Patents by Inventor Maohua Lu

Maohua Lu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250097233
    Abstract: The technology disclosed herein enables generation of effective permissions between principals and resources from access policies. In a particular embodiment, a method includes, in an effective permissions service, retrieving one or more access policies that define access permissions between a principal and a resource of the plurality of resources. The method also includes determining an effective permission defining the access of the principal to the resource based on the access policies and defining the effective permission in a canonical format. The method further includes storing the effective permission for reference when the principal attempts to access the resource.
    Type: Application
    Filed: November 26, 2024
    Publication date: March 20, 2025
    Inventors: Tarun Thakur, Maohua Lu
  • Patent number: 12242626
    Abstract: The technology disclosed herein enables pushing of access-privilege information from data environments to a graphing service. In a particular embodiment, a method includes registering a data environment to enable the data environment to use Application Programming Interface (API) calls and receiving an API call transmitted from the data environment. The API call provides information about access permissions for the data environment. The method further includes incorporating the information into a privilege graph representing data access authorizations.
    Type: Grant
    Filed: May 4, 2022
    Date of Patent: March 4, 2025
    Assignee: Veza Technologies, Inc.
    Inventors: Tarun Thakur, Maohua Lu
  • Patent number: 12216944
    Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for sub-cluster recovery in a data storage environment having a plurality of storage nodes. In a particular embodiment, the method provides scanning data items in the plurality of nodes. While scanning, the method further provides indexing the data items into an index of a plurality of partition groups. Each partition group includes data items owned by a particular one of the plurality of storage nodes. The method then provides storing the index.
    Type: Grant
    Filed: October 6, 2023
    Date of Patent: February 4, 2025
    Assignee: Rubrik, Inc.
    Inventors: Rohit Shekhar, Hyo Jun Kim, Prasenjit Sarkar, Maohua Lu, Ajaykrishna Raghavan, Pin Zhou
  • Patent number: 12170675
    Abstract: The technology disclosed herein enables generation of effective permissions between principals and resources from access policies. In a particular embodiment, a method includes, in an effective permissions service, retrieving one or more access policies that define access permissions between a principal and a resource of the plurality of resources. The method also includes determining an effective permission defining the access of the principal to the resource based on the access policies and defining the effective permission in a canonical format. The method further includes storing the effective permission for reference when the principal attempts to access the resource.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: December 17, 2024
    Assignee: Veza Technologies, Inc.
    Inventors: Tarun Thakur, Maohua Lu
  • Publication number: 20240411905
    Abstract: The technology disclosed herein enables removal of unused access privileges for data environments based on usage. In a particular example, a method provides accessing audit logs for a plurality of data environments. The audit logs indicate which permissions were used for the plurality of data environments and corresponding times in which the permissions were used. The method also provides aggregating the permissions into timeframes based on the corresponding times and tracking, in a database, a number of times each of the permissions was used in each of the timeframes. In response to a one of the permissions satisfying a usage threshold, the method provides removing the one of the permissions.
    Type: Application
    Filed: June 6, 2024
    Publication date: December 12, 2024
    Inventors: Maohua Lu, Tarun Thakur, Robert Whitcher
  • Publication number: 20240406177
    Abstract: The technology disclosed herein enables automated approval and denial of access decisions responsive to access requests to data environments. In a particular example, a method provides obtaining access decisions responsive to access requests to a plurality of data environments. The method provides determining, based on baseline rules, a subset of the access decisions that should be rejected. The method further provides receiving user input indicating additional ones of the access decisions for inclusion in the subset and determining a new access-review rule based on the user input.
    Type: Application
    Filed: June 3, 2024
    Publication date: December 5, 2024
    Inventors: Maohua Lu, Tarun Thakur, Robert Whitcher
  • Publication number: 20240406214
    Abstract: The technology disclosed herein enables control of permissions to access resources of data environments based on business requirements. In a particular example, a method provides determining a high-level requirement for access to data environments and defining an access policy that maps to the high-level requirement. The method further provides generating one or more rules to implement the access policy and enforcing the rules on access requests to the data environments to satisfy the high-level requirement.
