Abstract: Techniques are described for enabling resources within a cloud computing system to interact with each other. In certain embodiments, a base identifier assigned to a first resource is extended by mapping the base identifier onto a second identifier assigned to a logical resource that is built upon the first resource. This allows the first resource to have two identities, one identity indicating what the first resource is (e.g., a particular compute instance) and another identity indicating the purpose of the first resource (e.g., operating as a database for a particular tenancy). Consequently, the first resource may be provided with access privileges different from those associated with the base identifier. For example, the first resource may access another resource in the tenancy using the second identifier, but may have no access to the other resource using the base identifier.

Abstract: Techniques for making preliminary authorization determinations based on partial contextual information are disclosed. In one or more embodiments, an API receives an authorization request and partial contextual information associated with the authorization request. The API submits the partial contextual information to an authorization service, without submitting complete contextual information associated with the authorization request. The API receives, from the authorization service, a preliminary authorization response based on the partial contextual information. The preliminary authorization includes one of (a) denial of the authorization request and (b) non-denial of the authorization request.

Abstract: Techniques for generating syntax graphs corresponding to user-defined policy statement are disclosed. In one or more embodiments, a policy management service receives a user-defined policy statement that includes a requestor variable value, an action variable value, a resource variable value, and a location variable value. The user-defined policy statement describes an authorization policy. The policy authorization service converts the user-defined policy statement to a canonical policy statement, which involves: mapping the requestor variable value to a unique system-wide requestor identifier, and mapping the location variable value to a unique system-wide location identifier. The policy management service generates a syntax graph of the canonical policy statement. The syntax graph is traversable to determine whether the authorization policy is satisfied for a particular authorization request. The policy management service stores the syntax graph for use by an authorization service.

Abstract: Techniques for generating and using reader-friendly policy statements are disclosed. In one or more embodiments, a policy management service receives a request for an authorization policy in a language-localized syntax. The policy management service identifies a syntax graph corresponding to the authorization policy and traverses the syntax graph to obtain at least a requestor variable value associated with the authorization policy, an action variable value associated with the authorization policy, a resource variable value associated with the authorization policy, and a location variable value associated with the authorization policy. The policy authorization service generates a reader-friendly policy statement in the language-localized syntax using the requestor variable value, the action variable value, the resource variable value, and the location variable value. Responsive to the request, the policy authorization service provides the reader-friendly policy statement.

Abstract: Techniques for generating syntax graphs corresponding to user-defined policy statement are disclosed. In one or more embodiments, a policy management service receives a user-defined policy statement that includes a requestor variable value, an action variable value, a resource variable value, and a location variable value. The user-defined policy statement describes an authorization policy. The policy authorization service converts the user-defined policy statement to a canonical policy statement, which involves: mapping the requestor variable value to a unique system-wide requestor identifier, and mapping the location variable value to a unique system-wide location identifier. The policy management service generates a syntax graph of the canonical policy statement. The syntax graph is traversable to determine whether the authorization policy is satisfied for a particular authorization request. The policy management service stores the syntax graph for use by an authorization service.

Abstract: Techniques for making preliminary authorization determinations based on partial contextual information are disclosed. In one or more embodiments, an API receives an authorization request and partial contextual information associated with the authorization request. The API submits the partial contextual information to an authorization service, without submitting complete contextual information associated with the authorization request. The API receives, from the authorization service, a preliminary authorization response based on the partial contextual information. The preliminary authorization includes one of (a) denial of the authorization request and (b) non-denial of the authorization request.

Abstract: Techniques for making preliminary authorization determinations based on partial contextual information are disclosed. In one or more embodiments, an API receives an authorization request and partial contextual information associated with the authorization request. The API submits the partial contextual information to an authorization service, without submitting complete contextual information associated with the authorization request. The API receives, from the authorization service, a preliminary authorization response based on the partial contextual information. The preliminary authorization includes one of (a) denial of the authorization request and (b) non-denial of the authorization request.

Abstract: Techniques for generating and using reader-friendly policy statements are disclosed. In one or more embodiments, a policy management service receives a request for an authorization policy in a language-localized syntax. The policy management service identifies a syntax graph corresponding to the authorization policy and traverses the syntax graph to obtain at least a requestor variable value associated with the authorization policy, an action variable value associated with the authorization policy, a resource variable value associated with the authorization policy, and a location variable value associated with the authorization policy. The policy authorization service generates a reader-friendly policy statement in the language-localized syntax using the requestor variable value, the action variable value, the resource variable value, and the location variable value. Responsive to the request, the policy authorization service provides the reader-friendly policy statement.

