
Secure resource authorization for external identities using remote principal objects

Patent number
US11888856B2
Publication date
2024-01-30
Applicant
Microsoft Technology Licensing, LLC(US WA Redmond)
Inventors
Charles Prakash Rao Dasari; Maksym Yaryn; Debashis Choudhury; Jeffrey A Staiman
IPC classification
H04L9/40
Technical field
domain,principal,remote,tenant,resource,rpo,access,in,directory,data
Region: WA WA Redmond

Abstract

Methods of secure resource authorization for external identities using remote principal objects are performed by systems and devices. An external entity creates a user group and defines entitlements to an owning entity's secure resource as a set of permissions for the group. An immutable access template with the permissions and an access policy for the secure resource are provided to the owning entity for approval. On approval, a remote principal object is created in the owner directory according to the permissions and access policy. A remote principal that is a group member requests access via an interface to the owner domain using external domain credentials. The identity of the remote principal is verified against the remote principal object by a token service. Verification causes generation and issuance of a token, with the enumerated entitlements, to the remote principal interface affecting a redirect for access to the secure resource.

Description

Another method is also described herein. The method is for authorizing access by a remote principal of a second domain to a secure data resource in a first domain, according to embodiments. The method includes generating a data structure that specifies a group, at and associated with the second domain, that is based on an access requirement to the secure data resource in the first domain of a domain host, the first domain being different from the second domain, and retrieving a permissions template generated at the second domain, the permissions template defining a set of permissions that include at least one entitlement for members of the group to the secure data resource. The method also includes generating an access policy of the secure data resource that is associated with the set of permissions, and providing the set of permissions and the access policy to the domain host for the first domain, the set of permissions and the access policy being immutable from the first domain. The method further includes providing to the first domain on behalf of the remote principal, as a member of the group, an access permission approval request for the secure data resource causing generation in a directory of the first domain at the domain host of a remote principal object based at least on an indication of an approval of the access permission approval request from the first domain, the remote principal object linking the group to the at least one entitlement for the secure data resource as enumerated in the set of permissions and specified by the access policy.

Claims

1