US2023161895A1PendingUtilityA1

Controlling access to cloud resources in data using cloud-enabled data tagging and a dynamic access control policy engine

Assignee: MICROSOFT TECHNOLOGY LICENSING LLCPriority: Oct 22, 2019Filed: Jan 10, 2023Published: May 25, 2023
Est. expiryOct 22, 2039(~13.3 yrs left)· nominal 20-yr term from priority
G06F 9/5072G06F 21/31G06F 2221/2141G06F 21/602G06F 21/6209G06F 9/468G06F 21/6218G06F 9/451
63
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Access to data and resources in a multi-tenant computing system is managed by tagging the data and resources with attributes, as well as by tagging users with attributes. Tenant-specific access policies are configured. When an access request is received from a workload, a policy decision engine processes the attributes that are tagged to the requesting workload (e.g., user, application, etc.) as well as those tagged to the requested data or resource, given a relevant tenant-specific policy. An access decision is provided in response to the access request, and the access decision can be enforced by a tenant-specific enforcement system.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computing system comprising:
 one or more processors; and   memory storing instructions executable by the one or more processors, wherein the instructions, when executed, cause the computing system to:
 generate a user interface having a tag type generation input mechanism and a tag mapping input mechanism; 
 based on an indication of actuation of the tag type generation input mechanism, generate a tag type and store the tag type in a tag type store having a plurality of different tag types; 
 based on an indication of actuation of the tag mapping input mechanism, select a resource identity and a particular tag type from the plurality of different tag types in the tag type store, and
 generate a mapping that maps a tag having the particular tag type to the resource identity; 
 
 receive an access request from a workload in a multi-tenant system, the access request being indicative of a requestor requesting access to a resource having the resource identity; 
 identify a requestor attribute corresponding to the requestor and a resource attribute corresponding to the resource based on the mapping; 
 obtain a tenant-specific data access policy; 
 generate an access decision indicative of whether the access is granted based on the requestor attribute, the resource attribute and the tenant-specific data access policy; and 
 return the access decision to the workload. 
   
     
     
         2 . The computing system of  claim 1 , wherein the resource identity identifies at least one of a user, a device, an environment, or a computing system resource. 
     
     
         3 . The computing system of  claim 1 , wherein the instructions, when executed, cause the computing system to:
 perform a set of administrative actions based on user input through the user interface; and   generate an administrative log that logs the set of administrative actions.   
     
     
         4 . The computing system of  claim 1 , wherein the user interface includes a search input mechanism configured to receive a search input that includes a tag criterion and to return a search result indicative of one or more tags that match the tag criterion. 
     
     
         5 . The computing system of  claim 1 , wherein the instructions, when executed, cause the computing system to:
 receive an indication of an administrative role associated with a user;   access a set of access policies based on the administrative role; and   render a representation of the set of access polices in the user interface.   
     
     
         6 . The computing system of  claim 5 , wherein the instructions, when executed, cause the computing system to:
 store the set of access policies in a policy data store; and   restrict access to the set of access policies in the policy data store based on the administrative role.   
     
     
         7 . The computing system of  claim 6 , wherein the policy data store comprises a tenant-specific policy data store that is specific to a particular tenant, in the multi-tenant system, that is associated with the user, and the instructions, when executed, cause the computing system to:
 define one or more administrative roles corresponding to the particular tenant; and   restrict access to the set of access policies, stored in the tenant-specific policy data stored, to the one or more administrative roles.   
     
     
         8 . The computing system of  claim 7 , wherein the instructions, when executed, cause the computing system to:
 access a multi-tenant policy storage system that includes a plurality of tenant-specific policy stores, wherein
 each tenant-specific policy store, 
 corresponds to a different tenant in the multi-tenant system, and 
 stores a set of tenant-specific data access policies, for the corresponding tenant, separate from data access policies for other tenants. 
   
     
     
         9 . The computing system of  claim 5 , wherein the instructions, when executed, cause the computing system to:
 isolate administration resource attributes from user attributes based on the administrative role.   
     
     
         10 . The computing system of  claim 5 , wherein the instructions, when executed, cause the computing system to:
 separate administrative roles to inhibit an administrator of data from manipulating attributes of users.   
     
