Controlling access to cloud resources in data using cloud-enabled data tagging and a dynamic access control policy engine
Abstract
Access to data and resources in a multi-tenant computing system is managed by tagging the data and resources with attributes, as well as by tagging users with attributes. Tenant-specific access policies are configured. When an access request is received from a workload, a policy decision engine processes the attributes that are tagged to the requesting workload (e.g., user, application, etc.) as well as those tagged to the requested data or resource, given a relevant tenant-specific policy. An access decision is provided in response to the access request, and the access decision can be enforced by a tenant-specific enforcement system.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A computing system comprising:
one or more processors; and memory storing instructions executable by the one or more processors, wherein the instructions, when executed, cause the computing system to:
generate a user interface having a tag type generation input mechanism and a tag mapping input mechanism;
based on an indication of actuation of the tag type generation input mechanism, generate a tag type and store the tag type in a tag type store having a plurality of different tag types;
based on an indication of actuation of the tag mapping input mechanism, select a resource identity and a particular tag type from the plurality of different tag types in the tag type store, and
generate a mapping that maps a tag having the particular tag type to the resource identity;
receive an access request from a workload in a multi-tenant system, the access request being indicative of a requestor requesting access to a resource having the resource identity;
identify a requestor attribute corresponding to the requestor and a resource attribute corresponding to the resource based on the mapping;
obtain a tenant-specific data access policy;
generate an access decision indicative of whether the access is granted based on the requestor attribute, the resource attribute and the tenant-specific data access policy; and
return the access decision to the workload.
2 . The computing system of claim 1 , wherein the resource identity identifies at least one of a user, a device, an environment, or a computing system resource.
3 . The computing system of claim 1 , wherein the instructions, when executed, cause the computing system to:
perform a set of administrative actions based on user input through the user interface; and generate an administrative log that logs the set of administrative actions.
4 . The computing system of claim 1 , wherein the user interface includes a search input mechanism configured to receive a search input that includes a tag criterion and to return a search result indicative of one or more tags that match the tag criterion.
5 . The computing system of claim 1 , wherein the instructions, when executed, cause the computing system to:
receive an indication of an administrative role associated with a user; access a set of access policies based on the administrative role; and render a representation of the set of access polices in the user interface.
6 . The computing system of claim 5 , wherein the instructions, when executed, cause the computing system to:
store the set of access policies in a policy data store; and restrict access to the set of access policies in the policy data store based on the administrative role.
7 . The computing system of claim 6 , wherein the policy data store comprises a tenant-specific policy data store that is specific to a particular tenant, in the multi-tenant system, that is associated with the user, and the instructions, when executed, cause the computing system to:
define one or more administrative roles corresponding to the particular tenant; and restrict access to the set of access policies, stored in the tenant-specific policy data stored, to the one or more administrative roles.
8 . The computing system of claim 7 , wherein the instructions, when executed, cause the computing system to:
access a multi-tenant policy storage system that includes a plurality of tenant-specific policy stores, wherein
each tenant-specific policy store,
corresponds to a different tenant in the multi-tenant system, and
stores a set of tenant-specific data access policies, for the corresponding tenant, separate from data access policies for other tenants.
9 . The computing system of claim 5 , wherein the instructions, when executed, cause the computing system to:
isolate administration resource attributes from user attributes based on the administrative role.
10 . The computing system of claim 5 , wherein the instructions, when executed, cause the computing system to:
separate administrative roles to inhibit an administrator of data from manipulating attributes of users.
11 . The computing system of claim 1 , wherein the workload comprises an encryption key computing system configured to issue an encryption key to the requestor, the encryption key being configured to access an item of content.
12 . A computer-implemented method comprising:
generating a user interface having a tag type generation input mechanism and a tag mapping input mechanism; based on an indication of actuation of the tag type generation input mechanism, generating a tag type and store the tag type in a tag type store having a plurality of different tag types; based on an indication of actuation of the tag mapping input mechanism,
selecting a resource identity and a particular tag type from the plurality of different tag types in the tag type store, and
generating a mapping that maps a tag having the particular tag type to the resource identity;
receiving an access request from a workload in a multi-tenant system, the access request being indicative of a requestor requesting access to a resource having the resource identity; identifying a requestor attribute corresponding to the requestor and a resource attribute corresponding to the resource based on the mapping; obtaining a tenant-specific data access policy; generating an access decision indicative of whether the access is granted based on the requestor attribute, the resource attribute and the tenant-specific data access policy; and returning the access decision to the workload.
13 . The computer-implemented method of claim 12 , wherein the resource identity identifies at least one of a user, a device, an environment, or a computing system resource.
14 . The computer-implemented method of claim 12 , and further comprising:
performing a set of administrative actions based on user input through the user interface; and generating an administrative log that logs the set of administrative actions.
15 . The computer-implemented method of claim 12 , wherein the user interface includes a search input mechanism, and further comprising:
receiving a search input that includes a tag criterion; and returning a search result indicative of one or more tags that match the tag criterion.
16 . The computer-implemented method of claim 12 , and further comprising:
receiving an indication of an administrative role associated with a user; accessing a set of access policies based on the administrative role; and rendering a representation of the set of access polices in the user interface.
17 . The computer-implemented method of claim 16 , and further comprising:
storing the set of access policies in a tenant-specific policy data store that is specific to a particular tenant, in the multi-tenant system, that is associated with the user; defining one or more administrative roles corresponding to the particular tenant; and restricting access to the set of access policies, stored in the tenant-specific policy data stored, to the one or more administrative roles.
18 . The computer-implemented method of claim 12 , wherein the workload comprises an encryption key computing system configured to issue an encryption key to the requestor, the encryption key being configured to access an item of content.
19 . A method performed by a computing system, the method comprising:
receiving an access request from a workload in a multi-tenant computing system, the access request being indicative of a requestor requesting access to a resource; identifying a particular tenant, of a plurality of tenants in the multi-tenant computing system, based on the access request; determining that one or more of a requester attribute or a resource attribute are not include with the access request; in response to the determination, accessing a multi-tenant attribute storage system that segments attribute mappings corresponding to different tenants and identify a set of attribute mappings corresponding to the particular tenant; obtaining the one or more of the requestor attribute or the resource attribute from the identified set of attribute mappings; selecting a tenant-specific data access policy from a set of data access policies, the relevant tenant-specific data access policy being specific to the particular tenant; obtaining the tenant-specific data access policy from a multi-tenant policy storage system in encrypted form; decrypting the selected tenant-specific access policy to obtain a decrypted tenant-specific data access policy; generating an access decision indicative of whether the requested access is granted based on the requestor attribute, the resource attribute and the decrypted tenant-specific data access policy; and returning the access decision to the workload.
20 . The method of claim 19 , wherein
the multi-tenant attribute storage system includes a set of tenant-specific mapping stores, each tenant-specific mapping store
corresponds to a different one of the tenants, and
stores a set of mappings that map entities to attributes corresponding to the tenant, and
the method comprises:
selecting the tenant-specific mapping store corresponding to the particular tenant, and
obtaining the tenant-specific requestor attribute from the selected tenant-specific mapping store.Join the waitlist — get patent alerts
Track US2023161895A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.