Abstract: Aspects of the present disclosure provide techniques for rule-based document security. Embodiments include receiving, from a computing device: an amended document; an encrypted sensitive component; and information relating to reconstructing a document based on the amended document and the encrypted sensitive component. Embodiments include decrypting the encrypted sensitive component to produce a decrypted sensitive component. Embodiments include determining, based on the information relating to reconstructing the document, a document location that corresponds to the decrypted sensitive component. Embodiments include reconstructing the document by inserting the decrypted sensitive component into the amended document at the document location.

Abstract: Embodiments are directed to managing cryptographic keys in a multi-tenant cloud based system. Embodiments receive from a client a request for a wrapped data encryption key (“DEK”). Embodiments generate a random key and fetch encryption context that corresponds to the client. Embodiments generate the wrapped DEK including the random key and the encryption context encoded in the wrapped DEK. Embodiments then return the wrapped DEK to the client.

Abstract: A system for authorizing access to a resource associated with a tenancy in an identity management system that includes a plurality of tenancies receives an access token request for an access token that corresponds to the resource, the request including user information and application information, the user information including roles of a user and the application information including roles of the application. The system evaluates the access token request by computing dynamic roles and corresponding dynamic scopes for the access token including a second intersection between the dynamic roles of the user and the dynamic roles of the application. The system then provides the access token that includes the computed static scopes, where the scopes are based at least on the roles of the user and the roles of the application, and further including the computed dynamic roles and corresponding dynamic scopes.

Abstract: Embodiments are directed to managing cryptographic keys in a multi-tenant cloud based system. Embodiments receive from a client a request for a wrapped data encryption key (“DEK”). Embodiments generate a random key and fetch encryption context that corresponds to the client. Embodiments generate the wrapped DEK including the random key and the encryption context encoded in the wrapped DEK. Embodiments then return the wrapped DEK to the client.

Abstract: A system for authorizing access to a resource receives a request for an access token that corresponds to the resource, where the request includes user information and application information. The user information includes a role of the user and the application information includes a role of the application. The system evaluates the request by computing scopes for the access token, including determining an intersection between the user information and the application information. The system then provides the access token that includes the computed scopes, the scopes being based at least on the role of the user and the role of the application.

Abstract: A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

Abstract: Application customization enables many different types of customers, from small companies to large multinational enterprises, to use various applications provided by a cloud service provider. To accommodate these customizations, previous systems generally require manual human intervention to identify custom, customized, and cloud service provider authorization policies (also referred to herein as “seed” authorization policies) and to decide how each type of authorization policy should be upgraded. When applications are customized, artifacts that represent those customizations can be created. In some embodiments, the customizations can include new resources or entitlements, and grants to new roles. In addition to new resources, entitlements, and grants, existing resources, entitlements, and grants can be modified and artifacts corresponding to those modifications can be generated.

Abstract: A system for authorizing access to a resource receives a request for an access token that corresponds to the resource, where the request includes user information and application information. The user information includes a role of the user and the application information includes a role of the application. The system evaluates the request by computing scopes for the access token, including determining an intersection between the user information and the application information. The system then provides the access token that includes the computed scopes, the scopes being based at least on the role of the user and the role of the application.

Abstract: A system for authorizing access to a resource associated with a tenancy in an identity management system that includes a plurality of tenancies receives an access token request for an access token that corresponds to the resource, the request including user information and application information, the user information including roles of a user and the application information including roles of the application. The system evaluates the access token request by computing dynamic roles and corresponding dynamic scopes for the access token including a second intersection between the dynamic roles of the user and the dynamic roles of the application. The system then provides the access token that includes the computed static scopes, where the scopes are based at least on the roles of the user and the roles of the application, and further including the computed dynamic roles and corresponding dynamic scopes.

Abstract: A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

Abstract: Application customization enables many different types of customers, from small companies to large multinational enterprises, to use various applications provided by a cloud service provider. To accommodate these customizations, previous systems generally require manual human intervention to identify custom, customized, and cloud service provider authorization policies (also referred to herein as “seed” authorization policies) and to decide how each type of authorization policy should be upgraded. When applications are customized, artifacts that represent those customizations can be created. In some embodiments, the customizations can include new resources or entitlements, and grants to new roles. In addition to new resources, entitlements, and grants, existing resources, entitlements, and grants can be modified and artifacts corresponding to those modifications can be generated.

Abstract: A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

Abstract: A unified authorization system for an enterprise that includes heterogeneous access control environments is provided. Components in the enterprise utilizing either Java Platform Security (JPS) or Oracle Access Manager (OAM) can both use the unified authorization system to perform authorization. A common policy store can contain policies applicable to diverse components in a canonical form conducive to varieties of access control models. The data model used within the common policy store can support access control features found in both role-based policies and delegable access control administration. The common policy store can enable the querying and retrieval of authorization policies that are based on various access control models. A unified administrator interface permits administrators of applications following any kind of access control model to administer policies for resources.

Abstract: An authorization system that conforms to legacy access control models provides mechanisms whereby structures already existing within those legacy access control models can be used to pass additional information to and from that authorization system. Legacy applications can still interact with the authorization system without modification. Because the authorization system also provides mechanisms whereby the existing structures can be used to pass the additional information or return additional information, more advanced applications can make use of enhanced access control features of the authorization system. Such enhanced features can involve policy-based decisions that take into account the additional information in determining whether to permit resource access. Such enhanced features can involve the placement of policy-specified obligations within the existing structures to be returned back to the advanced applications.

Abstract: A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

Abstract: A unified authorization system for an enterprise that includes heterogeneous access control environments is provided. For example, components in the enterprise utilizing either JPS or OAM can both use the unified authorization system to perform authorization. A common policy store can contain policies applicable to diverse components in a canonical form conducive to varieties of access control models. The data model used within the common policy store can support access control features found in both JSP and OAM environments, such as both role-based policies and delegable access control administration. The common policy store can enable the querying and retrieval of authorization policies that are based on various access control models. A single unified administrator interface permits administrators of applications following any kind of access control model to administer policies for resources.

Abstract: An authorization system that conforms to legacy access control models provides mechanisms whereby structures already existing within those legacy access control models can be used to pass additional information to and from that authorization system. Because the authorization system conforms to the legacy model, legacy applications can still interact with the authorization system without modification. Because the authorization system also provides mechanisms whereby the existing structures can be used to pass the additional information or return additional information, more advanced applications can make use of enhanced access control features of the authorization system. Such enhanced features can involve policy-based decisions that take into account the additional information in determining whether to permit resource access. Such enhanced features can involve the placement of policy-specified obligations within the existing structures to be returned back to the advanced applications.