Patent classifications
G06F9/468
SCRIPT MANAGER FOR DISTRIBUTED SYSTEMS
A customer of a shared resource environment can generate script to be executed by one or more virtual machines, or other such instances or resources, and share that script with other users. The script can relate to administrative or other such tasks, and can be encapsulated into a document, or other such expression, and stored to a network-accessible location. The owner of the document can designate permissions as to which users have rights to access and/or execute the script against their own virtual machines. An owner can grant permission to all users, no other users, or specific users. The script can include parameter values that can be set by the other users or links to specific executables or other objects, among other such options.
PROVIDING PERMISSIONS TO SPAWNED COMPUTING RESOURCES
Implementations providing permissions to spawned computing resources within a computing environment include initiating a first computing resource whose operation is limited by a first set of permissions, for example, user-credential-based permissions. Permissions can be based on credentials of a user interfacing within the computing environment. A second computing resource spawned from the first computing resource is then identified and a second set of permissions is provided to the second computing resource. The second set of permissions is at least as restrictive in scope as the first permission set.
Tenant based permission allocation for a graph database
Systems, methods, and software described herein provide enhancements for managing permissions in a shared graph. In one implementation, a graph management system identifies a request to classify a first subgraph in the graph for access by a tenant of a plurality of tenants, wherein the request indicates one or more vertex types and/or one or more edge types for the first subgraph. The graph management system further identifies one or more vertices and/or one or more edges in the graph that qualify for the first subgraph based on the indicated one or more vertex types and/or one or more edge types, and allocates permissions to at least one user associated with the tenant to access the first subgraph.
Accessing privileged objects in a server environment
Accessing privileged objects in a server environment. A privileged object is associated with an application comprising at least one process resource and a corresponding semi-privileged instruction. The association is filed in an entity of an operating system kernel. A central processing unit (CPU) performs an authorization check if the semi-privileged instruction is issued and attempts to access the privileged object. The CPU executes the semi-privileged instruction and grants access to the privileged object if the operating system kernel has issued the semi-privileged instruction; or accesses the entity if a process resource of the application has issued the semi-privileged instruction to determine authorization of the process resource to access the privileged object. Upon positive authorization the CPU executes the semi-privileged instruction and grants access to the privileged object, and upon authorization failure denies execution of the semi-privileged instruction and performs a corresponding authorization check failure handling.
Systems and methods for data collection using workflow forms
Systems and methods for cloud-based file sharing, where templates are provided for creating workflow instances which enable the sharing of managed objects. Reusable workflow templates are stored in the repository of a cloud-based file sharing system as objects that define components of the workflow, or placeholders for these components. A user instantiates a workflow instance from one of the templates and configures the workflow instance to identify content objects or forms, tasks related to the content objects, and users assigned to perform the tasks. The workflow instance is stored as an object in the repository. Users assigned to tasks are authorized through the workflow instance to access the content objects or forms to perform the tasks.
METHOD AND SYSTEM FOR PROVIDING COMPOSABLE INFRASTRUCTURE CAPABILITIES
A system control processor manager uses composed information handling systems that utilize resource sets of information handling systems and an infrastructure manager. The infrastructure manager obtains a composition request for a composed information handling system; allocates a portion of resource sets to the composed information handling system using a telemetry data map; makes a determination that at least one of the portion of the allocated resource sets is hosted by an information handling system that does not include a physical system control processor; and in response to the determination: provides the information handling system with access to a system control processor without adding any physical system control processors to the information handling system; and directs access requests, by entities hosted by the information handling system and directed to the portion of the allocated resource sets, through the system control processor.
PRIVILEGE LEVEL ASSIGNMENTS TO GROUPS
According to examples, an apparatus may include a memory on which are stored machine-readable instructions that may cause a processor to determine, for each of a plurality of members in a group, a respective least privilege level for a resource and determine, based on the determined respective least privilege levels, a privilege level to be assigned to the group for the resource. The instructions may also cause the processor to assign the determined privilege level to the group for the resource and apply the assigned privilege level to the members of the group for the resource.
METHOD FOR DATA PROTECTION IN A DATA PROCESSING CLUSTER WITH AUTHENTICATION
Systems and methods are disclosed for data protection in a cluster of data processing accelerators (DPAs). The cluster of accelerators may include DPAs of a third-party accelerator that may not be trusted. To ensure data protection in the cluster, a first DPA that receives a request from a second DPA to access a resource of the first DPA authenticates the second DPA. If the second DPA passes authentication, the second DPA is permitted to access non-sensitive resources of the first DPA; otherwise, the second DPA is not permitted access to any resources of the first DPA and the first DPA breaks a communication link with the second DPA. Authentication is premised on a shared secret function between DPAs and a random number generated by the first DPA. The shared secret function is updateable by, e.g., a patch from a manufacturer of the DPA.
SYSTEM AND METHOD FOR PROCESS AND DATA OBSERVATION IN A NETWORKED SERVICE ENVIRONMENT
Embodiments as disclosed herein provide computing systems and methods that effectively serve to isolate processes in a computing environment. The isolation of such processes may serve additionally to substantially increase the observability of such processes, allowing a granular insight into data associated with those processes and the performing of individual tasks.
METHOD FOR DATA PROTECTION IN A DATA PROCESSING CLUSTER WITH PARTITION
Systems and methods are disclosed for data protection in a cluster of data processing accelerators (DPAs) using a policy that determines a static partition of resources in each DPA in the cluster communicatively coupled to a host device. Each DPA has sensitive (secure) and non-sensitive (non-secure) resources. The host device and a DPA can access all resources of the DPA. Other DPAs can only access non-sensitive resources of a DPA. The partition of resources within a DPA is static and may be implemented in hardware or firmware. Resources include memory, one or more processing modules such as key generators and cryptographic modules, caches, registers, and storage.