Entity to authorize delegation of permissions

US 10,110,587 B2
Filed: 05/31/2017
Issued: 10/23/2018
Est. Priority Date: 03/22/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by one or more computing devices, a request from a security principal specifying a delegation profile of a user account associated with a service;

authorizing, by the one or more computing devices, the request by verifying that the security principal is authorized for the delegation profile according to a validation policy, the validation policy specifying a security principal authorized for the delegation profile, the delegation profile specifying one or more actions the security principal is allowed to perform with respect to the user account;

transmitting, by the one or more computing devices, one or more delegation credentials to the security principal, the one or more delegation credentials transmitted to authorize the security principal to perform the one or more actions with respect to the user account; and

authorizing the security principal to perform the one or more actions with respect to the user account based at least in part on the one or more delegation credentials.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, by one or more computing devices, a request from a security principal specifying a delegation profile of a user account associated with a service;
  
  authorizing, by the one or more computing devices, the request by verifying that the security principal is authorized for the delegation profile according to a validation policy, the validation policy specifying a security principal authorized for the delegation profile, the delegation profile specifying one or more actions the security principal is allowed to perform with respect to the user account;
  
  transmitting, by the one or more computing devices, one or more delegation credentials to the security principal, the one or more delegation credentials transmitted to authorize the security principal to perform the one or more actions with respect to the user account; and
  
  authorizing the security principal to perform the one or more actions with respect to the user account based at least in part on the one or more delegation credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein verifying that the security principal is authorized to assume the delegation profile comprises verifying that the security principal is specified in the delegation profile by way of a security token service.
  - 3. The computer-implemented method of claim 2, comprising providing the one or more delegation credentials to the security principal by way of the security token service.
  - 4. The computer-implemented method of claim 1, wherein the delegation profile includes an identifier and an authorization policy.
  - 5. The computer-implemented method of claim 1, wherein the delegation profile includes respective names for each of a plurality of security principals authorized for the delegation profile.
  - 6. The computer-implemented method of claim 1, wherein authorizing the security principal to perform the one or more actions comprises authorizing a reading of data, a modification of data, an accessing of secured resources in the user account, or any combination thereof.
  - 7. The computer-implemented method of claim 1, wherein the security principal authorized for the delegation profile is external to the user account.
  - 8. The computer-implemented method of claim 1, comprising receiving a second request from the security principal specifying the delegation profile, the second request including the one or more delegation credentials.
  - 9. The computer-implemented method of claim 8, comprising authorizing the second request to perform the one or more actions utilizing the one or more delegation credentials.

10. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- receive a request from a security principal specifying a delegation profile of a user account associated with a service;
  
  authorize the request by verifying that a security principal is authorized for the delegation profile according to a validation policy, the validation policy specifying a security principal authorized for the delegation profile, the delegation profile specifying one or more actions the security principal is allowed to perform with respect to the user account;
  
  transmit one or more delegation credentials to the security principal, the delegation credentials transmitted to authorize the security principal to perform the one or more actions with respect to the user account; and
  
  authorize the security principal to perform the one or more actions with respect to the user account based at least in part on the delegation credentials.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The non-transitory computer-readable storage medium of claim 10, wherein the instructions comprise instructions to verify that the security principal is authorized for the delegation profile by verifying that the security principal is specified in the delegation profile by way of a security token service.
  - 12. The non-transitory computer-readable storage medium of claim 10, wherein the security principal authorized for the delegation profile is external to the user account.
  - 13. The non-transitory computer-readable storage medium of claim 10, wherein the delegation profile includes an identifier and an authorization policy.
  - 14. The non-transitory computer-readable storage medium of claim 10, wherein the instructions comprise instructions to authorize a second request to perform the one or more actions utilizing the one or more delegation credentials, the second request including the one or more delegation credentials.

15. A system, comprising:
- at least one processor; and
  
  at least one memory device including instructions, that when executed, cause the system to;
  
  receive a request from a security principal specifying a delegation profile of a user account associated with a service;
  
  authorize the request by verifying that the security principal is authorized for the delegation profile according to a validation policy, the validation policy specifying a security principal authorized for the delegation profile, the delegation profile specifying one or more actions the security principal is allowed to perform with respect to the user account; and
  
  transmit one or more delegation credentials to the security principal, the one or more delegation credentials transmitted to authorize the security principal to perform the one or more actions with respect to the user account; and
  
  authorize the security principal to perform the one or more actions with respect to the user account based at least in part on the one or more delegation credentials.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the instructions, when executed, cause the system to verify that the security principal is authorized by verifying that the security principal is specified in the delegation profile by way of a security token service.
  - 17. The system of claim 15, wherein the security principal authorized for the delegation profile is external to the user account.
  - 18. The system of claim 15, wherein the delegation profile includes an identifier and an authorization policy.
  - 19. The system of claim 15, wherein the instructions, when executed, cause the system to perform a reading of data, a modification of data, an accessing of secured resources in the user account, or any combination thereof, as the one or more actions.
  - 20. The system of claim 15, wherein the instructions, when executed, cause the system to authorize a second request to perform the one or more actions utilizing the one or more delegation credentials, the second request including the one or more delegation credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Fitch, Nathan R., O'Neill, Kevin Ross, Baer, Graeme D., Behm, Bradley Jeffery, Pratt, Brian Irl
Primary Examiner(s)
Brown, Anthony

Application Number

US15/610,295
Publication Number

US 20170272423A1
Time in Patent Office

510 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

Entity to authorize delegation of permissions

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Entity to authorize delegation of permissions

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links