System, method and computer program product for enabling access to a resource of a multi-tenant on-demand database service utilizing a token
US-9098539-B2 · Aug 4, 2015 · US
US9774586B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9774586-B1 |
| Application number | US-201514840573-A |
| Country | US |
| Kind code | B1 |
| Filing date | Aug 31, 2015 |
| Priority date | Aug 31, 2015 |
| Publication date | Sep 26, 2017 |
| Grant date | Sep 26, 2017 |
Official abstract text for this publication.
In response to a request received from a client device to authorize a user for accessing a resource associated with a tenant, user roles of the user within the tenant are determined. For each of the user roles, user privileges the user is entitled within a capacity of the user role are determined based on static access control settings associated with the user. A tenant authorization profile associated with the tenant is accessed to determine tenant roles and tenant privileges for each tenant role. For each of the user roles that matches at least one of the tenant roles, at least one user privilege is modified based on corresponding tenant privileges of the matched tenant role. A token is generated based on the user roles and the modified user privileges and transmitted to the client device to determine whether the user is allowed to access the resource of the tenant.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method for authenticating and authorizing users in a multi-tenant environment, the method comprising: in response to a request received from a client application running within a client device to authorize a user for accessing a resource associated with a tenant, determining one or more user roles of the user within the tenant, and for each of the user roles, determining one or more user privileges the user is entitled within a capacity of the user role based on static access control settings associated with the user; accessing a tenant authorization profile associated with the tenant to determine one or more tenant roles and one or more tenant privileges for each tenant role, wherein the tenant roles and tenant privileges are dynamically configured and stored as part of dynamic access control settings in the tenant authorization profile; for each of the user roles that matches at least one of the tenant roles, modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role; generating a token based on the user roles and the user privileges, including the modified user privileges; and transmitting the token to the client device to allow the client application to determine whether the user is allowed to access the resource of the tenant based on the token; wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises: determining a first time associated with the request; determining a time period specified in the tenant authorization profile; determining whether the first time is within the time period specified in the tenant authorization profile; and removing or disabling user privileges of the tenant from the token, in response to determining that the first time is within the time period.

2. The method of claim 1, wherein the user roles and user privileges are configured and stored as part of the static access control settings stored in a persistent storage device by a first administrator of a service provider that provides storage resources to a plurality of tenants, and wherein the tenant roles and tenant privileges are dynamically configured and stored via a configuration interface by a second administrator associated with the tenant.

3. The method of claim 2, wherein the user privileges are modified and incorporated into the token based on the tenant privileges, without modifying the user privileges as part of the static access control settings stored in the persistent storage device.

4. The method of claim 2, wherein when a user role of the static access control settings matches a tenant role of the tenant authorization profile, tenant privileges of the matched tenant role of the tenant authorization profile override user privileges of the matched user role in the token.

5. The method of claim 1, wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises: obtaining a first user ID from the request, the first user ID uniquely identifying the user; obtaining a list of user IDs from the tenant authorization profile, the list of user IDs representing a list of users to be excluded; determining whether the first user ID is included in the list of user IDs from the tenant authorization profile; and removing or disabling user privileges of the tenant from the token, in response to determining that the first user ID is included in the list of user IDs.

6. The method of claim 1, wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises: determining a first geographic location of the user; determining a list of geographic locations from the tenant authorization profile; determining whether the first geographic location is the list of geographic locations specified in the tenant authorization profile; and removing or disabling user privileges of the tenant from the token, in response to determining that the first geographic location is the list of geographic locations.

7. The method of claim 1, further comprising: accessing an application authorization profile associated with the client application to determine one or more application roles and one or more application privileges for each application role; and for each of the user roles that matches at least one of the application roles, modifying at least one user privilege based on corresponding application privileges of the matched application role.

8. The method of claim 7, wherein when a user role of the static access control settings matches an application role of the application authorization profile, application privileges of the matched application role of the application authorization profile override user privileges of the matched user role in the token.

9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for authenticating and authorizing users in a multi-tenant environment, the operations comprising: in response to a request received from a client application running within a client device to authorize a user for accessing a resource associated with a tenant, determining one or more user roles of the user within the tenant, and for each of the user roles, determining one or more user privileges the user is entitled within a capacity of the user role based on static access control settings associated with the user; accessing a tenant authorization profile associated with the tenant to determine one or more tenant roles and one or more tenant privileges for each tenant role, wherein the tenant roles and tenant privileges are dynamically configured and stored as part of dynamic access control settings in the tenant authorization profile; for each of the user roles that matches at least one of the tenant roles, modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role; generating a token based on the user roles and the user privileges, including the modified user privileges; and transmitting the token to the client device to allow the client application to determine whether the user is allowed to access the resource of the tenant based on the token; wherein modifying at least one user privilege based on corresponding tenant privileges of the matched tenant role comprises: determining a first time associated with the request; determining a time period specified in the tenant authorization profile; determining whether the first time is within the time period specified in the tenant authorization profile; and removing or disabling user privileges of the tenant from the token, in response to determining that the first time is within the time period.

10. The non-transitory machine-readable medium of claim 9, wherein the user roles and user privileges are configured and stored as part of the static access control settings stored in a persistent storage device by a first administrator of a service provider that provides storage resources to a plurality of tenants, and wherein the tenant roles and tenant privileges are dynamically configured and stored via a configuration interface by a second administrator associated with the tenant.

11. The non-transitory machine-readable medium of claim 10, wherein the user privileges are modified and incorporated into the token based on the tenant privileges, without modifying the user privileges as part of the static access control settings stored in the persistent storage device.

12. The non-transitory machine-rea
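The abstract and claims above describe a concrete authorization flow: static user roles and privileges from the service provider, tenant-configured overrides that replace privileges for matching roles (claim 4), optional application overrides (claims 7 and 8), and three conditions under which the tenant's privileges are removed from the token before it is issued (time period in claim 1, excluded user list in claim 5, location list in claim 6). The following is an added worked example of that flow; it is not code from the patent or from any product that implements it. All data structures, the sample users and roles, the `tenant-a` tenant, the location code `ZZ`, and the HMAC signing key are constructed assumptions, and the signature over the token is an added integrity check that the claims do not require.

```python
"""Added example: role/privilege token generation with tenant overrides.
All names and sample data below are constructed for illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import Optional

# Static access control settings, as configured by the service provider's
# administrator and held in persistent storage (claim 2). Constructed sample.
STATIC_ROLE_PRIVILEGES = {
    "admin": {"read", "write", "delete", "configure"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}
STATIC_USER_ROLES = {
    ("alice", "tenant-a"): ["admin"],
    ("bob", "tenant-a"): ["editor", "viewer"],
    ("carol", "tenant-a"): ["viewer"],
}
# Placeholder key for the token MAC; constructed, not a real secret.
TOKEN_SIGNING_KEY = b"constructed-example-key-do-not-use"


@dataclass
class TenantAuthorizationProfile:
    """Dynamic settings configured by the tenant's own administrator (claims 1-6)."""
    role_privileges: dict = field(default_factory=dict)      # tenant role -> privileges
    restricted_period: Optional[tuple] = None               # (start, end) time of day, claim 1
    excluded_user_ids: set = field(default_factory=set)     # claim 5
    restricted_locations: set = field(default_factory=set)  # claim 6


@dataclass
class ApplicationAuthorizationProfile:
    """Per-client-application overrides (claims 7 and 8)."""
    role_privileges: dict = field(default_factory=dict)


@dataclass
class AuthorizationRequest:
    user_id: str
    tenant_id: str
    requested_at: datetime
    location: str  # constructed: a country code reported for the user


def _apply_role_overrides(privileges, overrides):
    """Where a user role matches a profile role, the profile's privileges replace
    the static ones (claims 4 and 8), but only in this token-bound copy (claim 3)."""
    for role in privileges:
        if role in overrides:
            privileges[role] = set(overrides[role])


def build_token_payload(request, tenant_profile, app_profile=None):
    roles = list(STATIC_USER_ROLES.get((request.user_id, request.tenant_id), []))
    # Copy the static sets so persistent settings are never mutated (claim 3).
    privileges = {r: set(STATIC_ROLE_PRIVILEGES.get(r, set())) for r in roles}
    _apply_role_overrides(privileges, tenant_profile.role_privileges)
    if app_profile is not None:
        _apply_role_overrides(privileges, app_profile.role_privileges)

    # Conditions under which the tenant's privileges are removed from the token.
    restrictions = []
    if tenant_profile.restricted_period is not None:
        start, end = tenant_profile.restricted_period
        if start <= request.requested_at.time() <= end:      # claim 1
            restrictions.append("restricted_period")
    if request.user_id in tenant_profile.excluded_user_ids:   # claim 5
        restrictions.append("excluded_user")
    if request.location in tenant_profile.restricted_locations:  # claim 6
        restrictions.append("restricted_location")
    if restrictions:
        privileges = {r: set() for r in roles}

    return {
        "sub": request.user_id,
        "tenant": request.tenant_id,
        "iat": request.requested_at.isoformat(),
        "roles": roles,
        "privileges": {r: sorted(p) for r, p in privileges.items()},
        "restrictions": restrictions,
    }


def issue_token(request, tenant_profile, app_profile=None) -> str:
    """Serialize the payload and append an HMAC tag so the client can reject a
    tampered token before trusting the privileges inside it (added check)."""
    payload = json.dumps(build_token_payload(request, tenant_profile, app_profile), sort_keys=True)
    tag = hmac.new(TOKEN_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_and_decode(token: str) -> dict:
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(TOKEN_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token signature mismatch")
    return json.loads(payload)


def is_allowed(token: str, privilege: str) -> bool:
    """Client-side decision: any role in the token that grants the privilege suffices."""
    payload = verify_and_decode(token)
    return any(privilege in privs for privs in payload["privileges"].values())


# Constructed tenant profile: withholds "delete" from admins, blocks 00:00-06:00,
# excludes carol, and blocks requests from the placeholder location "ZZ".
SAMPLE_TENANT_PROFILE = TenantAuthorizationProfile(
    role_privileges={"admin": {"read", "write", "configure"}},
    restricted_period=(time(0, 0), time(6, 0)),
    excluded_user_ids={"carol"},
    restricted_locations={"ZZ"},
)

if __name__ == "__main__":
    req = AuthorizationRequest("alice", "tenant-a", datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc), "US")
    tok = issue_token(req, SAMPLE_TENANT_PROFILE)
    print(verify_and_decode(tok)["privileges"], is_allowed(tok, "delete"))
```

The tenant override shrinks the admin's privilege set inside the token without touching `STATIC_ROLE_PRIVILEGES`, which is the separation claim 3 describes; the three restriction checks empty the sets rather than dropping the roles, so a client can still see which roles the user holds and why no privilege was granted.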
wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals · CPC title
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title
Entity profiles · CPC title
Grouping of entities · CPC title
Tools and structures for managing or administering access control systems · CPC title