
Secure resource authorization for external identities using remote principal objects

Patent number
US11888856B2
Publication date
2024-01-30
Applicant
Microsoft Technology Licensing, LLC (US WA Redmond)
Inventors
Charles Prakash Rao Dasari; Maksym Yaryn; Debashis Choudhury; Jeffrey A Staiman
IPC classification
H04L9/40
Technical field
domain,principal,remote,tenant,resource,rpo,access,in,directory,data
Region: WA Redmond

Abstract

Methods of secure resource authorization for external identities using remote principal objects are performed by systems and devices. An external entity creates a user group and defines entitlements to an owning entity's secure resource as a set of permissions for the group. An immutable access template with the permissions and an access policy for the secure resource are provided to the owning entity for approval. On approval, a remote principal object is created in the owner directory according to the permissions and access policy. A remote principal that is a group member requests access via an interface to the owner domain using external domain credentials. The identity of the remote principal is verified against the remote principal object by a token service. Verification causes generation and issuance of a token, with the enumerated entitlements, to the remote principal interface, effecting a redirect for access to the secure resource.

Description

In an embodiment of the system, generating the remote principal object is performed based on an acceptance within the first domain of an access permission approval request for the secure data resource that is initiated in and provided on behalf of the second domain.

In an embodiment of the system, generating the remote principal object includes determining a temporal validity period associated therewith, and the method includes performing at the domain host, and subsequent to an expiration of the temporal validity period, at least one of removing the remote principal object from the directory or removing the set of permissions and the at least one associated access policy from the directory.

In an embodiment of the system, the method includes generating, subsequent to said providing the access token, an audit report including at least one of one or more entries for operations performed by the remote principal on the secure data resource that exclude a personal identifier of the remote principal or indicia of the set of permissions with which the remote principal object is associated.

In an embodiment, the system includes a cloud-based services platform that includes a secure token service configured to generate the access token, and the domain host comprises a first tenancy of the cloud-based services platform, and the second domain comprises a second tenancy of the cloud-based services platform.

In an embodiment of the system, the method includes verifying that an entry of the identity of the remote principal is absent from the directory in the first domain and is present in a directory of the second domain subsequent to said receiving, and performing said determining responsive to said verifying.
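The authorization flow in the abstract and the checks in the embodiments above (approval-gated remote principal object, temporal validity, identity absent from the owner directory but present in the external one, audit entries without a personal identifier) modelled as a small token-service decision function. This is an added example written for this page, not Microsoft's implementation; the directory structures, group and identity names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)  # immutable access template: group -> permissions + policy
class AccessTemplate:
    group: str
    permissions: frozenset
    policy: str


@dataclass
class RemotePrincipalObject:  # created in the owner directory only after approval
    template: AccessTemplate
    expires_at: datetime  # temporal validity period; expired RPO is treated as removed


class TokenService:
    """Hypothetical owner-domain secure token service (constructed for this example)."""

    def __init__(self, owner_users, external_groups, rpos):
        self.owner_users = owner_users          # identities native to the owner tenant
        self.external_groups = external_groups  # external directory: group -> members
        self.rpos = rpos                        # owner directory: group -> RPO
        self.audit = []                         # entries never carry the principal's identifier

    def request_token(self, principal, group, now):
        # The identity must be absent from the owner directory and present in the external one
        if principal in self.owner_users or principal not in self.external_groups.get(group, ()):
            return None
        rpo = self.rpos.get(group)
        # No RPO means the owner never approved the template; expiry denies as if removed
        if rpo is None or now >= rpo.expires_at:
            return None
        token = {"group": group, "entitlements": sorted(rpo.template.permissions),
                 "policy": rpo.template.policy, "exp": rpo.expires_at.isoformat()}
        self.audit.append({"group": group, "op": "token_issued", "at": now.isoformat()})
        return token


def demo():
    # Constructed sample tenancy: one approved group, one native user, one external member
    now = datetime(2024, 1, 30, tzinfo=timezone.utc)
    template = AccessTemplate("ext-auditors", frozenset({"storage.read", "storage.list"}), "read-only")
    svc = TokenService(
        owner_users={"alice@owner.example"},
        external_groups={"ext-auditors": {"bob@external.example"}},
        rpos={"ext-auditors": RemotePrincipalObject(template, now + timedelta(days=30))},
    )
    return svc, now
```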

權(quán)利要求

1