Abstract: In the creative community, a need exists to efficiently market creative works including music, concerts, photographic, video programs, motion pictures, two and three dimensional works of art and literary works. The cost of creating works of art has never been less. Computer programs like Garage Band and iMovie have lowered production costs so that more people than ever before are engaged in creativity. The present invention links the creative community with investors, venue owners, social media influencers, other artists, art critics, art distributors, literary agents, art brokers and dealers and the overall audience for creative works. The present invention represents a significant augmentation to the traditional artists and repertoire departments of the major record companies and will enable a bidding marketplace so that creative works may be monetized at the moment of creation and combined with other preexisting artwork to enable marketing compilations or derivative works expeditiously.

Abstract: An information processing apparatus that permits login of a user by transmitting authentication information on the user to a server that provides an authentication service and based on response results from the server performs output control by selecting a user interface based on a predetermined condition, which is one of a first user interface prepared in advance and a second user interface obtained by rendering by a browsing function, both for causing the user to input the authentication information. Here, the information processing apparatus transmits first authentication information input by using the first user interface to the server and receives first response results for the transmission from the server. Further, the information processing apparatus transmits second authentication information input by using the second user interface to the server and receives second response results for the transmission from the server.

Abstract: The present disclosure provides a method for upgrading an Internet of Things (IoT) terminal device and an electronic device thereof. The method includes: determining a surveillance device and performing two-way verification with the surveillance device; sending, in response to successful two-way verification, a first upgrade instruction to at least one of the surveillance device and the terminal device, wherein a server communicates with the terminal device via the surveillance device, and the first upgrade instruction includes an encrypted upgrade file, encrypted server identification information, and an encrypted first check value.

Abstract: Techniques are described for automatically identifying and configuring IT and security application connectors relevant to users' IT environment by obtaining and analyzing data reflecting activity within an IT environment. The identification of types of assets within an IT environment may be based on analyzing a “source type” field included in events associated with the IT environment, where the source type field included in each event provides an indication of a type of device or service to which the event relates. The values stored in the source type field of events associated with a user's IT environment might indicate, for example, the presence of various types of computing devices, software applications, network devices, and so forth. Based on the identification of types of assets present in an IT environment, an IT and security operations application automatically configures corresponding connectors for those types of assets.

Abstract: Aspects of the disclosure relate to computing hardware and software for performing uniform document updates. A computing platform may receive, from a user device, a document change request. The computing platform may authenticate authority of a user of the user device to perform the document change request. Based on authenticating the authority of the user of the user device to perform the document change request, the computing platform may identify storage locations at which documents that are affected by the document change request are located. The computing platform may access the documents at each of the storage locations. The computing platform may scan the documents to identify locations, within the documents, of changes to be made, which may include identifying the locations based on enterprise-adopted change tags. The computing platform may write the changes to the documents at the identified locations based on the enterprise-adopted change tags.

Abstract: An aircraft is described. The aircraft includes an avionics management system including one or more control display units. The control display units include an alphanumeric keyboard. By the alphanumeric keyboard, an operator within the aircraft may input a personal identification number (PIN). The input PIN is received from the alphanumeric keyboard and compared with a PIN stored in memory. When the input PIN is validated, the avionics management system changes a system state from not validated to validated, thereby permitting the control display unit to access otherwise unavailable mobile user objective system (MUOS) feature sets, such as viewing MUOS presets or tuning to the MUOS presets.

Abstract: Systems for tracking incident data across phases of a data incident response including analysis, containment, and recovery, and automatically generating data incident reports are disclosed herein. Embodiments enable viewing of all the incident data in a single place including tracking of origin and history of the incident data to create an audit trail. Embodiments include managing incident data sharing and reporting including automatically generating and sharing data incident reports. Embodiments include a first feedback loop and a second feedback loop. The first feedback loop includes automatically surfacing to users changes to incident report specifications, errors or warnings in incident data with resolving recommendations including specific tasks to resolve the errors or warnings.

Abstract: A method and a system are provided for processing payment card transactions in conjunction with a user device configured to detect intoxicated use. The user device includes a behavior detection application which can detect whether a user is intoxicated using the device's motion sensing hardware, user endpoint data, and application level data. When the user attempts a transaction while intoxicated, the user's device can detect that the user is impaired or sober. If impaired, the payment card system can deny the transaction. If sober, the payment card system can offer incentives for certain transactions. The payment card system can also allow sponsoring entities to pay for transactions that incentivize better behavior when a user is intoxicated or support transactions for sober users.