    Type: Application
    Filed: May 31, 2024
    Publication date: December 5, 2024
    Inventors: Maohua Lu, Tarun Thakur, Robert Whitcher
  • Publication number: 20240095279
    Abstract: The technology disclosed herein accelerates traversal of a privilege graph indicating access permissions to resources of data environments. In a particular example, a method provides identifying a first node type of a start node of a plurality of nodes in a privilege graph and a second node type of an end node of the plurality of nodes. The privilege graph indicates access privileges for a plurality of users to features of a plurality of data environments. The method also provides identifying one or more possible paths between the first node type and the second node type based on a schema of the privilege graph and traversing the plurality of nodes from the start node to the end node while ignoring paths that are not included in the one or more possible paths.
    Type: Application
    Filed: September 18, 2023
    Publication date: March 21, 2024
    Inventors: Tarun Thakur, Maohua Lu, Robert Whitcher
  • Publication number: 20240036773
    Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for sub-cluster recovery in a data storage environment having a plurality of storage nodes. In a particular embodiment, the method provides scanning data items in the plurality of nodes. While scanning, the method further provides indexing the data items into an index of a plurality of partition groups. Each partition group includes data items owned by a particular one of the plurality of storage nodes. The method then provides storing the index.
    Type: Application
    Filed: October 6, 2023
    Publication date: February 1, 2024
    Inventors: Rohit Shekhar, Hyo Jun Kim, Prasenjit Sarkar, Maohua Lu, Ajaykrishna Raghavan, Pin Zhou
  • Publication number: 20240020407
    Abstract: The technology disclosed herein reduces nodes and edges within a privilege graph that indicates access privileges for users to features of data environments. In a particular example, a method provides identifying two attribute nodes of a plurality of nodes in a privilege graph and determining that the two attribute nodes share the same one or more outbound edges. The method further provides combining the two attribute nodes into a combined node. The combined node represents attributes represented by the two attribute nodes. The method also provides tracing the privilege graph from a user through the combined node when determining which of the access privileges correspond to the user.
    Type: Application
    Filed: July 12, 2023
    Publication date: January 18, 2024
    Inventors: Maohua Lu, Tarun Thakur
  • Patent number: 11822827
    Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for sub-cluster recovery in a data storage environment having a plurality of storage nodes. In a particular embodiment, the method provides scanning data items in the plurality of nodes. While scanning, the method further provides indexing the data items into an index of a plurality of partition groups. Each partition group includes data items owned by a particular one of the plurality of storage nodes. The method then provides storing the index.
    Type: Grant
    Filed: March 14, 2022
    Date of Patent: November 21, 2023
    Assignee: Rubrik, Inc.
    Inventors: Rohit Shekhar, Hyo Jun Kim, Prasenjit Sarkar, Maohua Lu, Ajaykrishna Raghavan, Pin Zhou
  • Publication number: 20220358233
    Abstract: The technology disclosed herein enables pushing of access-privilege information from data environments to a graphing service. In a particular embodiment, a method includes registering a data environment to enable the data environment to use Application Programming Interface (API) calls and receiving an API call transmitted from the data environment. The API call provides information about access permissions for the data environment. The method further includes incorporating the information into a privilege graph representing data access authorizations.
    Type: Application
    Filed: May 4, 2022
    Publication date: November 10, 2022
    Inventors: Tarun Thakur, Maohua Lu
  • Publication number: 20220358228
    Abstract: The technology disclosed herein enables enforcement of high-level rules defined by a user across multiple data environments. In a particular embodiment, a method includes receiving a high-level rule from a user for enforcement across a plurality of data environments and interpreting the high-level rule into a computer-readable rule. The method further includes translating the computer-readable rule into an instruction compatible with a data environment of the plurality of data environments. The method also includes providing the instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the instruction.
    Type: Application
    Filed: May 4, 2022
    Publication date: November 10, 2022
    Inventors: Tarun Thakur, Maohua Lu
  • Publication number: 20220286466
    Abstract: The technology disclosed herein enables generation of effective permissions between principals and resources from access policies. In a particular embodiment, a method includes, in an effective permissions service, retrieving one or more access policies that define access permissions between a principal and a resource of the plurality of resources. The method also includes determining an effective permission defining the access of the principal to the resource based on the access policies and defining the effective permission in a canonical format. The method further includes storing the effective permission for reference when the principal attempts to access the resource.