     
         11 . The computing system of  claim 1 , wherein the workload comprises an encryption key computing system configured to issue an encryption key to the requestor, the encryption key being configured to access an item of content. 
     
     
         12 . A computer-implemented method comprising:
 generating a user interface having a tag type generation input mechanism and a tag mapping input mechanism;   based on an indication of actuation of the tag type generation input mechanism, generating a tag type and store the tag type in a tag type store having a plurality of different tag types;   based on an indication of actuation of the tag mapping input mechanism,
 selecting a resource identity and a particular tag type from the plurality of different tag types in the tag type store, and 
 generating a mapping that maps a tag having the particular tag type to the resource identity; 
   receiving an access request from a workload in a multi-tenant system, the access request being indicative of a requestor requesting access to a resource having the resource identity;   identifying a requestor attribute corresponding to the requestor and a resource attribute corresponding to the resource based on the mapping;   obtaining a tenant-specific data access policy;   generating an access decision indicative of whether the access is granted based on the requestor attribute, the resource attribute and the tenant-specific data access policy; and   returning the access decision to the workload.   
     
     
         13 . The computer-implemented method of  claim 12 , wherein the resource identity identifies at least one of a user, a device, an environment, or a computing system resource. 
     
     
         14 . The computer-implemented method of  claim 12 , and further comprising:
 performing a set of administrative actions based on user input through the user interface; and   generating an administrative log that logs the set of administrative actions.   
     
     
         15 . The computer-implemented method of  claim 12 , wherein the user interface includes a search input mechanism, and further comprising:
 receiving a search input that includes a tag criterion; and   returning a search result indicative of one or more tags that match the tag criterion.   
     
     
         16 . The computer-implemented method of  claim 12 , and further comprising:
 receiving an indication of an administrative role associated with a user;   accessing a set of access policies based on the administrative role; and   rendering a representation of the set of access polices in the user interface.   
     
     
         17 . The computer-implemented method of  claim 16 , and further comprising:
 storing the set of access policies in a tenant-specific policy data store that is specific to a particular tenant, in the multi-tenant system, that is associated with the user;   defining one or more administrative roles corresponding to the particular tenant; and   restricting access to the set of access policies, stored in the tenant-specific policy data stored, to the one or more administrative roles.   
     
     
         18 . The computer-implemented method of  claim 12 , wherein the workload comprises an encryption key computing system configured to issue an encryption key to the requestor, the encryption key being configured to access an item of content. 
     
     
         19 . A method performed by a computing system, the method comprising:
 receiving an access request from a workload in a multi-tenant computing system, the access request being indicative of a requestor requesting access to a resource;   identifying a particular tenant, of a plurality of tenants in the multi-tenant computing system, based on the access request;   determining that one or more of a requester attribute or a resource attribute are not include with the access request;   in response to the determination, accessing a multi-tenant attribute storage system that segments attribute mappings corresponding to different tenants and identify a set of attribute mappings corresponding to the particular tenant;   obtaining the one or more of the requestor attribute or the resource attribute from the identified set of attribute mappings;   selecting a tenant-specific data access policy from a set of data access policies, the relevant tenant-specific data access policy being specific to the particular tenant;   obtaining the tenant-specific data access policy from a multi-tenant policy storage system in encrypted form;   decrypting the selected tenant-specific access policy to obtain a decrypted tenant-specific data access policy;   generating an access decision indicative of whether the requested access is granted based on the requestor attribute, the resource attribute and the decrypted tenant-specific data access policy; and   returning the access decision to the workload.   
     
     
         20 . The method of  claim 19 , wherein
 the multi-tenant attribute storage system includes a set of tenant-specific mapping stores,   each tenant-specific mapping store
 corresponds to a different one of the tenants, and 
 stores a set of mappings that map entities to attributes corresponding to the tenant, and 
   the method comprises:
 selecting the tenant-specific mapping store corresponding to the particular tenant, and 
 obtaining the tenant-specific requestor attribute from the selected tenant-specific mapping store.

Join the waitlist — get patent alerts

Track US2023161895A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.