Abstract: A first user device may be used to request provisioning of a secure credential on a second user device. A provisioning system may facilitate the provisioning in a manner that ensures security and privacy of the requesting parties. The provisioning requests may be made using an application on the first user device such as a third-party application or using a web application via a browser. The credential may be added to a digital wallet on the second user device. The credential may be useable by the second user device to perform one or more contactless transactions.

Abstract: Systems and methods include obtaining a profile for an application, wherein the profile includes one or more tenants, rules for use of the application by the one or more tenants, and users for the rules; monitoring a user of a tenant of the one or more tenants inline via a node in a cloud-based system; identifying an application of the one or more applications based on the monitoring and associated rules for the user; and enforcing the associated rules for the user for the application.

Abstract: A method is disclosed for automating creation of an account to access to a plurality of cloud based platforms, comprising receiving an intake request; determining whether the account is requested on a first cloud platform or a second cloud platform; determining whether an environment is requested; in response to a determination that an environment is requested, creating a created environment; in response to a determination that an environment is not requested, associating an existing environment with the account; in response to a determination that an environment is requested and a determination that the account is requested on the first cloud platform, creating network handlers; creating a workspace and a repository; creating vault secrets; in response to a determination that the account is requested on the first cloud platform, and tagging at least one resource associated with the account with a resource tag.

Abstract: The following description is directed to a logic repository service. In one example, a method of a logic repository service can include receiving a first request to generate configuration data for configurable hardware using a specification for application logic of the configurable hardware. The method can include generating the configuration data for the configurable hardware. The configuration data can include data for implementing the application logic. The method can include receiving a second request to download the configuration data to a host server computer comprising the configurable hardware. The method can include transmitting the configuration data to the host server computer in response to the second request so that the configurable hardware is configured with the host logic and the application logic.

Abstract: An apparatus comprising means for performing: sending, to a network entity, a Network Function Discovery request comprising parameter information; and receiving, from the network entity, a response to the request, the response comprising: at least one identifier for at least one Network Function service producer; and at least one of: information ranking the at least one Network Function service producer according to how well the at least one Network Function service producer matches the request; and an indication of how much of the parameter information is matched by one or more parameters of the at least one Network Function service producer.

Abstract: Systems and methods for generating and filtering visualizations are disclosed herein. In an embodiment, a DPA provides a graphical user interface for defining a query, including specifying semantic classes and attributes of the query. The DPA further provides options for generating a visualization from the query results and for adding the visualization to a collection of visualizations. When visualizations are later displayed on a graphical user interface, filters are provided based on attribute filters defined for queries that form the basis of visualizations on the graphical user interface. When a filter option is selected, the graphical user interface displays new visualizations based on filtered query results for the visualizations generated from queries that include the selected filter and removes from display the visualizations generated from queries that do not include the selected filter and/or adds to the display visualizations that have mandatory filter requirements met by the selected filter.

Abstract: Methods and systems for secure, encrypted and distributed ownership and usage of big data are provided. According to one example, a server maintains a local key management data store, a data blockchain copy, an audit blockchain copy, and a metadata blockchain copy. A data operation from a user electronic device is received. The server verifies that the user electronic device has access against the local key management data store, runs the data operation and records metadata about the data operation, and writes data blocks to the data blockchain copy, the audit blockchain copy, and the metadata blockchain copy. The server broadcasts the updated blockchain copies to the peer-to-peer network for replication.

Abstract: Described herein is a system and method for improving cyber resilience for determining an optimal security policy for a network. The system uses an objective function to balance cyberattack risks, accessibility to network resources, resource limitations, minimum mission availability requirements within a network environment, or a combination thereof. The objective function comprises objectives (one or more variables that enhance accessibility to network resources and reduce cyberattack risks) and constraints (one or more variables that characterize resource limitations or minimum mission availability requirements within a network environment). The optimal security policy is selected by solving one or more optimization problems. The optimization problem may be solved by determining candidate security policies that meet the constraints and selecting among candidate security policies having the highest score for a given objective function.

Abstract: An online software platform (OSP) classifies challenges to digital rules into buckets according to respective challenged digital rules that were applied to produce respective challenged resources. The OSP computes respective statistics for the buckets. Each bucket may have a corresponding statistic associated with the bucket based on a current total number of challenges that have been classified into that bucket. The OSP ranks the buckets according to the respective statistics of the buckets. The OSP may correct, based on the ranking of the buckets, the respective challenged stored digital rule of the selected bucket without yet correcting the respective challenged digital rule of at least one of the other buckets. This correction is stored and included in digital rules to be used to produce resources going forward.

