Patent attributes
In response to a request received from a client device, a user is authenticated based on user credentials obtained from the request. A plurality of tenants of which the user is a member is identified and, for each of the tenants associated with the user, one or more roles of the user within the tenant are determined. For each of the one or more roles, one or more privileges to which the user is entitled within a capacity of the role are determined. An authorization token is generated based on information identifying the tenants associated with the user, the one or more roles of the user within each tenant, and the one or more privileges associated with each role. The authorization token is transmitted to the client device to allow the client device to determine whether the user is authenticated and allowed to access a resource of a particular tenant.