Assigning policies for accessing multiple computing resource services

US 10,257,184 B1
Filed: 09/29/2014
Issued: 04/09/2019
Est. Priority Date: 09/29/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

as implemented by a policy management subsystem of a directory service, the directory service and policy management subsystem hosted by a first computing resource service provider system that comprises one or more computing devices configured with specific executable instructions,receiving, from an end user device, a request to access an executable application hosted by a second computing resource service provider system, the second computing resource service provider system located in a different region than the policy management subsystem, wherein access to the executable application is managed by a directory of the directory service;

receiving user credentials associated with a user from the end user device;

attempting to authenticate the user credentials;

identifying, in response to authentication of the user credentials, one or more policies applicable to the user and one or more policies applicable to a group to which the user belongs, wherein the identified policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to cause to be executed;

receiving, from the end user device, an indication of a selection of one or more policies from the identified policies;

transmitting, to a credential exchange subsystem of the second computing resource service provider system, a request for temporary credentials, wherein the temporary credentials enable the user to initiate execution of the executable application;

receiving the temporary credentials from the credential exchange subsystem; and

providing the end user device with access to the executable application based on the received temporary credentials and according to the selected one or more policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A centralized policy management may allow for one set of credentials to various applications and services offered by a computing resource service provider or other third-party servers. An entity responsible for the administration of a directory made available through a managed directory service may specify one or more policies for users and/or groups of users that utilize the directory. For example, the managed directory service may include a policy management subsystem that manages a set of policies for users and/or groups of users that controls a level of access to applications and services. Administrators can assign one or more policies to a user or a group of users and users can select one or more policies provided to the user by the administrator when attempting to access an application or service.

84 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- as implemented by a policy management subsystem of a directory service, the directory service and policy management subsystem hosted by a first computing resource service provider system that comprises one or more computing devices configured with specific executable instructions,receiving, from an end user device, a request to access an executable application hosted by a second computing resource service provider system, the second computing resource service provider system located in a different region than the policy management subsystem, wherein access to the executable application is managed by a directory of the directory service;
  
  receiving user credentials associated with a user from the end user device;
  
  attempting to authenticate the user credentials;
  
  identifying, in response to authentication of the user credentials, one or more policies applicable to the user and one or more policies applicable to a group to which the user belongs, wherein the identified policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to cause to be executed;
  
  receiving, from the end user device, an indication of a selection of one or more policies from the identified policies;
  
  transmitting, to a credential exchange subsystem of the second computing resource service provider system, a request for temporary credentials, wherein the temporary credentials enable the user to initiate execution of the executable application;
  
  receiving the temporary credentials from the credential exchange subsystem; and
  
  providing the end user device with access to the executable application based on the received temporary credentials and according to the selected one or more policies.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein attempting to authenticate the user credentials comprises:
    - transmitting a request to the directory service to authenticate the user credentials; and
      
      receiving results of an authentication performed by the directory service.
  - 3. The computer-implemented method of claim 1, wherein identifying one or more policies applicable to a group to which the user belongs comprises:
    - identifying a first group associated with the user in the directory;
      
      andquerying a policy mapping database to identify one or more policies associated with the first group.
  - 4. The computer-implemented method of claim 3, wherein the user credentials comprise a username and a password stored in the directory.
  - 5. The computer-implemented method of claim 1, wherein identifying one or more policies applicable to the user and one or more policies applicable to a group to which the user belongs comprises querying a policy mapping database that includes a mapping of users and groups to policies.
  - 6. The computer-implemented method of claim 5, wherein the policy mapping database includes a first policy and a second policy that are mapped to the user or the group.

