Patents by Inventor Michael G. Roche

Michael G. Roche has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10659495
    Abstract: In one example, a method for managing user access is performed by or at the direction of an application, and includes receiving a token from an authentication service, and the token includes an application role and associated privilege mask. An authentication request is then received from a sender seeking access to an application. Information in the authentication request is compared with the token, and the authentication request is approved when the information in the authentication request matches the token. Alternatively, access to the application is denied when the information in the authentication request does not match the token.
    Type: Grant
    Filed: July 21, 2016
    Date of Patent: May 19, 2020
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Michael G. Roche, Michal J. Drozd
  • Publication number: 20200153870
    Abstract: In one example, a method for managing user access to data contained in a computing system, includes receiving a token from an authentication service, wherein the token includes an application role and associated privilege mask; receiving an authentication request from an entity seeking access to an application; comparing information in the authentication request with the token; approving the authentication request when the information in the authentication request matches the token, and granting access to the application when the authentication request has been approved, and denying access to the application when the information in the authentication request does not match the token. The receiving, comparing, approving, granting, and denying processes are performed by the application to which the entity is seeking access, and wherein when the entity, or a different entity, seeks access to another application, user access to the another application is controlled by the another application.
    Type: Application
    Filed: January 15, 2020
    Publication date: May 14, 2020
    Inventors: Michael G. Roche, Michal J. Drozd
  • Patent number: 10095587
    Abstract: A method for backing up and recovering data is disclosed. Data representing an allocation of a plurality of backup resources to a plurality of restricted data zones is stored in a storage device. Any of the plurality of backup resources allocated to one restricted data zone is not allocated to another restricted data zone. A user is associated with one of the plurality of restricted data zones. Backup and recovery services are provided to the user using one or more backup resources allocated to the restricted data zone associated with the user. The backup and recovery services provided to the user are segregated from backup and recovery services provided to other users associated with restricted data zones that are different from the restricted data zone associated with the user.
    Type: Grant
    Filed: December 23, 2011
    Date of Patent: October 9, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Daniel Varrin, Michael Jacek Drozd, Michael G. Roche
  • Patent number: 10057246
    Abstract: A first request is received to execute a batch of a plurality of tasks from a user via a command-line interface (CLI). A predetermined storage location is accessed to determine whether there is an access token associated with the user. If not, the user is prompted via the CLI interface for login credentials. The login credentials are transmitted to an authentication and authorization (AUTH) request to a remote AUTH server to allow the AUTH server to authenticate and authorize the user. An access token associated with the user is received from the AUTH server containing authorization information of the user for accessing resources of one or more cloud servers. The access token is stored in the predetermined storage location. One or more of the cloud servers are accessed using the access token to perform the tasks of the batch without having to log in multiple times.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: August 21, 2018
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Michal J. Drozd, Michael G. Roche, Aliaksandr Shtop
  • Patent number: 10044723
    Abstract: A user is authenticated based on user credentials obtained from a request in response to the request received from a client device. A plurality of tenants is identified in which the user is a member and, for each of the tenants associated with the user, one or more roles of the user are determined within the tenant. For each of the one or more roles, one or more privileges the user is entitled within a capacity of the role are determined. An authorization token is generated based on information identifying the tenants associated with the user, one or more roles of the user within each tenant, and one or more privileges associated with each role. The authorization token is transmitted to the client device to allow the client device to determine whether the user is authenticated and allowed to access the resource of a particular tenant.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: August 7, 2018
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Ilia Fischer, Aliaksandr Shtop, Michal J. Drozd, Vitaly Morozov, Michael G. Roche
  • Patent number: 10009337