Abstract: An information processing architecture for implementation in a vehicle includes a software segregation unit which is configured to provide a first security domain and a second security domain which are assigned in each case to different operational areas of the vehicle and have their own data processing environments which are segregated from one another to run a multiplicity of computer applications. The software segregation unit is further configured to provide a synchronization instance, wherein the synchronization instance has a central dataset which is synchronized with data generated in the respective security domains independently from one another via data exchange and is selectively readable by both security domains.

Abstract: A method may include a method of automating processes for remote work. The method may include receiving, at a server, first login data from a client software application. The client software application may be executing on a user device of a remote worker user. The method may include authenticating the remote worker user based on the first login data. The method may include receiving, at the server, command data from the client software application. The command data may include data indicating to the server to launch a software application. The method may include launching, on the server, the software application. The method may include inputting, using a robotic process automation (RPA) process, second login data of the remote worker user into the software application. The method may include key site information, speech-to-text functionality, onboarding functionality, automated support, or activity logging.

Abstract: Logic to determine a record indicating an authentication by a first multi-factor authentication does not exist for a user in a memory. Logic to receive a request for issuance of a transaction token for a financial transaction, maintain a situation-specific predetermined value for each of a plurality of predetermined situations, and select the situation-specific predetermined value of the predetermined situation in the request, and sum a number of requested transaction tokens. And logic to retrieve the predetermined value and a predetermined number of transaction tokens, issue the transaction token, and complete the financial transaction using the transaction token issued.

Abstract: Technologies for cross-device shared web resource caching include a client device and a shared cache device. The client device scans for a shared cache device in local proximity to the client device and, in response to the scan, registers with the shared cache device. After registering, the client device requests a cached web resource from the shared cache device. The shared cache device determines whether a cached web resource that matches the request is installed in a shared cache. The shared cache device may determine whether an origin of the request matches the origin of the cached web resource. If installed, the shared cache device sends a found response and the cached web resource to the client device. If not installed, the shared cache device sends a not-found response and the client device may request the web resource from a remote web server. Other embodiments are described and claimed.

Abstract: This disclosure relates to methods, systems, and non-transitory computer-readable storage media for integrating a multi-factor authentication system with a security system. The present technology can receive authentication data descriptive of a user associated with a user device. The present technology can also permit the user to access a secure physical location. The present technology can also limit capabilities of the user device while the user is within the secure physical location.

Abstract: The subject disclosure relates to employing sourcing and generation components to facilitate a generation of identity data by a biometric chip. In an example, a system comprising one or more processors and one or more storage devices comprising processor executable instructions that, responsive to execution by the one or more processors, cause the system to perform operations comprising sourcing, by a biometric chip implantation device, biometric data, transactional data, activity data and statistical data corresponding to a user from a set of data sources corresponding to a set of data feeds. Furthermore, the system can employ the biometric chip to interpolate subsets of data feeds.

Abstract: A processor may install an imposter security client (ISC) at an endpoint. The processor may install a subscription based imposter security service (ISS). The ISS may be part of an identity and access management (IAM) system. The processor may exchange information between the ISC and the ISS. The exchange may be automatically triggered when the ISS receives an imposter identification (ID) from the IAM system. The imposter ID may be associated with an unauthorized endpoint user. The processor may protect the endpoint from the unauthorized endpoint user.

Abstract: An industrial development hub (IDH) supports industrial development and testing capabilities that are offered as a cloud-based service. The IDH comprises an enhanced storage platform and associated design tools that serve as a repository on which customers can store control project code, device configurations, and other digital aspects of an industrial automation project. The IDH system can facilitate discovery and management of digital content associated with control systems, and can be used for system backup and restore, code conversion, and version management. The IDH also supports storage and instantiation of virtual machine images preconfigured with digital engineering applications or project conversion that can be instantiated and executed remotely as part of a digital engineering services framework.

Abstract: Aspects described herein may provide techniques for authenticating a user using transaction-based authentication questions that are generated based on item-level purchase data. The item-level purchase data of a transaction may include specific details of a transaction such as identification of each item purchased and corresponding prices paid for each item. Transaction-based authentication questions for a financial account may be generated based on the item-level purchase data that an authorized user of the financial account is likely to remember and that a malicious actor is unlikely to correctly guess. As a result, the authorized user of the account is likely to be correctly authenticated while the malicious actor is likely to answer the transaction-based authentication question incorrectly. Authentication can therefore effectively block malicious actors without overly burdening actual authorized users during the authentication process.

