responsive to receiving the first signal, accessing first user account data of the user stored in a memory and associated with the first tenant of the access management service, wherein the first user account data comprises a linked account identifier attribute including a first identifier associated with a second tenant of the access management service and a second identifier associated with second user account data of the second tenant; determining that the first user account data does not include an access privilege attribute that permits access to the resource; in response to determining that the first user account data does not have the access privilege to access the resource, performing a nested access privilege check by: accessing the linked account identifier attribute of the first user account data to determine whether the user is associated with the second user account data of the second tenant; upon determining that the user is associated with the second user account data, accessing the second user account data in the second tenant of the access management service; and determining that the second user account data includes the access privilege attribute indicating that the user is permitted to access the resource; and granting, via the communication network, access to the resource res