    Abstract: A first request is received from a first user to revoke an access right of a second user of a first tenant for accessing data of a second tenant, where the first tenant is a parent tenant of the second tenant. In one embodiment, in response to the first request, a first role of the first user within the second tenant and a second role of the first user within the first tenant are determined. A first and second access privileges of the first role and second role of the first user, respectively, are determined to allow the first user to revoke the access right to the second tenant. In response to the first user having a revoke privilege in the first and second tenant, the first user is allowed to remove the second tenant from the first tenant.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: June 26, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Ilia Fischer, Michal J. Drozd, Aliaksandr Shtop, Vitaly Morozov, Michael G. Roche
  • Patent number: 9992186
    Abstract: In response to a request received from a client device, the user is authenticated based on user credentials extracted from the request. Upon having successfully authenticated the user, tenants and one or more roles of each of the tenants associated with the user are identified. In one embodiment, an authorization token having information identifying the plurality of tenants and their respective one or more roles of the user is generated. The information of each of the tenants and its respective roles are encrypted with a specific key corresponding to the tenant. The authorization token containing the encrypted tenants and the roles of the user is transmitted to the client device to allow the client device to determine whether the user is allowed to access a requested resource based on the authorization token.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: June 5, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Michal J. Drozd, Aliaksandr Shtop, Ilia Fischer, Vitaly Morozov, Michael G. Roche
  • Patent number: 9774586
    Abstract: In response to a request received from a client device to authorize a user for accessing a resource associated with a tenant, user roles of the user within the tenant are determined. For each of the user roles, user privileges the user is entitled within a capacity of the user role are determined based on static access control settings associated with the user. A tenant authorization profile associated with the tenant is accessed to determine tenant roles and tenant privileges for each tenant role. For each of the user roles that matches at least one of the tenant roles, at least one user privilege is modified based on corresponding tenant privileges of the matched tenant role. A token is generated based on the user roles and the modified user privileges and transmitted to the client device to determine whether the user is allowed to access the resource of the tenant.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: September 26, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Michael G. Roche, Michal J. Drozd
  • Patent number: 9442808
    Abstract: A ticket request is transmitted from an execution engine to an authentication engine. In response, a ticket comprising privileges is received from the authentication engine. The ticket is transmitted to a client, and a service request including the ticket is received back from the client. A service is executed in response to the ticket received from the client and results are transmitted to the client.
    Type: Grant
    Filed: December 30, 2014
    Date of Patent: September 13, 2016
    Assignee: EMC CORPORATION
    Inventors: Michal J. Drozd, Michael G. Roche, Aliaksandr Shtop
  • Patent number: 9432379
    Abstract: In one example, a method for managing user access includes creating a set of user characteristics for authorization of a user. The user characteristics are compared to application roles included in respective application authorization profiles, each of which corresponds to a different respective application. Matches are identified between the user characteristics and multiple application roles, and matching application roles and associated respective privilege masks are extracted from the application authorization profiles. The extracted information is used to create multiple tokens, each of which corresponds to a respective application. The tokens are returned to the applications and enable access control to be performed by the respective applications to which the tokens are returned.
    Type: Grant
    Filed: October 9, 2014
    Date of Patent: August 30, 2016
    Assignee: EMC CORPORATION
    Inventors: Michael G. Roche, Michal J. Drozd
  • Patent number: 8924355
    Abstract: A method for restarting backup including receiving an indication of an interruption to a backup process, saving data backed up prior to the interruption as a partial save set, and upon restart of the backup process, saving subsequently backed data in one or more subsequent partial save sets linked to a first partial save set.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: December 30, 2014
    Assignee: EMC Corporation
    Inventors: Olga Kundzich, Tomasz Majkowski, Michael G. Roche
  • Patent number: 8832640
    Abstract: A method for evaluating a project is disclosed. Information is extracted programmatically from the output generated by two or more project development tools. The extracted information is normalized programmatically based at least in part on a standardized set of metrics. Two or more maps are generated based at least in part on the normalized extracted information, wherein each of the maps includes at least part of the normalized information extracted from a project development tool that generated the output on which the normalized extracted information is based, and wherein the normalized extracted information is associated with a project component with which the corresponding output is associated.
    Type: Grant
    Filed: March 28, 2012
    Date of Patent: September 9, 2014
    Assignee: EMC Corporation
    Inventor: Michael G. Roche