Abstract: A computer implemented method includes granting a tenant administrator client machine access to a cloud hosted tenant service joined to a directory service. A bulk token for the tenant is obtained in response to a request received from the tenant administrator client machine. An identifier of an authorized tenant client to the cloud hosted tenant service is received and results in the provisioning of a tenant client virtual machine in a cloud service for the authorized tenant client in accordance with a specified provisioning package associated with the bulk token. The tenant client virtual machine is then joined to the directory service. On receipt of an authorized client token at the cloud hosted tenant service from a tenant client machine, the tenant client machine is provided a connection to the tenant client virtual machine.

Abstract: A data gateway system and a data intercommunication method are provided. The data gateway system includes a client system and a cloud server. The client system includes a first connector module and a listener module. The cloud server includes a second connector module and an authentication management module. The listener module performs a command listening for the cloud server. When the listener module obtains a connection configuration information, the client system sends a connection request command to the cloud server through the first connector module, so that the cloud server receives the connection request command through the second connector module, and issues a gateway code. The cloud server sends the gateway code to the first connector module of the client system through the second connector module, so that the client system establishes a connection between the client system and the cloud server based on the gateway code.

Abstract: In some implementations, a token client may transmit, to a token server, a request for a token associated with the front-end device and derived from a secret associated with the front-end device. The token client may receive, from the token server, the token in response to the request for the token and may transmit, to the front-end device, the token. The token client may determine an expiry associated with the token. The token client may transmit, to the token server, a request for a new token prior to the expiry associated with the token. The token client may receive, from the token server, the new token in response to the request for the new token and may transmit, to the front-end device, the new token.

Abstract: One embodiment of the present invention sets forth a technique for validating a set of input data used by a software application, the method comprising: determining a first validation class for a first portion of the set of input data; determining a first validation operation to be performed on the first portion of the set of input data based on the first validation class; causing the first validation operation to be performed on the first portion of the set of input data; determining that the first validation operation is unsuccessful; and generating a validation report indicating that the set of input data includes an error.

Abstract: In one embodiment, a method for secure virtualized wireless base station orchestration comprises: obtaining a node certificate and private key from a global CA defining a PKI signing certificate/private key; obtaining a sub CA certificate/private key from either an edge cloud node cluster or the global CA, using a PKI request signed using the PKI signing certificate/private key; establishing an orchestration access IPsec tunnel to a cloud comprising edge cloud orchestration functions; utilizing the orchestration functions to deploy on the node virtualized entities comprising VNFs of a wireless base station; obtaining at least one VNF certificate and private key for the VNFs from the global CA using a PKI request signed using the global certificate/private key; utilizing the VNF certificate/private key, establishing IPsec tunnels between the VNFs and a wireless network services operator network and/or to an OAM secure gateway for a DMS.

Abstract: A first device and a home hub have a same TEE platform, and a second device and the home hub have different TEE platforms. A control method includes the home hub receiving an identity credential of the second device and public key information of the first device from the second device. The home hub controls an IoT device based on the identity credential of the second device. The home hub receives private key information that is of the first device and that is from the first device. The home hub forms an identity credential of the first device based on the public key information of the first device and the private key information of the first device to control the IoT device.

Abstract: Example mobile devices disclosed herein include a camera, memory including computer-executable instructions, and a processor to execute the instructions to at least associate a location of the mobile device with picture data obtained with the camera. The processor is also to assign a first data tag to the picture data when the location of the mobile device corresponds to a first area, the first data tag to identify a first security level for the picture data, or assign a second data tag to the picture data when the location of the mobile device does not correspond to the first area, the second data tag to identify a second security level for the picture data. The processor is further to determine whether to permit an application to access the picture data based on whether the first data tag or the second data tag is assigned to the picture data.

Abstract: Based on analyzing a serverless function associated with a first role, a set of security permissions granted to the serverless function is identified based on the first role and a first attribute of the serverless function. A least privilege role indicating a set of least privilege security permissions for the serverless function is generated based, at least in part, on the first attribute. Based on comparing the least privilege role with the first role, it is determined if the set of security permissions granted to the serverless function is more permissive than the set of least privilege security permissions. Based on determining that the set of security permissions granted to the serverless function is more permissive than the set of least privilege security permissions, the first role is reported as over-permissive.

