Entity to authorize delegation of permissions

US 8,966,570 B1
Filed: 03/22/2012
Issued: 02/24/2015
Est. Priority Date: 03/22/2012
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for asynchronous permission delegation, said method comprising:

defining, by a hardware processor, a delegation profile associated with an account, the delegation profile including (a) a validation policy that specifies one or more security principals that are permitted to operate in a security context of the delegation profile under a set of conditions, and (b) an authorization policy specifying permitted actions for the one or more security principals operating in the security context of the delegation profile;

granting permission to at least one user of the account to use the delegation profile;

receiving a request for a set of credentials from a service, the request including information for selecting the delegation profile associated with the account;

providing the request for the set of credentials from the service to a security token service for verification;

verifying, by the security token service, that the service is authorized in the delegation profile as the one of the one or more security principals that are permitted to operate in the security context of the delegation profile;

granting the set of credentials to the service if the service is one of the one or more security principals identified by the validation policy of the delegation profile; and

providing the set of credentials to the service if the service is verified to be one of the one or more security principals identified in the validation policy of the delegation profile as selected based on the information included in the request, the credentials enabling requests to be made in the account within the security context of the delegation profile and subject to the authorization policy of the delegation profile.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

19 Citations

View as Search Results

30 Claims

1. A computer implemented method for asynchronous permission delegation, said method comprising:
- defining, by a hardware processor, a delegation profile associated with an account, the delegation profile including (a) a validation policy that specifies one or more security principals that are permitted to operate in a security context of the delegation profile under a set of conditions, and (b) an authorization policy specifying permitted actions for the one or more security principals operating in the security context of the delegation profile;
  
  granting permission to at least one user of the account to use the delegation profile;
  
  receiving a request for a set of credentials from a service, the request including information for selecting the delegation profile associated with the account;
  
  providing the request for the set of credentials from the service to a security token service for verification;
  
  verifying, by the security token service, that the service is authorized in the delegation profile as the one of the one or more security principals that are permitted to operate in the security context of the delegation profile;
  
  granting the set of credentials to the service if the service is one of the one or more security principals identified by the validation policy of the delegation profile; and
  
  providing the set of credentials to the service if the service is verified to be one of the one or more security principals identified in the validation policy of the delegation profile as selected based on the information included in the request, the credentials enabling requests to be made in the account within the security context of the delegation profile and subject to the authorization policy of the delegation profile.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the account resides on a service provider that provides network-accessible services, the account being assigned to at least one customer of the service provider, the account being associated with a set of resources and a plurality of principals that use the set of resources.
  - 3. The method of claim 2, wherein the service is one of a plurality of services offered by the service provider.
  - 4. The method of claim 1, wherein the set of credentials is used by the service to make requests in the account in conjunction with a set of additional credentials held by the service.
  - 5. The method of claim 1, wherein the delegation profile further includes an identifier of the principal that is allowed to use the delegation profile;
    - andwherein receiving the request for the set of credentials from the service further includes receiving a unique identifier along with the request from the service, and verifying that the unique identifier matches the identifier in the delegation profile.
  - 6. The method of claim 1, further comprising:
    - logging the one or more actions that were performed by the service in the account while acting under the delegation profile.

7. A computer implemented method for permission delegation, said method comprising:
- creating, by a hardware processor, a delegation profile in an account, the account being maintained by a service provider that provides network accessible services, the account being associated with a set of resources, the delegation profile identifying (a) one or more security principals that are allowed to operate on the resources in the account and (b) a set of permissions for the one or more security principals;
  
  receiving, by the service provider, a request from an entity for a set of credentials that allows access to the account, the request including information for selecting the delegation profile in the account;
  
  verifying whether the entity has been identified in the delegation profile as one of the one or more security principals that are authorized to act under the delegation profile; and
  
