Abstract: Embodiments operate a multi-tenant cloud system. At a first data center, embodiments authenticate a first client corresponding to a first tenant ID and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client and replicate the resources. The first data center receives an Application Programming Interface (“API”) request for the first client corresponding to a change to the resources, and generates a change log and corresponding change event message in response to the API request. Embodiments compute a first hash corresponding to the first tenant ID of the change log to determine a first partition of a first queue at the first data center. The first data center pushes the change event message to the second data center via an API call.

Abstract: Embodiments operate a multi-tenant cloud system. At a first data center, embodiments authenticate a first client and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client. Embodiments divide the resources into base data and regular data, where the base data is a minimum data needed to allow the resources to be available to the first client at the second data center. Embodiments store the base data on a cloud storage in a base data export file and store the regular data on the cloud storage in a regular data export file. Embodiments export the base data export file to the second data center and when the exporting the base data export file has completed, exports the regular data export file to the second data center.

Abstract: Embodiments perform write operations in a multi-tenant cloud system that includes a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. Embodiments receive a request from a first client to perform a first write for a resource at the second data center. Embodiments generate a call to the first data center including a second write for the resource at the first data center. Embodiments retrieve data corresponding to the first write and send the retrieved data to the first data center. Embodiments write on the data based on the first write, the writing on the data including changing the data to generate changed data.

Abstract: Embodiments operate a multi-tenant cloud system. At a first data center, embodiments authenticate a first client corresponding to a first tenant ID and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client and replicate the resources. The first data center receives an Application Programming Interface (“API”) request for the first client corresponding to a change to the resources, and generates a change log and corresponding change event message in response to the API request. Embodiments compute a first hash corresponding to the first tenant ID of the change log to determine a first partition of a first queue at the first data center. The first data center pushes the change event message to the second data center via an API call.

Abstract: Embodiments include a multi-tenant cloud system with a first data center and a second remote data center. The first data center authenticates a first client and stores resources that correspond to the first client, and is in communication with the second data center. The second data center authenticates the first client and replicates the resources. The first data center receives a write request for the first client, writes the write request and generates change event messages in a first order. The first data center pushes the change event messages to the second data center via REST API calls. In response to receiving the change event messages, the second data center is configured to write the change event messages in the first order to its local database.

Abstract: Embodiments operate a multi-tenant cloud system with a first data center. At the first data center, embodiments authenticate a first client and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client and replicate the resources. In response to upgrading global resources at the first data center to a new version, embodiments generate a manifest file including a listing of global resource types and schemas that are modified or added in response to the upgrading. Embodiments further upgrade global resources based on the manifest file and write the upgraded global resources to a first global database and generate change event messages corresponding to the upgraded global resources.

Abstract: Embodiments replicate resources in a multi-tenant cloud system. Embodiments receive a master resource, associated with a master account of the cloud system to be replicated, where the master resource includes a master JavaScript Object Notation (“JSON”) object and includes a plurality of master attributes. Embodiments generate a master resource metadata JSON by calculating hash values for each of the master attributes to generate master attribute level hashes and by calculating an aggregate of all of the hash values to generate a master resource level hash. Embodiments store each master attribute of the master JSON object in a separate column of a master database table associated with the master account and store the master resource metadata JSON is in a separate hash column of the master database table. Embodiments replicate the master JSON object to create a replicated JSON object including a plurality of replicated attributes.

Abstract: Embodiments operate a multi-tenant cloud system. At a first data center, embodiments authenticate a first client and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client. Embodiments divide the resources into base data and regular data, where the base data is a minimum data needed to allow the resources to be available to the first client at the second data center. Embodiments store the base data on a cloud storage in a base data export file and store the regular data on the cloud storage in a regular data export file. Embodiments export the base data export file to the second data center and when the exporting the base data export file has completed, exports the regular data export file to the second data center.

Abstract: Embodiments operate a multi-tenant cloud system with a first data center. At the first data center, embodiments authenticate a first client and store resources that correspond to the first client, the first data center in communication with a second data center that is configured to authenticate the first client and replicate the resources. In response to upgrading global resources at the first data center to a new version, embodiments generate a manifest file including a listing of global resource types and schemas that are modified or added in response to the upgrading. Embodiments further upgrade global resources based on the manifest file and write the upgraded global resources to a first global database and generate change event messages corresponding to the upgraded global resources.

Abstract: A privileged account manager is provided for monitoring privileged sessions on target systems of an enterprise. In an embodiment, the privileged account manager is configured to capture metadata related to a privileged session and generate a first activity pattern for the privileged session based on the captured metadata. The first activity pattern may include a sequence of one or more activities performed by a first user during the privileged session. The privileged account manager may be configured to identify a second activity pattern that comprises at least a subset of the one or more activities performed by the first user during the privileged session and determine an appropriate action to be performed for the first activity pattern based on the identification of the second activity pattern. In some embodiments, the privileged account manager may be configured to transmit the action to a second user on a client device.

Abstract: A privileged account management system is provided that controls the management and access of resources within the organization. Resources may include target systems and accounts of the organization. In an embodiment, the privileged account management system is configured to enable the creation of one or more resource groups. A resource group includes a subset of a plurality of resources provided by the organization. In certain embodiments, the privileged account management system is configured to define one or more groups of administrative entities within the organization and assign to each administrative entity in a group of administrative entities, a set of privileges on a resource group. In certain embodiments, the privileged account manager system may be configured to enable an administrative entity from a group of administrative entities to delegate a subset of privileges associated with a resource group to a user entity not in the group of administrative entities.