Abstract: Methods, systems, devices, and tangible non-transitory computer readable media for generating and validating reports. The disclosed technology can access organizational data that can include organizational reports associated with payrolls of an organization. The organizational reports can include fields respectively associated with entries. Formats of the organizational reports can be determined based at least in part on configurations of the fields. Validated reports can then be generated based on the performance of validation operations including evaluation of a validity of each of the organizational reports. The validated reports can include a portion of the fields and a portion of the entries. Furthermore, indications associated with the validity of the portion of the entries of the validated reports that were evaluated can be generated.

Abstract: A proxy server receives from a client device a request for a network resource that is hosted at an origin server for a domain. The request is received at the proxy server as a result of DNS request for the domain returning an IP address of the proxy server instead of an IP address of the origin server. The proxy server retrieves the requested network resource. The proxy server determines that the retrieved network resource includes at least one modification token that is of a type that indicates a threat to the client device. For at least this modification token, the proxy server automatically modifies at least a portion of the retrieved network resource that corresponds to that modification token. The proxy server transmits the modified network resource to the client device.

Abstract: Database objects are retrieved from a database and parsed into normalized cached data objects. The database objects are stored in the normalized cached data objects in a cache store, and tenant data requests are serviced from the normalized cached data objects. The normalized cached data objects include references to shared objects in a shared object pool that can be shared across different rows of the normalized cached data objects and across different tenant cache systems.

Abstract: The present document describes a communication session resumption mechanism. A client computer system establishes a communication session to a server computer that is a member of a set of related server computers. As a result of establishing the communication session, the server computer identifies the set of related server computers to the client computer system. The set of related server computers share communication session information with each other, allowing the client computer system to resume the communication session with another server computer belonging to the set of related server computers. The communication session may be specified to the other server computer by the client computer system by providing a session identifier or a session ticket.

Abstract: A system, method, and computer-readable medium are disclosed for performing a data center connectivity management operation. The connectivity management operation includes: providing a data center asset with a data center asset client module and an embedded data center asset client module; establishing a secure communication channel between the connectivity management system client and a connectivity management system; exchanging information between the connectivity management system client and the connectivity management system via the secure communication channel between the connectivity management system client and the connectivity management system, the information including a data center asset client module authentication request; authenticating the data center asset client module in response to the data center asset module authentication request; and, configuring software in the data center asset in response to authentication of the data center asset client module.

Abstract: A system includes a processor in communication with a memory, a virtual machine running on the processor, and a hypervisor. The hypervisor is configured to receive a workload definition file (“WDF”). The WDF is associated with a workload, and the WDF is packaged such that the WDF is configured to generate a workload definition device (“WDD”). Additionally, the hypervisor is configured to receive a request to deploy the WDD within the virtual machine. The request includes the WDF. The hypervisor is also configured to deploy the WDD within the virtual machine. The WDD is configured to automatically execute the workload responsive to meeting at least one execution criteria.

Abstract: A system and method for predictive pre-authorization of transactions using biometrics which uses wireless mobile devices and biometric scanning to automatically predict pre-authorized transaction amounts in a secure manner without requiring the customer to handle his or her mobile device. The system and method uses a payment facilitation device at the business location which automatically detects and recognizes registered mobile devices, displays a photo of the customer to a business employee for identity confirmation, verifies the customer with a biometrics verification database, generates a pre-authorization amount with an authorization generator, and automatically deducts payments for purchases from a pre-authorized customer account.

Abstract: Systems, methods, and storage media for migrating identity information across identity domains in an identity infrastructure are disclosed. Exemplary implementations may: receive a login request from a first user in a first identity domain; extract, from the login request, identity data, wherein the identity data comprises at least one of a user identifier and user credentials information associated with the first user; identify one or more credential verification resources in the first identity domain; verify at least one of the user identifier and user credentials information for the first user; identify one or more other identity domains, including at least a second identity domain, in the identity infrastructure, wherein the first user is an unmigrated user in the second identity domain; request additional identity data for the first user from the first identity domain; and create a user profile for the first user in the second identity domain.