  issuing the set of credentials to the entity if the entity is verified to be one of the one or more security principals identified in the delegation profile selected in the account based on the information included in the request, the set of credentials enabling the entity to act on the resources in the account as the one or more security principals identified by the delegation profile subject to the permissions specified in the delegation profile.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 8. The method of claim 7, wherein the entity is at least one user of a second account on the service provider.
  - 9. The method of claim 7, wherein the entity is at least one service that resides externally with respect to the account.
  - 10. The method of claim 7, wherein creating the delegation profile on the account further includes:
    - granting explicit permission to one or more users of the account, the permission allowing the one or more users to provide references to the delegation profile to external entities that reside outside of the account.
  - 11. The method of claim 7, wherein the authorized user of the account is associated with a unique identifier on the entity, and wherein the entity provides the unique identifier along with the reference to the delegation profile upon submitting the request for the credentials.
  - 12. The method of claim 7, wherein the service provider offers an interface to create the delegation profile based on input received from an administrator associated with the account.
  - 13. The method of claim 12, wherein the permissions of the delegation profile are restricted to a scope that is less than or equal to the permissions of a caller invoking the interface.
  - 14. The method of claim 7, wherein the entity is a service and wherein the one or more security principals identified in the delegation profile are associated with resources that are modeled within the service.
  - 15. The method of claim 14, wherein the resources are able to perform one or more actions within the account, the actions being subject to the permissions identified in the delegation profile.
  - 16. The method of claim 14, wherein the service receives a request to associate the delegation profile with a resource modeled within the service, the request received from a user of the account.
  - 17. The method of claim 16 wherein upon receiving the request, the service verifies that the user has permissions to specify the delegation profile to the service.
  - 18. The method of claim 14 wherein the service is operated by a second service provider, the second service provider being separate and independent from the service provider.

19. A computing system including at least one storage memory containing instructions and one or more hardware processors that execute the instructions to perform a set of operations comprising:
- defining a delegation profile associated with an account on a service provider, the delegation profile including (a) a validation policy that identifies one or more security principals that are allowed to operate on resources of the account and (b) an authorization policy that identifies a set of permissions for the one or more security principals;
  
  receiving, from an external entity, a request for a set of credentials that allow access to the account, the request including information for selecting the delegation profile associated with the account;
  
  verifying whether the external entity has been identified in the delegation profile as one of the one or more security principals that are authorized to act under the delegation profile; and
  
  issuing the set of credentials to the external entity if the external entity is verified to be one of the one or more security principals identified in the delegation profile as selected based on the information included in the request, the set of credentials enabling the external entity to act on the resources in the account as the one or more security principals identified by the delegation profile subject to the permissions specified in the authorization policy of the delegation profile.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The computing system of claim 19, wherein the external entity is at least one user of a second account on the service provider.
  - 21. The computing system of claim 19, wherein the external entity is at least one service that resides externally with respect to the account.
  - 22. The computing system of claim 19, wherein defining the delegation profile on the account further includes:
    - granting explicit permission to one or more users of the account, allowing the one or more users to provide references to the delegation profile to external entities that reside outside of the account.
  - 23. The computing system of claim 19, wherein the service provider offers an interface to create the delegation profile based on input received from an administrator associated with the account.
  - 24. The computing system of claim 19, wherein providing access to the entity further includes:
    - receiving an assertion of an active identity in the account from the entity and associating requests made by the entity with the active identity in the account.

25. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of operations comprising:
- constructing a delegation profile in at least one of a plurality of accounts on a service provider, the delegation profile identifying (a) one or more principals that are allowed to act on resources in the account and (b) a set of permissions for the one or more principals;
  
  receiving a request from an entity for a set of credentials that allows access to the account, the request including information for selecting the delegation profile in at least one of the plurality of accounts;
  
  verifying whether the entity was identified as one of the one or more principals in the delegation profile selected in at least one of the plurality of accounts based on the information included in the request;
  
  issuing the set of credentials to the entity if the entity has been verified to have been identified in the delegation profile as the one of the one or more principals; and
  
  providing access to the entity if the entity is verified to be one of the one or more security principals identified in the delegation profile, the access enabling the entity to act on the resources in the account as the one or more security principals identified by the delegation profile subject to the permissions specified in the delegation profile.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The non-transitory computer readable storage medium of claim 25, wherein the entity is at least one user of a second account of the plurality of accounts on the service provider.
  - 27. The non-transitory computer readable storage medium of claim 25, wherein the entity is at least one service that resides externally with respect to the account.
  - 28. The non-transitory computer readable storage medium of claim 25, wherein an authorized user of the account is associated with a unique identifier on the entity, and wherein the entity provides the unique identifier along with the reference to the delegation profile upon submitting the request for the credentials.
  - 29. The non-transitory computer readable storage medium of claim 25, wherein the service provider offers an interface to create the delegation profile based on input received from an administrator associated with the account.
  - 30. The non-transitory computer readable storage medium of claim 29, wherein the permissions of the delegation profile are restricted to a scope that is less than or equal to the permissions of a caller invoking the interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Fitch, Nathan R., O'Neill, Kevin Ross, Baer, Graeme D., Behm, Bradley Jeffery, Pratt, Brian Irl
Primary Examiner(s)
Pyzocha, Michael
Assistant Examiner(s)
Brown, Demaris

Application Number

US13/427,622
Time in Patent Office

1,069 Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H05K 999/99   dummy group

Entity to authorize delegation of permissions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Entity to authorize delegation of permissions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links