Abstract: According to examples, an apparatus may include a processor that may receive a request from a first device for an authentication token for access to a service, determine whether the first device is authorized to receive the authentication token for access to the service, and based on a determination that the first device is authorized to receive the authentication token for access to the service, generate a machine-readable code including the authentication token that a second device is to use for access to the service by the second device. The processor may also send the generated machine-readable code to the first device. The first device may display the machine-readable code and the second device may use a captured image of the machine-readable code to establish an authenticated session to the service on the second device.

Abstract: Selective validation of subgroups of users against group rule parameters is performed to validate group rule parameters for a dynamic group rule. An administrator defines the group rule parameters and selects individual user accounts which are either expected to be included within and/or excluded from a full membership list for the dynamic group rule. For example, the administrator may select first user accounts that are expected to be included within the full membership list and/or second user accounts that are expected to be excluded from the full membership list. Then, a subgroup validation report is generated to inform the administrator whether or not individual user accounts from the subgroup of user accounts satisfy the group rule parameters and, therefore, will be included within the full membership list of the dynamic group rule. The subgroup validation report reveals the efficacy of the group rule parameters.

Abstract: According to examples, an apparatus may include a processor that may receive a request from a first device for an authentication token for access to a service, determine whether the first device is authorized to receive the authentication token for access to the service, and based on a determination that the first device is authorized to receive the authentication token for access to the service, generate a machine-readable code including the authentication token that a second device is to use for access to the service by the second device. The processor may also send the generated machine-readable code to the first device. The first device may display the machine-readable code and the second device may use a captured image of the machine-readable code to establish an authenticated session to the service on the second device.