Access to the cloud environment through managed tenancy that complies with sovereignty requirements.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- ORACLE INT CORP
- Filing Date
- 2024-04-29
- Publication Date
- 2026-06-23
Smart Images

Figure 2026520283000001_ABST
Abstract
Claims
1. It is a method, This includes receiving a request from a first user to access one or more management tools of a management tenancy in a cloud environment. The aforementioned management tenancy is one of several tenancies in the aforementioned cloud environment, The management tenancy includes one or more management tools to communicate with one or more services operating outside the management tenancy. The aforementioned method, The first user determines that the sovereignty requirements of the cloud environment are met, At least the determination that the first user satisfies the sovereignty requirement grants the first user the request to access one or more management tools of the management tenancy, It further includes, The method is performed by at least one device including a hardware processor.
2. The method according to claim 1, wherein the one or more services operating outside the management tenancy are otherwise inaccessible to the first user.
3. The aforementioned cloud environment comprises a set of cloud resources, The aforementioned set of cloud resources comprises the one or more management tools and the one or more services operating outside of the management tenancy, The method according to claim 1, wherein access to the set of cloud resources is controlled by a set of access policies, each of which has the maximum range of one of the plurality of tenancies.
4. A set of one or more access policies enables the first user to access the one or more management tools of the management tenancy. The method according to claim 1, wherein the set of access policies specifies one or more permissions or authorizations for static or dynamic user groups, including the first user, to access static or dynamic cloud resources comprising one or more management tools of the management tenancy.
5. The method according to claim 1, wherein there is no access policy that allows the first user to directly access the one or more services operating outside the management tenancy.
6. The aforementioned management tenancy is operated by a Cloud Service Provider (CSP), The one or more services operating outside the aforementioned management tenancy are operated by the customer. The one or more services described above operate in one or more of the aforementioned tenancies, each of which is operated by the customer. The method according to claim 1, wherein the first user is associated with the CSP.
7. The method according to claim 1, wherein receiving the request is performed by a virtual private network (VPN) gateway associated with the management tenancy.
8. The method according to claim 1, wherein determining that the first user satisfies the sovereignty requirement includes performing a geographic location check based on the physical location of the first user.
9. The method according to claim 8, wherein performing the geographic location check includes determining whether the source Internet Protocol (IP) address associated with the first user belongs to a pre-configured classless interdomain routing (CIDR) range corresponding to a pre-approved geographic area.
10. The aforementioned cloud environment has multiple partitions, The first partition among the plurality of partitions is equipped with the management tenancy and, in accordance with the sovereignty requirements, The method according to claim 1, wherein access to the second management tenancy in the second partition of the plurality of partitions is not subject to the sovereignty requirement.
11. The method according to claim 1, further comprising continuously authenticating the first user while the management tenancy is in use.
12. The method according to claim 11, wherein the continuous authentication of the first user includes continuously performing two-factor authentication in response to the detection of multiple instances of one or more authentication triggers.
13. The method according to claim 1, further comprising: (a) determining that the first user is on a pre-approved list of operators; or (b) determining that the first user is not on a prohibited list of operators.
14. The method according to claim 1, further comprising detecting the presence of a hardware security device coupled to a physical device used by the first user to access the management tenancy.
15. The method according to claim 14, wherein the hardware security device is a hardware dongle.
16. The method according to claim 1, wherein the one or more management tools available to the first user in the management tenancy are based on a first setting specific to the first user.
17. The method according to claim 16, wherein the second user has access to at least one management tool that is not included in the one or more management tools available to the first user, based on a second setting specific to the second user.
18. The method according to claim 1, further comprising (a) the first user's access to the management tenancy, and (b) maintaining an audit log of actions taken by the first user within the management tenancy.
19. One or more non-temporary computer-readable media that, when executed by one or more hardware processors, stores instructions causing the operation described in any one of claims 1 to 18.
20. A system comprising means for performing the operation described in any one of claims 1 to 18.
21. It is a system, One or more hardware processors, One or more non-temporary computer-readable media, A program instruction stored in one or more non-temporary computer-readable media, which, when executed by one or more hardware processors, causes the system to perform the operation described in any one of claims 1 to 18; A system that includes these features.