Abstract: A system grants access for a computing entity to execute a requested operation upon a target resource based on a set of one or more access policies associated with a different computing entity. The access control service receives a surrogate access request from a first computing entity. The surrogate access request represents a request for the first computing entity to execute a requested operation upon a target resource based on a set of one or more access policies corresponding to a principal associated with a second computing entity. The system obtains a set of one or more access policies respectively, including a set of one or more authorized operations associated with the principal, and determines whether the requested operation corresponds to at least one authorized operation. Responsive to determining that the requested operation corresponds to at least one authorized operation, the system authorizes execution of the requested operation.

Abstract: A system executes an authorization process for initiating a session with a computing entity. Executing the authorization process includes determining an identity associated with the computing entity, identifying a current set of access policies associated with the identity, and determining, based on the current set of access policies, a first set of actions that the computing entity is authorized to perform. While executing the session, the system executes a first action in accordance with the current set of access policies. Subsequent to executing the first action, the set of access policies is modified. The system detects an occurrence of a trigger condition, and in response, re-executes the authorization process for the session, including determining, based on the modified set of access policies, a second set of actions the computing entity is authorized to perform that differs from the first set of actions.

Abstract: A system is disclosed that includes capabilities by which a nested sub-resource residing in a service tenancy can access a customer-owned resource residing in a customer tenancy without the use of a cross-tenant policy. The disclosed system provides the ability for a nested sub-resource residing in a service tenancy to obtain the resource principal identity of a higher-level resource residing in the customer tenancy and use the identity of the higher-level resource to access a customer-owned resource residing in the customer tenancy. Using the resource principal identity of its higher-level resource, the sub-resource can access a customer-owned resource that resides in a customer tenancy in a seamless way without having to write a cross-tenancy policy statement that provides permission to the sub-resource to access the customer-owned resource.

Abstract: Techniques for enforcing an egress policy at a target service are described. In an example, traffic is generated for a customer tenancy, where the traffic is generated by a multi-tenancy service. The traffic can be destined to the target service. The traffic can be tagged by the multi-tenancy service with information indicating that the traffic is egressing therefrom on behalf of the customer tenancy. The customer tenancy can be associated with the egress policy. The target service can determine the egress policy based on the information tagged to the traffic and can enforce the egress policy on the traffic that the target service is receiving.

Abstract: Techniques for enforcing an egress policy at a target service are described. In an example, traffic is generated for a customer, where the traffic is generated by a customer network of the customer, such as a customer tenancy or an on-premise network, or by a multi-tenancy service on behalf of the customer. The traffic can be destined to the target service. The traffic can be tagged by the customer network (e.g., by a gateway of the customer network) or by the multi-tenancy service. The customer network can be associated with the egress policy. The target service can determine the egress policy based on the information tagged to the traffic and can enforce the egress policy on the traffic that the target service is receiving.

Abstract: Techniques for enforcing an egress policy at a target service are described. In an example, traffic is generated for a customer, where the traffic is generated by a customer network of the customer, such as a customer tenancy or an on-premise network. The traffic can be destined to the target service. The traffic can be tagged by the customer network (e.g., by a gateway of the customer network). The customer network can be associated with the egress policy. The customer can define the egress policy at different granularity levels by using different attributes. The target service can determine the egress policy based on the information tagged to the traffic and can enforce the egress policy, based on the customer-defined attributes, on the traffic that the target service is receiving.

Abstract: Techniques for enforcing an egress policy at a target service are described. In an example, traffic is generated for a customer, where the traffic is generated by a customer network of the customer, such as a customer tenancy or an on-premise network. The traffic can be destined to the target service. The traffic can be tagged by the customer network (e.g., by a gateway of the customer network). The customer network can be associated with the egress policy. The target service can determine the egress policy based on the information tagged to the traffic and can enforce the egress policy on the traffic that the target service is receiving.

Abstract: A system is disclosed that includes capabilities by which a nested sub-resource residing in a service tenancy can access a customer-owned resource residing in a customer tenancy without the use of a cross-tenant policy. The disclosed system provides the ability for a nested sub-resource residing in a service tenancy to obtain the resource principal identity of a higher-level resource residing in the customer tenancy and use the identity of the higher-level resource to access a customer-owned resource residing in the customer tenancy. Using the resource principal identity of its higher-level resource, the sub-resource can access a customer-owned resource that resides in a customer tenancy in a seamless way without having to write a cross-tenancy policy statement that provides permission to the sub-resource to access the customer-owned resource.

Abstract: Techniques for enforcing an egress policy at a target service are described. In an example, traffic is generated for a customer tenancy, where the traffic is generated by a multi-tenancy service. The traffic can be destined to the target service. The traffic can be tagged by the multi-tenancy service with information indicating that the traffic is egressing therefrom on behalf of the customer tenancy. The customer tenancy can be associated with the egress policy. The target service can determine the egress policy based on the information tagged to the traffic and can enforce the egress policy on the traffic that the target service is receiving.

Abstract: Techniques described herein relate to authorization between integrated cloud products. An example includes receiving, by a computing device and from a first resource, a first request for permission to access a certificate to verify a requestor's identity. The computing device can transmit a second request to a second resource to authorize permitting access to the certificate. The computing device can receive a response from the second resource comprising an authorization to permit access to the certificate. The computing device can grant permission to the first resource to access the certificate, wherein the first resource is configured to verify the requestor's identity based on accessing the certificate. The computing device can receive a third request from the first resource to generate an association object between the first resource and the certificate. The computing device can generate the association object, wherein the association object associates the first resource and the certificate.

Abstract: Systems and methods for combined authorization for entities within a domain are described. One aspect relates to a method. The method can include receiving a request for a user to take an action in a first system and determining a first authorization status of the action by the user with the first system. The method can include determining a second authorization status of the action by the user with a second system, determining a union of the first authorization status and the second authorization status, and comparing the union of the first authorization status and the second authorization status to authorization criteria.

Abstract: This disclosure describes techniques implemented partly by a service provider network for distributed storage of event data in data storage according to a data-storage schema in order to reduce the amount of computing resources required to store and access the event data. The techniques may include generating event identifiers (IDs) for actions performed by users to manage cloud-based services. Rather than indexing event IDs by writing the event IDs to a database, the techniques described herein include storing event IDs in different file folders in storage according to a storage schema where the different file folders are assigned to store event IDs having different prefix portions. In this way, event IDs may be stored, or grouped, in different file folders according to prefix portions of the event IDs to reduce the amount of reads and writes required for the event IDs.