| CPC G06F 21/6218 (2013.01) [G06F 9/45558 (2013.01); G06F 21/31 (2013.01); G06F 21/606 (2013.01)] | 17 Claims |

|
1. A method comprising:
receiving a primary request that includes a primary identity and is for a service that is provided by a services provider, wherein the service is within a service container group hosted by a cloud provider;
generating a shadow request from the primary request, wherein the shadow request includes a shadow identity that is created when the primary identity is created and is linked to the primary identity from the primary request;
authorizing the shadow request by verifying that the shadow identity has access to the service;
generating a tenant token for the shadow identity in response to authorizing the shadow request;
obtaining an access token using native authorization of the cloud provider in exchange for the tenant token, wherein the access token is a data store access token and provides the shadow identity with access to a tenant data repository of a tenant container group of a set of tenant container groups hosted by the cloud provider;
sending a data access request with the data store access token to a data access service that verifies authorization for access to a tenant data store of the tenant data repository;
accessing tenant data from the tenant data repository using the access token;
obtaining a shadow response that is generated for the shadow identity and includes processed tenant data generated by processing the tenant data from the tenant data repository with the service; and
sending a primary response that is for the primary identity and is generated from the shadow response, wherein generating the primary response removes references to the shadow identity by replacing the shadow identity with the primary identity linked to the shadow identity.
|
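The flow recited in claim 1, traced end to end as an added illustration; this is not code from the patent or from any implementation of it. All identities, keys, service names and data are constructed, and HMAC-signed JSON with shared demo keys stands in for the tenant token and for the cloud provider's native authorization, which is an assumption made for brevity.

```python
import hashlib, hmac, json

# All names, keys and data below are constructed for illustration.
PROVIDER_KEY = b"services-provider-demo-key"   # signs tenant tokens
CLOUD_KEY = b"cloud-provider-demo-key"         # signs data store access tokens
SHADOW_OF = {"alice@tenant-a": "shadow-7f3a"}  # link made when the primary identity is created
SERVICE_ACL = {"shadow-7f3a": {"report"}}      # services each shadow identity may call
TENANT_OF = {"shadow-7f3a": "tenant-a"}        # tenant container group per shadow identity
TENANT_DATA = {"tenant-a": [3, 4, 5], "tenant-b": [9]}

def sign(key, claims):
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(key, token):
    body, _, mac = token.rpartition(".")
    good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        raise PermissionError("bad token signature")
    return json.loads(body)

def exchange(tenant_token):
    """Cloud provider side: swap a valid tenant token for a data store access token."""
    claims = verify(PROVIDER_KEY, tenant_token)
    return sign(CLOUD_KEY, {"sub": claims["sub"], "store": TENANT_OF[claims["sub"]]})

def data_access(access_token, store):
    """Data access service: the token must be scoped to the requested tenant store."""
    claims = verify(CLOUD_KEY, access_token)
    if claims["store"] != store:
        raise PermissionError("token not valid for this tenant data store")
    return TENANT_DATA[store]

def handle(primary_request):
    primary = primary_request["identity"]
    shadow = SHADOW_OF[primary]                                # linked shadow identity
    shadow_request = {**primary_request, "identity": shadow}   # shadow request
    if shadow_request["service"] not in SERVICE_ACL.get(shadow, set()):
        raise PermissionError("shadow identity lacks access to service")
    tenant_token = sign(PROVIDER_KEY, {"sub": shadow, "svc": shadow_request["service"]})
    access_token = exchange(tenant_token)                      # tenant token -> access token
    rows = data_access(access_token, TENANT_OF[shadow])        # read tenant data
    shadow_response = {"identity": shadow, "result": sum(rows)}  # processed tenant data
    # Primary response: the shadow identity is replaced by the linked primary identity.
    return {**shadow_response, "identity": primary}
```

The demo tokens carry no expiry or audience, so the sketch shows only the scoping and identity-substitution steps, not token lifetime handling.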