CPC H04L 63/083 (2013.01) [H04L 63/107 (2013.01); H04L 63/20 (2013.01)]; 19 Claims

1. A computerized method comprising:
receiving, from a user, a request to perform an operation on data stored in a shared data resource, wherein the shared data resource stores physically integrated data from a plurality of tenants;
obtaining a credential document from the user, wherein:
the credential document includes (i) a session portion that is specific to a current session of the user and (ii) a set of restriction criteria, and
the set of restriction criteria identifies a set of permitted user computing device types;
determining whether the user is authorized to access the shared data resource storing the data associated with the request based on a role attribute specified by the credential document; and
in response to the user having access to the shared data resource storing the data:
determining, using user attributes in the credential document, a set of tenants whose data the user is authorized to access to perform the operation of the request;
evaluating, selectively based on the session portion, whether the set of restriction criteria restricts the user from performing the operation;
in response to the evaluating identifying that a current computing device of the user is not included in the set of permitted user computing device types, restricting the user from performing the operation; and
in response to the evaluating identifying that the user is not restricted from performing the operation, performing the operation on a subset of the shared data resource, wherein the subset is limited to data stored in the shared data resource that corresponds to the set of tenants.
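The decision sequence of claim 1 (role check, tenant set from user attributes, device-type restriction evaluated from the session portion, then the operation on the tenant-scoped subset), as an added Python example that is not part of the patent. The record layout, the field names `device_type` and `tenant_memberships`, and the `sum_amounts` operation are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed shared data resource: rows from several tenants stored together.
SHARED_RESOURCE = {
    "allowed_roles": {"analyst", "admin"},
    "rows": [
        {"tenant": "acme", "id": 1, "amount": 10},
        {"tenant": "acme", "id": 2, "amount": 25},
        {"tenant": "globex", "id": 3, "amount": 40},
        {"tenant": "initech", "id": 4, "amount": 5},
    ],
}

@dataclass(frozen=True)
class CredentialDocument:
    session: dict                    # session portion (assumed key: device_type)
    permitted_device_types: frozenset  # restriction criteria
    role: str                        # role attribute for the resource decision
    user_attributes: dict            # assumed key: tenant_memberships

def authorized_tenants(cred):
    """Tenants whose data the user may act on, derived from user attributes."""
    return frozenset(cred.user_attributes.get("tenant_memberships", ()))

def evaluate_restrictions(cred):
    """Check the restriction criteria against the session portion.
    Returns a denial reason, or None if the current device type is permitted."""
    device_type = cred.session.get("device_type")
    if device_type not in cred.permitted_device_types:
        return f"device type {device_type!r} not permitted"
    return None

def handle_request(cred, operation, resource=SHARED_RESOURCE):
    """Apply the claim's steps in order.
    Returns ('denied', reason) or ('ok', result of operation on the subset)."""
    if cred.role not in resource["allowed_roles"]:
        return ("denied", "role not authorized for resource")
    tenants = authorized_tenants(cred)
    reason = evaluate_restrictions(cred)
    if reason is not None:
        return ("denied", reason)
    # The operation only ever sees rows belonging to the authorized tenants.
    subset = [r for r in resource["rows"] if r["tenant"] in tenants]
    return ("ok", operation(subset))

def sum_amounts(rows):
    """Example operation applied to the tenant-scoped subset."""
    return sum(r["amount"] for r in rows)
```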