Assigning policies for accessing multiple computing resource services

US 10,652,235 B1
Filed: 03/04/2019
Issued: 05/12/2020
Est. Priority Date: 09/29/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first computing resource service provider system comprising a plurality of computing devices, the first computing resource service provider system hosting a directory service that comprises a policy mapping database that maps policies to users, the policies specifying access rights of users to applications, including applications not hosted by the first computing resource service provider system;

wherein the directory service manages user access to an application hosted by a second computing resource service provider system that is separate from the first computing resource service provider system;

wherein the directory service is responsive to a request from a user device to access the application by implementing a process that comprises;

authenticating user credentials received from the user device, the user credentials associated with a user;

identifying, based on the policy mapping database, one or more policies applicable to the user, wherein the identified one or more policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to cause to be executed;

determine, based on the one or more policies, that the user device is authorized to initiate execution of the application; and

request temporary credentials from the second computing resource service provider system, wherein the temporary credentials enable the user device to initiate execution of the application.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A centralized policy management may allow for one set of credentials to various applications and services offered by a computing resource service provider or other third-party servers. An entity responsible for the administration of a directory made available through a managed directory service may specify one or more policies for users and/or groups of users that utilize the directory. For example, the managed directory service may include a policy management subsystem that manages a set of policies for users and/or groups of users that controls a level of access to applications and services. Administrators can assign one or more policies to a user or a group of users and users can select one or more policies provided to the user by the administrator when attempting to access an application or service.

58 Citations

18 Claims

1. A system comprising:
- a first computing resource service provider system comprising a plurality of computing devices, the first computing resource service provider system hosting a directory service that comprises a policy mapping database that maps policies to users, the policies specifying access rights of users to applications, including applications not hosted by the first computing resource service provider system;
  
  wherein the directory service manages user access to an application hosted by a second computing resource service provider system that is separate from the first computing resource service provider system;
  
  wherein the directory service is responsive to a request from a user device to access the application by implementing a process that comprises;
  
  authenticating user credentials received from the user device, the user credentials associated with a user;
  
  identifying, based on the policy mapping database, one or more policies applicable to the user, wherein the identified one or more policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to cause to be executed;
  
  determine, based on the one or more policies, that the user device is authorized to initiate execution of the application; and
  
  request temporary credentials from the second computing resource service provider system, wherein the temporary credentials enable the user device to initiate execution of the application.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein identifying one or more policies applicable to the user comprises identifying a policy applicable to a group to which the user belongs.
  - 3. The system of claim 1, wherein the process comprises receiving from the user device an indication of a user selection of one of a plurality of policies applicable to the user.
  - 4. The system of claim 1, wherein the directory service comprises a directory that manages access to the application, and the directory service is configured to use data stored in the directory to authenticate the user device.
  - 5. The system of claim 1, wherein the process further comprises:
    - generating, in association with the request, a uniform resource identifier of a user interface that provides access to the application; and
      
      transmitting the uniform resource identifier to the user device.
  - 6. The system of claim 1, wherein the user credentials comprise a username and password.

7. A computer implemented method, comprising:
- by a first computing resource service provider system comprising a plurality of computing devices, the first computing resource service provider system hosting a directory service that comprises a policy mapping database that maps policies to users, the policies specifying access rights of users to applications, including applications not hosted by the first computing resource service provider system;
  
  receiving a request from a user device to access an application hosted by a second computing resource service provider system that is separate from the first computing resource service provider system, wherein the directory service manages user access to the application;
  
  authenticating user credentials received from the user device, the user credentials associated with a user;
  
  identifying, based on the policy mapping database, one or more policies applicable to the user, wherein the identified one or more policies specify which applications, of a plurality of applications managed by the directory service, the user is authorized to access;
  
  determine, based on the one or more policies, that the user device is authorized to initiate execution of the application; and
  
  request temporary credentials from the second computing resource service provider system, wherein the temporary credentials enable the user device to initiate execution of the application.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer implemented method claim 7, wherein identifying one or more policies applicable to the user comprises identifying a policy applicable to a group to which the user belongs.
  - 9. The computer implemented method claim 7, further comprising receiving from the user device an indication of a user selection of one of a plurality of policies applicable to the user.
  - 10. The computer implemented method claim 7, wherein the directory service comprises a directory that manages access to the application, and the method further comprises using data stored in the directory to authenticate the user device.
  - 11. The computer implemented method claim 7, further comprising:
    - generating, in association with the request, a uniform resource identifier of a user interface that provides access to the application; and
      
      transmitting the uniform resource identifier to the user device.
  - 12. The computer implemented method claim 7, wherein the user credentials comprise a username and password.

13. Non-transitory computer storage that comprises executable program instructions that direct one or more computing devices of a first computing resource service provider system to implement a process that comprises:
- implementing a directory service that comprises a directory that manages access to applications, including an application that is hosted on a second computing resource service provider system external to the first computing resource service provider system;
  
  maintaining a policy mapping database that maps policies to users, the policies specifying access rights of users to the applications;
  
  receiving a request from a user device to access the application;
  
  authenticating user credentials received from the user device, the user credentials associated with a user;
  
  identifying, based on the policy mapping database, one or more policies applicable to the user, wherein the identified one or more policies specify which applications managed by the directory service the user is authorized to access; and
  
  determining, based on the one or more policies, that the user is authorized to initiate execution of the application; and
  
  obtain temporary credentials from the second computing resource service provider system, wherein the temporary credentials enable the user device to initiate execution of the application.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer storage of claim 13, wherein identifying one or more policies applicable to the user comprises identifying a policy applicable to a group to which the user belongs.
  - 15. The non-transitory computer storage of claim 13, further comprising receiving from the user device an indication of a user selection of one of a plurality of policies applicable to the user.
  - 16. The non-transitory computer storage of claim 13, wherein the process comprises using data stored in the directory to authenticate the user device.
  - 17. The non-transitory computer storage of claim 13, further comprising:
    - generating, in association with the request, a uniform resource identifier of a user interface that provides access to the application; and
      
      transmitting the uniform resource identifier to the user device.
  - 18. The non-transitory computer storage of claim 13, wherein the user credentials comprise a username and password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Mehta, Gaurang Pankaj, Shah, Shon Kiran, Agrawal, Neelam Satish, Aung, Lawrence Hun-Gi
Primary Examiner(s)
Simitoski, Michael

Application Number

US16/291,511
Time in Patent Office

435 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04L 67/306   User profiles

Assigning policies for accessing multiple computing resource services

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Assigning policies for accessing multiple computing resource services

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others