Assigning policies for accessing multiple computing resource services
First Claim
1. A computer-implemented method, comprising:
as implemented by a policy management subsystem of a directory service, the directory service and policy management subsystem hosted by a first computing resource service provider system that comprises one or more computing devices configured with specific executable instructions, receiving, from an end user device, a request to access an executable application hosted by a second computing resource service provider system, the second computing resource service provider system located in a different region than the policy management subsystem, wherein access to the executable application is managed by a directory of the directory service;
receiving user credentials associated with a user from the end user device;
attempting to authenticate the user credentials;
identifying, in response to authentication of the user credentials, one or more policies applicable to the user and one or more policies applicable to a group to which the user belongs, wherein the identified policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to cause to be executed;
receiving, from the end user device, an indication of a selection of one or more policies from the identified policies;
transmitting, to a credential exchange subsystem of the second computing resource service provider system, a request for temporary credentials, wherein the temporary credentials enable the user to initiate execution of the executable application;
receiving the temporary credentials from the credential exchange subsystem; and
providing the end user device with access to the executable application based on the received temporary credentials and according to the selected one or more policies.
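The claim above describes a flow rather than code: authenticate the user, collect the policies mapped to the user and to the user's groups, let the user pick a subset of those policies, exchange that selection for short-lived credentials, and then allow only what the selected policies permit. The following is an added illustration of that flow and is not code from the patent or from any product; every name, the policy mapping data, the PBKDF2-based credential store and the `CredentialExchange` stand-in for the remote credential exchange subsystem are constructed assumptions. The check worth noting is in `request_access`: a user may narrow the identified policy set but never widen it, and the issued credentials carry only the selected policies plus an expiry.

```python
"""Toy model of the claimed flow (constructed example, not the patent's code):
a directory-service policy management subsystem authenticates a user, unions
user-level and group-level policies, validates the user's selection against
that set, and exchanges the selection for temporary, policy-scoped credentials.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set

# Constructed policy mapping database: policy name -> applications it allows.
POLICIES = {
    "finance-readonly": {"ledger-viewer"},
    "finance-admin": {"ledger-viewer", "ledger-editor"},
    "hr-tools": {"payroll"},
}
USER_POLICIES = {"alice": {"finance-admin"}}
GROUP_POLICIES = {"finance": {"finance-readonly"}, "hr": {"hr-tools"}}
USER_GROUPS = {"alice": {"finance"}}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: salted PBKDF2 hashes, never plaintext passwords.
_SALT = os.urandom(16)
CREDENTIAL_STORE = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


def authenticate(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users still pay the hashing cost."""
    entry = CREDENTIAL_STORE.get(username)
    if entry is None:
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


def identify_policies(username: str) -> Set[str]:
    """Union of policies mapped to the user and to each group the user is in."""
    applicable = set(USER_POLICIES.get(username, set()))
    for group in USER_GROUPS.get(username, set()):
        applicable |= GROUP_POLICIES.get(group, set())
    return applicable


@dataclass(frozen=True)
class TemporaryCredentials:
    token: str
    subject: str
    policies: FrozenSet[str]
    expires_at: float

    def allows(self, application: str, now: Optional[float] = None) -> bool:
        """An application may launch only while unexpired and only if some
        selected policy lists it."""
        now = time.time() if now is None else now
        if now >= self.expires_at:
            return False
        return any(application in POLICIES[p] for p in self.policies)


class CredentialExchange:
    """Stand-in for the second provider's credential exchange subsystem
    (assumed interface: issue(subject, policies) -> TemporaryCredentials)."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds

    def issue(self, subject: str, policies: Iterable[str],
              now: Optional[float] = None) -> TemporaryCredentials:
        now = time.time() if now is None else now
        return TemporaryCredentials(secrets.token_urlsafe(32), subject,
                                    frozenset(policies), now + self.ttl)


def request_access(username: str, password: str, selected: Iterable[str],
                   exchange: CredentialExchange,
                   now: Optional[float] = None) -> TemporaryCredentials:
    """Policy management subsystem entry point: returns scoped credentials or
    raises PermissionError."""
    if not authenticate(username, password):
        raise PermissionError("authentication failed")
    identified = identify_policies(username)
    chosen = set(selected)
    # The user may narrow, but never widen, the set the directory identified.
    if not chosen or not chosen <= identified:
        raise PermissionError(
            f"selection {sorted(chosen)} not within identified {sorted(identified)}")
    return exchange.issue(username, chosen, now)


if __name__ == "__main__":
    creds = request_access("alice", "correct horse", ["finance-readonly"],
                           CredentialExchange())
    print("ledger-viewer:", creds.allows("ledger-viewer"))   # allowed
    print("ledger-editor:", creds.allows("ledger-editor"))   # not in selection
```

Selecting `finance-readonly` alone yields credentials that cannot launch `ledger-editor` even though the user's own mapping (`finance-admin`) would permit it, which is the least-privilege benefit of letting the user pick a narrower policy set at sign-in; a selection naming `hr-tools`, which no mapping grants the user, is rejected before any credential exchange happens.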
Abstract
Centralized policy management may allow one set of credentials to be used for various applications and services offered by a computing resource service provider or other third-party servers. An entity responsible for the administration of a directory made available through a managed directory service may specify one or more policies for users and/or groups of users that utilize the directory. For example, the managed directory service may include a policy management subsystem that manages a set of policies for users and/or groups of users and thereby controls a level of access to applications and services. Administrators can assign one or more policies to a user or a group of users, and users can select one or more of the policies provided to them by the administrator when attempting to access an application or service.
20 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6.
7. A system comprising:
a directory service hosted by a first computing resource service provider system, the directory service comprising:
a policy mapping database configured to store policies and mappings of policies to users and groups; and
a policy management subsystem comprising one or more computing devices, the policy management subsystem in communication with the policy mapping databases;
wherein the policy management subsystem is configured to execute program instructions that direct the policy management subsystem to:
receive, from an end user device, a request to access an executable application hosted by a second computing resource service provider system, the second computing resource service provider system located in a different region than the policy management subsystem, wherein access to the executable application is managed by a directory of the directory service;
receive user credentials associated with a user from the end user device;
attempt to authenticate the user credentials;
identify, in response to authentication of the user credentials, one or more policies applicable to the user and one or more policies applicable to a group to which the user belongs based on data in the policy mapping database, wherein the identified policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to cause to be executed;
receive, from the end user device, an indication of a selection of one or more policies from the identified policies;
request temporary credentials from a subsystem of the second computing resource service provider system, wherein the temporary credentials enable the end user device to initiate execution of the executable application; and
provide the end user device with access to the executable application according to the selected one or more policies.
Dependent claims: 8, 9, 10, 11, 12, 13.
14. A non-transitory computer storage system comprising a non-transitory storage device, said computer storage system having stored thereon executable program instructions that are configured to be executed by a first computing resource service provider system that hosts a directory service, the directory service including a policy management subsystem, wherein the program instructions direct the first computing resource service provider system to at least:
receive, from an end user device, a request to access an executable application hosted by a second computing resource service provider system, the second computing resource service provider system located in a different region than the first computing resource service provider system, wherein access to the executable application is managed by a directory of the directory service;
receive user credentials associated with a user from the end user device;
attempt to authenticate the user credentials;
identify, in response to authentication of the user credentials, two or more policies applicable to a group to which the user belongs, wherein the identified policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to cause to be executed;
receive, from the end user device, an indication of a selection of one or more policies from the identified policies;
request temporary credentials from a subsystem of the second computing resource service provider system; and
provide the end user device with access to the executable application according to the selected one or more policies.
Dependent claims: 15, 16, 17, 18, 19, 20.
Specification