In the context of computer networking, web services and other computing services provide a way to access software functionality that can be reused for a variety of purposes by different clients. In recent years, numerous service providers have emerged that provide technologies for delivering computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers those services. Ordinarily, such network-accessible service providers deliver applications via the internet as a metered service on behalf of an owner of the application. These applications are typically accessed from web browsers and from desktop and mobile apps by various end users, while the business software and data are stored on servers at a remote location that is managed by the service provider. In this manner, the owner of the application is relieved of the burden of having to build and maintain the various hardware and software infrastructure needed to run their application(s). In turn, this can cut down on costs and maintenance, improve reliability and scalability, and provide enhanced agility (time-to-market) for deploying new applications.
In this network-accessible service environment, security and identity management have become topics of some attention. For example, it is desirable for clients of the service provider to securely control access to their network-accessible services and resources. They often need to create and manage users on the system, and to grant access to various resources for users managed outside of the system, such as users in their own corporate directory. Furthermore, it may be tedious and inconvenient for clients to manually perform all of the security management, and a more automated approach is desirable.