Abstract: Some embodiments improve the security of service principals, service accounts, and other application identity accounts by detecting compromise of account credentials. Application identity accounts provide computational services with access to resources, as opposed to human identity accounts which operate on behalf of a particular person. Authentication attempt access data is submitted to a machine learning model which is trained specifically to detect application identity account anomalies. Heuristic rules are applied to the anomaly detection result to reduce false positives, yielding a compromise assessment suitable for access control mechanism usage. Embodiments reflect differences between application identity accounts and human identity accounts, in order to avoid inadvertent service interruptions, improve compromise detection for application identity accounts, and facilitate compromise containment and recovery efforts by focusing on credentials individually.

Abstract: Usage-limited passcodes support authentication when onboarding new employees, when recovering access after an enrolled device is lost or temporarily unavailable, or when registering passwordless authentication methods for new devices during an out of the box setup, among other scenarios. Usage-limited passcodes are also referred to as “temporary access passes” or TAPs. TAP usage may be limited to a specific number of uses, particular kinds of uses, certain time periods, or a combination thereof. A TAP includes a code string and an implementation of corresponding tokens, rights, and other identity aspects within an enhanced access control infrastructure. TAP usage may supplement or replace other authentication, and in particular may replace authentication through a username and password combination, thereby enhancing both usability and security. Self-service identity confirmation may be used to obtain a TAP. Redirection to a federated domain identity provider may be avoided during TAP authentication.

Abstract: Methods, systems, and apparatuses in a computing device enable user access to a resource. The method includes receiving, from a user, a request for access to a resource; accessing an authentication flow for granting access to the resource; obtaining first claims for a user from a first claims provider in the authentication flow; determining a second claims provider in the authentication flow, the second claims provider having a trust relationship with the claims facilitator; directing the user to the second claims provider; receiving second claims for the user from the second claims provider; and enabling the user to access the resource in response to at least the received first and second claims.

Abstract: Methods, systems, and apparatuses in a computing device enable user access to a resource. The method includes receiving, from a user, a request for access to a resource; accessing an authentication flow for granting access to the resource; obtaining first claims for a user from a first claims provider in the authentication flow; determining a second claims provider in the authentication flow, the second claims provider having a trust relationship with the claims facilitator; directing the user to the second claims provider; receiving second claims for the user from the second claims provider; and enabling the user to access the resource in response to at least the received first and second claims.

Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Abstract: Defining a unified access management policy expression that unifies access control policy with events or workflows. Unified management policy information is stored. The unified management policy information defines permissions for access to resources together with events or workflows. A request is received to execute the one or more operations on one or more objects. The requested operation is verified against the unified management rules. Verifying includes performing a single retrieval, retrieving both the access control information and the events or workflows and calculating the applicability of the rule to the conditions represented by the request. Matching rules are applied, access control decisions performed and associated workflows are executed.

Abstract: The embodiments described herein generally relate to a method and system of injecting repeatable processes, or workflows, into the processing of data-oriented or procedural requests in an entity management system. A request in such a system is subject to authentication, authorization, and action phases of processing, and workflows may be associated with each phase for automatic processing upon the triggering of a certain request under particular circumstances. A declarative mapping associates workflows with the request type, phase, requester, and target. The mapping may be created at the system administrator level, or by any person with the necessary capabilities, through the application of the processing concept in API or UI and may be consulted and invoked upon receipt of a request matching the mapping's criteria. Mappings may also be created and retrieved to manage state changes resulting from processing in other phases of the request processing model.

Abstract: Enforcing access control based on resource state. A method includes receiving a request for an operation on one or more objects stored on computer readable media. One or more pre-operation states of the one or more objects are determined. One or more post-operation states of the one or more objects are determined. One or more access control rules are referenced. The access control rules control access to resources based on pre-operation state and post operation state. It can then be determined that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states. Based on determining that the one or more access control rules allow the operation to succeed, the operation is allowed to succeed.

Abstract: Several embodiments disclosed herein are directed to methods, computer program products, and systems configured to track operation dependencies. For example, in one embodiment, at a first entity, a first identifier corresponding to a first operation is accessed. For a second operation occurring as a result of the first operation, a second identifier is generated. A directed event including the first and second identifiers is emitted. The directed event is logged. The second identifier is sent to a second entity. An operation call for the second operation is also sent to the second entity. The second identifier is made available at the second entity for use in creating directed events for subsequent operations occurring as a result of the second operation.

Abstract: A web service includes a protected resource. A requester requests access to the protected resource by sending a request to the web service. The web service prevents access to the web service until the request has been authorized by an authorizer. After the request has been authorized by the authorizer, the web service allows the requester to access the protected resource.

Abstract: Resources are partitioned via a virtual partitioning system to distribute the resources over a plurality of resource servers. A virtual partition table can be kept at each of a set of resource managers handling requests for resources in tandem. When a resource is requested, a virtual partition value is calculated algorithmically, and the value is mapped to a resource component via the virtual partition table. The resource component encapsulates information indicating on which of the resource servers the resource resides and can provide a component for performing operations on the resource even though the requester does not have information about where the resource resides. The resources can be repartitioned by modifying the virtual partition table, thus allowing the addition of additional resource servers to the system while the resources remain available. Additional resource types can be added without reengineering the system.

Abstract: The intuitive display of trace historical data in a manner that processing control transfer between processing entities is represented in the context of trace data from multiple processing entities. For each processing entity, a set of one or more trace entries are identified for that processing entity and displayed in a manner that the trace entries for the processing entity are shown associated with the processing entity. The transfer of control between processing entities is also shown in a manner that illustrates a transfer of processing control.