Abstract: Systems and methods for continuous measurement of an analyte in a host are provided. The system generally includes a continuous analyte sensor configured to continuously measure a concentration of analyte in a host and a sensor electronics module physically connected to the continuous analyte sensor during sensor use, wherein the sensor electronics module is further configured to directly wirelessly communicate sensor information to one or more display devices. Establishment of communication between devices can involve using a unique identifier associated with the sensor electronics module to authenticate communication. Times tracked at the sensor electronics module and the display module can be at different resolutions, and the different resolutions can be translated to facilitate communication. In addition, the frequency of establishing communication channels between the sensor electronics module and the display devices can vary depending upon whether reference calibration information is being updated.

Abstract: A computer-implemented method for sharing access to a database of records relating to clinical trial investigators amongst a number of users is disclosed. Each record includes a number of data fields associated with a clinical trial investigator and has associated metadata indicating a record owner. The method comprises: a) receiving a database query from a first user; b) resolving the query using a first subset of the records in the database including only those records for which the associated metadata indicates that the record owner is the first user and those records for which the associated metadata indicates that the record owner is another user which has registered a sharing rule in respect of the first user, whereby the first user is granted permission to access its records; and c) generating a result set including only those records used to resolve the query that satisfy the query.

Abstract: The techniques disclosed herein improve existing systems by generating a data object indicative of a defined group of users of a communication session, messages being communicated between the defined group of users, and permissions defined for the defined group of users to access content of the communication session. In response to receiving a selection of a message set including a subset of the messages of the defined group for corresponding with a non-member user who is not a member of the defined group, the system updates the first data object to include the selected message set and subsequent messages exchanged between the non-member user and a subset of the users in the defined group directed to the selected message set, and permissions defined for the additional participant to limit full access to other subsequent messages in the defined group not directed to the selected message set.

Abstract: The present embodiments relate to a secure boot partition for a cloud computing device of a cloud computing system. The computing device of the cloud computing system can transmit a first request for a pre-boot execution environment executable from a smart network interface card (SmartNIC). The computing device can receive the pre-boot environment executable from the SmartNIC and verify the pre-boot execution environment executable. The computing device can execute the pre-boot execution environment executable. Executing the pre-boot execution environment executable can include transmitting a second request secure boot metadata from the SmartNIC and receiving the secure boot metadata. Executing the pre-boot execution environment executable can further include mounting a boot partition, loading a boot loader obtained from the boot partition, verifying the boot loader based at least in part on the secure boot metadata, and executing the boot loader in response to verifying the boot loader.

Abstract: Disclosed is a communication method for a device, a first cloud platform and a second cloud platform. The communication method includes obtaining, by the first cloud platform, a first access token from the second cloud platform. The first access token is configured for the first cloud platform to access a second resource link of a second device on the second cloud platform, and the second device is connected to the second cloud platform. The method also includes obtaining, by the first cloud platform, the second resource link based on the first access token. The method further includes determining, by the first cloud platform, a first resource link of the second device on the first cloud platform based on the second resource link. The first resource link is configured for a first device connected to the first cloud platform to communicate with the second device.

Abstract: An interworking service entity receives server registration requests including indications of service layer protocols used by each server, maintains a repository of server information, and uses the repository for interworking requests of devices to servers of different protocols based on a server type provided in discovery requests. Other matching information may include, for example, server security protocol, supported services, service territory, availability, capacity, or loading, as device information or preferences, such a supported service, supported interface type, or a supported device type.

Abstract: Methods and systems for a document-level attribute-based access control service are provided. The document-level attribute-based access control service may be positioned between a directory service and a search engine service. The directory service can manage information and permissions for users. The document-level attribute-based access control service can map security attributes to the user based on the information and permissions. Based on the mapping, it can be determined whether to permit the user making a query to the search engine service to access documents based on the query. Information and permissions attributes can be injected into queries dynamically via a template. Attributes may be combined with role query templates to create document-level attribute-based access control on top of role-based access control. The present technology can enable enforcement of security policies requiring all of a combination of attributes to be satisfied before permitting certain access.

Abstract: A method for implementing a migration action for a vulnerability includes receiving an indication that a target resource includes a vulnerability where the target resource is being hosted in a cloud environment and associated with a user of the cloud environment. The method also includes receiving a plurality of rules configured to mitigate vulnerabilities for cloud environment resources. The method further includes determining whether the plurality of rules include one or more rules corresponding to the vulnerability of the target resource. When the plurality of rules comprises the one or more rules corresponding to the vulnerability of the target resource, the method includes applying a reversible mitigation action associated with a respective rule of the one or more rules corresponding to the vulnerability of the target resource.