Abstract: Embodiments perform write operations in a multi-tenant cloud system that includes a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. Embodiments receive a request from a first client to perform a first write for a resource at the second data center. Embodiments generate a call to the first data center including a second write for the resource at the first data center. Embodiments retrieve data corresponding to the first write and send the retrieved data to the first data center. Embodiments write on the data based on the first write, the writing on the data including changing the data to generate changed data.

Abstract: Embodiments include a multi-tenant cloud system with a first data center and a second remote data center. The first data center authenticates a first client and stores resources that correspond to the first client, and is in communication with the second data center. The second data center authenticates the first client and replicates the resources. The first data center receives a write request for the first client, writes the write request and generates change event messages in a first order. The first data center pushes the change event messages to the second data center via REST API calls. In response to receiving the change event messages, the second data center is configured to write the change event messages in the first order to its local database.

Abstract: Embodiments replicate resources in a multi-tenant cloud system. Embodiments receive a master resource, associated with a master account of the cloud system to be replicated, where the master resource includes a master JavaScript Object Notation (“JSON”) object and includes a plurality of master attributes. Embodiments generate a master resource metadata JSON by calculating hash values for each of the master attributes to generate master attribute level hashes and by calculating an aggregate of all of the hash values to generate a master resource level hash. Embodiments store each master attribute of the master JSON object in a separate column of a master database table associated with the master account and store the master resource metadata JSON is in a separate hash column of the master database table. Embodiments replicate the master JSON object to create a replicated JSON object including a plurality of replicated attributes.

Abstract: Techniques for managing network-connected objects are provided. In some examples, code for accessing a network-connected object may be received. The code may be configured to enable generation of an application programming interface method. In some aspects, account information associated with a user may be stored. A particular method call corresponding to the application programming interface method may be received from a computer device of the user. The particular method call may include a request to access the network-connected object. In some examples, the request to access the network-connected object may be authenticated based at least in part on the account information. Additionally, in some examples, an instruction to the network-connected object may be provided over a network if the request is authenticated.

Abstract: Techniques for managing accounts are provided. An access management system may check out credentials for accessing target systems. For example a user may receive a password for a period of time or until checked back in. Access to the target system may be logged during this time. Upon the password being checked in, a security account may modify the password so that the user may not log back in without checking out a new password. Additionally, in some examples, password policies for the security account may be managed. As such, when a password policy changes, the security account password may be dynamically updated. Additionally, in some examples, hierarchical viewing perspectives may be determined and/or selected for visualizing one or more managed accounts. Further, accounts may be organized into groups based on roles, and grants for the accounts may be dynamically updated as changes occur or new accounts are managed.

Abstract: Techniques for managing accounts are provided. An access management system may check out credentials for accessing target systems. For example a user may receive a password for a period of time or until checked back in. Access to the target system may be logged during this time. Upon the password being checked in, a security account may modify the password so that the user may not log back in without checking out a new password. Additionally, in some examples, password policies for the security account may be managed. As such, when a password policy changes, the security account password may be dynamically updated. Additionally, in some examples, hierarchical viewing perspectives may be determined and/or selected for visualizing one or more managed accounts. Further, accounts may be organized into groups based on roles, and grants for the accounts may be dynamically updated as changes occur or new accounts are managed.

Abstract: Techniques for managing accounts are provided. An access management system may check out credentials for accessing target systems. For example a user may receive a password for a period of time or until checked back in. Access to the target system may be logged during this time. Upon the password being checked in, a security account may modify the password so that the user may not log back in without checking out a new password. Additionally, in some examples, password policies for the security account may be managed. As such, when a password policy changes, the security account password may be dynamically updated. Additionally, in some examples, hierarchical viewing perspectives may be determined and/or selected for visualizing one or more managed accounts. Further, accounts may be organized into groups based on roles, and grants for the accounts may be dynamically updated as changes occur or new accounts are managed.

Abstract: A privileged account management system is provided that controls the management and access of resources within the organization. Resources may include target systems and accounts of the organization. In an embodiment, the privileged account management system is configured to enable the creation of one or more resource groups. A resource group includes a subset of a plurality of resources provided by the organization. In certain embodiments, the privileged account management system is configured to define one or more groups of administrative entities within the organization and assign to each administrative entity in a group of administrative entities, a set of privileges on a resource group. In certain embodiments, the privileged account manager system may be configured to enable an administrative entity from a group of administrative entities to delegate a subset of privileges associated with a resource group to a user entity not in the group of administrative entities.

Abstract: A privileged account manager is provided for monitoring privileged sessions on target systems of an enterprise. In an embodiment, the privileged account manager is configured to capture metadata related to a privileged session and generate a first activity pattern for the privileged session based on the captured metadata. The first activity pattern may include a sequence of one or more activities performed by a first user during the privileged session. The privileged account manager may be configured to identify a second activity pattern that comprises at least a subset of the one or more activities performed by the first user during the privileged session and determine an appropriate action to be performed for the first activity pattern based on the identification of the second activity pattern. In some embodiments, the privileged account manager may be configured to transmit the action to a second user on a client device.