Patent abstract:
COMPUTER METHOD, SYSTEM AND STORAGE MEDIA INCLUDING CODED INSTRUCTIONS USED IN PART TO PROVIDE ON-LINE SERVICES. The present invention relates to embodiments that provide aspects of access control to the applications and/or resources of an online computing environment (100), but is not limited to this. In one embodiment, a computer-implemented method provides access control aspects for an online application environment (100) based in part on the use of a plurality of directory service instances (102(N)) isolated from direct access and implemented in a defined data center architecture. In one embodiment, a computing environment (100) uses aspects of network-based access control and a plurality of directory service instances (102(N)) having organizational units (120(N)) and corresponding mappings to maintain a support infrastructure as part of providing aspects of online application services to customers. Other embodiments are included and available.
Publication number: BR112012033016B1
Application number: R112012033016-0
Filing date: 2011-06-16
Publication date: 2020-11-03
Inventors: Marcin Olszewski; Alexander I. Hopmann; Fabricio Chalub Barbosa Do Rosario; David Paul Harris Gorbet; Jason Matthew Cahill
Applicant: Microsoft Technology Licensing, Llc
IPC main class:
Patent description:

Background
[0001] A common practice for providing a collaborative environment at the enterprise level requires purchasing a tangible software product for installation and local deployment within a user's or company's network. For example, a company can implement an enterprise-level network architecture to control file and resource access by users, provided in part by the company's firewall features and by a local directory application that maintains access permissions for the company's architecture. The directory can be used to hold a centralized list of users for the system. For example, a directory can be used to create a private workspace (My Site) for each user in the directory. As the number of users and network components increases, the task of maintaining security and access permissions can become time-consuming and costly for the bottom line of a business that has the product installed.
[0002] As a natural evolution from the old paradigm, online application services are used more and more as businesses move away from the often inefficient and tedious installation and management of applications and/or users within a defined network. Leaving the heavy maintenance, update and security work to a separate entity is an attractive option. Ultimately, some mechanism must be in place to ensure that access to customer data is limited to authorized users. For example, hosted application services need to consider service quality, site density, security and/or other service issues. The complexities associated with controlling access to hosted application services for current and future customers grow and become more difficult to maintain.
Summary
[0003] This summary is provided to introduce a selection of concepts in a simplified form, which are further described below in the Detailed Description. This summary is not intended to identify key or essential features of the claimed subject matter, nor is it intended as an aid in determining the scope of the claimed subject matter.
[0004] Embodiments provide aspects of controlling access to applications and/or resources of an online computing environment, but are not limited to this. In one embodiment, a computer-implemented method provides access control aspects for an online application environment based in part on the use of a plurality of directory service instances isolated from direct client access and implemented in a defined data center architecture. In one embodiment, a computing environment uses network-based access control aspects and a plurality of directory service instances with corresponding organizational units and mappings to maintain a supporting infrastructure as part of providing aspects of online application services to customers. Other embodiments are included and available.
[0005] These and other aspects and advantages will be apparent from a reading of the following detailed description and an inspection of the associated drawings. It is to be understood that both the foregoing general description and the following detailed description are only explanatory and do not restrict the invention as claimed.
Brief Description of the Drawings
[0006] Figure 1 is a block diagram of an illustrative computing environment.
[0007] Figure 2 is a flow chart illustrating aspects of an illustrative online application service.
[0008] Figure 3 is a flowchart illustrating an illustrative process for controlling access to online application services and/or resources.
[0009] Figure 4 is a block diagram of a computer network environment composed of a series of computer systems connected in a network topology.
[00010] Figure 5 is a block diagram representing a series of organizational units illustrating an online service application environment.
[00011] Figure 6 is a block diagram illustrating an illustrative computing environment for implementing the various embodiments described in this document.
Detailed Description
[00012] Figure 1 is a block diagram of an illustrative computing environment 100 that includes functionality to provide online application services and/or resources to users permitted by environment 100. In one embodiment, environment 100 includes the use of a plurality of directory service instances 102(1) through 102(n) to manage and control aspects of online application services and/or resources delivered to subscribing customers and other authorized users, but is not limited to this. As discussed below, subscribing customers can access and use online application services and/or resources of environment 100, including online service networks, based in part on a number of directory service instance parameters. Illustrative online service networks can include public and private networks communicating over some communication channel, such as networks based on the World Wide Web (for example, the Internet). Customers can subscribe to use some online services and/or resources that can span multiple hosts, partners and site collections, for example.
[00013] As shown in figure 1 and described in further detail below, environment 100 includes a request provider or request provider component 104, a synchronizer or synchronizer component 106, and a grid manager or grid manager component 108 (a grid here being a computer network composed of a number of computer systems connected in a network topology) associated with an online service architecture 110 that provides services and/or resources to a number of entities including client systems 112(1) through 112(n). In one embodiment, request provider 104, synchronizer 106 and grid manager 108 are included as part of a centralized resource center available to the components of a defined grid. The online service architecture 110 of an embodiment includes application resources 114, online application services 116, and other resources/applications 118 including processing, networking and/or memory resources. It will be appreciated that environment 100 may include additional components and configurations. For example, each grid can include different service and/or component topologies configured to serve different types of customers.
[00014] In various embodiments, all or selected parts of architecture 110 can be accessed and used by customers and/or other users of environment 100 based in part on the customer's distinguishing information and other information contained in directory service instances 102(1) through 102(n). As described below, directory service instances 102(1) through 102(n) can be used by components of environment 100 as part of maintaining and providing online services and/or resources for each customer, including any employees, partners and/or other permitted subscribers or users. For example, each directory service instance can be used to control access to services and/or resources based in part on user identity, security permissions, support roles and/or associated groups for each subscribing customer.
[00015] Environment 100 of an embodiment includes the use of a number of domain controllers to control access to and manage directory service instances as part of providing online services and/or resources. Domain controllers dispersed throughout environment 100 can be used to provide a robust and fail-safe online service and resource architecture. In one embodiment, environment 100 uses multiple domain controllers deployed with each directory service instance as part of serving multiple clients and/or regions, but is not limited to this. For example, multiple domain controllers can be deployed at remote data centers (for example, physical hosting locations) as part of facilitating synchronization and other services for customer accounts using one or more of directory service instances 102(1) through 102(n). Additional domain controllers can be deployed for each directory service instance as part of improving the performance of authorization queries and/or other operations.
[00016] According to one embodiment, request provider 104, synchronizer 106 and grid manager 108 may include functionality to provide user authorization and access, resource management, partner access and/or other aspects of access and use, using one or more directory service instance (DSI) data structures to provide online services to subscribing customers.
[00017] In one embodiment, request provider 104 is included as part of a Web server role and operates to query a domain controller associated with a DSI data structure as part of controlling access to services on a grid. Environment 100 of an embodiment includes several domain controllers (e.g., four, six, etc.) associated with each DSI data structure. In one embodiment, the number of domain controllers and DSI data structures can be adjusted based in part on examining a number of performance metrics that track performance aspects of an online service. For example, a performance metric can track the operation of a particular query based in part on the number of objects contained in a DSI data structure. Performance metrics can be used as part of deploying additional DSI data structures and/or other components.
[00018] Synchronizer 106 in one embodiment can be used in part to populate and maintain each DSI data structure with customer information from several different customers. Such population operations of an embodiment depend in part on the allocated number of objects to be contained in each DSI data structure. In one embodiment, synchronizer 106 may use a schema and a number of Web service calls to populate and manage each DSI data structure. Synchronizer 106 of an embodiment uses a synchronization daemon, described below, to examine data objects (e.g., new, updated, deleted, etc.) for a given customer, but is not limited to this. For example, the synchronization daemon can issue a query to an available Web service component to find the particular DSI data structure whenever a customer change is detected or made (for example, company information has changed, the user list changed, groups changed, subscription and license changes, etc.). The queried Web service can operate to return the name of the associated DSI data structure to the synchronization daemon, to be used by synchronizer 106 as part of a synchronization operation. In one embodiment, a unique GUID can be used by synchronizer 106 as an identifier for each customer and stored in the associated DSI data structure to identify the associated organizational unit data structure.
[00019] Synchronizer 106 can use multiple organizational units 120(1) through 120(n) of the various DSI data structures to maintain the integrity of online services, such as keeping online service accounts up to date, where each organizational unit can be populated with information from a customer, partner, affiliate and/or other user of the online service. For example, each organizational unit can be used to represent customer subscription details for a given customer, including permitted customer users, access and/or security groups per service and/or resource, extranet users, and/or foreign principal objects (FPOs).
[00020] In one embodiment, an FPO can be used to represent a user who is not an employee, or a permission group, of any customer. In one embodiment, one or more FPOs may be contained in the organizational unit of a first company, where the FPO mapping parameters point to another user, group and/or directory service instance of one or more different organizational units that may or may not be included in the same grid. For example, an FPO can be instantiated in the first company's organizational unit as a virtual representation of a group of managing agents contained within a second customer's organizational unit data structure. Correspondingly, permissions can be granted from a customer's organizational unit to users who are neither employees nor extranet users of that customer, in the same way that permissions are granted to groups in the customer's organizational unit. For example, users associated with a group FPO get access to a site collection as long as the FPO objects are included as members of an authorized security group that has access to the site collection (for example, administrator group, special access group, etc.).
[00021] Continuing with reference to figure 1, grid manager 108 of an embodiment operates as a central control center or governance component of a grid of environment 100. Grid manager 108 of one embodiment acts as a Web service host for an associated grid or grids. For example, the grid manager hosts a number of Web services that work to locate servers, create new customer objects, locate directory service instances and/or provide other services or functions. Grid manager 108 can hold locations and/or mappings to particular DSI data structures for subscribing customers having any site collection or set of site collections.
[00022] DSI data structures of an embodiment can be added to environment 100 by grid manager 108 for several reasons. In some cases, a customer request for additional services based on the addition of new employees or groups may require adding a new DSI data structure to act as a container for the customer's request, since the existing DSI data structure does not have the capacity to contain the given amount of customer information. Grid manager 108 can also manage aspects of the grid when some container limit, query delay or other issue adversely affects performance. Grid manager 108 of one embodiment explicitly tracks (for example, using mappings) the location of each DSI data structure, including new or relocated DSI data structures.
[00023] Request provider 104 can use information provided by grid manager 108 to query the corresponding DSI data structure for each new request. For example, as part of responding to a request, request provider 104 may use metadata associated with a site collection to identify the name of the DSI data structure for the collection's owner, and then query that DSI data structure based in part on the identified name. In one embodiment, each DSI data structure can be used to hold customer information from multiple subscribing customers, including competing companies, partners, and accredited and non-accredited affiliates, which can be used to provide some online services and/or resources to a given user. In one embodiment, DSI data structures are populated with support groups that identify support partners (for example, FPOs) that can be called upon to resolve any service issues.
[00024] As an example of providing an aspect of an online service, a DSI data structure can be used by request provider 104 to determine whether a requesting user is a member of a customer that subscribes to a particular application service or resource. Request provider 104 may base the grant or denial of access in part on determining, using the corresponding DSI data structure, whether the request was issued by an authorized member of the customer. For example, a DSI data structure can be consulted and used by request provider 104 to deny access to users who may recently have been removed from their position or fired from the respective company or partner company. In such an example scenario, the DSI data structure can be used to disconnect or decouple the company's internal access control lists tied to customer resources, which may still contain "allow" permissions for disconnected or recently de-authorized users. As a result, DSI data structures allow explicit control over which users can and cannot access resources in an online service site collection, regardless of whether the underlying customer has "allow" permissions for the user.
[00025] In one embodiment, components of environment 100 may also use one or more DSI data structures as part of providing a resource management model for an online data center. The DSI data structure of an embodiment can be used as part of communicating and/or storing data using online storage resources allocated to each respective subscribing customer. Customers can elect to instantiate additional assets for the life of any particular access and use subscription to an online service or resource. In one embodiment, the maximum amount of assets that can be created and/or used by a customer is based in part on the specific subscription and/or the types of use.
[00026] Request provider 104 of an embodiment can use a DSI data structure to determine whether a customer has any storage remaining of its total allowed storage when using grid manager 108 to add new customer assets to an existing DSI data structure. For example, based in part on the subscription type, when the customer tries to create new assets, the DSI data structure can be checked by request provider 104 to determine the remaining capacity and current usage before allowing or preventing the creation of additional assets by the subscribing customer.
[00027] The components of environment 100 can also be used to allow customers to build a business model around "supporting" other customers. For example, a first customer may obtain administrative permissions for assets (for example, online site collections used to provide some services and/or resources) owned by a different customer with which it has no relationship defined outside a partnership defined by the parameters of a DSI data structure. In one embodiment, a first organizational unit 120(1) associated with a first customer may include pointers or mappings to users and groups of users of a second organizational unit 120(n) associated with a second customer. Correspondingly, a DSI data structure can be used to determine whether a particular user of one customer is an authorized user or support user of another customer or customer partner.
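Added example (not code from the patent or from Microsoft) modelling paragraphs [00020], [00024] and [00027] together: organizational units inside a DSI, an FPO in one customer's OU that maps to a group in another customer's OU, and a request-provider check that decides from the DSI alone, so a user removed from their OU is denied even though the site collection's own ACL still says "allow". All class, function and tenant names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of a directory service instance (DSI) holding one
# organizational unit (OU) per tenant. Names are illustrative assumptions,
# not the patent's or Microsoft's own code.


@dataclass
class FPO:
    """Foreign principal object: a placeholder in one tenant's OU that maps
    to a group living in another tenant's OU."""
    target_tenant: str
    target_group: str


@dataclass
class OrganizationalUnit:
    tenant: str                                   # keyed by the customer's e-mail domain
    users: set = field(default_factory=set)       # users the customer currently authorizes
    groups: dict = field(default_factory=dict)    # group -> member names (users or FPOs)
    fpos: dict = field(default_factory=dict)      # FPO name -> FPO


class DirectoryServiceInstance:
    def __init__(self):
        self.ous = {}

    def add_ou(self, ou):
        self.ous[ou.tenant] = ou

    def members(self, tenant, group, seen=None):
        """Resolve a group to the (tenant, user) pairs it contains, following
        FPO mappings into other tenants' OUs. A user is returned only while
        still listed in its own OU, so removing a user from the OU removes
        them from every group and FPO that named them."""
        seen = set() if seen is None else seen
        if (tenant, group) in seen:               # FPOs may chain; do not loop forever
            return set()
        seen.add((tenant, group))
        ou = self.ous.get(tenant)
        if ou is None:
            return set()
        result = set()
        for member in ou.groups.get(group, ()):
            if member in ou.fpos:
                fpo = ou.fpos[member]
                result |= self.members(fpo.target_tenant, fpo.target_group, seen)
            elif member in ou.users:
                result.add((tenant, member))
        return result


@dataclass
class SiteCollection:
    owner_tenant: str
    authorized_groups: tuple                      # owner-OU groups that grant access
    legacy_acl: dict = field(default_factory=dict)  # customer's own ACL; deliberately not consulted


def authorize(dsi, site, token_domain, token_user):
    """Request-provider decision for a service token carrying the user's
    domain and name: the DSI, not the site's own ACL, is authoritative."""
    requester_ou = dsi.ous.get(token_domain)
    if requester_ou is None or token_user not in requester_ou.users:
        return False                              # unknown tenant, or user no longer authorized
    for group in site.authorized_groups:
        if (token_domain, token_user) in dsi.members(site.owner_tenant, group):
            return True
    return False


def build_sample_dsi():
    """Constructed scenario: contoso.com owns a site collection and delegates
    administration to fabrikam.com's managing agents through an FPO."""
    dsi = DirectoryServiceInstance()
    dsi.add_ou(OrganizationalUnit(
        tenant="contoso.com",
        users={"alice", "erin"},
        groups={"site-admins": ["alice", "fabrikam-support"]},
        fpos={"fabrikam-support": FPO("fabrikam.com", "managing-agents")},
    ))
    dsi.add_ou(OrganizationalUnit(
        tenant="fabrikam.com",
        users={"bob", "dave"},                    # carol was removed after leaving the company
        groups={"managing-agents": ["bob", "carol"]},
    ))
    return dsi


# The site's own ACL still lists carol as allowed; the DSI overrides it.
SAMPLE_SITE = SiteCollection("contoso.com", ("site-admins",), legacy_acl={"carol": "allow"})

if __name__ == "__main__":
    dsi = build_sample_dsi()
    for domain, user in [("contoso.com", "alice"), ("fabrikam.com", "bob"),
                         ("fabrikam.com", "carol"), ("fabrikam.com", "dave")]:
        print(f"{user}@{domain}: {'allow' if authorize(dsi, SAMPLE_SITE, domain, user) else 'deny'}")
```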
[00028] In an illustrative environment 100, components can be configured to operate to provide online services and / or resources to customers, support partners, and / or other accredited users using one or more DSI data structures to control access to the various online resources, including using computing resources distributed over a computer network made up of a series of computer systems connected in a network topology. Customer permission data and other information can be used to populate organizational units with information corresponding to customers in one or more DSI data structures. Each organizational unit of an embodiment can be populated with user lists, group lists, distribution lists, extranet users, FPOs, subscriptions and / or other customer information.
[00029] In one embodiment, mappings to the organizational unit and / or directory service instance can be used to discover and locate permissions associated with user access requests as part of implementing access control aspects for users subscribing to the environment 100 New and / or modified customer information can be communicated and used to populate each organizational unit of one or more DSI data structures as part of controlling access to resources and / or services to thereby maintain access control with the addition or departure of employees, partners, and / or other authorized or unauthorized associates. For example, an organizational unit of a DSI data structure for a large company can be populated with allowed users and access types. For such an example, permissions can be based in part on a subscription type and / or security type or group using a computer network composed of a series of computer systems connected in a dedicated network topology of server farms such as part of providing virtual application resources for company employees, support providers and / or other defined users.
[00030] Components of environment 100 may use DSI data structures as part of providing secure access to geographically dispersed data centers, including handling service stops, resource allocation and / or selecting customers; use of required compliance policies and antivirus signatures, along with high-level configuration parameters and required security updates; asset allocation and availability based on a subscription and / or service level agreement; availability of the Network's website for administrators and other users allowed to manage online selection services; and synchronizing a directory service application at the customer's location (e.g., location) with an online services directory using the synchronizer 106 and a defined level of trust.
[00031] Synchronizer 106 in one embodiment operates to synchronize information from one or more of the client systems 112 (1) to 112 (n) with an online services directory component as part of populating DSI data structures with customer data and access privileges. In one embodiment, each DSI data structure can be populated with customer information including authorized users, access levels, subscription parameters, service agreement access limitations, etc. DSI data structures can be physically and / or logically isolated or communicatively separated from each other and from client systems as part of independently controlling access to online services and / or resources. While a number and type of component are described above, it will be appreciated that other numbers and / or types may be included according to various embodiments. Accordingly, the component's functionality can be further divided and / or combined with other component functionalities according to desired implementations.
[00032] Figure 2 is a flow chart illustrating an illustrative process 200 that can be used to provide online application services and / or resources, including access control and subscription maintenance services, but is not limited to this. While a certain number and order of operations are described for the illustrative flow of figure 2, it will be appreciated that other numbers and / or orders can be used according to the desired implementations. In 202, process 200 of an embodiment can be used to implement service and network architectures as part of providing an online data processing center by creating one or more DSI data structures that include organizational unit and other data structures used in part to outline different subscriber customers. In one embodiment, the 200-by-202 process includes the implementation and / or use of server farms and other components that support online application services and resources when creating each DSI data structure.
[00033] Process 200 of an embodiment employs the use of an implementation script that includes application code to automatically create new DSI data structures including ensuring that servers are properly configured, permissions are established and DSI data structures are ready for use . For example, process 200 can be used to implement computer networks composed of a series of computer systems connected in a separate network topology located on separate continents that employ the use of different directory service instances corresponding to collections of sites on -line which are used in part to provide online services and / or resources to corresponding subscribers, such as large, medium and small businesses, together with individual users, as examples. In some embodiments, components of a collection of sites (for example, server farm) can be shared or distributed by service components and other components of a computer network composed of a series of computer systems connected in a network topology .
[00034] In one embodiment, process 200 includes a subscription phase where customers subscribe to some desirable online aspect or aspects, including defining selection support and other partners that can be called on as part of maintaining the distribution of services and / or resources for requesting users. A subscriber customer can define information such as access privileges for each employee, security group (s), support entities, partner (s), FPOs, distribution lists and other users allowed to fill in the respective organizational unit data structures during and after the subscription phase. In one embodiment, an FPO can be configured as a special type of tenant object that maps to another tenant that provides support services to other customers. Different levels of permission can be controlled for each user or group based in part on the topology of an associated DSI data structure.
[00035] As an example, once created, DSI data structures can be used to control access to a server farm on a computer network composed of a series of computer systems connected in a network topology configured as a set of virtual machines that form a logical farm of servers, including various server roles (for example, Network front-end, back-end, content, communication, application, etc.) as part of providing online services and / or resources for different customers with different types of subscription. It will be appreciated that each computer network comprised of a series of computer systems connected in a network topology can include multiple server farms depending in part on the escalation of the network to be associated customers' online service. Customers can create customized online service topologies, including creating collections of extranet sites and designating associated users from different namespaces as extranet users.
[00036] In 204, each organizational unit of a corresponding DSI data structure is filled with information that corresponds to each subscriber's signature definitions. For example, each organizational unit can be populated with customer identification information, employee data, groups and / or FPOs. In one embodiment, the definitions can be based in part on a subscription type, a service level or license agreement, and a current allocation limit associated with each customer. During an illustrative synchronization operation, process 200 may operate to extract customer data (for example, user names, e-mail addresses, contact information, groups, subscription information ^), license information, etc.) from a partner system, reporting the data to the computing systems associated with each DSI data structure (for example, dedicated service platforms). Extranet users can also be filled in as part of a DSI data structure according to user preferences and / or definitions.
[00037] In 206, process 200 receives an update or modification request that may affect the subscriber's ability to access services and / or resources. For example, a synchronization daemon can be used to populate directory service instances with original, new, modified and / or other customer information if the allocation to the customer has not reached any defined threshold based in part on a subscription or type of license. It will be appreciated that updates to any computer network made up of a series of computer systems connected in a particular network topology can include the sometimes continuous changes made to each potentially business model and / or infrastructure of each customer. affecting an associated directory service instance. For example, changes to the company may affect employee, partner and extranet access privileges, such as new employee privileges, revocation of partner privileges, termination of a license agreement, etc.
[00038] In 208, process 200 of an embodiment can operate to create one or more new DSI data structures if a DSI data structure associated with the request is close to some capacity or other limit. For example, limitations in technological scale and other factors can limit the number of objects that can be effectively contained by each data source instance. In one embodiment, the number of objects available to a customer may be based in part on an appropriate extension license or subscription. If the customer does not have the appropriate subscription or extension license, at 210 process 200 may operate to deny the request. In one embodiment, the denial of service may include a request to update a different subscription or license type.
[00039] As an illustrative example, process 200 can be used to synchronize information for a new customer or tenant subscribing to selected online application and / or support services. For example, a new customer can be added to a set of customers contained in a service instance based in part on a location and / or type of service in a subscription agreement that identifies service and access levels as defined and / or customized for each customer. Depending in part on the state of the desired service instance (for example, stopped state, close to capacity, percent full, etc.), process 200 can create the new tenant in an existing service instance or create a new service instance to contain the additional tenant objects. In one embodiment, a synchronization daemon for the service instance collects the new tenant information and consults the computer systems manager of the series of computer systems connected in a network topology to assign a directory service instance or instance collection to the tenant, including storing mapping parameters for reference and future use. The synchronization daemon can use the computer systems manager's response to create the tenant and write the tenant objects to the associated directory service instance.
[00040] As another illustrative example, process 200 can be used to synchronize updates to an existing tenant consuming resources of an online service. For example, a tenant company having access to a site collection can hire new employees with different levels of trust, dismiss employees, or acquire other companies. For this example, as part of an update operation, a synchronization daemon fetches all updates against tenants for a particular service instance (for example, the Virginia data processing center as opposed to the London data processing center). For each tenant, the synchronization daemon queries the computer systems manager to identify the directory service instance or instance collection where the tenant's information is kept. In one embodiment, the computer systems manager maintains global mappings between tenants and directory service instances. The synchronization daemon can use the global mapping information provided by the computer systems manager to synchronize any updates to the correct directory service instance.
[00041] As yet another illustrative example, process 200 can be used as part of discovering the directory service instance topology during initialization of the synchronization daemon. For example, during startup the synchronization daemon can discover the list of directory service instances that exist on a given computer network composed of a series of computer systems connected in a network topology, identifying the names of the domain controllers dedicated to synchronization operations for the respective directory service instances. In one embodiment, the synchronization daemon can elect a first domain controller as the "write to" domain controller and a second domain controller as the "read from" domain controller. Other embodiments are available.
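The placement and update-routing behaviour of paragraphs [00039] to [00041], as an added example in Python that is not code from the patent or from any Microsoft implementation. It models the computer systems manager's global tenant-to-instance mapping, skips instances that are stopped or at capacity, deploys a new instance when no existing one can take a tenant, routes updates through the mapping, and elects "write to" and "read from" domain controllers at startup. The class and field names (FarmManager, SyncDaemon, capacity) and all instance, tenant and domain controller names are assumptions; the page names the roles but no API.

```python
# Added example (not from the patent): a model of the tenant placement and
# update-routing behaviour described for process 200. Class and field names
# (FarmManager, SyncDaemon, capacity) and all instance and tenant names are
# assumptions; the page names the roles, not an API.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DirectoryServiceInstance:
    """One isolated directory service instance (DSI) with its own domain controllers."""
    name: str
    region: str
    capacity: int                    # assumed: maximum tenants this instance may hold
    state: str = "running"           # e.g. "running" or "stopped"
    domain_controllers: List[str] = field(default_factory=list)
    tenants: Dict[str, dict] = field(default_factory=dict)  # tenant id -> tenant objects

    def can_accept(self) -> bool:
        # A stopped or full instance must not receive a new tenant.
        return self.state == "running" and len(self.tenants) < self.capacity


class FarmManager:
    """Stand-in for the computer systems manager: owns the global tenant -> DSI mapping."""

    def __init__(self, instances: List[DirectoryServiceInstance]) -> None:
        self.instances = {dsi.name: dsi for dsi in instances}
        self.tenant_map: Dict[str, str] = {}
        self._deployed = 0

    def assign(self, tenant_id: str, region: str) -> DirectoryServiceInstance:
        """Place the tenant in a running instance of its region with spare capacity,
        deploying a new instance when none can take it."""
        for dsi in self.instances.values():
            if dsi.region == region and dsi.can_accept():
                break
        else:
            self._deployed += 1
            name = f"dsi-{region}-{self._deployed}"
            dsi = DirectoryServiceInstance(name, region, capacity=2,
                                           domain_controllers=[f"dc1.{name}", f"dc2.{name}"])
            self.instances[name] = dsi
        self.tenant_map[tenant_id] = dsi.name
        return dsi

    def lookup(self, tenant_id: str) -> Optional[DirectoryServiceInstance]:
        name = self.tenant_map.get(tenant_id)
        return self.instances.get(name) if name else None


class SyncDaemon:
    """Creates tenants and routes updates through the manager's global mapping."""

    def __init__(self, manager: FarmManager) -> None:
        self.manager = manager
        self.write_dc: Dict[str, str] = {}
        self.read_dc: Dict[str, str] = {}

    def discover_topology(self) -> Dict[str, str]:
        """Startup discovery: elect a 'write to' and a 'read from' DC for each instance."""
        for name, dsi in self.manager.instances.items():
            dcs = dsi.domain_controllers
            self.write_dc[name] = dcs[0]
            self.read_dc[name] = dcs[1] if len(dcs) > 1 else dcs[0]
        return dict(self.write_dc)

    def create_tenant(self, tenant_id: str, region: str, objects: dict) -> str:
        dsi = self.manager.assign(tenant_id, region)
        dsi.tenants[tenant_id] = dict(objects)
        return dsi.name

    def apply_updates(self, updates: List[Tuple[str, str, object]]):
        """Each (tenant_id, attribute, value) goes to the DSI holding that tenant;
        unknown tenants are reported, never written to a guessed instance."""
        applied, rejected = [], []
        for tenant_id, attr, value in updates:
            dsi = self.manager.lookup(tenant_id)
            if dsi is None:
                rejected.append(tenant_id)
                continue
            dsi.tenants[tenant_id][attr] = value
            applied.append((tenant_id, dsi.name))
        return applied, rejected


def demo() -> dict:
    """Constructed scenario: a stopped instance and a small running one in 'virginia'."""
    mgr = FarmManager([
        DirectoryServiceInstance("dsi-virginia-stopped", "virginia", capacity=10,
                                 state="stopped", domain_controllers=["dc1.stopped"]),
        DirectoryServiceInstance("dsi-virginia-0", "virginia", capacity=2,
                                 domain_controllers=["dc1.virginia", "dc2.virginia"]),
    ])
    daemon = SyncDaemon(mgr)
    topology = daemon.discover_topology()
    placements = [daemon.create_tenant(t, "virginia", {"display": t})
                  for t in ("companyA", "companyB", "companyC")]
    applied, rejected = daemon.apply_updates([("companyA", "employees", 120), ("ghost", "x", 1)])
    return {"topology": topology, "placements": placements,
            "applied": applied, "rejected": rejected}
```

In the constructed scenario the third tenant cannot be placed in the two-tenant instance and the stopped instance is skipped despite its spare capacity, so a new instance is deployed for it; the update for the unknown tenant is rejected rather than written anywhere, which is the property to preserve when the dictionaries are replaced by real directory calls.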
[00042] Figure 3 is a flow chart illustrating an illustrative process 300 for controlling access to online application services and / or resources. For example, process 300 may use a series of directory service instances as part of controlling access to site collections. While a certain number and order of operations are described for the illustrative flow of figure 3, it will be appreciated that other numbers and / or orders can be used according to the desired implementation. At 302, an access request is received requesting access to an online service and / or resource. For example, a user may be using a smart phone to attempt to access a company's online resource that is managed by a third party as part of an online application service.
[00043] In one embodiment, one or more network front-end components process an arriving request as part of controlling access to subscribed online services and / or resources. Process 300 of an embodiment may operate to determine an authorized user type (for example, employee, extranet user, FPO user, etc.) before allowing access. For example, an online service authenticator (for example, the LiveID service) can generate a service token that includes a user identifier (for example, the domain extracted from the user's email address) upon successful authentication against a site collection owned by the user's employer or partner. The service token parameters can be used in part to identify a directory service instance and / or an organizational unit associated with the requesting user.
[00044] At 304, a service token can be generated for an employee user or an extranet user using information from the incoming access request. In one embodiment, a claim provider component included as part of the network front-end topology can operate to build the service token using all or part of the requesting user's email address (for example, user@companyA), augmented with any group claims. In one embodiment, the claim provider component locates the associated user object using the user's identifier (for example, PUID, GUID, etc.) within the directory service instance containing the employer's organizational unit information. Once located, the claim provider component can operate to augment the service token with claims for the security groups of the located organizational unit, including maintaining a mapping to the organizational unit for the particular user.
[00045] In one embodiment, as part of processing an access request, a network front-end component can identify a subscription ID for a given site collection and resolve the subscription ID to the organizational unit distinguished name (OUDN) of the tenant's organizational unit that owns the site collection. As an example, a user can browse to a site collection with a valid Live token containing the user principal name (UPN) and the user's unique ID (for example, a passport unique ID (PUID)), and the network front end can pass the PUID, UPN and / or OUDN to the claim provider component for further processing when responding to the access request.
[00046] At 306, the claim provider component of an embodiment can operate to generate a service token for an external user, such as a non-employee partner, based in part on the incoming access request. For example, the claim provider may operate to build service tokens for authorized partner users (for example, of OU(1) through OU(5)) accessing a site collection owned by an online service subscriber (for example, OU(N)). In one embodiment, as part of the token generation, the claim provider component operates to request a directory connection to the directory service instance that contains the organizational unit in order to augment the service token for the external user's access request (for example, using the external PUID) with any group claims.
[00047] The claim provider component of an embodiment can send a query (for example, a Lightweight Directory Access Protocol (LDAP) query) to search a particular organizational unit for the user object matching the PUID as part of reading an attribute (for example, tokenGroups) from the user object. In one embodiment, the attribute can be configured to contain the list of security identifiers (SIDs) for all groups to which the user belongs, including all levels of nested groups. The claim provider component can add a group claim to the service token for each SID. In one embodiment, the claim provider component includes in the service token a base access claim required to access any authenticated resource in a site collection or collections, augmenting the service token with the group claims corresponding to the partner's role.
[00048] In one embodiment, process 300 may determine a type of partner agent, or a partner agent, authorized to access the resources of a subscribing customer. A partner agent of an embodiment requires the customer to have a contract with an associated partner. For example, a contract object can be used to contain references to the contexts of both organizations that entered into the contract and a list of the partner agent roles allowed to work under the contract. When the contract object is created, one or more FPOs can be used to populate the customer's organizational unit.
[00049] Each FPO within the customer's organizational unit of an embodiment contains a reference to the partner tenant and a support agent role that agents can assume when working on behalf of the customer (for example, Administrator or Support). For example, the support agent roles determine whether an agent can act as Administrator or Support for a given customer. In one embodiment, an FPO object can include a contract object containing a reference to the partner organization with which a permitted partner agent must be associated before having access to the customer's site collection. For this example, the partner agent role assigned to the agent in the partner context must match the agent role in the FPO contained in the customer's organizational unit, and an associated contract object must exist in the partner context.
[00050] As another example, assume that a support user authenticates properly as part of trying to access an application site collection belonging to Company A. A network front-end component receives a request from the support user's computing device or system containing a PUID and UPN (for example, user@support.com) for the user as part of the service ID (for example, LiveID). The claim provider component can locate the directory service instance and the organizational unit that contain the support user record by calling the computer systems manager to resolve the domain part of the UPN (for example, support.com) to the service instance name and the organizational unit distinguished name (OUDN). The claim provider component can then locate the support user object by its PUID by searching the identified OU within the identified service instance. The claim provider component can build a service token for the support user, augmented with any group claims. As described above, an FPO for the support user can be instantiated in Company A's OU and mapped to an OU belonging to the support entity or tenant. The claim provider component can validate that the support user holds a partner agent role that corresponds to a support contract, augmenting the service token with claims for security groups from Company A's OU that state the partner agent role is assigned to Company A. At 308, a permitted user can access the online service and / or resource. Other embodiments are available.
[00051] Figure 4 is a block diagram of an illustrative computer network environment with a series of computer systems connected in a network topology 400. For example, the computer network environment with a series of computer systems connected in a network topology 400 can be configured to provide application and other services to clients communicating using a number of server farm architectures. Server farms can include any number of physical and virtual components having the various relationships, interrelations and dissociations required to meet solution goals. In one embodiment, resources / services of one or more server farms can be accessed using a computer network, such as the Internet, as part of providing online services to customers. In one embodiment, the computer network environment with a series of computer systems connected in a network topology 400 includes a series of directory service instances that include information about multiple users as part of providing online services through the Internet or some other communication path or network.
[00052] It will be appreciated that environment 400 may include other components, including additional computer networks with a number of computer systems connected in a network topology and their associated directory service instances. In one embodiment, the computer network environment with a series of computer systems connected in a network topology 400 can be used as part of providing online data processing centers having multiple computer networks, each with a series of computer systems connected in a network topology. Each such computer network can be configured to serve a defined population of customers. For example, different computer networks can be configured and deployed to serve the geographic regions of North America, Asia and Europe, including using directory service instances to manage access controls for customers and other authorized users in each region. A computer network with a series of computer systems connected in a network topology can be configured as a group of processing, memory and application resources, including communication couplings having fast network connections and low latencies, for example.
[00053] As shown, the illustrative computer network environment with a series of computer systems connected in a network topology 400 of figure 4 includes a first data processing center 404, a second data processing center 406 and a third data processing center 407. For this example, data processing center 404 includes a directory service instance (DSI) 408 including four domain controllers (collectively represented as 410) communicatively coupled with a junction management environment 412, and a resource domain 414 serving the computer network with a series of computer systems connected in a network topology 400. In one embodiment, a global instance can be used to represent the junction management environment 412, including a single-domain directory forest. As an example, a junction management environment domain can be configured to encompass all physical machines (for example, virtual machine hosts), virtual machines, and service accounts used by the server farms.
[00054] Illustrative online service networks may include a series of computer networks, each with a series of computer systems connected in a network topology, depending in part on implementation considerations including physical, logical and other topology restrictions. An illustrative computer network with a series of computer systems connected in a network topology can be configured as a set of servers and network devices having low latency and high-throughput network connectivity, used in part to provide application and other online services to subscribers and licensees, for example. Each such computer network of one embodiment contains a replica of the junction management environment directory 412 (for example, an ACTIVE DIRECTORY application), a series of server / application farms, and / or a series of customer objects representing subscribing customers and / or permitted users including partners and extranet users. For example, each such computer network can be deployed to encompass groups of server computers providing online application services and customer forests distributed among some of the server computers, where the customer forests may include subscription information, partner licensing information and other information associated with each customer subscribing to at least one of the online services.
[00055] Data processing center 406 includes directory service instance 416 with associated domain controllers 418, and directory service instance 420 with associated domain controllers 422. Data processing center 407 includes directory service instances 424, 426 and 428 with the respective domain controllers 430, 432 and 434. As shown, the DSIs of data processing centers 406 and 407 are also communicatively coupled with the junction management environment 412 and with the resource domain 414 serving the computer network with a series of computer systems connected in a network topology 400. Figure 4 represents a series of illustrative trusts between the components of the computer network environment with a series of computer systems connected in a network topology 400. In one embodiment, the directory service instances are independent of one another and are not connected by trust relationships.
[00056] In one embodiment, resource domain 414 is communicatively coupled with each directory service instance (for example, as defined in the deployment) and includes the computer systems manager, the synchronization daemons, and / or the provisioning daemons operatively used in conjunction with the respective domain controllers of each directory service instance. In one embodiment, resource domain 414 includes all machines (physical and virtual), roles, and / or accounts of a computer network with a series of computer systems connected in a network topology, excluding the directory service domain controllers. Each component of resource domain 414 can be deployed out of band before the directory service instances are deployed. Out-of-band deployment of an embodiment includes configuring the actual instance and its trust relationships with the junction management environment component 412, creating the service domain accounts that will access the deployed directory service instances, and deploying a manager network interconnect device.
[00057] In one embodiment, the manager of a computer network with a series of computer systems connected in a network topology operates in part to coordinate a directory service instance deployment procedure by configuring virtual machines for the new domain controllers and starting a deployment script for an online directory service server role. In one embodiment, new virtual machines can be installed using a pre-established series of computer systems connected in a network topology that includes a number of processing resources (for example, 2, 4, etc., CPU cores) and some amount of memory (for example, seven gigabytes (GB) of random access memory (RAM)) for each virtual machine. Each virtual machine can be promoted to a domain controller for a new forest. In one embodiment, the virtual machines can be deployed on separate hosts to prevent multiple domain controller failures caused by the same source event. The computer systems manager of one embodiment operates to monitor the deployment status of directory service instances and makes a new directory service instance available to callers of an application programming interface (API) (for example, GetDSITopology()) when the directory service instance is ready for use.
[00058] In one embodiment, a single instance of the synchronization daemon can be shared across all directory service forests of a computer network with a series of computer systems connected in a network topology. The synchronization daemon can use domain controller names and other identifiers to identify the dedicated domain controllers for each such computer network. The synchronization daemon can use domain mappings in part to identify the organizational units of each directory service instance. The synchronization daemon of an embodiment can operate to populate directory service forests with objects obtained from a synchronization communication flow associated with a client system. In one embodiment, environment 400 may employ a single synchronization communication flow for each computer network with a series of computer systems connected in a network topology. In another embodiment, a synchronization communication flow can be used for each directory service forest.
[00059] The claim provider of an embodiment can operate to augment a support agent's user token with FPO identifiers as well as with any groups in the site owner's organizational unit to which the FPOs belong. As an example, the claim provider can use a provisioning daemon that operates to create a service token for an incoming user based in part on an authenticated identification token (for example, LiveID) and the contents of a directory service instance. The contents of a directory service instance can be searched for the list of users and / or groups available in an organizational unit for various administrative tasks. As an illustrative example, for a "partner user" to access the content of another tenant, the partner user must be a member of a security group that is referenced by an FPO contained in the tenant's organizational unit (see figure 5 as an example). A requesting user is denied access if not a member of that security group. In one embodiment, when generating a claim for a given partner user, the provisioning daemon can use the object GUID of the FPO as the claim value instead of the GUID of the object referenced in the foreign organizational unit, as part of an access control operation.
[00060] In some embodiments, a customer forest or directory service forest can be used to represent a portion of an online service or of the topology of a series of computer systems connected in a network topology, and is configured as a single-domain directory service forest having multiple directory service instances and associated domain controllers, including synchronization and provisioning daemons. In one embodiment, each online tenant occupies one customer forest. It will be appreciated that each computer network with a series of computer systems connected in a network topology can include different directory service instances as part of providing online services and resources to the subscribing customers associated with the customer forests. In one embodiment, components of environment 400 operate to divide tenants or organizational units into units of scale such as online directory service forests. Each directory service forest can be contained in a single service instance that holds the subset of tenants assigned to that service instance.
[00061] As described above, components of environment 400 can be configured to control and manage access to online services and / or resources for various types of users and / or membership levels. For example, a customer can subscribe to online services that include using pre-established partners to provide support services to customers subscribing to a pre-established service, such as a partner company that performs administrative actions on behalf of an online service customer. Partners can also be customers of the online service.
[00062] An illustrative online support service may include an online service customer receiving support from a partner. A corresponding partner organizational unit can be used to contain all objects of the partner company. Likewise, the customer's organizational unit contains all objects of the customer's company, including objects referring to the partner's organizational units. Illustrative online support services include various administrator and support roles. For example, support administrators can be defined as a security group containing principals that receive only limited access to resources, and the scope of actions allowed for the group may differ across systems (for example, they may only read data, reset passwords and manage support tickets). Tenant administrators can be defined as a security group containing principals that receive each and every administrative right in the online application services.
[00063] An illustrative support agent is an employee of a partner who is permitted to perform actions on behalf of the partner's customers to the extent permitted by an associated support administrators group defined in the corresponding customer's organizational unit. An illustrative administrator persona is an employee of a partner who is permitted to perform actions on behalf of the partner's customers to the extent permitted by an associated tenant administrators group defined in the customer's organizational unit. As described above, one or more FPOs can be contained in a customer's organizational unit to represent one or more security principals (groups and / or users).
[00064] Figure 5 is a block diagram representing a series of illustrative organizational units (OU1 through OU4) of an online application service environment 500. In one embodiment, one or more of the organizational units may be contained in one or more directory service instances, as described above. For example, a first directory service instance can be used to contain OU1 of Company A and OU3 of Company B, and a second directory service instance can be used to contain OU2 of Company C and OU4 of Company D. In one embodiment, each directory service instance can be hosted by a dedicated server farm or component.
[00065] As shown in figure 5, OU1 includes a security group object 502 that contains a user object 504 for security group A. OU2 includes FPO1 506 and FPO2 508. As described above, an FPO can be used to reference a group or user that provides support services for some aspect of an online application service, but is not limited to this. OU3 includes security group objects 510, 512 and 514 representing security group B, security group C and security group D, respectively. OU4 includes FPO3 516, FPO4 518, object 520 containing extranet user information, object 522 containing employee user information, and object 524 containing group information for the particular customer.
[00066] As shown, FPO1 506 includes a mapping that points to security group object 502 of OU1, and FPO2 508 includes a mapping that points to security group object 512 of OU3. FPO3 516 includes a mapping that points to security group object 514 of OU3, and FPO4 518 includes a mapping that points to security group object 510 of OU3. As discussed above, mappings can be made between particular objects of corresponding OUs and used to verify that a particular user and / or group has permission to access a customer's private online assets. For example, User 1 502 of OU1 obtains any permission granted to FPO1 506 within OU2 because User 1 502 is a member of Security Group A 504, to which FPO1 506 maps. It will be appreciated that each OU can include distinct access management information corresponding to the access permissions of the particular client or entity.
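The claim provider flow of paragraphs [00047] and [00050], the partner-user rule of paragraph [00059], and the figure 5 mappings of paragraphs [00065] and [00066], combined into one added example in Python that is not code from the patent or from any directory product. It resolves the UPN domain to an organizational unit through the global mapping, locates the user by PUID, computes the transitive group membership that a tokenGroups read would return, and then augments the token for a target site collection: an employee of the owning tenant passes directly, while a user from another OU passes only through an FPO in the owner's OU that maps to that user or one of the user's groups, with the FPO's own GUID used as the claim value. Class names, SIDs, GUIDs, UPNs, the agent user in OU3 and the nesting of security group B inside security group D are constructed assumptions; the page gives the OUs, groups and FPO mappings but no members for OU3's groups.

```python
# Added example (not from the patent): claim provider token augmentation and the
# FPO cross-tenant check of process 300, applied to the OUs of figure 5. Class
# names, SIDs, GUIDs, UPNs and OU3/OU4 memberships are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurityGroup:
    sid: str
    members: Set[str] = field(default_factory=set)  # user PUIDs or nested group names


@dataclass
class FPO:  # foreign principal object: points at a group or user in another OU
    guid: str
    target_oudn: str
    target_object: str  # group name or user PUID inside target_oudn
    role: str           # e.g. "Support" or "Administrator"


@dataclass
class OrganizationalUnit:
    oudn: str
    users: Dict[str, str] = field(default_factory=dict)  # PUID -> UPN
    groups: Dict[str, SecurityGroup] = field(default_factory=dict)
    fpos: Dict[str, FPO] = field(default_factory=dict)

    def token_groups(self, puid: str) -> Set[str]:
        """What a tokenGroups read returns: every group holding the user, nesting included."""
        result: Set[str] = set()
        changed = True
        while changed:  # iterate to a fixed point so nested groups are picked up
            changed = False
            for name, grp in self.groups.items():
                if name not in result and (puid in grp.members or grp.members & result):
                    result.add(name)
                    changed = True
        return result


class ClaimProvider:
    """Holds the global UPN-domain -> OUDN mapping of the computer systems manager plus the OUs."""

    def __init__(self, ous: List[OrganizationalUnit], domain_to_oudn: Dict[str, str]) -> None:
        self.ous = {ou.oudn: ou for ou in ous}
        self.domain_to_oudn = domain_to_oudn

    def build_service_token(self, puid: str, upn: str) -> Optional[dict]:
        """Resolve the UPN domain to an OU, locate the user by PUID, attach group claims."""
        ou = self.ous.get(self.domain_to_oudn.get(upn.rpartition("@")[2].lower(), ""))
        if ou is None or ou.users.get(puid) != upn:
            return None  # unknown tenant, or PUID and UPN disagree: issue no token
        groups = ou.token_groups(puid)
        return {"puid": puid, "upn": upn, "oudn": ou.oudn, "groups": groups,
                "claims": sorted(ou.groups[g].sid for g in groups)}

    def authorize(self, token: dict, owner_oudn: str) -> Tuple[bool, List[str]]:
        """Augment the token for a site collection owned by owner_oudn. The owner's own
        users pass; others need an FPO in the owner's OU mapping to them or their group."""
        if token["oudn"] == owner_oudn:
            return True, list(token["claims"])
        added = []
        for fpo in self.ous[owner_oudn].fpos.values():
            if fpo.target_oudn != token["oudn"]:
                continue
            if fpo.target_object == token["puid"] or fpo.target_object in token["groups"]:
                added.append(f"fpo:{fpo.guid}:{fpo.role}")  # claim value is the FPO's GUID
        return (True, list(token["claims"]) + added) if added else (False, [])


def build_figure5() -> ClaimProvider:
    """OU1..OU4 and the four FPO mappings of figure 5; memberships are constructed."""
    ou1 = OrganizationalUnit("OU=OU1,DC=companyA", users={"puid-user1": "user1@companya.com"})
    ou1.groups["Security Group A"] = SecurityGroup("S-1-5-21-1-502", {"puid-user1"})
    ou3 = OrganizationalUnit("OU=OU3,DC=companyB", users={"puid-b": "agent@companyb.com"})
    ou3.groups["Security Group B"] = SecurityGroup("S-1-5-21-3-510", {"puid-b"})
    ou3.groups["Security Group C"] = SecurityGroup("S-1-5-21-3-512")
    ou3.groups["Security Group D"] = SecurityGroup("S-1-5-21-3-514", {"Security Group B"})  # nests B
    ou2 = OrganizationalUnit("OU=OU2,DC=companyC")
    ou2.fpos["fpo1"] = FPO("fpo1", ou1.oudn, "Security Group A", "Support")
    ou2.fpos["fpo2"] = FPO("fpo2", ou3.oudn, "Security Group C", "Administrator")
    ou4 = OrganizationalUnit("OU=OU4,DC=companyD", users={"puid-emp": "employee@companyd.com"})
    ou4.groups["Company D Staff"] = SecurityGroup("S-1-5-21-4-524", {"puid-emp"})
    ou4.fpos["fpo3"] = FPO("fpo3", ou3.oudn, "Security Group D", "Support")
    ou4.fpos["fpo4"] = FPO("fpo4", ou3.oudn, "Security Group B", "Administrator")
    domains = {"companya.com": ou1.oudn, "companyc.com": ou2.oudn,
               "companyb.com": ou3.oudn, "companyd.com": ou4.oudn}
    return ClaimProvider([ou1, ou2, ou3, ou4], domains)


def demo() -> dict:
    cp = build_figure5()
    user1 = cp.build_service_token("puid-user1", "user1@companya.com")
    agent_b = cp.build_service_token("puid-b", "agent@companyb.com")
    emp = cp.build_service_token("puid-emp", "employee@companyd.com")
    return {
        "user1_to_companyC": cp.authorize(user1, "OU=OU2,DC=companyC"),      # granted via FPO1
        "user1_to_companyD": cp.authorize(user1, "OU=OU4,DC=companyD"),      # no FPO maps to OU1
        "agent_b_to_companyD": cp.authorize(agent_b, "OU=OU4,DC=companyD"),  # FPO3 and FPO4 match
        "employee_own_tenant": cp.authorize(emp, "OU=OU4,DC=companyD"),
        "mismatched_upn": cp.build_service_token("puid-user1", "user1@companyc.com"),
    }
```

Two denial paths are worth noting: a PUID that does not match the UPN's tenant yields no token at all, and a user whose OU has no FPO in the target tenant gets no claims for it even though the token itself is valid. The constructed OU3 agent, a direct member of security group B and a nested member of security group D, collects claims from both FPO3 and FPO4 in OU4, which is the nested-group case that tokenGroups is read for.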
[00067] Although some embodiments are described in this document, other embodiments are available and the embodiments described should not be used to limit the claims. Illustrative communication environments for the various embodiments may include the use of secure networks, non-secure networks, hybrid networks and / or some other network or combination of networks. As an example and not a limitation, the environment may include wired media such as a wired network or direct wired connection, and / or wireless media such as acoustic, radio frequency (RF), infrared, and / or other wired and / or wireless means and components. In addition to computing systems, devices, etc., the various embodiments can be implemented as a computer process (for example, a method), an article of manufacture such as a computer program product or computer-readable medium, a computer-readable storage medium, and / or as part of various communication technologies.
[00068] The term computer-readable medium as used in this document may include computer storage media. Computer storage media may include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information, such as computer-readable instructions, data structures, program modules, or other data. System memory, removable storage, and non-removable storage are all examples of computer storage media (that is, memory storage). Computer storage media may include, but are not limited to, RAM, ROM, electrically erasable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk or other magnetic storage devices, or any other medium that can be used to store information and that can be accessed by a computing device. Any such computer storage media can be part of the device.
[00069] The term computer-readable medium as used in this document can also include communication media. Communication media may embody computer-readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and include any information delivery media. The term "modulated data signal" can describe a signal that has one or more of its characteristics set or changed in order to encode information in the signal. As an example and not a limitation, communication media may include wired media such as a wired network or direct wired connection, and wireless media such as acoustic, RF, infrared or other wireless media.
[00070] The embodiments and examples described in this document are not intended to be limiting, and other embodiments are available. In addition, the components described above can be implemented as part of a networked, distributed and / or other computer-implemented environment. The components can communicate via wired networks, wireless networks and / or a combination of communication networks. The network components and / or the couplings between the components can include any type, number and / or combination of networks, and the corresponding network components include, but are not limited to, wide area networks (WANs), local area networks (LANs), metropolitan area networks (MANs), proprietary networks, back-end networks, etc.
[00071] Client and server computing devices / systems can be any type and / or combination of processor-based devices or systems. In addition, the server functionality can include several components and include other servers. Components of the computing environments described in the singular can include multiple instances of such components. Although some embodiments include software implementations, they are not limited to this and include hardware or mixed hardware / software solutions. Other embodiments and configurations are available.
Illustrative Operating Environment
[00072] Now, referring to figure 6, the following discussion is intended to provide a brief overview of a suitable computing environment in which the embodiments of the invention can be implemented. Although the invention will be described in the general context of program modules that run in conjunction with program modules that run on an operating system on a personal computer, those skilled in the art will recognize that the invention can also be implemented in combination with other types of computer systems and program modules.
[00073] Program modules generally include routines, programs, components, data structures and other types of structures that perform particular tasks or implement particular types of abstract data. In addition, those skilled in the art will appreciate that the invention can be practiced with other computer system configurations, including handheld devices, multiprocessor systems, microprocessor-based or programmable electronics, minicomputers, large computers, among others. The invention can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are connected via a communications network. In a distributed computing environment, program modules can be located on both local and remote memory storage devices.
[00074] Now, referring to figure 6, an illustrative operating environment for the embodiments of the invention will be described. As shown in figure 6, computer 2 comprises a desktop, laptop, handheld, or other type of computer capable of running one or more application programs. Computer 2 includes at least one central processing unit 8 ("CPU"), system memory 12, including random access memory 18 ("RAM") and read-only memory ("ROM") 20, and a system bus 10 that couples memory with CPU 8. A basic input / output system containing basic routines that help transfer information between elements inside the computer, such as during startup, is stored in ROM 20 Computer 2 additionally includes a mass storage device 14 for storing an operating system 24, application programs and other program modules.
[00075] The mass storage device 14 is connected to the CPU 8 via a mass storage controller (not shown) connected to the bus 10. The mass storage device 14 and its associated computer-readable medium provides storage non-volatile for the computer 2. Although the computer-readable medium description in this document refers to a mass storage device, such as a hard disk or CD-ROM, it should be appreciated by those skilled in the art that the readable medium by computer can be any available medium that can be accessed or used by the computer 2.
[00076] By way of example and not by way of limitation, the computer-readable medium may comprise computer storage medium and communication medium. The computer's storage medium includes volatile and non-volatile, removable and non-removable media, implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules and other data. The computer's storage medium includes, but is not limited to, RAM, ROM, EPROM, flash memory or other solid state memory technology, CD-ROM, digital versatile discs ("DVD"), or other optical storage, magnetic tapes , magnetic tape, magnetic disk storage or other magnetic storage devices, or any other means that can be used to store the desired information and that can be accessed by the computer 2.
[00077] According to various embodiments of the invention, computer 2 can operate in a networked environment using logical connections to remote computers over a network 4, in addition to a local network, the Internet, etc., for example. Computer 2 can connect to network 4 via a network interface unit 16 connected to bus 10. It should be appreciated that network interface unit 16 can also be used to connect to other types of networks and network systems remote computing. Computer 2 may also include an input / output controller 22 for receiving and processing input from a number of other devices, including a keyboard, mouse, etc. (not shown). Similarly, an input / output controller 22 can provide output to a video screen, printer, or other type of output device.
[00078] As briefly mentioned, a series of program modules and data files can be stored on the mass storage device 14 and RAM 18 of computer 2, including an operating system 24 suitable for controlling the operation of a networked personal computer, such as the WINDOWS operating system from MICROSOFT CORPORATION of Redmond, Washington. Mass storage device 14 and RAM 18 can also store one or more program modules. In particular, the mass storage device 14 and the RAM 18 can store application programs, such as word processing, spreadsheet, drawing, email, and other applications and/or program modules.
[00079] It should be appreciated that various embodiments of the present invention can be implemented (1) as a sequence of acts implemented by a computer or program modules running on a computer system and/or (2) as interconnected machine logic circuits or circuit modules within the computing system. The implementation is a matter of choice depending on the performance requirements of the computing system implementing the invention. Consequently, the logical operations, including the related algorithms, can be referred to in a variety of ways as operations, structural devices, acts or modules. It will be recognized by those skilled in the art that these operations, structural devices, acts and modules can be implemented in software, firmware, special-purpose digital logic, and in any combination thereof without departing from the spirit and scope of the present invention as declared within the claims set out in this document.
[00080] Although the invention has been described in connection with various illustrative embodiments, those skilled in the art will understand that various modifications can be made to it within the scope of the following claims. Accordingly, it is not intended that the scope of the invention be limited in any way by the above description, but instead is determined entirely by reference to the following claims.
Claims (7)
1. Method of controlling access to an online service using directory resources, characterized by the fact that it comprises the steps of: using a network architecture of computer systems that includes a plurality of service computers and a plurality of isolated dedicated service platforms, each platform storing one or more directory service instances; using a computer systems manager (108) that maintains global mappings between clients (112) and where their respective directory service instances (102) are maintained, wherein the computer systems manager (108) operates to monitor the deployment status of the directory service instances (102) and makes new directory service instances (102) available to customers; creating (202), by the computer systems manager, the directory service instances (102), wherein the directory service instances define access privileges for groups of clients requesting services from the service computers, each directory service instance (102) including one or more organizational units (120); populating (204) each organizational unit (120) with customer data used to control access to services on the service computers, wherein each organizational unit (120) includes one or more user objects, security group objects, or foreign principal objects (FPOs), wherein FPOs included in an organizational unit (120) comprise mapping parameters that point to a user object or a security group object of one or more different organizational units (120); receiving (206) an update request to populate directory service instances with new or modified customer information; and, if the directory service instance associated with the request is unable to contain the modified customer information, creating (208), by the computer systems manager, a new directory service instance for the new customer information.
2. Method, according to claim 1, characterized by the fact that it further comprises receiving access requests to access a data processing center, including using domain information for each request to identify an organizational unit (120) of a directory service instance (102) corresponding to the user issuing the request.
3. Method, according to claim 1, characterized by the fact that it further comprises using a number of domain controllers to control access and manage directory service instances (102) to offer resources and services online.
4. Method, according to claim 1, characterized by the fact that it further comprises verifying a user's access to a client's resources, wherein the user is assigned a role as a partner agent in a partner client's organizational unit, and wherein the verification of user access comprises matching an agent role of an FPO contained in the client's organizational unit (120) with the partner agent role assigned in the partner client's organizational unit (120).
5. Method, according to claim 1, characterized by the fact that it further comprises providing access to the requested services if a requesting user is associated with an organizational unit (120) and included in a security group with defined access permissions.
6. Method, according to claim 1, characterized by the fact that it further comprises updating directory service instances (102) to maintain current access permissions within the corresponding organizational units (120).
7. Access control system for an online service using directory resources, characterized by the fact that it comprises: a network architecture of computer systems that includes a plurality of service computers and a plurality of isolated dedicated service platforms, each platform storing one or more directory service instances, wherein the directory service instances define access privileges for groups of clients requesting services from the service computers, each DSI including one or more organizational units (120), wherein each organizational unit (120) is populated with customer data used to control access to services from the service computers, wherein each organizational unit (120) includes one or more user objects, security group objects, or foreign principal objects (FPOs), wherein each of the FPOs comprises mapping parameters that point to a user object or a security group object of one or more different organizational units; a computer systems manager (108) configured to maintain global mappings between clients (112) and where their respective directory service instances are maintained, wherein the computer systems manager (108) is configured to create the directory service instances, wherein the computer systems manager (108) is configured to monitor the deployment status of the directory service instances (102) and make new directory service instances (102) available to customers, and wherein the computer systems manager (108), in response to a customer request for additional services based on adding new user objects or security group objects, is configured to create a new DSI data structure for the new user objects or security group objects if the DSI data structure associated with the request is unable to contain the modified customer information; storage to store the DSI data structures; an order provider component (104) configured to query the storage to control access to server resources; and a synchronization component configured to synchronize customer data online with an online application service using the DSI data structures, wherein synchronization comprises populating the DSI data structures with original, new or modified customer information.
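The claims describe a data layout (directory service instances holding organizational units, which hold user objects, security groups and foreign principal objects that point into other units) and three checks over it: locating a unit by request domain (claim 2), the partner-agent role match (claim 4), and the group-membership test (claim 5), plus the manager's rule of spilling into a new instance when the current one cannot hold the update (claim 1, step 208). The following is an added illustration in Python, not code from the patent or from Microsoft; the class names, the per-instance capacity limit, the role strings and the sample domains (contoso.example, fabrikam.example, tailspin.example) are this example's own assumptions. The partner check deliberately fails closed: a user with no FPO in the client's unit, or whose FPO role disagrees with the role the partner assigned, gets nothing.

```python
# Added illustration (not the patent's own code) of the directory layout in
# claims 1, 2, 4 and 5. All class names and sample data are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class SecurityGroup:
    name: str
    members: Set[str] = field(default_factory=set)      # user names in the same OU
    permissions: Set[str] = field(default_factory=set)  # e.g. {"read", "write"}


@dataclass
class ForeignPrincipalObject:
    """Mapping parameters that point at a principal living in a different OU."""
    name: str
    target_domain: str  # domain whose OU holds the real user or group object
    target_name: str
    role: str           # agent role this OU expects of the foreign principal


@dataclass
class OrganizationalUnit:
    domain: str
    users: Set[str] = field(default_factory=set)
    groups: Dict[str, SecurityGroup] = field(default_factory=dict)
    fpos: Dict[str, ForeignPrincipalObject] = field(default_factory=dict)
    partner_agent_roles: Dict[str, str] = field(default_factory=dict)  # user -> role


@dataclass
class DirectoryServiceInstance:
    dsi_id: str
    capacity: int  # assumed limit on OUs per instance; the patent leaves the limit open
    ous: Dict[str, OrganizationalUnit] = field(default_factory=dict)

    def can_hold(self, n_new: int) -> bool:
        return len(self.ous) + n_new <= self.capacity


class ComputerSystemsManager:
    """Keeps the global client -> DSI mapping and creates DSIs on demand."""

    def __init__(self, capacity_per_dsi: int = 2):
        self.capacity = capacity_per_dsi
        self.instances: Dict[str, DirectoryServiceInstance] = {}
        self.client_to_dsi: Dict[str, str] = {}

    def create_dsi(self) -> DirectoryServiceInstance:
        dsi = DirectoryServiceInstance(f"dsi-{len(self.instances) + 1}", self.capacity)
        self.instances[dsi.dsi_id] = dsi
        return dsi

    def update(self, domain: str, ou: OrganizationalUnit) -> str:
        """Populate or refresh a client's OU; spill into a new DSI when none can hold it."""
        dsi_id = self.client_to_dsi.get(domain)
        if dsi_id is not None:                      # modified customer information
            self.instances[dsi_id].ous[domain] = ou
            return dsi_id
        target = next((d for d in self.instances.values() if d.can_hold(1)), None)
        if target is None:                          # step (208): create a new instance
            target = self.create_dsi()
        target.ous[domain] = ou
        self.client_to_dsi[domain] = target.dsi_id
        return target.dsi_id

    def locate_ou(self, domain: str) -> Optional[OrganizationalUnit]:
        """Claim 2: the request's domain identifies the OU inside the right DSI."""
        dsi_id = self.client_to_dsi.get(domain)
        return None if dsi_id is None else self.instances[dsi_id].ous.get(domain)


def has_permission(mgr: ComputerSystemsManager, domain: str, user: str, permission: str) -> bool:
    """Claim 5: the user must be in the OU and in a security group granting the permission."""
    ou = mgr.locate_ou(domain)
    if ou is None or user not in ou.users:
        return False
    return any(user in g.members and permission in g.permissions for g in ou.groups.values())


def partner_agent_allowed(mgr: ComputerSystemsManager, client_domain: str,
                          partner_domain: str, user: str) -> bool:
    """Claim 4: the client's FPO role for the user must equal the role the partner assigned."""
    client_ou = mgr.locate_ou(client_domain)
    partner_ou = mgr.locate_ou(partner_domain)
    if client_ou is None or partner_ou is None:
        return False
    assigned = partner_ou.partner_agent_roles.get(user)
    if assigned is None:
        return False  # no role granted in the partner's own OU: fail closed
    for fpo in client_ou.fpos.values():
        if fpo.target_domain == partner_domain and fpo.target_name == user:
            return fpo.role == assigned
    return False  # user is not mapped into the client's OU at all


def demo() -> ComputerSystemsManager:
    """Constructed sample: two tenants, one partner agent, one mismatched role."""
    mgr = ComputerSystemsManager(capacity_per_dsi=2)
    contoso = OrganizationalUnit(
        "contoso.example", users={"alice", "bob"},
        groups={"editors": SecurityGroup("editors", {"alice"}, {"read", "write"})},
        fpos={"fpo-carol": ForeignPrincipalObject("fpo-carol", "fabrikam.example", "carol", "support-agent"),
              "fpo-dave": ForeignPrincipalObject("fpo-dave", "fabrikam.example", "dave", "admin")})
    fabrikam = OrganizationalUnit(
        "fabrikam.example", users={"carol", "dave"},
        partner_agent_roles={"carol": "support-agent", "dave": "auditor"})
    mgr.update("contoso.example", contoso)
    mgr.update("fabrikam.example", fabrikam)
    mgr.update("tailspin.example", OrganizationalUnit("tailspin.example"))  # forces a second DSI
    return mgr
```

Running `demo()` places the first two tenants in `dsi-1` and the third in `dsi-2` because the assumed capacity of two is exhausted; `partner_agent_allowed` grants carol (roles agree on both sides) and refuses dave (the client's FPO says "admin" while the partner assigned "auditor"), which is the mismatch case a reviewer of such a deployment would want to see refused rather than silently resolved in the client's favour.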
Similar technologies:
Publication number | Publication date | Patent title
BR112012033016B1|2020-11-03|online service access control method and system using directory resources
JP6876836B2|2021-05-26|Systems and methods to support partitions in a multi-tenant application server environment
US9961053B2|2018-05-01|Detecting compromised credentials
US10565402B2|2020-02-18|System and method for serving online synchronized content from a sandbox domain via a temporary address
US8544070B2|2013-09-24|Techniques for non repudiation of storage in cloud or shared storage environments
US10372483B2|2019-08-06|Mapping tenant groups to identity management classes
US20120131646A1|2012-05-24|Role-based access control limited by application and hostname
US10659495B1|2020-05-19|Dynamic authorization in a multi-tenancy environment via tenant policy profiles
US20130125217A1|2013-05-16|Authorization Control
US20210014172A1|2021-01-14|Access management tags
US10148637B2|2018-12-04|Secure authentication to provide mobile access to shared network resources
US20190319794A1|2019-10-17|Distributed access control
US10270759B1|2019-04-23|Fine grained container security
KR20120127339A|2012-11-21|Method and apparatus for sharing data between users of a social network service
US10951600B2|2021-03-16|Domain authentication
US10789179B1|2020-09-29|Decentralized access management in information processing system utilizing persistent memory
US10841079B1|2020-11-17|Data registration-aware storage systems
US20160337337A1|2016-11-17|Identity information including a schemaless portion
CN111324799B|2021-05-04|Search request processing method and device
WO2021115231A1|2021-06-17|Authentication method and related device
WO2021242454A1|2021-12-02|Secure resource authorization for external identities using remote principal objects
Cucinotta et al.2012|Access Control for the Pepys Internet-wide File-System
Patent family:
Publication number | Publication date
EP2585970A4|2018-02-07|
RU2598324C2|2016-09-20|
CN102947797A|2013-02-27|
EP2585970A2|2013-05-01|
CA2803839A1|2011-12-29|
US8782748B2|2014-07-15|
WO2011163038A2|2011-12-29|
WO2011163038A3|2012-02-23|
SG186137A1|2013-01-30|
US20110314520A1|2011-12-22|
CN102947797B|2016-06-29|
CA2803839C|2017-09-26|
RU2012155862A|2014-06-27|
BR112012033016A2|2016-12-20|
EP2585970B1|2019-09-04|
Cited documents:
Publication number | Filing date | Publication date | Applicant | Patent title

WO1997049039A1|1996-06-21|1997-12-24|Bell Communications Research, Inc.|Apparatus and methods for highly available directory services in the distributed computing environment|
IL139006D0|1998-12-12|2001-11-25|Brodia Group|Trusted agent for electronic commerce|
US6047324A|1998-02-05|2000-04-04|Merrill Lynch & Co. Inc.|Scalable distributed network controller|
AU4676800A|1999-04-26|2000-11-10|Dodots, Inc.|Apparatus and method for delivering internet content|
US7237027B1|2000-11-10|2007-06-26|Agami Systems, Inc.|Scalable storage system|
US7146635B2|2000-12-27|2006-12-05|International Business Machines Corporation|Apparatus and method for using a directory service for authentication and authorization to access resources outside of the directory service|
AU2002338270A1|2001-04-02|2002-10-15|Akamai Technologies, Inc.|Scalable, high performance and highly available distributed storage system for internet content|
AU2002336701A1|2001-10-31|2003-05-12|Csg Systems, Inc.|System and method for provisioning network services|
US7487233B2|2001-12-05|2009-02-03|Canon Kabushiki Kaisha|Device access based on centralized authentication|
US7260836B2|2002-02-26|2007-08-21|Aol Llc|System and method for distributed authentication service|
US7228417B2|2002-02-26|2007-06-05|America Online, Inc.|Simple secure login with multiple-authentication providers|
JP2003256301A|2002-02-28|2003-09-12|Canon Inc|System and program for network management, and display method|
US20050166260A1|2003-07-11|2005-07-28|Christopher Betts|Distributed policy enforcement using a distributed directory|
CA2578379A1|2004-08-26|2006-03-02|Omni-Branch Wireless Solutions, Inc.|Opt-in directory of verified individual profiles|
US20060161785A1|2005-01-20|2006-07-20|Christopher Conner|System and method for querying a network directory for information handling system user privileges|
US7555771B2|2005-03-22|2009-06-30|Dell Products L.P.|System and method for grouping device or application objects in a directory service|
US7779091B2|2005-12-19|2010-08-17|Vmware, Inc.|Method and system for providing virtualized application workspaces|
US9762576B2|2006-11-16|2017-09-12|Phonefactor, Inc.|Enhanced multi factor authentication|
US9769177B2|2007-06-12|2017-09-19|Syracuse University|Role-based access control to computing resources in an inter-organizational community|
US7921686B2|2007-08-28|2011-04-12|Cisco Technology, Inc.|Highly scalable architecture for application network appliances|
US8738923B2|2007-09-14|2014-05-27|Oracle International Corporation|Framework for notifying a directory service of authentication events processed outside the directory service|
US20090178131A1|2008-01-08|2009-07-09|Microsoft Corporation|Globally distributed infrastructure for secure content management|
US9002984B2|2008-06-17|2015-04-07|Go Daddy Operating Company, LLC|Direct domain software and file access computer system|
WO2010090664A1|2009-02-05|2010-08-12|Wwpass Corporation|Centralized authentication system with safe private data storage and method|
US8863138B2|2010-12-22|2014-10-14|Intel Corporation|Application service performance in cloud computing|
US9058349B2|2012-12-03|2015-06-16|Aruba Networks, Inc.|Method and system for maintaining derived data sets|
US9325632B2|2013-03-15|2016-04-26|International Business Machines Corporation|Multi-tenancy support for enterprise social business computing|
EP3028164A1|2013-07-31|2016-06-08|Hewlett-Packard Enterprise Development LP|Providing subscriber options|
EP2945055A4|2013-08-13|2016-05-25|Huawei Tech Co Ltd|Application upgrade method and device|
US9390276B2|2013-09-30|2016-07-12|Lexisnexis, A Division Of Reed Elsevier Inc.|Flexible role based authorization model|
US9736159B2|2013-11-11|2017-08-15|Amazon Technologies, Inc.|Identity pool bridging for managed directory services|
US10908937B2|2013-11-11|2021-02-02|Amazon Technologies, Inc.|Automatic directory join for virtual machine instances|
WO2015070248A1|2013-11-11|2015-05-14|Amazon Technologies, Inc.|Managed directory service|
US9407615B2|2013-11-11|2016-08-02|Amazon Technologies, Inc.|Single set of credentials for accessing multiple computing resource services|
US10375013B2|2013-11-11|2019-08-06|Amazon Technologies, Inc.|Managed directory service connection|
US9684937B2|2014-01-07|2017-06-20|International Business Machines Corporation|Allowing a user to view network contacts of other users when visiting an environment of a different organization|
US10372483B2|2014-01-20|2019-08-06|Hewlett-Packard Development Company, L.P.|Mapping tenant groups to identity management classes|
US10003592B2|2014-05-05|2018-06-19|Schneider Electric Software, Llc|Active directory for user authentication in a historization system|
US10355942B1|2014-09-29|2019-07-16|Amazon Technologies, Inc.|Scaling of remote network directory management resources|
US9998499B2|2014-09-29|2018-06-12|Amazon Technologies, Inc.|Management of application access to directories by a hosted directory service|
US10257184B1|2014-09-29|2019-04-09|Amazon Technologies, Inc.|Assigning policies for accessing multiple computing resource services|
US9641503B2|2014-10-03|2017-05-02|Amazon Technologies, Inc.|Using credentials stored in different directories to access a common endpoint|
EP3231136A1|2015-01-13|2017-10-18|Huawei Technologies Co., Ltd.|System and method for dynamic orchestration|
US10509663B1|2015-02-04|2019-12-17|Amazon Technologies, Inc.|Automatic domain join for virtual machine instances|
US9609026B2|2015-03-13|2017-03-28|Varmour Networks, Inc.|Segmented networks that implement scanning|
US9467476B1|2015-03-13|2016-10-11|Varmour Networks, Inc.|Context aware microsegmentation|
US10178070B2|2015-03-13|2019-01-08|Varmour Networks, Inc.|Methods and systems for providing security to distributed microservices|
US9560081B1|2016-06-24|2017-01-31|Varmour Networks, Inc.|Data network microsegmentation|
US9787639B1|2016-06-24|2017-10-10|Varmour Networks, Inc.|Granular segmentation using events|
US10623410B2|2017-04-24|2020-04-14|Microsoft Technology Licensing, Llc|Multi-level, distributed access control between services and applications|
US11233842B2|2017-07-17|2022-01-25|Online Readiness, Llc|Online technical capability system and method|
CN108875387B|2018-05-29|2019-12-10|平安科技(深圳)有限公司|Data processing method, device, equipment and medium based on AD system|
US20200412765A1|2019-06-30|2020-12-31|Microsoft Technology Licensing, Llc|Access management system with a multi-environment policy|
CN110995806A|2019-11-24|2020-04-10|济南浪潮数据技术有限公司|Resource state conversion method, device, equipment and storage medium|
US20210326160A1|2020-04-20|2021-10-21|Microsoft Technology Licensing, Llc|Remote network control for network virtualization|
Legal status:
2017-07-25| B25A| Requested transfer of rights approved|Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC (US) |
2018-03-27| B15K| Others concerning applications: alteration of classification|Ipc: G06F 9/46 (2006.01), G06F 21/60 (2013.01), G06F 21 |
2018-12-26| B06F| Objections, documents and/or translations needed after an examination request according [chapter 6.6 patent gazette]|
2020-05-26| B09A| Decision: intention to grant [chapter 9.1 patent gazette]|
2020-11-03| B16A| Patent or certificate of addition of invention granted [chapter 16.1 patent gazette]|Free format text: VALIDITY PERIOD: 20 (TWENTY) YEARS COUNTED FROM 16/06/2011, SUBJECT TO THE LEGAL CONDITIONS. |
Priority:
Application number | Filing date | Patent title
US12/821,103|2010-06-22|
US12/821,103|US8782748B2|2010-06-22|2010-06-22|Online service access controls using scale out directory features|
PCT/US2011/040598|WO2011163038A2|2010-06-22|2011-06-16|Online service access controls using scale out directory features|