FINE-GRAINED STRUCTURED DATA STORE ACCESS USING FEDERATED IDENTITY MANAGEMENT
Abstract
A structured data store service, such as a database service, may implement fine-grained access to data maintained at the database service using federated identity. Fine-grained access requests may be received at a database service for specified data maintained for an application provider from a client of the application provider. An access credential may also be received. Verification of the access credential may be obtained, and the database service may evaluate the fine-grained access request according to a delegation policy corresponding to the access credential to determine whether the fine-grained access request is authorized. If authorized, the fine-grained access request may be serviced. If not authorized, the fine-grained access request may be denied. In some embodiments, multiple application clients may have the same authorization for data, such as read authorization, while one or more other application clients may have different authorization for the data, such as write authorization.
Claims (41)

1-21. (canceled)
22. A system, comprising:
one or more hardware processors; and
memory storing program instructions that when executed implement a delegation service to:
send, in response to a first request from a client, a delegated access credential to the client to permit access to a database, wherein the delegated access credential is associated with a delegation policy allowing access to only a sub-set of a table in the database; and
send, in response to a second request from the database including the delegated access credential, the delegation policy to the database.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30.
31. A computer-implemented method, comprising:
sending, in response to a first request from a client, a delegated access credential to the client to permit access to a database, wherein the delegated access credential is associated with a delegation policy allowing access to only a sub-set of a table in the database; and
sending, in response to a second request from the database including the delegated access credential, the delegation policy to the database.
Dependent claims: 32, 33, 34, 35, 36.
37. A non-transitory computer-readable storage medium storing program instructions that when executed by one or more hardware processors cause the one or more hardware processors to:
send, in response to a first request from a client, a delegated access credential to the client to permit access to a database, wherein the delegated access credential is associated with a delegation policy allowing access to only a sub-set of a table in the database; and
send, in response to a second request from the database including the delegated access credential, the delegation policy to the database.
Dependent claims: 38, 39, 40, 41.
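The three-party exchange the abstract and claims describe (the client obtains a delegated credential on a first request, the database presents that credential to the delegation service on a second request and receives the policy, then evaluates the fine-grained request against a sub-set of one table), as an added Python simulation that is not part of the patent or of any product. The sample table, user names, policy fields and the row-ownership rule are assumptions chosen to show read-only and read/write delegations side by side.

```python
import secrets
from collections import namedtuple
# Constructed sample table for one application provider (hypothetical users).
ORDERS = [
    {"order_id": 1, "owner": "alice", "item": "book", "cc_last4": "1234"},
    {"order_id": 2, "owner": "bob", "item": "lamp", "cc_last4": "9876"},
    {"order_id": 3, "owner": "alice", "item": "pen", "cc_last4": "1234"},
]
# A policy scopes a credential to a sub-set of one table: owner's rows, allowed columns, ops.
DelegationPolicy = namedtuple("DelegationPolicy", "table ops columns owner")
class DelegationService:
    """Issues opaque credentials (first request) and returns the bound policy
    to the database (second request); the client never holds the policy."""
    def __init__(self):
        self._policies = {}
    def issue(self, policy):
        token = secrets.token_urlsafe(16)  # unguessable handle
        self._policies[token] = policy
        return token
    def lookup(self, token):
        return self._policies.get(token)   # None for unknown or forged tokens
class DatabaseService:
    def __init__(self, delegation, tables):
        self.delegation, self.tables = delegation, tables
    def access(self, token, table, op, columns, rows=()):
        policy = self.delegation.lookup(token)  # verify credential, fetch policy
        if policy is None or policy.table != table or op not in policy.ops:
            return None                    # denied: unknown credential, wrong table or op
        if not all(set(c) <= policy.columns for c in (columns, *rows)):
            return None                    # denied: a column outside the delegated sub-set
        if op == "read":                   # only the owner's rows, only allowed columns
            return [{c: r[c] for c in columns}
                    for r in self.tables[table] if r["owner"] == policy.owner]
        self.tables[table].extend({**r, "owner": policy.owner} for r in rows)
        return len(rows)                   # write: the database stamps the owner
def demo():
    ds = DelegationService()
    db = DatabaseService(ds, {"orders": [dict(r) for r in ORDERS]})
    cols = frozenset({"order_id", "item"})          # cc_last4 is never delegated
    alice = ds.issue(DelegationPolicy("orders", {"read"}, cols, "alice"))
    bob_rw = ds.issue(DelegationPolicy("orders", {"read", "write"}, cols, "bob"))
    return {
        "alice_read": db.access(alice, "orders", "read", ["order_id", "item"]),
        "alice_cc": db.access(alice, "orders", "read", ["cc_last4"]),
        "alice_write": db.access(alice, "orders", "write", [], [{"item": "x"}]),
        "forged": db.access("not-a-real-token", "orders", "read", ["item"]),
        "bob_write": db.access(bob_rw, "orders", "write", [], [{"order_id": 4, "item": "mug"}]),
        "bob_read": db.access(bob_rw, "orders", "read", ["item"]),
    }
```

Every denial returns None rather than a partial result, so a request that names one disallowed column or operation is refused as a whole.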
Specification