Abstract: Systems and corresponding computer-implemented methods for context-based rule evaluation in an electronic data storage system are described. A request to perform an operation with respect to a resource is received from a client device, with the request including various attributes associated with the client device. At least one set of rules applicable to the operation is identified. The rules can be formed from a combination of primitives arranged to dynamically evaluate attributes associated with the resource and attributes associated with the client device. Based on the evaluation of the rule set(s), an action is identified to be performed with respect to the resource.

Abstract: Techniques are described for separating subdomains as part of a secure login process. For example the subdomains can correspond to an enterprise user or personal user accounts, or both. The login process involves responding to a login request with an assertion, such as for example a redirect based assertion, that includes an encrypted data structure with account and user information necessary for identification of the corresponding subdomain. The encrypted data structure includes browser-, IP address, and user-specific information to thwart a cross-site request forgery (CSRF) security vulnerability, among other things.

Abstract: Techniques are described for separating subdomains as part of a secure login process. For example the subdomains can correspond to an enterprise user or personal user accounts, or both. The login process involves responding to a login request with an assertion, such as for example a redirect based assertion, that includes an encrypted data structure with account and user information necessary for identification of the corresponding subdomain. The encrypted data structure includes browser-, IP address, and user-specific information to thwart a cross-site request forgery (CSRF) security vulnerability, among other things.

Abstract: Systems for managing user-level security in a cloud-based service platform. A server in a cloud-based environment is configured to interface with storage devices that store objects that are accessible over a network by two or more users. An enterprise entity is identified using an enterprise identifier associated with the enterprise, and an application service is associated with an application identifier. An application service request comprising a user identifier and the application identifier is received, and authentication is determined based on the combination of the user identifier and a pre-authenticated application identifier. Once the application service request is authenticated, then specific aspects of the service request are authorized. The integrity of the application identifier is confirmed by locating a secure association of the given application identifier to a pre-shared enterprise identifier.

Abstract: Systems and corresponding computer-implemented methods for context-based rule evaluation in an electronic data storage system are described. A request to perform an operation with respect to a resource is received from a client device, with the request including various attributes associated with the client device. At least one set of rules applicable to the operation is identified. The rules can be formed from a combination of primitives arranged to dynamically evaluate attributes associated with the resource and attributes associated with the client device. Based on the evaluation of the rule set(s), an action is identified to be performed with respect to the resource.

Abstract: Systems for managing user-level security in a cloud-based service platform. A server in a cloud-based environment is configured to interface with storage devices that store objects that are accessible over a network by two or more users. An enterprise entity is identified using an enterprise identifier associated with the enterprise, and an application service is associated with an application identifier. An application service request comprising a user identifier and the application identifier is received, and authentication is determined based on the combination of the user identifier and a pre-authenticated application identifier. Once the application service request is authenticated, then specific aspects of the service request are authorized. The integrity of the application identifier is confirmed by locating a secure association of the given application identifier to a pre-shared enterprise identifier.