Managing Security Groups for Data Instances

US 20100251339A1
Filed: 03/31/2009
Published: 09/30/2010
Est. Priority Date: 03/31/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of recovering managing security permissions for a data environment using a separate control environment, comprising:

under control of one or more computer systems configured with executable instructions,receiving, to the control environment, a request from a customer to update a control security group for a data instance in the data environment;

if the control security group does not exist, creating at least one control security group in the control environment and associating each control security group with a native security group in the data environment corresponding to the data instance;

updating at least one permission for the control security group in response to the request, the permission determining an access level of each member of the control security group to the data instance; and

storing each updated permission for use in determining subsequent access to the data instance by a member of the control security group,wherein access to the data instance through the data environment is controlled by the permissions of the control security group and requests updating the control security group are restricted to being processed by the control environment, andwherein each permission of the control security group is capable of being updated using the control environment without affecting an availability of the data instance in the data environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access level and security group information can be updated for a data instance without having to take down or recycle the instance. A data instance created in a data environment will have at least one default security group. Permissions can be applied to the default security group to limit access via the data environment. A control security group can be created in a control environment and associated with the default security group. Permissions can be applied and updated with respect to the control security group without modifying the default security group, such that the data instance does not need to be recycled or otherwise made unavailable. Requests to perform actions with respect to the control security groups are made via the control environment, while allowing native access to the data via the data environment.

221 Citations

25 Claims

1. A computer-implemented method of recovering managing security permissions for a data environment using a separate control environment, comprising:
- under control of one or more computer systems configured with executable instructions,receiving, to the control environment, a request from a customer to update a control security group for a data instance in the data environment;
  
  if the control security group does not exist, creating at least one control security group in the control environment and associating each control security group with a native security group in the data environment corresponding to the data instance;
  
  updating at least one permission for the control security group in response to the request, the permission determining an access level of each member of the control security group to the data instance; and
  
  storing each updated permission for use in determining subsequent access to the data instance by a member of the control security group,wherein access to the data instance through the data environment is controlled by the permissions of the control security group and requests updating the control security group are restricted to being processed by the control environment, andwherein each permission of the control security group is capable of being updated using the control environment without affecting an availability of the data instance in the data environment.
- View Dependent Claims (2, 3)
- - 2. The computer-implemented method of claim 1, wherein:
    - multiple control security groups are associated with the data instance for the customer, each control security group having at least one of a different set of permissions and a different set of members.
  - 3. The computer-implemented method of claim 1, wherein:
    - updating the control security group includes at least one of adding a new control security group, deleting the control security group, adding at least one user, deleting at least one user, updating a password for the control security group, and modifying an access level of the control security group to the data instance in the data environment.

4. A computer-implemented method of cloning a data instance in a data environment using a separate control environment, comprising:
- under control of one or more computer systems configured with executable instructions,receiving, to the control environment, a request from a customer to update a control security group for a data instance in the data environment, the control security group being associated with a native security group for the data instance in the data environment;
  
  updating the control security group in response to the request, the control security group determining an access level of each member of the control security group to the data instance; and
  
  storing the updated control security group for use in determining subsequent access to the data instance by a member of the control security group,wherein the updating of the control security group does not change the association of the control security group to the native security group, such that the updating does not impact an availability of the data instance in the data environment.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The computer-implemented method of claim 4, wherein:
    - requests affecting the control security group are restricted to being processed by the control environment.
  - 6. The computer-implemented method of claim 4, wherein:
    - the request is a Web services call received to an externally-facing application programming interface (API) of the control environment.
  - 7. The computer-implemented method of claim 4, wherein:
    - updating the control security group includes at least one of adding a new control security group, deleting the control security group, adding at least one user, deleting at least one user, updating a password for the control security group, and modifying an access level of the control security group to the data instance in the data environment.
  - 8. The computer-implemented method of claim 4, wherein:
    - the request is received to a Web services layer including components operable to perform at least one task selected from the group consisting of authenticating users based on credentials, authorizing users, throttling user requests, and marshalling or unmarshalling requests and responses.
  - 9. The computer-implemented method of claim 4, further comprising:
    - in response to receiving the request, storing information for the request to a job queue.
  - 10. The computer-implemented method of claim 9, further comprising:
    - in response to detecting the information stored in the job queue, assembling and executing a workflow to manage updating the control security group.
  - 11. The computer-implemented method of claim 4, wherein:
    - information for the updated control security group is communicated to a host manager for the data instance in the data environment.
  - 12. The computer-implemented method of claim 4, further comprising:
    - providing separate interfaces in the control environment enabling a user to submit requests to add, delete, and modify user information for a control security group.

