Systems, methods, and computer-readable media are provided for generating a unique ID for a sensor in a network. Once the sensor is installed on a component of the network, the sensor can send attributes of the sensor to a control server of the network. The attributes of the sensor can include at least one unique identifier of the sensor or the host component of the sensor. The control server can determine a hash value using a one-way hash function and a secret key, send the hash value to the sensor, and designate the hash value as a sensor ID of the sensor. In response to receiving the sensor ID, the sensor can incorporate the sensor ID in subsequent communication messages. Other components of the network can verify the validity of the sensor using a hash of the at least one unique identifier of the sensor and the secret key.

Techniques for providing hybrid access control in a cloud-services computing environment are provided. In one embodiment, a method for providing hybrid access control is provided at a host computing device. The method includes obtaining access control settings including at least a first user's role-based access settings with respect to a first sub-system of a hierarchical computing-resource system. The method further includes propagating the access control settings from the first sub-system to a second sub-system; obtaining user group domains assigned to a plurality of sub-systems; and obtaining a group membership associated with the first user. The method further includes determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user's role-based access settings propagated to the second sub-system are to be adjusted; and making adjustments accordingly.

Systems and methods for sharing authentication between applications include receiving a request to share authentication from a first application with a second application. An account identifier and identity token for a user are obtained from the first application. Access to a communication application associated with the account identifier is verified as available. The account identifier and identity token are sent to a second application server for verification with a first application server. A verification message is received in the communication application from the second application server. The verification message is determined to contain confirmation information and authentication is shared from the first application with the second application. Related systems and methods include retrieving information associated with an operating system to facilitate sharing authentication between applications.

Aspects of the current subject matter are directed to secure group file sharing. An architecture for end-to-end encrypted, group-based file sharing using a trusted execution environment (TEE) is provided to protect confidentiality and integrity of data and management of files, enforce immediate permission and membership revocations, support deduplication, and mitigate rollback attacks.

Computing systems and methods are provided for defining, within a data platform, a segment having constraints at a level of the segment, implementing the constraints or the classification rules within the segment while insulating resources within the segment from inheriting the constraints, and controlling an ingestion of an external resource into the segment based on the constraints.

Techniques for enabling impersonation without requiring an access manager (AM) controlling access to a computing resource to have direct access to user information. The AM receives an impersonation request for a first user to impersonate a second user, the request being received during a first session initiated by the first user. The second user has an access privilege that permits access to the computing resource. The AM causes information to be obtained from an identity provider, the information being stored in a location inaccessible to the AM and indicating whether the first user has been granted permission to impersonate the second user. An impersonation session is initiated based on determining, using the information obtained from the identity provider, that the first user has been granted permission to impersonate the second user. The initiating comprises switching a user associated with the first session from the first user to the second user.

Credentials management and usage in application modernization can be implemented as computer-readable methods, media and systems. A notification identifying an application modernization operation is received. The operation is to be performed on an application deployed by multiple resources arranged in multiple hierarchical levels. A resource residing at a hierarchical level of the multiple hierarchical levels is identified. The application modernization operation is to be performed on the identified resource which has a resource type. A search for a credential is performed. The credential grants access to the resource to enable performing the application modernization operation. In response to the searching, a credential included in the multiple credentials is identified. The identified credential grants access either to the resource or to resources of the resource type. In response to receiving the notification, the identified credential is provided.

Systems and methods for provisioning a new secondary IdentityIQ instance to an existing IdentityIQ instance are disclosed. In one embodiment, a method may include: receiving a request to provision the new secondary IdentityIQ instance; creating a primary IdentityIQ instance for the existing IdentityIQ instance and the new secondary IdentityIQ instance; aggregating data from the existing IdentityIQ instance to the primary IdentityIQ instance; deploying an event handler to the primary IdentityIQ instance to handle incoming requests for the existing IdentityIQ instance; changing a reconciliation process and an audit process from the existing IdentityIQ instance to the primary IdentityIQ instance thereby changing the existing IdentityIQ instance to the secondary IdentityIQ instance for the primary IdentityIQ instance; deploying the new secondary IdentityIQ instance to the primary IdentityIQ instance; and deploying at least one application to the new secondary IdentityIQ instance based on an operation processed by the new secondary IdentityIQ instance.

A method for authorizing operation permissions of form-field values is disclosed in the present invention, including a step of authorizing operation permissions of form-field values and a step of selecting a grantee; the step of authorizing operation permissions of form-field values includes: S1: selecting a form to be authorized, and displaying fields in the form that need operation permission control; and S2: authorizing the operation permissions to each value of the fields respectively, where the grantee is one or more roles, the role is an independent individual rather than a group or class, one role can only be related to a unique user during the same period, and one user is related to one or more roles. The present invention can achieve respective authorization for the operation permissions of form-field values, and improves the fineness of system management. In this method, multiple authorized roles can be selected at the same time to batch authorization, thus improving the authorization efficiency. In addition, this method supports template authorization. Two methods are combined, so that the authorization efficiency of operation permissions of form-field values in a system is greatly improved.

Embodiments relate to configuring artificial-intelligence (AI) decision nodes throughout a communication decision tree. The decision nodes can support successive iteration of AI models to dynamically define iteration data that corresponds to a trajectory through the tree