IBM Patents a Provider-Agnostic Multi-Tenant Storage Management System

By Patentlyze Team · Updated May 16, 2026

Managing storage across dozens of departments inside a single Kubernetes cluster without stepping on each other's data is a genuine headache for enterprise IT. IBM's new patent tries to solve it with a layer of software-defined storage that doesn't care which identity provider you use.

What IBM's departmental storage isolation actually does

Imagine your company runs all its apps in containers — think of those like self-contained boxes that each department's software lives in. The problem is, when dozens of departments share the same underlying storage, keeping their data separate and letting each team manage their own slice is surprisingly messy.

IBM's patent describes a system it calls a software-defined storage-as-a-service workspace (SDSaaS workspace). Think of it as a shared storage mall where each department gets its own locked storefront. A department in Marketing can resize their storage or change who has access without ever touching Finance's data — and vice versa.

The clever part is the "identity provider agnostic" bit. Whether your company uses Microsoft's Active Directory, Google's SSO, or something else entirely to verify who employees are, IBM's system doesn't care. It manages who can access what storage on its own terms, using role-based access control layered on top of open-source container infrastructure like Kubernetes.

How IBM's SDSaaS workspace enforces per-department storage

The patent centers on a construct called the SDSaaS workspace, which acts as a logical boundary — called a tenancy circle — that groups together Kubernetes namespaces (isolated environments for running containerized apps) and the underlying storage resources they need.

Within that workspace, storage is divvied up and assigned to individual departments. Each department gets autonomy: they can provision, resize, or adjust access to their own storage blocks without needing a central IT ticket. The system uses role-based access control (RBAC) — a permission model where users get roles (like "admin" or "read-only") rather than individual access rules — applied at the workspace level rather than requiring configuration at every individual storage volume.

The "identity provider agnostic" angle means the system doesn't assume any particular authentication backend. Instead of hooking directly into, say, Okta or Azure AD, it abstracts those away. This is useful in large enterprises that may have multiple identity providers across business units or acquired companies.

The patent's diagram references components like RBD (RADOS Block Device) — a block storage format from Ceph, a popular open-source storage system — connected to Kubernetes namespaces, suggesting the implementation builds on existing open-source tooling rather than proprietary hardware.

What this means for enterprise Kubernetes storage teams

For enterprise IT and DevOps teams, this kind of multi-tenancy management is an unglamorous but genuinely painful problem. As Kubernetes adoption has grown, so has the complexity of managing shared storage underneath it — especially in regulated industries where Finance absolutely cannot accidentally see HR's data.

IBM's framing around identity provider agnosticism is strategically smart: it positions this as neutral infrastructure that works in hybrid or multi-cloud environments regardless of which directory service a customer already uses. That fits squarely into IBM's broader pitch around Red Hat OpenShift and IBM Storage solutions for enterprise Kubernetes deployments.

Editorial commentary on a publicly published patent application. Not legal advice.