13. A system for controlling a data environment using a separate control environment, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  receive, to the control environment, a request from a customer to update a control security group for a data instance in the data environment, the control security group being associated with a native security group for the data instance in the data environment;
  
  update the control security group in response to the request, the control security group determining an access level of each member of the control security group to the data instance; and
  
  storing the updated control security group for use in determining subsequent access to the data instance by a member of the control security group,wherein the updating of the control security group does not change the association of the control security group to the native security group, such that the updating does not impact an availability of the data instance in the data environment.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein:
    - requests affecting the control security group are restricted to being processed by the control environment.
  - 15. The system of claim 13, wherein:
    - updating the control security group includes at least one of adding a new control security group, deleting the control security group, adding at least one user, deleting at least one user, updating a password for the control security group, and modifying an access level of the control security group to the data instance in the data environment.
  - 16. The system of claim 13, wherein the memory further includes instructions that, when executed by the at least one processor, cause the system to:
    - in response to receiving the request, store information for the request to a job queue.
  - 17. The system of claim 16, wherein the memory further includes instructions that, when executed by the at least one processor, cause the system to:
    - in response to detecting the information stored in the job queue, assemble and execute a workflow to manage updating the control security group.
  - 18. The system of claim 13, wherein:
    - information for the updated control security group is communicated to a host manager for the data instance in the data environment.
  - 19. The system of claim 13, wherein:
    - multiple control security groups are associated with the data instance for the customer, each control security group having at least one of a different set of permissions and a different set of members.

20. A computer program product embedded in a computer-readable medium and including instructions that, when executed by at least one computing device, cause the at least one computing device to:
- receive, to the control environment, a request from a customer to update a control security group for a data instance in the data environment, the control security group being associated with a native security group for the data instance in the data environment;
  
  update the control security group in response to the request, the control security group determining an access level of each member of the control security group to the data instance; and
  
  storing the updated control security group for use in determining subsequent access to the data instance by a member of the control security group,wherein the updating of the control security group does not change the association of the control security group to the native security group, such that the updating does not impact an availability of the data instance in the data environment.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The computer program product of claim 20, wherein:
    - requests affecting the control security group are restricted to being processed by the control environment.
  - 22. The computer program product of claim 20, wherein:
    - updating the control security group includes at least one of adding a new control security group, deleting the control security group, adding at least one user, deleting at least one user, updating a password for the control security group, and modifying an access level of the control security group to the data instance in the data environment.
  - 23. The computer program product of claim 20, further including instructions that, when executed by at least one computing device, cause the at least one computing device to:
    - in response to receiving the request, store information for the request to a job queue.
  - 24. The computer program product of claim 23, further including instructions that, when executed by at least one computing device, cause the at least one computing device to:
    - in response to detecting the information stored in the job queue, assemble and execute a workflow to manage updating the control security group.
  - 25. The computer program product of claim 20, wherein:
    - information for the updated control security group is communicated to a host manager for the data instance in the data environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
McAlister, Grant Alexander MacDonald

Granted Patent

US 9,705,888 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/604 Tools and structures for ma...

H04L 63/104 Grouping of entities

Managing Security Groups for Data Instances

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

221 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Managing Security Groups for Data Instances

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

221 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links