At least one computer-readable storage medium that stores program instructions that, when executed by one or more processing devices, perform a method, is also described herein. The method is for authorizing access by a remote principal of a second domain to a secure data resource of a first domain, according to embodiments. The method includes: receiving, from an interface associated with the remote principal, a request to access a first domain of a domain host, the first domain being different from the second domain, the request including an identifier and second domain credentials of the remote principal; determining that the remote principal is associated with a remote principal object that is generated by, and stored at a directory of, the domain host and is inaccessible from the second domain; verifying that the remote principal is identified as being associated with a group, of the second domain, having at least one entitlement to the secure data resource, as enumerated in a set of permissions and at least one associated access policy defined by the second domain and represented in the remote principal object; generating an access token for the remote principal that includes the at least one entitlement; and providing the access token to the remote principal, causing a redirect of the interface that provides access to the secure data resource by the remote principal.
In an embodiment of the at least one computer-readable storage medium, the method includes, prior to said determining, causing generation of the remote principal object in the first domain at the domain host, which links the remote principal to the entitlements based on the set of permissions.
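The following is an added example, not code from the patent or from any product it describes: a compact Python model of the flow set out in the two paragraphs above, covering both the provisioning step (generating the remote principal object at the domain host from the second domain's permission set) and the authorization steps (accepting a cross-domain request with second-domain credentials, locating the remote principal object in the first domain's directory, verifying a group entitlement and its access policy, minting a signed access token, and returning the redirect). Domain names, the example principal, the credential store, the "require_mfa" policy and the HMAC signing key are all constructed placeholders.

```python
# Added example (not the patent's implementation): a model of the cross-domain
# authorization method. Domain names, credentials, keys and policies are constructed.
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# --- Second (home) domain: where the remote principal and its groups are defined ---
SECOND_DOMAIN = "home.example"                         # assumed name
HOME_CREDENTIALS = {"alice@home.example": "pw-alice"}  # constructed credential store
GROUP_MEMBERS = {"finance-readers": {"alice@home.example"}}
# Set of permissions: group -> resource of the first domain -> entitlements
PERMISSIONS = {"finance-readers": {"reports": {"read"}}}
# Access policies defined by the second domain, attached per group
ACCESS_POLICIES = {"finance-readers": {"require_mfa": True}}

# --- First domain (domain host): owns the secure resource and the directory ---
FIRST_DOMAIN = "host.example"                          # assumed name
TOKEN_KEY = b"host-domain-token-key"                   # constructed signing key
TOKEN_TTL = 600                                        # seconds

@dataclass
class RemotePrincipalObject:
    identifier: str
    home_domain: str
    group_entitlements: dict   # group -> resource -> set of entitlements
    policies: dict             # access policy represented in the object

# Directory of the domain host. Only first-domain code touches it; the second
# domain never reads it, matching "inaccessible from the second domain".
DIRECTORY = {}

def provision_remote_principal(identifier, home_domain):
    """Generate the remote principal object at the domain host, linking the
    principal to entitlements through the second domain's permission set."""
    groups = [g for g, members in GROUP_MEMBERS.items() if identifier in members]
    obj = RemotePrincipalObject(
        identifier, home_domain,
        {g: PERMISSIONS.get(g, {}) for g in groups},
        {k: v for g in groups for k, v in ACCESS_POLICIES.get(g, {}).items()},
    )
    DIRECTORY[identifier] = obj
    return obj

def home_domain_authenticates(identifier, password):
    """Stand-in for validating the second-domain credentials with the home domain."""
    expected = HOME_CREDENTIALS.get(identifier)
    return expected is not None and hmac.compare_digest(expected, password)

def mint_token(identifier, entitlements, now=None):
    """Access token carrying the entitlements, integrity-protected with HMAC-SHA256."""
    body = json.dumps({"iss": FIRST_DOMAIN, "sub": identifier, "ent": entitlements,
                       "exp": int(now or time.time()) + TOKEN_TTL}, sort_keys=True)
    sig = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def parse_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > int(now or time.time()) else None

def authorize_access(request):
    """The method's steps, in order. Returns a decision the interface can act on."""
    ident = request["identifier"]
    # The request must target the first domain from a different (second) domain.
    if request["target_domain"] != FIRST_DOMAIN or request["home_domain"] == FIRST_DOMAIN:
        return {"status": "denied", "reason": "not a cross-domain request"}
    if not home_domain_authenticates(ident, request["password"]):
        return {"status": "denied", "reason": "second-domain credentials rejected"}
    # Determine that a remote principal object exists in the host's directory.
    obj = DIRECTORY.get(ident)
    if obj is None or obj.home_domain != request["home_domain"]:
        return {"status": "denied", "reason": "no remote principal object for this principal"}
    # Verify a second-domain group grants an entitlement to the requested resource.
    resource, action = request["resource"], request["action"]
    groups = [g for g, ents in obj.group_entitlements.items() if action in ents.get(resource, ())]
    if not groups:
        return {"status": "denied", "reason": "no group with an entitlement to the resource"}
    # Apply the access policy represented in the remote principal object.
    if obj.policies.get("require_mfa") and not request.get("mfa_completed"):
        return {"status": "denied", "reason": "access policy requires MFA"}
    entitlements = {}
    for g in groups:
        for r, acts in obj.group_entitlements[g].items():
            entitlements[r] = sorted(set(entitlements.get(r, [])) | acts)
    token = mint_token(ident, entitlements)
    # The token travels with the interface (e.g. in the response), not in the URL.
    return {"status": "ok", "token": token, "redirect": f"https://{FIRST_DOMAIN}/{resource}"}
```

Calling `provision_remote_principal("alice@home.example", "home.example")` and then `authorize_access(...)` with the constructed credentials and `mfa_completed=True` yields a signed token whose `ent` claim is `{"reports": ["read"]}`; the same request without MFA, with a wrong password, with an action no group grants, or for a principal that was never provisioned is denied at the corresponding step. Keeping the group check and the policy check as separate steps makes each denial reason loggable, which is what a detection team wants from an authorization service.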