Abstract: Embodiments include a multi-tenant cloud-based identity management system for a plurality of tenants. Embodiments include a global database providing a first set of resources to the plurality of tenants and a plurality of tenant databases, each tenant database providing a second set of resources to one of the plurality of tenants. Embodiments further include a plurality of resources accessible by the tenants and an automated upgrade framework for upgrading the global database and the tenant databases in response to an upgrade of a first release of the system to a second release of the system. For the automated upgrade framework, embodiments determine resource changes between the first release and the second release, generate an upgrade patch based on the resource changes and apply the upgrade patch to the global database.

Abstract: Embodiments operate a multi-tenant cloud system. At a first data center, embodiments authenticate a first client corresponding to a first tenant ID and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client and replicate the resources. The first data center receives an Application Programming Interface (“API”) request for the first client corresponding to a change to the resources, and generates a change log and corresponding change event message in response to the API request. Embodiments compute a first hash corresponding to the first tenant ID of the change log to determine a first partition of a first queue at the first data center. The first data center pushes the change event message to the second data center via an API call.

Abstract: Embodiments operate a multi-tenant cloud system. At a first data center, embodiments authenticate a first client and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client. Embodiments divide the resources into base data and regular data, where the base data is a minimum data needed to allow the resources to be available to the first client at the second data center. Embodiments store the base data on a cloud storage in a base data export file and store the regular data on the cloud storage in a regular data export file. Embodiments export the base data export file to the second data center and when the exporting the base data export file has completed, exports the regular data export file to the second data center.

Abstract: A system stores and uses object relationships in a multi-tenant cloud-based identity and access management (IAM) system by: defining a schema for storing related objects, where the schema includes reference attributes indicative of relationships between the related objects in a database, and the schema defines a relationship type and a persistence scope for each reference attribute; constructing an in-memory representation of the related objects and their relationships based on the schema, where the in-memory representation indicates the relationship type and the persistence scope for each reference attribute; and using the in-memory representation of the related objects to perform an IAM service for a client of the multi-tenant cloud-based IAM system.

Abstract: Embodiments perform write operations in a multi-tenant cloud system that includes a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. Embodiments receive a request from a first client to perform a first write for a resource at the second data center. Embodiments generate a call to the first data center including a second write for the resource at the first data center. Embodiments retrieve data corresponding to the first write and send the retrieved data to the first data center. Embodiments write on the data based on the first write, the writing on the data including changing the data to generate changed data.

Abstract: Embodiments provide cloud based identity management by receiving a request from an application for a resource that includes an operation on a resource type out of a plurality of resource types and the request specifies a tenant out of a plurality of tenants, the resource type including a schema, and the schema includes a plurality of schema attributes and metadata for each of the schema attributes, the resource type including one of a user or a second application. Embodiments store multiple versions of the resource type, at least a first version of the resource indicating a deprecated attribute with respect to a first previous version of the resource type, and at least a second version of the resource type indicating an added attribute with respect to a second previous version of resource type, where the request indicates one of the multiple versions of the resource type.

Abstract: Embodiments operate a multi-tenant cloud system. At a first data center, embodiments authenticate a first client corresponding to a first tenant ID and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client and replicate the resources. The first data center receives an Application Programming Interface (“API”) request for the first client corresponding to a change to the resources, and generates a change log and corresponding change event message in response to the API request. Embodiments compute a first hash corresponding to the first tenant ID of the change log to determine a first partition of a first queue at the first data center. The first data center pushes the change event message to the second data center via an API call.

Abstract: Embodiments include a multi-tenant cloud system with a first data center and a second remote data center. The first data center authenticates a first client and stores resources that correspond to the first client, and is in communication with the second data center. The second data center authenticates the first client and replicates the resources. The first data center receives a write request for the first client, writes the write request and generates change event messages in a first order. The first data center pushes the change event messages to the second data center via REST API calls. In response to receiving the change event messages, the second data center is configured to write the change event messages in the first order to its local database.

Abstract: Embodiments operate a multi-tenant cloud system with a first data center. At the first data center, embodiments authenticate a first client and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client and replicate the resources. In response to upgrading global resources at the first data center to a new version, embodiments generate a manifest file including a listing of global resource types and schemas that are modified or added in response to the upgrading. Embodiments further upgrade global resources based on the manifest file and write the upgraded global resources to a first global database and generate change event messages corresponding to the upgraded global resources.

Abstract: Embodiments replicate resources in a multi-tenant cloud system. Embodiments receive a master resource, associated with a master account of the cloud system to be replicated, where the master resource includes a master JavaScript Object Notation (“JSON”) object and includes a plurality of master attributes. Embodiments generate a master resource metadata JSON by calculating hash values for each of the master attributes to generate master attribute level hashes and by calculating an aggregate of all of the hash values to generate a master resource level hash. Embodiments store each master attribute of the master JSON object in a separate column of a master database table associated with the master account and store the master resource metadata JSON is in a separate hash column of the master database table. Embodiments replicate the master JSON object to create a replicated JSON object including a plurality of replicated attributes.

