Attribute-based access control using a dynamic expression engine

US11734053B2 · US · B2

Patent metadata
Publication number: US-11734053-B2
Application number: US-202117346099-A
Country: US
Kind code: B2
Filing date: Jun 11, 2021
Priority date: Aug 20, 2018
Publication date: Aug 22, 2023
Grant date: Aug 22, 2023

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A computer implemented method manages access to resources of a cloud platform. The method includes retrieving, at a computing device of the cloud platform, context data and loading policies for a requestor and an identified resource; combining, by the computing device, the loaded policies with the context data into a combined data structure; evaluating, by the computing device, a resource request and applying policies for the requestor based on the role of the requestor using the combined data structure; generating, by the computing device, resource permissions for the requestor; and returning, by the computing device, the resource permissions to the requestor.

Claims

Full claim text: three independent claims (1, 6 and 11), each followed by four dependent claims.

What is claimed is:

1. A computer implemented method of managing access to resources of a cloud platform that are made available to a tenant organization of the cloud platform comprising: retrieving, at a computing device of the cloud platform, context data and policies for a requestor and an identified resource, where the requestor is external to the cloud platform and is associated with an entity that is separate from the tenant organization and provides services to the tenant organization through the cloud platform in connection with a predefined role assigned to the requestor, wherein the requestor's access to resources of the cloud platform is determined based on the context data, policies, role and resource; combining, by the computing device, the policies with context data into a combined data structure, where the context data includes parameters of the policies to enable evaluation of dynamic expressions in the policies; generating, by the computing device, in response to receiving a request from the requestor for the identified resource, resource permissions for the requestor using the combined data structure by evaluating the parameters of the policies in the context data that are applicable to the role of the requestor and the identified resource; and returning, by the computing device, the resource permissions to the requestor.

2. The method of claim 1, further comprising: receiving the request for the identified resource from the requestor, the request including an identifier for the resource and requestor information.

3. The method of claim 1, further comprising: checking a context cache for the context data for the requestor and the identified resource; determining that the context data is present in the context cache; and loading the context data in response to the determining.

4. The method of claim 1, wherein the role assigned to the requestor can be specific to any one or more of a tenant organization of the cloud platform, or a workplace of a tenant organization.

5. The method of claim 1, wherein the resource permissions are provided to an application programming interface (API) of the cloud platform to be enforced for functions of the API.

6. A non-transitory machine-readable storage medium that provides instructions that, if executed by a processor, will cause said processor to perform operations to manage access to resources of a cloud platform that are made available to a tenant organization of the cloud platform, the operations comprising: retrieving context data and policies for a requestor and an identified resource, where the requestor is external to the cloud platform and is associated with an entity that is separate from the tenant organization and provides services to the tenant organization through the cloud platform in connection with a predefined role assigned to the requestor, wherein the requestor's access to resources of the cloud platform is determined based on the context data, policies, role and resource; combining the policies with context data into a combined data structure, where the context data includes parameters of the policies to enable evaluation of dynamic expressions in the policies; generating in response to receiving a request from the requestor for the identified resource, resource permissions for the requestor using the combined data structure by evaluating the parameters of the policies in the context data that are applicable to the role of the requestor and the identified resource; and returning the resource permissions to the requestor.

7. The non-transitory machine-readable medium of claim 6, the operations further comprising: receiving the request for the identified resource from the requestor, the request including an identifier for the resource and requestor information.

8. The non-transitory machine-readable medium of claim 6, the operations further comprising: checking a context cache for the context data for the requestor and the identified resource; determining that the context data is present in the context cache; and loading the context data in response to the determining.

9. The non-transitory machine-readable medium of claim 6, wherein the role assigned to the requestor can be specific to any one or more of a tenant organization of the cloud platform, or a workplace of a tenant organization.

10. The non-transitory machine-readable medium of claim 6, wherein the resource permissions are provided to an application programming interface (API) of the cloud platform to be enforced for functions of the API.

11. A computing device in a cloud platform, the computing device implementing a method of managing access to resources of a cloud platform that are made available to a tenant organization of the cloud platform comprising: a non-transitory machine-readable medium having stored therein a permissions manager; and one or more processors coupled to the non-transitory machine-readable medium, the one or more processors configurable to execute the permissions manager to retrieve context data and policies for a requestor and an identified resource, where the requestor is external to the cloud platform and is associated with an entity that is separate from the tenant organization and provides services to the tenant organization through the cloud platform in connection with a predefined role assigned to the requestor, wherein the requestor's access to resources of the cloud platform is determined based on the context data, policies, role and resource; to combine the policies with context data into a combined data structure, where the context data includes parameters of the policies to enable evaluation of dynamic expressions in the policies; to generate in response to receiving a request from the requestor for the identified resource, resource permissions for the requestor using the combined data structure by evaluating the parameters of the policies in the context data that are applicable to the role of the requestor and the identified resource; and to return the resource permissions to the requestor.

12. The computing device of claim 11, wherein the permissions manager is further to receive the request for the identified resource from the requestor, the request including an identifier for the resource and requestor information.

13. The computing device of claim 11, wherein the permission manager is further to check a context cache for the context data for the requestor and the identified resource, to determine that the context data is present in the context cache, and to load the context data in response to the determining.

14. The computing device of claim 11, wherein the role assigned to the requestor can be specific to any one or more of a tenant organization of the cloud platform, or a workplace of a tenant organization.

15. The computing device of claim 11, wherein the resource permissions are provided to an application programming interface (API) of the cloud platform to be enforced for functions of the API.
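The procedure the abstract and claims describe (retrieve context data and policies for the requestor and the identified resource, consult a context cache, combine policies and context into one data structure, evaluate the dynamic expressions applicable to the requestor's role and the resource, and return the resulting permissions for the API layer to enforce), as an added Python example. This is not the patent's or Salesforce's code: the policy format, the req/res/ctx names, the PermissionsManager class and the sample tenants, roles and tickets are hypothetical and were chosen for illustration.

```python
import ast
import operator
from dataclasses import dataclass

# Restricted expression engine: a policy condition is parsed into an AST and
# walked with a whitelist of node types, so it can compare attributes of the
# combined data structure but cannot call functions, import modules or reach
# interpreter internals the way eval() on the same string would allow.
_COMPARE = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
            ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}

class PolicyExpressionError(ValueError):
    """Raised for any construct, name or parameter outside the whitelist."""

def _eval_node(node, scope):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, scope)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in scope:
            raise PolicyExpressionError(f"unknown name {node.id!r}")
        return scope[node.id]
    if isinstance(node, ast.Attribute):           # req.tenant, ctx.mfa, ...
        base = _eval_node(node.value, scope)
        if not isinstance(base, dict) or node.attr not in base:
            raise PolicyExpressionError(f"unknown parameter {node.attr!r}")
        return base[node.attr]
    if isinstance(node, ast.BoolOp):
        values = (_eval_node(v, scope) for v in node.values)
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):
        left = _eval_node(node.left, scope)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _COMPARE:
                raise PolicyExpressionError(f"{type(op).__name__} not allowed")
            right = _eval_node(comparator, scope)
            if not _COMPARE[type(op)](left, right):
                return False
            left = right
        return True
    raise PolicyExpressionError(f"{type(node).__name__} not allowed")

def evaluate_expression(expr: str, scope: dict) -> bool:
    return bool(_eval_node(ast.parse(expr, mode="eval"), scope))

@dataclass(frozen=True)
class Policy:
    role: str           # predefined role the policy applies to
    resource_type: str  # kind of resource it governs
    permission: str     # permission granted when the condition holds
    condition: str      # dynamic expression over req / res / ctx

class PermissionsManager:
    def __init__(self, policies, load_context):
        self._policies = list(policies)
        self._load_context = load_context  # (requestor, resource) -> ctx dict
        self._context_cache = {}           # the claims' "context cache"

    def _context(self, requestor, resource):
        key = (requestor["id"], resource["id"])
        if key not in self._context_cache:
            self._context_cache[key] = self._load_context(requestor, resource)
        return self._context_cache[key]

    def permissions_for(self, requestor, resource):
        # retrieve context and the policies for this role and resource type
        ctx = self._context(requestor, resource)
        applicable = [p for p in self._policies
                      if p.role == requestor["role"]
                      and p.resource_type == resource["type"]]
        # combine the policies' inputs into one structure the engine evaluates
        combined = {"req": requestor, "res": resource, "ctx": ctx}
        granted = set()
        for policy in applicable:
            try:  # a malformed or out-of-scope condition grants nothing
                if evaluate_expression(policy.condition, combined):
                    granted.add(policy.permission)
            except (PolicyExpressionError, SyntaxError):
                continue
        return frozenset(granted)  # handed to the API layer for enforcement

# Constructed sample data (hypothetical, not taken from the patent).
POLICIES = [
    Policy("contractor", "ticket", "read",
           "req.tenant == res.tenant and req.partner in res.shared_with"),
    Policy("contractor", "ticket", "write",
           "req.tenant == res.tenant and req.partner in res.shared_with and ctx.mfa"),
    Policy("admin", "ticket", "delete", "req.tenant == res.tenant"),
]
TICKET = {"id": "t-1", "type": "ticket", "tenant": "acme", "shared_with": ["helpdesk-co"]}
FOREIGN = {"id": "t-2", "type": "ticket", "tenant": "globex", "shared_with": ["helpdesk-co"]}
CONTRACTOR = {"id": "ext-42", "role": "contractor", "tenant": "acme", "partner": "helpdesk-co"}

def load_context(requestor, resource):
    # stands in for the platform's context lookup; here MFA is simply
    # asserted for one requestor so the ctx.mfa parameter has two outcomes
    return {"mfa": requestor["id"] == "ext-42"}

def demo():
    manager = PermissionsManager(POLICIES, load_context)
    no_mfa = dict(CONTRACTOR, id="ext-7")
    return {
        "same_tenant_mfa": manager.permissions_for(CONTRACTOR, TICKET),
        "same_tenant_no_mfa": manager.permissions_for(no_mfa, TICKET),
        "cross_tenant": manager.permissions_for(CONTRACTOR, FOREIGN),
    }
```

The dynamic expressions are the security-relevant part of this design: if the permissions manager evaluated policy strings with eval(), anyone able to author a policy would have code execution inside the component that decides every tenant's access, so the example walks a whitelisted AST and fails closed on any unknown name, parameter or construct. The tenant equality check written into each condition is what confines an external requestor to the tenant it serves. The claims describe the context cache only as keyed by requestor and resource; in practice a cached context that outlives a revoked session or a dropped MFA factor keeps granting, so an invalidation or expiry rule belongs next to the cache.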

Assignees

Salesforce Inc

Inventors

Classifications

  • G06F9/468 (Primary): Specific access rights for resources, e.g. using capability register

  • CPC title only (code not shown on this page): considering the load

  • G06F9/5072 (Primary): Grid computing

  • CPC title only (code not shown on this page): via adapters, e.g. between incompatible applications

  • CPC title only (code not shown on this page): Cache consistency protocols

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11734053B2 cover?
A computer implemented method manages access to resources of a cloud platform. The method includes retrieving, at a computing device of the cloud platform, context data and load policies for a requestor and an identified resource, combining, by the computing device, loaded policies with context data into a combined data structure, evaluating, by the computing device, a resource request and appl…
Who is the assignee on this patent?
Salesforce Inc
What technology area does this patent fall under?
Primary CPC classification G06F9/468. Mapped technology areas include Physics.
When was this patent published?
Publication date Aug 22, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).