Access to the cloud environment through managed tenancy that complies with sovereignty requirements.

JP2026520283APending Publication Date: 2026-06-23ORACLE INT CORP

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
ORACLE INT CORP
Filing Date
2024-04-29
Publication Date
2026-06-23

Smart Images

  • Figure 2026520283000001_ABST
    Figure 2026520283000001_ABST
Patent Text Reader

Abstract

This document discloses a technology for providing user access to a cloud environment through a managed tenancy that complies with sovereignty requirements. The managed tenancy is one of several tenancies within the cloud environment. The managed tenancy includes tools for communicating with services operating outside of it. Users may only access these services through the managed tenancy. User access to the managed tenancy requires the user to meet one or more sovereignty requirements. After determining that the user meets the sovereignty requirements for the cloud environment, the system grants the user access to tools within the managed tenancy for communication with services outside of it.
Need to check novelty before this filing date? Find Prior Art

Claims

1. It is a method, This includes receiving a request from a first user to access one or more management tools of a management tenancy in a cloud environment. The aforementioned management tenancy is one of several tenancies in the aforementioned cloud environment, The management tenancy includes one or more management tools to communicate with one or more services operating outside the management tenancy. The aforementioned method, The first user determines that the sovereignty requirements of the cloud environment are met, At least the determination that the first user satisfies the sovereignty requirement grants the first user the request to access one or more management tools of the management tenancy, It further includes, The method is performed by at least one device including a hardware processor.

2. The method according to claim 1, wherein the one or more services operating outside the management tenancy are otherwise inaccessible to the first user.

3. The aforementioned cloud environment comprises a set of cloud resources, The aforementioned set of cloud resources comprises the one or more management tools and the one or more services operating outside of the management tenancy, The method according to claim 1, wherein access to the set of cloud resources is controlled by a set of access policies, each of which has the maximum range of one of the plurality of tenancies.

4. A set of one or more access policies enables the first user to access the one or more management tools of the management tenancy. The method according to claim 1, wherein the set of access policies specifies one or more permissions or authorizations for static or dynamic user groups, including the first user, to access static or dynamic cloud resources comprising one or more management tools of the management tenancy.

5. The method according to claim 1, wherein there is no access policy that allows the first user to directly access the one or more services operating outside the management tenancy.

6. The aforementioned management tenancy is operated by a Cloud Service Provider (CSP), The one or more services operating outside the aforementioned management tenancy are operated by the customer. The one or more services described above operate in one or more of the aforementioned tenancies, each of which is operated by the customer. The method according to claim 1, wherein the first user is associated with the CSP.

7. The method according to claim 1, wherein receiving the request is performed by a virtual private network (VPN) gateway associated with the management tenancy.

8. The method according to claim 1, wherein determining that the first user satisfies the sovereignty requirement includes performing a geographic location check based on the physical location of the first user.

9. The method according to claim 8, wherein performing the geographic location check includes determining whether the source Internet Protocol (IP) address associated with the first user belongs to a pre-configured classless interdomain routing (CIDR) range corresponding to a pre-approved geographic area.

10. The aforementioned cloud environment has multiple partitions, The first partition among the plurality of partitions is equipped with the management tenancy and, in accordance with the sovereignty requirements, The method according to claim 1, wherein access to the second management tenancy in the second partition of the plurality of partitions is not subject to the sovereignty requirement.

11. The method according to claim 1, further comprising continuously authenticating the first user while the management tenancy is in use.

12. The method according to claim 11, wherein the continuous authentication of the first user includes continuously performing two-factor authentication in response to the detection of multiple instances of one or more authentication triggers.

13. The method according to claim 1, further comprising: (a) determining that the first user is on a pre-approved list of operators; or (b) determining that the first user is not on a prohibited list of operators.

14. The method according to claim 1, further comprising detecting the presence of a hardware security device coupled to a physical device used by the first user to access the management tenancy.

15. The method according to claim 14, wherein the hardware security device is a hardware dongle.

16. The method according to claim 1, wherein the one or more management tools available to the first user in the management tenancy are based on a first setting specific to the first user.

17. The method according to claim 16, wherein the second user has access to at least one management tool that is not included in the one or more management tools available to the first user, based on a second setting specific to the second user.

18. The method according to claim 1, further comprising (a) the first user's access to the management tenancy, and (b) maintaining an audit log of actions taken by the first user within the management tenancy.

19. One or more non-temporary computer-readable media that, when executed by one or more hardware processors, stores instructions causing the operation described in any one of claims 1 to 18.

20. A system comprising means for performing the operation described in any one of claims 1 to 18.

21. It is a system, One or more hardware processors, One or more non-temporary computer-readable media, A program instruction stored in one or more non-temporary computer-readable media, which, when executed by one or more hardware processors, causes the system to perform the operation described in any one of claims 1 to 18; A system that includes these features.