TECHNIQUES FOR DELEGATION OF ACCESS PRIVILEGES

US 20140310769A1
Filed: 06/26/2014
Published: 10/16/2014
Est. Priority Date: 05/31/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems configured with executable instructions,receiving information indicating one or more permissions specified by a delegator;

generating credential information encoding the one or more permissions consistent with a policy set maintained independently from the generated credential information, the policy set being modifiable after generating the credential information to revoke access specified by the delegator by at least modifying the policy such that set the one or more permissions specified by the delegator conflicts with the policy set or modifying the policy set that the delegator'"'"'s ability to delegate has been revoked;

receiving, from a delegatee, a request to access a resource, the request including the generated credential information;

determining, based at least in part on the permissions encoded by the received generated credential information and at least in part on the policy set, whether to provide to the delegatee access to the resource; and

providing to the delegatee access to the resources based at least in part on the determination that the policy set still allows the delegator to delegate access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.

Citations

20 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving information indicating one or more permissions specified by a delegator;
  
  generating credential information encoding the one or more permissions consistent with a policy set maintained independently from the generated credential information, the policy set being modifiable after generating the credential information to revoke access specified by the delegator by at least modifying the policy such that set the one or more permissions specified by the delegator conflicts with the policy set or modifying the policy set that the delegator'"'"'s ability to delegate has been revoked;
  
  receiving, from a delegatee, a request to access a resource, the request including the generated credential information;
  
  determining, based at least in part on the permissions encoded by the received generated credential information and at least in part on the policy set, whether to provide to the delegatee access to the resource; and
  
  providing to the delegatee access to the resources based at least in part on the determination that the policy set still allows the delegator to delegate access.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein:
    - the delegator is governed by a set of one or more permissions that have been delegated to the delegator using other generated credential information;
      
      determining whether to provide the access to the one or more computing resources includes determining whether the delegator is allowed the access to the one or more computing resources at least by the set of one or more permissions that have been delegated to the delegator; and
      
      determining whether to provide the access to the one or more computing resources is contingent on at least a determination that the policy set allows the delegator the access to the one or more computing resources.
  - 3. The computer-implemented method of claim 1, wherein determining to provide access to the resources includes determining whether the policy set still allows the delegator to delegate access.
  - 4. The computer-implemented method of claim 1, wherein at least one or the one or more permissions includes a permission not granted to the delegatee in the policy set.

5. A system, comprising:
- one or more processors; and
  
  memory, including executable instructions that, when executed by the one or more processors, cause the system to at least;
  
  generate, under authority of a delegator, a session credential in response to a first request to initiate a session, the session credential encoding at least one or more permissions and governed at least in part by a policy set, the policy set being modifiable after generating the session credential;
  
  process a revocation of an ability of the delegator to delegate at least some access to the one or more computing resources thereby causing the encoded at least one or more permissions to conflict at least in part with the policy; and
  
  as a result of the session credential being presented by a user in connection with a second request to access the one or more computing resources, where fulfillment of the request is in accordance with the encoded one or more permissions and unaffected by the revocation, enable the user to access the one or more computing resources based at least in part on the session credential.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein the one or more computing resources are accessible by submitting requests to a service that, upon receipt of each of at least a subset of the requests, determines whether the policy set allow fulfillment of the request.
  - 7. The system of claim 5, wherein the instructions that cause the system to determine that the policy set still allows the delegator to delegate access further include instructions, that when executed by the one or more processors, cause the system to encode a claim about the user that is required for access to the one or more computing resources.
  - 8. The system of claim 5, wherein the one or more permissions includes an identifier of one or more users to whom the permissions apply, wherein the user is included in the one or more users.
  - 9. The system of claim 5, wherein the instructions that cause the system to generate the session credential further include instructions, that when executed by the one or more processors, cause the system to receive, from the delegator, information specifying the one or more permissions.
  - 10. The system of claim 5, wherein the one or more policies require delegation of access to the one or more computing resources by multiple delegators and the session credential comprises multiple credentials, each generated in response to an action taken by a different delegator.
  - 11. The system of claim 5, wherein the session credential was generated in response to the delegator having requested initiation of the session.
  - 12. The system of claim 5, wherein the instructions that cause the system to determine that the policy set still allows the delegator to delegate access further include instructions, that when executed by the one or more processors, cause the system to determine whether the request was made within a time period for which the session credential valid.

13. A non-transitory computer-readable storage medium having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- receive, from a delegatee, a request to access one or more computing resources and credential information that encodes one or more policies for accessing the one or more computing resources, the credential information generated under authority of a delegator;
  
  determine, whether the requested access to the one or more computing resources is both allowed by the encoded one or more policies and still delegable by the delegator; and
  
  when determined that the requested access to the one or more computing resources is both allowed by the encoded one or more policies and still delegable by the delegator, provide access to the one or more computing resources.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to encode a claim indicating an authentication process completed by a user.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to generated the credential information based at least in part on one or more actions of the delegator.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the instructions that cause the computer system to receive the request to access the one or more computing resources further include instructions that cause the computer system to receive, from the delegator, one or more permissions useable in generating the one or more policies.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the instructions that cause the computer system to receive, form the delegator, one or more permissions further include instructions that cause the computer system to receive an identifier of one or more users to whom the permissions apply.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the instructions that cause the computer system to provide access to the one or more computing resources further include instructions that cause the computer system to provide greater access to a delegatee than the delegator based at least in part on the credential information.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the instructions that cause the computer system to provide access to the one or more computing resources further include instructions that cause the computer system to communicate with a system external to the computer system.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to modify the policy set by at least modifying information contained in a centralized policy management service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
O'Neill, Kevin Ross, Roth, Gregory B., Brandwine, Eric Jason, Pratt, Brian Irl, Behm, Bradley Jeffery, Fitch, Nathan R.

Granted Patent

US 11,102,189 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

H04L 9/3213   using tickets or tokens, e....

TECHNIQUES FOR DELEGATION OF ACCESS PRIVILEGES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR DELEGATION OF ACCESS PRIVILEGES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links