Hierarchical policy-based shared resource access control

US 10,154,039 B1
Filed: 09/15/2017
Issued: 12/11/2018
Est. Priority Date: 08/06/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method carried out by one or more processors, of accessing shared computing resources, the method comprising:

generating, by the one or more processors, an access control list for a computing resource in a computing resource hierarchy in response to receiving a first request, wherein the access control list is generated after receiving the first request and wherein the generating the access control list comprises collecting available access control policies associated with one or more parent computing resources of the computing resource, the collecting comprising;

retrieving access control policies for the one or more parent computing resources that are contained within hierarchy levels in the computing resource hierarchy that are higher than a hierarchy level containing the computing resource and lower than or equal to a top hierarchy level of the computing resource hierarchy;

providing, by the one or more processors, the access control list for the computing resource in a response to the first request;

saving, by the one or more processors, the access control list for the computing resource; and

providing, by the one or more processors, the access control list for the computing resource in response to a subsequent request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control for shared computing resources in a hierarchical system is provided herein. An as-needed, “lazy evaluation” approach to access control is described in which an effective access control list for a computing resource is determined after a request is received from a user to access the resource. When resources are shared, access control policies are created and stored in association with the shared resource but are not stored in association with hierarchically related lower-level resources. When an access request for a resource is received, access control policies are collected for levels of a computing resource hierarchy that are higher than the hierarchy level of the resource. An effective access control list is determined based on permissions specified in the collected access control policies. The effective access control list represents an effective propagation of access control policies of higher hierarchy levels to the computing resource.

25 Citations

View as Search Results

18 Claims

1. A computer-implemented method carried out by one or more processors, of accessing shared computing resources, the method comprising:
- generating, by the one or more processors, an access control list for a computing resource in a computing resource hierarchy in response to receiving a first request, wherein the access control list is generated after receiving the first request and wherein the generating the access control list comprises collecting available access control policies associated with one or more parent computing resources of the computing resource, the collecting comprising;
  
  retrieving access control policies for the one or more parent computing resources that are contained within hierarchy levels in the computing resource hierarchy that are higher than a hierarchy level containing the computing resource and lower than or equal to a top hierarchy level of the computing resource hierarchy;
  
  providing, by the one or more processors, the access control list for the computing resource in a response to the first request;
  
  saving, by the one or more processors, the access control list for the computing resource; and
  
  providing, by the one or more processors, the access control list for the computing resource in response to a subsequent request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the first request and the subsequent request are received from one or more user computers over a network.
  - 3. The computer-implemented method of claim 1, wherein the computing resource hierarchy is accessed through a web service.
  - 4. The computer-implemented method of claim 1, wherein the computing resource is a file and the computing resource hierarchy comprises a virtual file system.
  - 5. The computer-implemented method of claim 1, wherein the generating the access control list further comprises:
    - analyzing permissions specified in the collected access control policies.
  - 6. The computer-implemented method of claim 5, wherein:
    - the first request identifies a user for which access is requested;
      
      collecting the available access control policies for the one or more parent computing resources comprises collecting access control policies that are associated with the identified user; and
      
      the saving the access control policy comprises storing the generated effective access control list in association with the computing resource and the identified user.
  - 7. The computer-implemented method of claim 1, wherein:
    - the first request is a request to perform a function on the computing resource; and
      
      the method further comprises determining, based at least in part on the access control list, that the performing of the function is authorized.

8. One or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed, perform operations, the operations comprising:
- receiving a first request to perform a function on a computing resource in a computing resource hierarchy;
  
  generating an access control list for the computing resource, wherein the access control list is generated after receiving the first request, the generating comprising retrieving one or more access control policies associated with one or more parent computing resources of the computing resource in the computing resource hierarchy, the retrieving comprising;
  
  retrieving access control policies for the one or more parent computing resources that are contained within hierarchy levels in the computing resource hierarchy that are higher than a hierarchy level containing the computing resource and lower than or equal to a top hierarchy level of the computing resource hierarchy;
  
  determining whether the first request to perform the function on the computing resource is authorized based on the access control list for the computing resource;
  
  saving the access control list for the computing resource;
  
  receiving a subsequent request to perform the function on the computing resource; and
  
  determining whether the subsequent request is authorized using the saved access control list for the computing resource.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The one or more computer-readable storage media of claim 8, wherein the one or more parent computing resources comprise:
    - a first parent computing resource of the computing resource that is in a direct hierarchical relationship with the computing resource; and
      
      a second parent computing resource that is in a direct hierarchical relationship with the first parent computing resource.
  - 10. The one or more computer-readable storage media of claim 8, wherein the operations further comprise:
    - detecting a change to one of the one or more access control policies associated with the one or more parent computing resources; and
      
      deleting the access control policy for the computing resource.
  - 11. The one or more computer-readable storage media of claim 8, wherein the retrieving the one or more access control policies associated with the one or more parent computing resources further comprises:
    - searching for a previously determined access control list associated with a first parent computing resource of the computing resource;
      
      if the first parent computing resource is associated with a previously determined access control list, retrieving the previously determined access control list; and
      
      otherwise, retrieving an access control policy for the first parent computing resource and repeating the searching for a previously determined access control list for a second parent computing resource, wherein the second parent computing resource is a parent of the first parent computing resource.
  - 12. The one or more computer-readable storage media of claim 8, wherein:
    - the computing resource hierarchy is part of a virtual file system; and
      
      generating the access control list comprises accessing the virtual file system through a web service.
  - 13. The one or more computer-readable storage media of claim 8, wherein:
    - the operations further comprise identifying a user associated with the first request to perform the function on the computing resource; and
      
      associating the access control list with the computing resource and the identified user.
  - 14. The one or more computer-readable storage media of claim 13, wherein:
    - the operations further comprise examining an organization hierarchy comprising groups and sub-groups of users; and
      
      retrieving the access control policies related to one or more of the groups and/or sub-groups in the organization hierarchy of which the identified user is a member.
  - 15. The one or more computer-readable storage media of claim 8, wherein the first request and the subsequent request to perform the function on the computing resource are received from one or more user computers via a network.
  - 16. The one or more computer-readable storage media of claim 8, wherein the access control list represents an effective propagation of one or more access control policies associated with one or more parent computing resources to the computing resource.

17. One or more server computers implementing an access control system, the system comprising:
- one or more processors;
  
  one or more memories;
  
  a computing resource hierarchy comprising computing resources in multiple hierarchy levels;
  
  a computing resource access manager that;
  
  provides an access control list for a child computing resource in the computing resource hierarchy in response to receiving a first access request, wherein the access control list is generated after receiving the first request and wherein the access control list is generated by an analysis engine;
  
  saves the access control list; and
  
  provides the access control list for the child computing resource in response to receiving a subsequent access request; and
  
  the analysis engine, wherein;
  
  the generating the access control list resource comprises retrieving one or more access control policies associated with one or more parent computing resources of the child computing resource in the computing resource hierarchy, the retrieving comprising;
  
  retrieving access control policies for the one or more computing resources contained within levels in the computing resource hierarchy that are higher than a hierarchy level containing the child computing resource and lower than or equal to a top hierarchy level of the computing resource hierarchy.
- View Dependent Claims (18)
- - 18. The system of claim 17, wherein the access manager is configured to receive the first access request from a user computer via a computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Andruschuk, Borislav, Fowler, Kevin
Primary Examiner(s)
Zhao, Don G

Application Number

US15/706,349
Time in Patent Office

452 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

Hierarchical policy-based shared resource access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical policy-based shared resource access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links