Patents by Inventor Craig Robert William Forster

Craig Robert William Forster has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10277566
    Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
    Type: Grant
    Filed: June 14, 2017
    Date of Patent: April 30, 2019
    Assignee: SailPoint Technologies, Inc.
    Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B. T. Chow, Phillip Goldenburg
  • Publication number: 20170289116
    Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
    Type: Application
    Filed: June 14, 2017
    Publication date: October 5, 2017
    Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B. T. Chow, Phillip Goldenburg
  • Patent number: 9722980
    Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
    Type: Grant
    Filed: March 15, 2016
    Date of Patent: August 1, 2017
    Assignee: SailPoint Technologies, Inc.
    Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B. T. Chow, Phillip Goldenburg
  • Patent number: 9514286
    Abstract: A method, apparatus and computer program product for evaluating a context-based (e.g., XACML) policy having a set of attributes using a weighted index tree having one or more leaves extending from a root node. Each leaf of the tree represents a policy rule. A depth-first path down the leaf represents one or more attributes of the set of attributes that must be present in a request for the rule to be applicable. An input is evaluated against the weighted index tree to generate a response. One type of input is an authorization request, in which case the response is an authorization decision (e.g., permit or deny). Another type of input is a query for a set of entitlements, in which case the response is a set of entitlements.
    Type: Grant
    Filed: March 30, 2010
    Date of Patent: December 6, 2016
    Assignee: International Business Machines Corporation
    Inventor: Craig Robert William Forster
  • Publication number: 20160197900
    Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
    Type: Application
    Filed: March 15, 2016
    Publication date: July 7, 2016
    Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B. T. Chow, Phillip Goldenburg
  • Patent number: 9319395
    Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: April 19, 2016
    Assignee: SailPoint Technologies, Inc.
    Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B. T. Chow, Phillip Goldenburg
  • Patent number: 9231974
    Abstract: A machine-implemented method for evaluating a context-based (e.g., XACML) policy having a set of attributes formulates a search against one or more existing external repositories using a query that is dynamically-generated based on the security policy being evaluated. The approach shifts the building of a candidate set of potentially-allowable resources to the authorization engine (e.g., a Policy Decision Point (PDP)). In operation, an application calls the PDP using an entitlement request and, in response, the PDP builds the candidate set of values based on the defined security policy by generating a query to an external data repository and receiving the results of that query. This approach enables a policy-driven entitlement query at runtime.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: January 5, 2016
    Assignee: International Business Machines Corporation
    Inventors: Miguel Pedroza, Craig Robert William Forster, Umesh Prithviraj Adtani, Yogesh Suresh Shukla
  • Publication number: 20150012751
    Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
    Type: Application
    Filed: June 27, 2014
    Publication date: January 8, 2015
    Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B. T. Chow, Phillip Goldenburg
  • Patent number: 8869250
    Abstract: An approach is provided that receives a first role selection from a client device. Each of the roles includes various user accounts provisioned to access various software applications. An authentication challenge is retrieved. The authentication challenge is based upon the role selection that was received from the client device. The authentication challenge is transmitted to the client device. An authentication submission is received from the client device. This authentication submission is authenticated and, if the authentication is successful, then the client device is granted access to software applications using the provisioned user accounts that were included in the role selection. In addition, audit data of usage of the software applications by the client device is recorded. The audit data includes identification of the provisioned user accounts used to access the software applications using the role selection.
    Type: Grant
    Filed: August 23, 2012
    Date of Patent: October 21, 2014
    Assignee: International Business Machines Corporation
    Inventors: Craig Robert William Forster, Christopher John Hockings
  • Publication number: 20140282831
    Abstract: A machine-implemented method for evaluating a context-based (e.g., XACML) policy having a set of attributes formulates a search against one or more existing external repositories using a query that is dynamically-generated based on the security policy being evaluated. The approach shifts the building of a candidate set of potentially-allowable resources to the authorization engine (e.g., a Policy Decision Point (PDP)). In operation, an application calls the PDP using an entitlement request and, in response, the PDP builds the candidate set of values based on the defined security policy by generating a query to an external data repository and receiving the results of that query. This approach enables a policy-driven entitlement query at runtime.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Inventors: Miguel Pedroza, Craig Robert William Forster, Umesh Prithviraj Adtani, Yogesh Suresh Shukla
  • Patent number: 8495701
    Abstract: In one embodiment, a computer implemented method for indexing security policies is provided. The computer implemented method determines a policy vocabulary to form a set of policy elements, and creates an index from the set of policy elements. The computer implemented method further receives a request to form requested policy elements, locates requested policy elements in the index to form a set of returned policy elements, and identifies a rule for use with the returned policy elements.
    Type: Grant
    Filed: June 5, 2008
    Date of Patent: July 23, 2013
    Assignee: International Business Machines Corporation
    Inventor: Craig Robert William Forster
  • Patent number: 8458672
    Abstract: Computer implemented method, system and computer usable program code for facilitating utilization of data. A computer implemented method for facilitating utilization of data includes receiving data, wherein the received data is in a first representation. The received data is converted from the first representation to a common representation that is mapped to the first representation using an external configuration file. The common representation of the data is output to facilitate utilization of the data.
