In step 710, an access permission approval request for the secure data resource is provided to the first domain on behalf of the remote principal, as a member of the group. Based at least on an indication of an approval of the access permission approval request from the first domain, this causes a remote principal object to be generated in a directory of the first domain at the domain host; the remote principal object links the group to the at least one entitlement for the secure data resource as enumerated in the set of permissions and specified by the access policy. For instance, a secure data resource owner or representative (e.g., an authorized member of the domain for tenant A 226) approves access permission to the secure data resource based on the permissions and the access policy provided in step 708 (e.g., via lock box 222 of system 200) from ELM 214 on behalf of a user/remote principal of tenant B/P 228. When an indication of the approval is received by ELM 214, ELM 214 is configured to cause the creation/generation of an RPO in directory A 468. As described herein, such as with respect to RPO 308 of system 300 in