1. Field of the Invention
The present invention relates to a management device, a management system, a control method, and a storage medium.
2. Description of the Related Art
There has been proposed a cloud system in which a service provider manages data owned by customers. The term “service provider” refers to a company which provides various services to the customers who use the service. In the cloud service, data storage and user information are managed in a tenant, which is a dedicated region for each customer. Because data in the cloud service is managed per tenant, a service provider can access only the data in the tenant to which it belongs and is not permitted to access other tenants. However, in order to manage customer data on behalf of customers who have entrusted business activities to it, the service provider needs to access the customer data stored in the customer tenant (the tenant owned by the customer). The service provider cannot provide a data management service if it cannot access customer data. Since customer data may include personal information and confidential information, the service provider must be allowed to access customer data only after the customer has accepted this in advance.
Japanese Patent Laid-Open No. 2010-108170 discloses a role-based access control method. In this method, a management device permits access by users to each data item and function on a per-role basis. The management device determines whether access to a data object or a functional object is allowed based on the role set in the user's identification information.
Assume that the user environment for utilizing the cloud service is as follows. For example, a customer which has made a service contract with a service provider may be a large-scale company having a plurality of intra-group companies, or a global company whose locations are spread over a wide area. In such a case, a single service provider may not be able to provide services to all of its customers. The service provider may therefore entrust the services for some customers to another service provider (a second service provider). To make this entrustment secure, the customers to be entrusted are managed by dividing their tenants into divided tenants in regional units or in group-company units, so that the range of customers being entrusted is clearly delimited. Access rights are then granted to the second service provider, as the entrustee, for each divided customer tenant, so that the services can be entrusted to it.
However, the second service provider may have no direct relationship with the tenant of a customer to be entrusted, because there is no service contract between them and they have no upper-and-lower relationship in the hierarchical structure. Consequently, from the viewpoint of security, the second service provider cannot obtain direct access rights to access the data (resources) of the customer to be entrusted.
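The following Python model is an added example and is not code from the patent or from any product it describes. It encodes the related-art checks described above: objects are scoped to a tenant, a role gates access to data objects versus functional objects, and cross-tenant access requires a direct relationship (a service contract or an upper tenant in the hierarchy) together with the customer's advance consent. The tenant names, role names, contract and consent records are constructed for illustration; running the scenarios shows why a second service provider with no contract and no hierarchical relationship to a divided customer tenant is refused, while the first provider's access to the same divided tenant succeeds through the customer's top-level tenant.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model (not the patent's own code) of the related-art checks described above:
# data is managed per tenant, a role gates data vs. functional objects, and cross-tenant
# access needs a direct relationship (service contract or upper tenant) plus customer consent.


@dataclass(frozen=True)
class Tenant:
    name: str
    parent: Optional[str] = None  # upper tenant in the hierarchy (None for a top-level tenant)


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant: str
    role: str


@dataclass(frozen=True)
class Resource:
    tenant: str  # the customer tenant that owns the object
    kind: str    # "data" or "function"
    name: str


# Hypothetical role names; each maps to the object kinds the role may access.
ROLE_PERMISSIONS = {
    "provider_admin": frozenset({"data", "function"}),
    "provider_operator": frozenset({"function"}),
    "customer_user": frozenset({"data"}),
}


class Directory:
    """Tenant hierarchy plus the contract and consent records used for access decisions."""

    def __init__(self, tenants, contracts, consents):
        self.tenants = {t.name: t for t in tenants}
        self.contracts = set(contracts)  # (provider_tenant, customer_tenant) with a service contract
        self.consents = set(consents)    # (customer_tenant, provider_tenant) accepted in advance

    def chain(self, tenant_name):
        """Return the tenant followed by its upper tenants, nearest first."""
        out = []
        cur = tenant_name
        while cur is not None:
            out.append(cur)
            cur = self.tenants[cur].parent
        return out


def check_access(directory, principal, resource):
    """Return (allowed, reason). Role is checked first, then tenant scope, then relationship and consent."""
    if resource.kind not in ROLE_PERMISSIONS.get(principal.role, frozenset()):
        return False, "role does not permit this object kind"
    if principal.tenant == resource.tenant:
        return True, "same tenant"
    chain = directory.chain(resource.tenant)
    is_upper = principal.tenant in chain[1:]
    has_contract = any((principal.tenant, t) in directory.contracts for t in chain)
    if not (is_upper or has_contract):
        return False, "no direct relationship with customer tenant"
    if not any((t, principal.tenant) in directory.consents for t in chain):
        return False, "customer has not accepted access in advance"
    return True, "cross-tenant access via direct relationship with consent"


def build_sample_directory():
    """Constructed sample: one customer split into regional divided tenants, three providers."""
    tenants = [
        Tenant("ProviderA"), Tenant("ProviderB"), Tenant("ProviderC"),
        Tenant("CustomerX"),
        Tenant("CustomerX-EU", parent="CustomerX"),
        Tenant("CustomerX-Asia", parent="CustomerX"),
    ]
    contracts = {("ProviderA", "CustomerX"), ("ProviderC", "CustomerX-EU")}
    consents = {("CustomerX", "ProviderA")}  # ProviderC has a contract but no recorded consent
    return Directory(tenants, contracts, consents)


def run_scenarios():
    d = build_sample_directory()
    invoices = Resource("CustomerX-Asia", "data", "invoices")
    eu_report = Resource("CustomerX-EU", "data", "report")
    return {
        "first_provider_admin": check_access(d, Principal("alice", "ProviderA", "provider_admin"), invoices),
        "first_provider_operator": check_access(d, Principal("carol", "ProviderA", "provider_operator"), invoices),
        "second_provider_no_relation": check_access(d, Principal("bob", "ProviderB", "provider_admin"), invoices),
        "contract_without_consent": check_access(d, Principal("dave", "ProviderC", "provider_admin"), eu_report),
        "customer_own_data": check_access(d, Principal("erin", "CustomerX-Asia", "customer_user"), invoices),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:30s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The order of the checks matters: the role gate runs before any tenant reasoning so that a mis-scoped role cannot be masked by a tenant match, and the consent check runs last so that a relationship alone (the ProviderC case) is never sufficient. The divided tenants inherit both the contract and the consent from their upper tenant, which is what lets the first provider reach CustomerX-Asia; the second provider matches neither rule and is denied before consent is even consulted.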