Abstract: Techniques for evaluating authorization requests using cached policy data are disclosed. In one or more embodiments, a thick client receives an authorization request. The thick client evaluates the authorization request, based on partial contextual information associated with the authorization request and a local policy data cache, to generate a preliminary authorization response. The preliminary authorization response includes one of (a) denial of the authorization request and (b) non-denial of the authorization request. Responsive to the preliminary authorization response including non-denial of the authorization request, the thick client submits complete contextual information associated with the authorization request to an authorization service. The authorization service provides a final authorization result, which the thick client uses to grant or deny the authorization request.

Abstract: Techniques for generating syntax graphs corresponding to user-defined policy statement are disclosed. In one or more embodiments, a policy management service receives a user-defined policy statement that includes a requestor variable value, an action variable value, a resource variable value, and a location variable value. The user-defined policy statement describes an authorization policy. The policy authorization service converts the user-defined policy statement to a canonical policy statement, which involves: mapping the requestor variable value to a unique system-wide requestor identifier, and mapping the location variable value to a unique system-wide location identifier. The policy management service generates a syntax graph of the canonical policy statement. The syntax graph is traversable to determine whether the authorization policy is satisfied for a particular authorization request. The policy management service stores the syntax graph for use by an authorization service.

Abstract: Techniques for evaluating authorization requests using cached policy data are disclosed. In one or more embodiments, a thick client receives an authorization request. The thick client evaluates the authorization request, based on partial contextual information associated with the authorization request and a local policy data cache, to generate a preliminary authorization response. The preliminary authorization response includes one of (a) denial of the authorization request and (b) non-denial of the authorization request. Responsive to the preliminary authorization response including non-denial of the authorization request, the thick client submits complete contextual information associated with the authorization request to an authorization service. The authorization service provides a final authorization result, which the thick client uses to grant or deny the authorization request.

Abstract: Techniques for generating syntax graphs corresponding to user-defined policy statement are disclosed. In one or more embodiments, a policy management service receives a user-defined policy statement that includes a requestor variable value, an action variable value, a resource variable value, and a location variable value. The user-defined policy statement describes an authorization policy. The policy authorization service converts the user-defined policy statement to a canonical policy statement, which involves: mapping the requestor variable value to a unique system-wide requestor identifier, and mapping the location variable value to a unique system-wide location identifier. The policy management service generates a syntax graph of the canonical policy statement. The syntax graph is traversable to determine whether the authorization policy is satisfied for a particular authorization request. The policy management service stores the syntax graph for use by an authorization service.

Abstract: Techniques for making preliminary authorization determinations based on partial contextual information are disclosed. In one or more embodiments, an API receives an authorization request and partial contextual information associated with the authorization request. The API submits the partial contextual information to an authorization service, without submitting complete contextual information associated with the authorization request. The API receives, from the authorization service, a preliminary authorization response based on the partial contextual information. The preliminary authorization includes one of (a) denial of the authorization request and (b) non-denial of the authorization request.

Abstract: Techniques for generating and using reader-friendly policy statements are disclosed. In one or more embodiments, a policy management service receives a request for an authorization policy in a language-localized syntax. The policy management service identifies a syntax graph corresponding to the authorization policy and traverses the syntax graph to obtain at least a requestor variable value associated with the authorization policy, an action variable value associated with the authorization policy, a resource variable value associated with the authorization policy, and a location variable value associated with the authorization policy. The policy authorization service generates a reader-friendly policy statement in the language-localized syntax using the requestor variable value, the action variable value, the resource variable value, and the location variable value. Responsive to the request, the policy authorization service provides the reader-friendly policy statement.

Abstract: A method or kit for mounting or displaying a collectable flying disc. The kit includes a box clamp frame capable of capturing a segment of an edge lip and web of a disc under gentle pressure, where gentle pressure is sufficient to immobilize the disc in a generally upright position when the box clamp frame is seated on a horizontal surface, or in a generally pendent position when the box clamp frame is hung from a vertical surface. Discs may be displayed with other memorabilia such as photographs on a wall or positioned on a desk or table, for example.

Abstract: A method or kit for mounting or displaying a collectable flying disc. The kit includes a box clamp frame capable of capturing a segment of an edge lip and web of a disc under gentle pressure, where gentle pressure is sufficient to immobilize the disc in a generally upright position when the box clamp frame is seated on a horizontal surface, or in a generally pendent position when the box clamp frame is hung from a vertical surface. Discs may be displayed with other memorabilia such as photographs on a wall or positioned on a desk or table, for example.

Abstract: Systems and methods are disclosed that facilitate the evaluation of the operation of host computing devices by utilization of targeted scripts. Each host computing device includes a local targeted script management component that interfaces with a centralized or master targeted script management component. The local targeted script management component obtains targeted scripts, causes the execution of the targeted script and can terminate the targeted script. Additionally, the local targeted script management component can collect information associated with the execution of the targeted scripts and initiate the restoration of previous state in the event that the execution of the targeted script modifies or otherwise affects the host computing device.