    Type: Grant
    Filed: July 17, 2007
    Date of Patent: June 4, 2013
    Assignee: International Business Machines Corporation
    Inventors: Craig Robert William Forster, Kerry Robert Gunn, Vernon Murdoch, Miguel Pedroza
  • Patent number: 8346866
    Abstract: Special interest subgroups are formed by a group of participants by establishing a profile for each participant. The profile defines contribution attributes dealing with contributions the profiled participant might make to a subgroup and attribution attributes dealing with benefits the profiled participant might receive from participating in the subgroup. For each possible pairing of participants in the group, an overall contribution score and an overall benefit score is calculated for each participant. A mutual benefit score is calculated by combining the benefit scores for both participants in the pair. Participants are assigned to subgroups as a function of participant contribution and mutual benefit scores.
    Type: Grant
    Filed: May 5, 2010
    Date of Patent: January 1, 2013
    Assignee: International Business Machines Corporation
    Inventors: Simon Gilbert Canning, Craig Robert William Forster, Neil Ian Readshaw
  • Publication number: 20120324546
    Abstract: An approach is provided that receives a first role selection from a client device. Each of the roles includes various user accounts provisioned to access various software applications. An authentication challenge is retrieved. The authentication challenge is based upon the role selection that was received from the client device. The authentication challenge is transmitted to the client device. An authentication submission is received from the client device. This authentication submission is authenticated and, if the authentication is successful, then the client device is granted access to software applications using the provisioned user accounts that were included in the role selection. In addition, audit data of usage of the software applications by the client device is recorded. The audit data includes identification of the provisioned user accounts used to access the software applications using the role selection.
    Type: Application
    Filed: August 23, 2012
    Publication date: December 20, 2012
    Applicant: International Business Machines Corporation
    Inventors: Craig Robert William Forster, Christopher John Hockings
  • Patent number: 8332917
    Abstract: An approach is provided that receives a first role selection from a client device. Each of the roles includes various user accounts provisioned to access various software applications. An authentication challenge is retrieved. The authentication challenge is based upon the role selection that was received from the client device. The authentication challenge is transmitted to the client device. An authentication submission is received from the client device. This authentication submission is authenticated and, if the authentication is successful, then the client device is granted access to software applications using the provisioned user accounts that were included in the role selection. In addition, audit data of usage of the software applications by the client device is recorded. The audit data includes identification of the provisioned user accounts used to access the software applications using the role selection.
    Type: Grant
    Filed: December 29, 2009
    Date of Patent: December 11, 2012
    Assignee: International Business Machines Corporation
    Inventors: Craig Robert William Forster, Christopher John Hockings
  • Publication number: 20110246498
    Abstract: A method, apparatus and computer program product for evaluating a context-based (e.g., XACML) policy having a set of attributes using a weighted index tree having one or more leaves extending from a root node. Each leaf of the tree represents a policy rule. A depth-first path down the leaf represents one or more attributes of the set of attributes that must be present in a request for the rule to be applicable. An input is evaluated against the weighted index tree to generate a response. One type of input is an authorization request, in which case the response is an authorization decision (e.g., permit or deny). Another type of input is a query for a set of entitlements, in which case the response is a set of entitlements.
    Type: Application
    Filed: March 30, 2010
    Publication date: October 6, 2011
    Applicant: International Business Machines Corporation
    Inventor: Craig Robert William Forster
  • Publication number: 20110162046
    Abstract: An approach is provided that receives a first role selection from a client device. Each of the roles includes various user accounts provisioned to access various software applications. An authentication challenge is retrieved. The authentication challenge is based upon the role selection that was received from the client device. The authentication challenge is transmitted to the client device. An authentication submission is received from the client device. This authentication submission is authenticated and, if the authentication is successful, then the client device is granted access to software applications using the provisioned user accounts that were included in the role selection. In addition, audit data of usage of the software applications by the client device is recorded. The audit data includes identification of the provisioned user accounts used to access the software applications using the role selection.
    Type: Application
    Filed: December 29, 2009
    Publication date: June 30, 2011
    Applicant: International Business Machines Corporation
    Inventors: Craig Robert William Forster, Christopher John Hockings
  • Publication number: 20090307742
    Abstract: In one embodiment, a computer implemented method for indexing security policies is provided. The computer implemented method determines a policy vocabulary to form a set of policy elements, and creates an index from the set of policy elements. The computer implemented method further receives a request to form requested policy elements, locates requested policy elements in the index to form a set of returned policy elements, and identifies a rule for use with the returned policy elements.
    Type: Application
    Filed: June 5, 2008
    Publication date: December 10, 2009
    Applicant: International Business Machines Corporation
    Inventor: Craig Robert William Forster
  • Publication number: 20090024987
    Abstract: Computer implemented method, system and computer usable program code for facilitating utilization of data. A computer implemented method for facilitating utilization of data includes receiving data, wherein the received data is in a first representation. The received data is converted from the first representation to a common representation that is mapped to the first representation using an external configuration file. The common representation of the data is output to facilitate utilization of the data.
    Type: Application
    Filed: July 17, 2007
    Publication date: January 22, 2009
    Inventors: Craig Robert William Forster, Kerry Robert Gunn, Vernon Murdoch, Miguel Pedroza