Patent classifications
G06F9/468
Securing an injection of a workload into a virtual network hosted by a cloud-based platform
The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Additionally or alternatively, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls to the tenant's virtual network.
Controlling access to cloud resources in data using cloud-enabled data tagging and a dynamic access control policy engine
Access to data and resources in a multi-tenant computing system is managed by tagging the data and resources with attributes, as well as by tagging users with attributes. Tenant-specific access policies are configured. When an access request is received from a workload, a policy decision engine processes the attributes that are tagged to the requesting workload (e.g., user, application, etc.) as well as those tagged to the requested data or resource, given a relevant tenant-specific policy. An access decision is provided in response to the access request, and the access decision can be enforced by a tenant-specific enforcement system.
Privilege level assignments to groups
According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to determine, for each of a plurality of members in a group, a respective least privilege level for a resource and determine, based on the determined respective least privilege levels, a privilege level to be assigned to the group for the resource. The instructions may also cause the processor to assign the determined privilege level to the group for the resource and apply the assigned privilege level to the members of the group for the resource.
Role-based access control policy auto generation
In some examples, an access control policy controller in a computer network may receive a request to create an access control policy that permits a role to perform one or more functions in the computer network. The access control policy controller may determine one or more operations performed on one or more objects in the computer network to perform the one or more functions based at least in part on tracking performance of the one or more functions in the computer network. The access control policy controller may create the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the computer network.
Sharing User Context And Preferences
Technology for interoperability is disclosed by enabling the sharing of user context or preferences for a computing experience across computing devices, operating systems, applications, or locations. A platform and application programming interface (API) are provided for computer applications and services to store and retrieve context data associated with a computing experience. Access to the context data for sharing may be managed by an access controller, which enables a user to manage access permissions for the sharing of the context data. The context data may be defined according to a common schema, which specifies the information for sharing and may be communicated using common communication channels or protocols. Thus, context data may be shared across nearly any application or service, including those developed in different computer programming languages, operating on different types of computing devices or on devices running different operating systems, or written by different software developers.
System and Method for a Workload Management and Scheduling Module to Manage Access to a Compute Environment According to Local and Non-Local User Identity Information
A system, method and computer-readable media for managing a compute environment are disclosed. The method includes importing identity information from an identity manager into a module that performs workload management and scheduling for a compute environment and, unless a conflict exists, modifying the behavior of the workload management and scheduling module to incorporate the imported identity information such that access to and use of the compute environment occurs according to the imported identity information. The compute environment may be a cluster or a grid wherein multiple compute environments communicate with multiple identity managers.
TRIGGERED QUEUE TRANSFORMATION
Methods and systems disclosed herein relate generally to evaluating resource loads to determine when to transform queues, and to specific techniques for transforming at least part of a queue so as to correspond to alternative resources.
CREATION AND EXECUTION OF CUSTOMISED CODE FOR A DATA PROCESSING PLATFORM
A method of executing computer-readable code for interaction with one or more data resources on a data processing platform, the method performed using one or more processors, comprising: receiving a request message including an identifier identifying executable code stored in a data repository; determining, using the identifier, an execution environment of a plurality of stored execution environments mapped to the identified executable code, wherein determining the execution environment mapped to the identified executable code comprises: accessing mapping data identifying a mapping between the identifier and the execution environment of the plurality of stored execution environments, the mapping data including configuration data associated with the identifier, wherein the configuration data identifies one or more convention-based data libraries particular to the execution environment; configuring the determined execution environment to access the one or more convention-based data libraries during execution; executing the identified executable code using the determined execution environment; and passing requests made with the identified executable code to the one or more data resources via a proxy.
Devices, methods, and graphical user interfaces for automatically providing shared content to applications
A computer system receives, in a first messaging conversation by a first messaging application of a plurality of applications, information identifying a first shared content item. In response to receiving the information identifying the first shared content item, in accordance with a determination that the first shared content item is of a first type, the computer system automatically makes the first shared content item available within a first application of the plurality of applications, wherein the first application is associated with content of the first type. In accordance with a determination that the first shared content item is of a second type, the computer system automatically makes the first shared content item available within a second application of the plurality of applications, wherein the second application is associated with content of the second type.
FRAMEWORK FOR MIGRATING APPLICATIONS ACROSS PUBLIC AND PRIVATE CLOUDS
Discussed herein are techniques for migrating an application from a source cloud environment (SCE) to a target cloud environment (TCE). Responsive to a request received by an application migration service (AMS) to migrate an application executed in a first compute instance in the SCE to a second compute instance in the TCE, the AMS authenticates credentials of a user with respect to the SCE. Upon the credentials being successfully authenticated, the AMS generates a public key and a private key. The public key is transmitted to a service manager that injects the public key into the application executed in the first compute instance, and the private key is assigned to a source agent. Using the private key, the source agent obtains one or more artifacts and configuration information that enable execution of the application; these are installed by a target agent in the second compute instance in the TCE.