TECHNIQUES FOR DELEGATION OF ACCESS PRIVILEGES
First Claim
1. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions, receiving information indicating one or more permissions specified by a delegator;
generating credential information encoding the one or more permissions consistent with a policy set maintained independently from the generated credential information, the policy set being modifiable after generating the credential information to revoke access specified by the delegator by at least modifying the policy set such that the one or more permissions specified by the delegator conflicts with the policy set or modifying the policy set that the delegator's ability to delegate has been revoked;
receiving, from a delegatee, a request to access a resource, the request including the generated credential information;
determining, based at least in part on the permissions encoded by the received generated credential information and at least in part on the policy set, whether to provide to the delegatee access to the resource; and
providing to the delegatee access to the resources based at least in part on the determination that the policy set still allows the delegator to delegate access.
Abstract
Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
20 Claims
5. A system, comprising:
one or more processors; and
memory, including executable instructions that, when executed by the one or more processors, cause the system to at least:
generate, under authority of a delegator, a session credential in response to a first request to initiate a session, the session credential encoding at least one or more permissions and governed at least in part by a policy set, the policy set being modifiable after generating the session credential;
process a revocation of an ability of the delegator to delegate at least some access to the one or more computing resources thereby causing the encoded at least one or more permissions to conflict at least in part with the policy; and
as a result of the session credential being presented by a user in connection with a second request to access the one or more computing resources, where fulfillment of the request is in accordance with the encoded one or more permissions and unaffected by the revocation, enable the user to access the one or more computing resources based at least in part on the session credential.
13. A non-transitory computer-readable storage medium having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
receive, from a delegatee, a request to access one or more computing resources and credential information that encodes one or more policies for accessing the one or more computing resources, the credential information generated under authority of a delegator;
determine whether the requested access to the one or more computing resources is both allowed by the encoded one or more policies and still delegable by the delegator; and
when determined that the requested access to the one or more computing resources is both allowed by the encoded one or more policies and still delegable by the delegator, provide access to the one or more computing resources.
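The two-part check recited in claims 1 and 13 (permissions encoded in the credential, plus a policy set that is kept separately and can be edited after issuance to revoke access), as an added Python example that is not taken from the patent. The HMAC-signed token format, the principal `alice`, the permission names and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # assumption: secret held only by the service

# Policy set: stored apart from issued credentials and editable after issuance.
# Principal and permission names are constructed for this example.
policy_set = {"alice": {"allowed": {"storage:read", "storage:write"}, "can_delegate": True}}

def _sign(body):
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()

def issue_credential(delegator, permissions):
    """Encode the delegator's chosen permissions if the policy set allows them."""
    entry = policy_set.get(delegator)
    if not entry or not entry["can_delegate"] or not set(permissions) <= entry["allowed"]:
        raise PermissionError("delegation conflicts with the policy set")
    body = json.dumps({"delegator": delegator, "permissions": sorted(permissions)}).encode()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(_sign(body)).decode()

def authorize(credential, action):
    """Grant only if the credential encodes the action AND the current policy
    set still lets the delegator delegate it."""
    try:
        body_b64, tag_b64 = credential.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # malformed credential (binascii.Error is a ValueError)
        return False
    if not hmac.compare_digest(tag, _sign(body)):
        return False  # forged or tampered credential
    claims = json.loads(body)
    if action not in claims["permissions"]:
        return False  # never delegated
    entry = policy_set.get(claims["delegator"])
    return bool(entry and entry["can_delegate"] and action in entry["allowed"])

def revoke_delegation(delegator):
    """Revocation path 1: the delegator may no longer delegate at all."""
    policy_set[delegator]["can_delegate"] = False

def remove_permission(delegator, action):
    """Revocation path 2: make the encoded permission conflict with the policy set."""
    policy_set[delegator]["allowed"].discard(action)

if __name__ == "__main__":
    cred = issue_credential("alice", ["storage:read"])
    print(authorize(cred, "storage:read"))
    revoke_delegation("alice")
    print(authorize(cred, "storage:read"))
```

Because the policy set is consulted on every request, an already issued credential stops working as soon as either revocation path is applied, without reissuing or blacklisting the credential itself.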