Assigning policies for accessing multiple computing resource services
First Claim
1. A system comprising:
- a first computing resource service provider system comprising a plurality of computing devices, the first computing resource service provider system hosting a directory service that comprises a policy mapping database that maps policies to users, the policies specifying access rights of users to applications, including applications not hosted by the first computing resource service provider system;
wherein the directory service manages user access to an application hosted by a second computing resource service provider system that is separate from the first computing resource service provider system;
wherein the directory service is responsive to a request from a user device to access the application by implementing a process that comprises:
authenticating user credentials received from the user device, the user credentials associated with a user;
identifying, based on the policy mapping database, one or more policies applicable to the user, wherein the identified one or more policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to cause to be executed;
determine, based on the one or more policies, that the user device is authorized to initiate execution of the application; and
request temporary credentials from the second computing resource service provider system, wherein the temporary credentials enable the user device to initiate execution of the application.
Abstract
Centralized policy management may allow one set of credentials to be used for various applications and services offered by a computing resource service provider or other third-party servers. An entity responsible for administering a directory made available through a managed directory service may specify one or more policies for users and/or groups of users that utilize the directory. For example, the managed directory service may include a policy management subsystem that manages a set of policies for users and/or groups of users and that controls the level of access to applications and services. Administrators can assign one or more policies to a user or a group of users, and users can select one or more of the policies provided by the administrator when attempting to access an application or service.
18 Claims
1. A system comprising: the elements set out under First Claim above.
Dependent claims: 2, 3, 4, 5, 6.
7. A computer implemented method, comprising:
- by a first computing resource service provider system comprising a plurality of computing devices, the first computing resource service provider system hosting a directory service that comprises a policy mapping database that maps policies to users, the policies specifying access rights of users to applications, including applications not hosted by the first computing resource service provider system:
receiving a request from a user device to access an application hosted by a second computing resource service provider system that is separate from the first computing resource service provider system, wherein the directory service manages user access to the application;
authenticating user credentials received from the user device, the user credentials associated with a user;
identifying, based on the policy mapping database, one or more policies applicable to the user, wherein the identified one or more policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to access;
determine, based on the one or more policies, that the user device is authorized to initiate execution of the application; and
request temporary credentials from the second computing resource service provider system, wherein the temporary credentials enable the user device to initiate execution of the application.
Dependent claims: 8, 9, 10, 11, 12.
13. Non-transitory computer storage that comprises executable program instructions that direct one or more computing devices of a first computing resource service provider system to implement a process that comprises:
- implementing a directory service that comprises a directory that manages access to applications, including an application that is hosted on a second computing resource service provider system external to the first computing resource service provider system;
maintaining a policy mapping database that maps policies to users, the policies specifying access rights of users to the applications;
receiving a request from a user device to access the application;
authenticating user credentials received from the user device, the user credentials associated with a user;
identifying, based on the policy mapping database, one or more policies applicable to the user, wherein the identified one or more policies specify which applications managed by the directory service the user is authorized to access;
determining, based on the one or more policies, that the user is authorized to initiate execution of the application; and
obtain temporary credentials from the second computing resource service provider system, wherein the temporary credentials enable the user device to initiate execution of the application.
Dependent claims: 14, 15, 16, 17, 18.
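The flow the independent claims describe (authenticate, look up the user's policies in the policy mapping database, decide whether the requested application is permitted, then obtain short-lived credentials from the second provider) as an added example written for this page, not code from the patent or any product. The credential store, policy mapping, application list and the `SecondProvider` class with its HMAC-signed tokens are all constructed assumptions.

```python
import hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed sample data (assumption, not from the patent): salted PBKDF2 credential
# hashes for the directory's users, and the policy mapping database.
_SALT = b"demo-salt"
def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)
CREDENTIALS = {"alice": _hash("correct horse"), "bob": _hash("hunter2")}
POLICY_MAP = {"alice": ["dev-tools", "docs"], "bob": ["docs"]}   # user -> policy names
POLICIES = {"dev-tools": {"ci-runner"}, "docs": {"wiki"}}        # policy -> app ids
EXTERNAL_APPS = {"ci-runner", "wiki"}  # apps hosted by the second provider

class SecondProvider:
    """Hypothetical external provider that issues short-lived credentials to the directory."""
    def __init__(self, ttl_seconds: int = 300):
        self._key = secrets.token_bytes(32)   # provider-side signing key, never shared
        self.ttl = ttl_seconds
    def issue_temporary_credentials(self, user: str, app: str) -> str:
        body = json.dumps({"sub": user, "app": app, "exp": int(time.time()) + self.ttl},
                          sort_keys=True)
        sig = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        return f"{body}|{sig}"
    def verify(self, token: str) -> Optional[dict]:
        """Accept only an untampered token that has not expired."""
        body, _, sig = token.rpartition("|")
        expected = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(body)
        return claims if claims["exp"] > time.time() else None

def authorized_apps(user: str) -> set:
    """Identify the user's policies and union the applications they permit."""
    return set().union(*(POLICIES.get(p, set()) for p in POLICY_MAP.get(user, [])))

def request_access(user: str, password: str, app: str,
                   provider: SecondProvider) -> Optional[str]:
    """Directory-service flow: authenticate, evaluate policies, then obtain credentials."""
    stored = CREDENTIALS.get(user)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        return None                      # authentication failed
    if app not in authorized_apps(user):
        return None                      # no assigned policy grants this application
    if app not in EXTERNAL_APPS:
        return None                      # not an application brokered to the second provider
    return provider.issue_temporary_credentials(user, app)
```

The user device never sees the provider's signing key or a long-lived secret; it receives only the expiring token, so a leaked token is bounded by `ttl_seconds`.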