    Type: Application
    Filed: March 8, 2022
    Publication date: September 8, 2022
    Inventors: Tarun Thakur, Maohua Lu
  • Publication number: 20220197512
    Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for sub-cluster recovery in a data storage environment having a plurality of storage nodes. In a particular embodiment, the method provides scanning data items in the plurality of nodes. While scanning, the method further provides indexing the data items into an index of a plurality of partition groups. Each partition group includes data items owned by a particular one of the plurality of storage nodes. The method then provides storing the index.
    Type: Application
    Filed: March 14, 2022
    Publication date: June 23, 2022
    Inventors: Rohit Shekhar, Hyo Jun Kim, Prasenjit Sarkar, Maohua Lu, Ajaykrishna Raghavan, Pin Zhou
  • Patent number: 11340838
    Abstract: The method disclosed is for instantiating a second cluster based on a first cluster. For at least one node of a second plurality of nodes, generating per node data based on mappings between a plurality of partition groups and a first plurality of nodes, the first plurality of nodes corresponding to the first cluster. The method further discloses identifying data items included in the plurality of partition groups based on the mappings between the plurality of partition groups and the first plurality of nodes. The method further discloses each partition group corresponding to a node of the first plurality of nodes and comprising a subset of data items stored in the node. The method further discloses loading the data items included in the plurality of partition groups onto the second plurality of nodes, the second plurality of nodes corresponding to the second cluster.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: May 24, 2022
    Assignee: Rubrik, Inc.
    Inventors: Rohit Shekhar, Hyo Jun Kim, Prasenjit Sarkar, Maohua Lu, Ajaykrishna Raghavan, Pin Zhou
  • Patent number: 11340839
    Abstract: The method disclosed includes scanning data items stored in the first plurality of nodes of a first cluster. While scanning, creating a partition group index indexing the data items into a plurality of partition groups. Each partition group corresponds to a node of the first plurality of nodes and comprises a subset of data items stored in the node. Storing the index. Instantiating a second cluster, comprising generating per node data, for each node of a second plurality of nodes, based on mappings between the partition groups and the first plurality of nodes. Identifying the data items included in the partition groups according to the partition group index and loading the data items included in the partition groups onto the second plurality of nodes.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: May 24, 2022
    Assignee: Rubrik, Inc.
    Inventors: Rohit Shekhar, Hyo Jun Kim, Prasenjit Sarkar, Maohua Lu, Ajaykrishna Raghavan, Pin Zhou
  • Patent number: 11294603
    Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for sub-cluster recovery in a data storage environment having a plurality of storage nodes. In a particular embodiment, the method provides scanning data items in the plurality of nodes. While scanning, the method further provides indexing the data items into an index of a plurality of partition groups. Each partition group includes data items owned by a particular one of the plurality of storage nodes. The method then provides storing the index.
    Type: Grant
    Filed: October 22, 2020
    Date of Patent: April 5, 2022
    Assignee: Rubrik, Inc.
    Inventors: Rohit Shekhar, Hyo Jun Kim, Prasenjit Sarkar, Maohua Lu, Ajaykrishna Raghavan, Pin Zhou
  • Publication number: 20220067186
    Abstract: The technology disclosed herein enables representation of data access authorizations using a privilege graph. In a particular embodiment, a method includes identifying first attributes of a first user. The method further includes traversing nodes of a privilege graph using the first attributes to determine subsequent nodes until one or more nodes representing a first subset of environments of a plurality of data environments is reached. The method also includes authorizing the first user to access the first subset.
    Type: Application
    Filed: September 2, 2021
    Publication date: March 3, 2022
    Inventors: Tarun Thakur, Maohua Lu
  • Publication number: 20220067194
    Abstract: The technology disclosed herein enables generation of a privilege graph to represent data access authorizations. In a particular embodiment, a method includes extracting identity information for a plurality of users from a plurality of identity environments and privilege information from a plurality of data environments. The method further includes forming subgraphs for the identity environments and the data environments from the identity information and the privilege information. The method also includes translating the subgraphs into a canonical schema and, after translating the subgraphs, combining the subgraphs into the privilege graph.
    Type: Application
    Filed: September 2, 2021
    Publication date: March 3, 2022
    Inventors: Tarun Thakur, Maohua Lu