Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for container based application reification. In a particular embodiment, an application reification system is provided including one or more computer readable storage media and a processing system operatively coupled with the one or more computer readable storage media. The application reification system further includes program instructions stored on the one or more computer readable storage media that, when read and executed by the processing system, direct the processing system to preserve a version of application data at a first time and a configuration of an application at the first time. At a second time subsequent to the first time, the program instructions direct the processing system to create a template for a container containing the application in the configuration and a pointer to the version of the application data in a secondary storage repository.

Abstract: The technology disclosed herein enables generation of effective permissions between principals and resources from access policies. In a particular embodiment, a method includes, in an effective permissions service, retrieving one or more access policies that define access permissions between a principal and a resource of the plurality of resources. The method also includes determining an effective permission defining the access of the principal to the resource based on the access policies and defining the effective permission in a canonical format. The method further includes storing the effective permission for reference when the principal attempts to access the resource.

Abstract: The technology disclosed herein enables pushing of access-privilege information from data environments to a graphing service. In a particular embodiment, a method includes registering a data environment to enable the data environment to use Application Programming Interface (API) calls and receiving an API call transmitted from the data environment. The API call provides information about access permissions for the data environment. The method further includes incorporating the information into a privilege graph representing data access authorizations.

Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for data lineage based multi-data store recovery. In a particular embodiment, a method provides identifying first data in a first table of a plurality of tables stored in a plurality of data stores and restoring the first data to a first correct version of the first data in a prior version of the first table. The method further provides identifying a second table of the plurality of tables that descends from the first table and includes second descendent data that stems from the first data. The method also provides restoring the second descendent data to a second correct version of the second descendent data in a prior version of the second table.

Abstract: The technology disclosed herein enables generation of effective permissions between principals and resources from access policies. In a particular embodiment, a method includes, in an effective permissions service, retrieving one or more access policies that define access permissions between a principal and a resource of the plurality of resources. The method also includes determining an effective permission defining the access of the principal to the resource based on the access policies and defining the effective permission in a canonical format. The method further includes storing the effective permission for reference when the principal attempts to access the resource.

Abstract: The technology disclosed herein enables removal of unused access privileges for data environments based on usage. In a particular example, a method provides accessing audit logs for a plurality of data environments. The audit logs indicate which permissions were used for the plurality of data environments during and corresponding times in which the permissions were used. The method also provides aggregating the permissions into timeframes based on the corresponding times and tracking, in a database, a number of times each of the permissions was used in each of the timeframes. In response a one of the permissions satisfying a usage threshold, the method provides removing the one of the permissions.

Abstract: The technology disclosed herein enables control of permissions to access resources of data environments based on business requirements. In a particular example, a method provides determining a high-level requirement for access to data environments and defining an access policy that maps to the high-level requirement. The method further provides generating one or more rules to implement the access policy and enforcing the rules on access requests to the data environments to satisfy the high-level requirement.

Abstract: The technology disclosed herein enables automated approval and denial of access decisions responsive to access requests to data environments. In a particular example, a method provides obtaining access decisions responsive to access requests to a plurality of data environments. The method provides determining, based on baseline rules, a subset of the access decisions that should be rejected. The method further provides receiving user input indicating additional ones of the access decisions for inclusion in the subset and determining a new access-review rule based on the user input.

Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for infinite versioning by automatic coalescing. In a particular embodiment, a method provides determining an age range for a plurality of data versions stored in a secondary data repository and identifying first data versions of the plurality of data versions that are within the age range. The method further provides determining a compaction ratio for the first data versions and compacting the first data versions based on the compaction ratio.

Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for data lineage based multi-data store recovery. In a particular embodiment, a method provides identifying first data in a first table of a plurality of tables stored in a plurality of data stores and restoring the first data to a first correct version of the first data in a prior version of the first table. The method further provides identifying a second table of the plurality of tables that descends from the first table and includes second descendent data that stems from the first data. The method also provides restoring the second descendent data to a second correct version of the second descendent data in a prior version of the second table.

Abstract: The technology disclosed herein accelerates traversal of a privilege graph indicating access permissions to resources of data environments. In a particular example, a method provides identifying a first node type of a start node of a plurality of nodes in a privilege graph and a second node type of an end node of the plurality of nodes. The privilege graph indicates access privileges for a plurality of users to features of a plurality of data environments. The method also provides identifying one or more possible paths between the first node type and the second node type based on a schema of the privilege graph and traversing the plurality of nodes from the start node to the end node while ignoring paths that are not included in the one or more possible paths.

Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for data lineage based multi-data store recovery. In a particular embodiment, a method provides identifying first data in a first table of a plurality of tables stored in a plurality of data stores and restoring the first data to a first correct version of the first data in a prior version of the first table. The method further provides identifying a second table of the plurality of tables that descends from the first table and includes second descendent data that stems from the first data. The method also provides restoring the second descendent data to a second correct version of the second descendent data in a prior version of the second table.

Abstract: The technology disclosed herein reduces nodes and edges within a privilege graph that indicates access privileges for users to features of data environments. In a particular example, a method provides identifying two attribute nodes of a plurality of nodes in a privilege graph and determining that the two attribute nodes share the same one or more outbound edges. The method further provides combining the two attribute nodes into a combined node. The combined node represents attributes represented by the two attribute nodes. The method also provides tracing the privilege graph from a user through the combined node when determining which of the access privileges correspond to the user.

Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for container based application reification. In a particular embodiment, an application reification system is provided including one or more computer readable storage media and a processing system operatively coupled with the one or more computer readable storage media. The application reification system further includes program instructions stored on the one or more computer readable storage media that, when read and executed by the processing system, direct the processing system to preserve a version of application data at a first time and a configuration of an application at the first time. At a second time subsequent to the first time, the program instructions direct the processing system to create a template for a container containing the application in the configuration and a pointer to the version of the application data in a secondary storage repository.

Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for container based application reification. In a particular embodiment, an application reification system is provided including one or more computer readable storage media and a processing system operatively coupled with the one or more computer readable storage media. The application reification system further includes program instructions stored on the one or more computer readable storage media that, when read and executed by the processing system, direct the processing system to preserve a version of application data at a first time and a configuration of an application at the first time. At a second time subsequent to the first time, the program instructions direct the processing system to create a template for a container containing the application in the configuration and a pointer to the version of the application data in a secondary storage repository.

Abstract: An example networked computing system for iterative node level recovery comprises a node cluster; a database; at least one processor configured by instructions to perform operations comprising at least: identifying a failed node among existing nodes in the node cluster; identifying and initiating a replacement node as a new node for the node cluster; accessing at the database a logical backup of the node cluster; retrieving logical backup data of the node cluster and identifying specific rows of backup data to be restored to the new node; restoring the specific data rows to the new node; identifying new data written by applications, to the existing nodes of the node cluster, during restoration of the new node; iteratively accessing supplementary back up data to identify supplementary data rows to be restored to the new node; and iteratively restoring the supplementary data rows to the new node until the new node is synchronized with the existing nodes in the node cluster.

Abstract: The technology disclosed herein enables enforcement of high-level rules defined by a user across multiple data environments. In a particular embodiment, a method includes receiving a high-level rule from a user for enforcement across a plurality of data environments and interpreting the high-level rule into a computer-readable rule. The method further includes translating the computer-readable rule into an instruction compatible with a data environment of the plurality of data environments. The method also includes providing the instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the instruction.

Abstract: The technology disclosed herein enables pushing of access-privilege information from data environments to a graphing service. In a particular embodiment, a method includes registering a data environment to enable the data environment to use Application Programming Interface (API) calls and receiving an API call transmitted from the data environment. The API call provides information about access permissions for the data environment. The method further includes incorporating the information into a privilege graph representing data access authorizations.

Abstract: The technology disclosed herein enables generation of effective permissions between principals and resources from access policies. In a particular embodiment, a method includes, in an effective permissions service, retrieving one or more access policies that define access permissions between a principal and a resource of the plurality of resources. The method also includes determining an effective permission defining the access of the principal to the resource based on the access policies and defining the effective permission in a canonical format. The method further includes storing the effective permission for reference when the principal attempts to access the resource.

Abstract: An example networked computing system comprises a node cluster; a database; at least one processor configured by instructions to perform operations in a method of node level recovery, the method comprising operations including at least: identifying a failed node among existing nodes in the node cluster; identifying and initiating a replacement node as a new node for the node cluster; accessing at the database a logical backup of the node cluster; retrieving logical backup data of the node cluster from the logical backup and applying a node level filter to identify rows of backup data associated with the failed node; and restoring the data rows identified by the node level filter to the new node.