
Secure resource authorization for external identities using remote principal objects

Patent number
US11888856B2
Publication date
2024-01-30
Applicant
Microsoft Technology Licensing, LLC (Redmond, WA, US)
Inventors
Charles Prakash Rao Dasari; Maksym Yaryn; Debashis Choudhury; Jeffrey A Staiman
IPC classification
H04L9/40
Technical field
domain,principal,remote,tenant,resource,rpo,access,in,directory,data
Region: Redmond, WA

Abstract

Methods of secure resource authorization for external identities using remote principal objects are performed by systems and devices. An external entity creates a user group and defines entitlements to an owning entity's secure resource as a set of permissions for the group. An immutable access template with the permissions and an access policy for the secure resource are provided to the owning entity for approval. On approval, a remote principal object is created in the owner directory according to the permissions and access policy. A remote principal that is a group member requests access via an interface to the owner domain using external domain credentials. The identity of the remote principal is verified against the remote principal object by a token service. Verification causes generation and issuance of a token, with the enumerated entitlements, to the remote principal interface, effecting a redirect for access to the secure resource.

Description

Additionally, if issues arise during the performance of a task, the owners of data resources on which tasks are performed are enabled to determine specific information regarding the task performance in order to track and/or resolve issues via logs/audit reports without being required to maintain a list of group members from a remote domain that have access to the data resource. That is, in some scenarios, the data resource owner may not want to include remote domain users in its directory, of which there may be many in embodiments, because maintaining lists of remote domain users requires additional memory and processing usage, additional administration/overhead, and remote domain user access may only be required for a limited period of time (e.g., to perform a task related to the data resource). Furthermore, the group membership list for access to a data resource for performing a task may include many more members than will actually participate in task performance. As an example, a group can include ten members who are granted access to a data resource, but only a single member may be involved in completing a given task associated with the data resource. Over time, considering that different tasks may also have different corresponding groups with different memberships, a large number of remote domain users, many of whom never accessed a data resource in performance of a task, could be maintained by the domain of the data resource owner. The described RPO embodiments, however, allow the transient access permissions associated with RPOs to have little persisting impact on the domain of the resource owner, as the lists of remote domain users are not required to be persisted.
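The flow in the abstract and the "no persisted remote user list" property argued in the description, modelled as an added example (not code from the patent or from Microsoft). The tenant names, group id, resource URI, credential check and the SHA-256 template digest are constructed assumptions standing in for the external identity provider and the owner's approval record.

```python
"""Model of the remote principal object (RPO) authorization flow."""
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class AccessTemplate:
    """Immutable template the external tenant proposes to the resource owner."""
    external_tenant: str
    group_id: str
    resource: str
    permissions: tuple
    policy: str

    def digest(self) -> str:
        # The owner approves a specific digest, so any later change is detectable.
        body = json.dumps(self.__dict__, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()


class OwnerDirectory:
    """Owner domain: stores one RPO per (tenant, group); never remote users."""
    def __init__(self):
        self.rpos = {}
        self.audit = []  # (subject, resource) entries for later log/audit review

    def approve(self, template, approved_digest):
        if template.digest() != approved_digest:
            raise PermissionError("template altered after approval")
        self.rpos[(template.external_tenant, template.group_id)] = template


class ExternalTenant:
    """Remote domain: authenticates its own users and knows group membership."""
    def __init__(self, name, members):
        self.name = name
        self.members = members  # group_id -> set of users (lives only here)

    def is_member(self, user, credential, group_id):
        # Constructed credential check standing in for the external IdP.
        if credential != f"secret-for-{user}":  # assumption: shared-secret stand-in
            return False
        return user in self.members.get(group_id, set())


def request_access(directory, tenant, user, credential, group_id, resource):
    """Token service: verify the remote principal against the RPO, issue a token."""
    rpo = directory.rpos.get((tenant.name, group_id))
    if rpo is None or rpo.resource != resource:
        return None
    if not tenant.is_member(user, credential, group_id):
        return None
    token = {"sub": f"{user}@{tenant.name}", "aud": resource,
             "entitlements": list(rpo.permissions), "policy": rpo.policy}
    directory.audit.append((token["sub"], resource))  # traceable without storing users
    return token
```

The owner directory ends up holding a single RPO and an audit trail, however many members the external group has.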

權(quán)利要求

1