Abstract: A method for mapping SCIM resources to LDAP entries is provided. An LDAP Directory Information Tree (DIT), including a plurality of LDAP DIT entries that describe LDAP containers, users and groups, is provided. Each LDAP DIT entry includes a Distinguished Name and a plurality of LDAP attribute-value pairs, each of which include an attribute name and one or more attribute values. A SCIM directory, including a plurality of SCIM resource entries, is also provided. Each SCIM resource entry includes a plurality of SCIM attributes, each of which includes a name and one or more values. The plurality of SCIM resource entries are converted to corresponding LDAP DIT entries, and, for each SCIM resource entry that has a SCIM CMVA, the SCIM CMVA is mapped to a plurality of LDAP attributes in the corresponding LDAP DIT entry using LDAP attribute subtypes.

Abstract: Embodiments operate a multi-tenant cloud system. At a first data center, embodiments authenticate a first client and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client. Embodiments divide the resources into base data and regular data, where the base data is a minimum data needed to allow the resources to be available to the first client at the second data center. Embodiments store the base data on a cloud storage in a base data export file and store the regular data on the cloud storage in a regular data export file. Embodiments export the base data export file to the second data center and when the exporting the base data export file has completed, exports the regular data export file to the second data center.

Abstract: Embodiments include a multi-tenant cloud-based identity management system for a plurality of tenants. Embodiments include a global database providing a first set of resources to the plurality of tenants and a plurality of tenant databases, each tenant database providing a second set of resources to one of the plurality of tenants. Embodiments further include a plurality of resources accessible by the tenants and an automated upgrade framework for upgrading the global database and the tenant databases in response to an upgrade of a first release of the system to a second release of the system. For the automated upgrade framework, embodiments determine resource changes between the first release and the second release, generate an upgrade patch based on the resource changes and apply the upgrade patch to the global database.

Abstract: Embodiments operate a multi-tenant cloud system with a first data center. At the first data center, embodiments authenticate a first client and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client and replicate the resources. In response to upgrading global resources at the first data center to a new version, embodiments generate a manifest file including a listing of global resource types and schemas that are modified or added in response to the upgrading. Embodiments further upgrade global resources based on the manifest file and write the upgraded global resources to a first global database and generate change event messages corresponding to the upgraded global resources.

Abstract: Embodiments provide cloud based identity management by receiving a request from an application for a resource that includes an operation on a resource type out of a plurality of resource types and the request specifies a tenant out of a plurality of tenants, the resource type including a schema, and the schema includes a plurality of schema attributes and metadata for each of the schema attributes, the resource type including one of a user or a second application. Embodiments store multiple versions of the resource type, at least a first version of the resource indicating a deprecated attribute with respect to a first previous version of the resource type, and at least a second version of the resource type indicating an added attribute with respect to a second previous version of resource type, where the request indicates one of the multiple versions of the resource type.

Abstract: Cloud based identity management is provided by receiving a request from an application by a web gate for a resource, where the request includes an operation on a resource type out of a plurality of resource types and the request specifies a tenant out of a plurality of tenants. Embodiments access a microservice based on the request, resolve the resource type, and validate that the operation is supported by the resource type based on metadata. Embodiments get a data provider associated with the tenant, call the data provider to perform the operation, and then return the resource.

Abstract: Embodiments perform write operations in a multi-tenant cloud system that includes a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. Embodiments receive a request from a first client to perform a first write for a resource at the second data center. Embodiments generate a call to the first data center including a second write for the resource at the first data center. Embodiments retrieve data corresponding to the first write and send the retrieved data to the first data center. Embodiments write on the data based on the first write, the writing on the data including changing the data to generate changed data.

Abstract: Embodiments include a multi-tenant cloud system with a first data center and a second remote data center. The first data center authenticates a first client and stores resources that correspond to the first client, and is in communication with the second data center. The second data center authenticates the first client and replicates the resources. The first data center receives a write request for the first client, writes the write request and generates change event messages in a first order. The first data center pushes the change event messages to the second data center via REST API calls. In response to receiving the change event messages, the second data center is configured to write the change event messages in the first order to its local database.

Abstract: Embodiments replicate resources in a multi-tenant cloud system. Embodiments receive a master resource, associated with a master account of the cloud system to be replicated, where the master resource includes a master JavaScript Object Notation (“JSON”) object and includes a plurality of master attributes. Embodiments generate a master resource metadata JSON by calculating hash values for each of the master attributes to generate master attribute level hashes and by calculating an aggregate of all of the hash values to generate a master resource level hash. Embodiments store each master attribute of the master JSON object in a separate column of a master database table associated with the master account and store the master resource metadata JSON is in a separate hash column of the master database table. Embodiments replicate the master JSON object to create a replicated JSON object including a plurality of replicated attributes.

Abstract: A system stores and uses object relationships in a multi-tenant cloud-based identity and access management (IAM) system by: defining a schema for storing related objects, where the schema includes reference attributes indicative of relationships between the related objects in a database, and the schema defines a relationship type and a persistence scope for each reference attribute; constructing an in-memory representation of the related objects and their relationships based on the schema, where the in-memory representation indicates the relationship type and the persistence scope for each reference attribute; and using the in-memory representation of the related objects to perform an IAM service for a client of the multi-tenant cloud-based IAM system.