7. A system comprising:
- a directory service hosted by a first computing resource service provider system, the directory service comprising;
  
  a policy mapping database configured to store policies and mappings of policies to users and groups; and
  
  a policy management subsystem comprising one or more computing devices, the policy management subsystem in communication with the policy mapping databases;
  
  wherein the policy management subsystem is configured to execute program instructions that direct the policy management subsystem to;
  
  receive, from an end user device, a request to access an executable application hosted by a second computing resource service provider system, the second computing resource service provider system located in a different region than the policy management subsystem, wherein access to the executable application is managed by a directory of the directory service;
  
  receive user credentials associated with a user from the end user device;
  
  attempt to authenticate the user credentials;
  
  identify, in response to authentication of the user credentials, one or more policies applicable to the user and one or more policies applicable to a group to which the user belongs based on data in the policy mapping database, wherein the identified policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to cause to be executed;
  
  receive, from the end user device, an indication of a selection of one or more policies from the identified policies;
  
  request temporary credentials from a subsystem of the second computing resource service provider system, wherein the temporary credentials enable the end user device to initiate execution of the executable application; and
  
  provide the end user device with access to the executable application according to the selected one or more policies.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, wherein the program instructions further direct the policy management subsystem attempt to authenticate the user credentials by requesting the directory service to authenticate the user credentials based on data present in the directory.
  - 9. The system of claim 7, wherein the program instructions further direct the policy management subsystem to:
    - identify a first group associated with the user in the directory;
      
      andquery the policy mapping database to identify one or more policies associated with the first group.
  - 10. The system of claim 9, wherein the user credentials comprise a username and a password stored in the directory.
  - 11. The system of claim 7, wherein the program instructions further direct the policy management subsystem to query the policy mapping database for policies that are mapped to the user and the group to identify the one or more policies applicable to the user and the one or more policies applicable to the group.
  - 12. The system of claim 11, wherein the policy mapping database includes a first policy and a second policy that are mapped to the user or the group.
  - 13. The system of claim 7, wherein the program instructions further direct the policy management subsystem to generate a uniform resource identifier of a user interface that provides access to the executable application.

14. A non-transitory computer storage system comprising a non-transitory storage device, said computer storage system having stored thereon executable program instructions that are configured to be executed by a first computing resource service provider system that hosts a directory service, the directory service including a policy management subsystem, wherein the program instructions direct the first computing resource service provider system to at least:
- receive, from an end user device, a request to access an executable application hosted by a second computing resource service provider system, the second computing resource service provider system located in a different region than the first computing resource service provider system, wherein access to the executable application is managed by a directory of the directory service;
  
  receive user credentials associated with a user from the end user device;
  
  attempt to authenticate the user credentials;
  
  identify, in response to authentication of the user credentials, two or more policies applicable to a group to which the user belongs, wherein the identified policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to cause to be executed;
  
  receive, from the end user device, an indication of a selection of one or more policies from the identified policies;
  
  request temporary credentials from a subsystem of the second computing resource service provider system; and
  
  provide the end user device with access to the executable application according to the selected one or more policies.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer storage system of claim 14, wherein the executable program instructions further direct the first computing resource service provider system to at least:
    - identify a first policy applicable to the user based on a query to a policy mapping database that includes mappings of policies to users and groups; and
      
      receive, from the end user device, an indication of a selection of the first policy.
  - 16. The non-transitory computer storage system of claim 15, wherein the executable program instructions further direct the first computing resource service provider system to at least provide the end user device with access to the executable application according to the first policy.
  - 17. The non-transitory computer storage system of claim 14, wherein the executable program instructions further direct the first computing resource service provider system to generate a uniform resource identifier of a user interface that provides access to the executable application.
  - 18. The non-transitory computer storage system of claim 14, wherein the executable program instructions further direct the first computing resource service provider system to at least:
    - identify a first group and a second group associated with the user in the directory;
      
      andquery a policy mapping database to identify one or more policies associated with the first group and one or more policies associated with the second group.
  - 19. The non-transitory computer storage system of claim 18, wherein the user credentials comprise a username and a password stored in the directory.
  - 20. The non-transitory computer storage system of claim 14, wherein the executable program instructions further direct the first computing resource service provider system to at least query a policy mapping database that includes a mapping of users and groups to policies to identify the one or more policies applicable to the group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Mehta, Gaurang Pankaj, Shah, Shon Kiran, Agrawal, Neelam Satish, Aung, Lawrence Hun-Gi
Primary Examiner(s)
Simitoski, Michael

Application Number

US14/500,432
Time in Patent Office

1,653 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04L 67/306   User profiles

Assigning policies for accessing multiple computing resource services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

84 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Assigning policies for accessing multiple computing resource services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others