ACCESS CONTROL POLICIES ASSOCIATED WITH FREEFORM METADATA
Abstract
Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.
23 Claims
1. A computer implemented method for using tags to control access to resources, said method comprising:
- under the control of one or more computer systems configured with executable instructions, associating a first access control policy and a second access control policy with a metadata tag, the first access control policy identifying which principals are allowed to assign the metadata tag to at least one computing resource, the second access control policy identifying operations that are allowed or not allowed to be performed on resources associated with the metadata tag;
- receiving, from a user using an application programming interface (API), a request to assign the metadata tag to the at least one computing resource;
- evaluating the first access control policy and assigning the metadata tag to the computing resource in response to determining that the first access control policy allows the user to assign the metadata tag;
- receiving a request to perform an operation on the computing resource;
- evaluating the second access control policy associated with the metadata tag; and
- authorizing the request to perform the operation on the computing resource based at least in part on evaluation of the second access control policy.
(Dependent claims 2 and 3 not shown.)
4. A computer implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions, receiving, from a user, a request to access a computing resource, the computing resource having freeform metadata associated therewith;
- retrieving an access control policy associated with the freeform metadata; and
- evaluating the access control policy to control access to the computing resource based at least in part on the freeform metadata associated with the computing resource.
(Dependent claims 5 through 11 not shown.)
12. A computing system, comprising:
- at least one processor; and
- memory including instructions that, when executed by the at least one processor, cause the computing system to: receive, from a user, a request to access a computing resource, the computing resource having freeform metadata associated therewith; retrieve an access control policy associated with the freeform metadata; and evaluate the access control policy to control access to the computing resource based at least in part on the freeform metadata associated with the computing resource.
(Dependent claims 13 through 17 not shown.)
18. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of operations comprising:
- receiving, from a user, a request to access a computing resource, the computing resource having freeform metadata associated therewith;
- retrieving an access control policy associated with the freeform metadata; and
- evaluating the access control policy to control access to the computing resource based at least in part on the freeform metadata associated with the computing resource.
(Dependent claims 19 through 23 not shown.)
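The following is an added worked example, written for this page and not taken from the patent or any product implementing it. It models the two-policy scheme of claim 1 (a policy on who may assign a tag, and a policy on which operations tagged resources permit) and the freeform-metadata lookup of claims 4, 12 and 18. The tag strings, principal names, operation names and the combining rule (explicit deny wins, otherwise at least one tag must allow the operation, untagged resources are denied) are assumptions made for the example; the claims do not specify them.

```python
"""Tag-based access control modelled on the claims above (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TagPolicy:
    """The two policies the claim associates with one metadata tag."""
    assigners: frozenset[str]                  # first policy: principals who may attach the tag
    allowed_ops: frozenset[str]                # second policy: operations permitted on tagged resources
    denied_ops: frozenset[str] = frozenset()   # second policy: operations explicitly forbidden


@dataclass
class Resource:
    name: str
    tags: set[str] = field(default_factory=set)   # freeform "key=value" metadata strings


class TagAccessControl:
    def __init__(self, policies: dict[str, TagPolicy]) -> None:
        self.policies = policies
        self.audit: list[tuple[str, ...]] = []   # decision log for detection / review

    def assign_tag(self, principal: str, tag: str, resource: Resource) -> bool:
        """Evaluate the first policy before the tag is attached (claim 1, steps 2-3)."""
        policy = self.policies.get(tag)
        # A tag with no registered policy is refused: freeform metadata with nothing
        # behind it would otherwise let any caller mint tags that later steer authorization.
        allowed = policy is not None and principal in policy.assigners
        if allowed:
            resource.tags.add(tag)
        self.audit.append(("assign", principal, tag, resource.name, "ALLOW" if allowed else "DENY"))
        return allowed

    def authorize(self, principal: str, operation: str, resource: Resource) -> bool:
        """Evaluate the second policy of every tag on the resource (claim 1, steps 4-6).
        Combining rule (assumed, not stated in the claims): any explicit deny wins,
        otherwise some tag must allow the operation; an untagged resource is denied."""
        explicit_allow = False
        for tag in sorted(resource.tags):
            policy = self.policies.get(tag)
            if policy is None:
                continue
            if operation in policy.denied_ops:
                self.audit.append(("op", principal, operation, resource.name, f"DENY by {tag}"))
                return False
            if operation in policy.allowed_ops:
                explicit_allow = True
        self.audit.append(("op", principal, operation, resource.name, "ALLOW" if explicit_allow else "DENY"))
        return explicit_allow


def build_demo() -> TagAccessControl:
    """Constructed sample policies: a restricted 'env=prod' tag and a looser 'data=public' tag."""
    return TagAccessControl({
        "env=prod": TagPolicy(assigners=frozenset({"platform-admin"}),
                              allowed_ops=frozenset({"Describe", "Start", "Stop"}),
                              denied_ops=frozenset({"Terminate"})),
        "data=public": TagPolicy(assigners=frozenset({"platform-admin", "dev"}),
                                 allowed_ops=frozenset({"Describe", "Terminate"})),
    })


def run_scenario() -> dict[str, bool]:
    """Walk through tag assignment and operation authorization on a sample resource."""
    ac = build_demo()
    vm = Resource("vm-1")
    return {
        "dev assigns env=prod": ac.assign_tag("dev", "env=prod", vm),                 # not an assigner
        "admin assigns env=prod": ac.assign_tag("platform-admin", "env=prod", vm),
        "dev assigns data=public": ac.assign_tag("dev", "data=public", vm),
        "dev assigns owner=dev": ac.assign_tag("dev", "owner=dev", vm),               # no policy for tag
        "Stop on vm-1": ac.authorize("dev", "Stop", vm),                              # allowed by env=prod
        "Terminate on vm-1": ac.authorize("dev", "Terminate", vm),                    # env=prod deny wins
        "Reboot on vm-1": ac.authorize("dev", "Reboot", vm),                          # no tag allows it
        "Describe on untagged": ac.authorize("dev", "Describe", Resource("vm-2")),    # default deny
    }


if __name__ == "__main__":
    for label, ok in run_scenario().items():
        print(f"{label:26s} -> {'ALLOW' if ok else 'DENY'}")
```

The point worth noticing is the first policy: because tags are freeform and later drive authorization, the right to attach a tag is itself a privilege, so an unregistered tag is refused rather than silently accepted, and every assignment and authorization decision is logged so that tag changes can be audited alongside the operations they enabled.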