Entity to authorize delegation of permissions
First Claim
1. A computer implemented method for asynchronous permission delegation, said method comprising:
- defining, by a hardware processor, a delegation profile associated with an account, the delegation profile including (a) a validation policy that specifies one or more security principals that are permitted to operate in a security context of the delegation profile under a set of conditions, and (b) an authorization policy specifying permitted actions for the one or more security principals operating in the security context of the delegation profile;
granting permission to at least one user of the account to use the delegation profile;
receiving a request for a set of credentials from a service, the request including information for selecting the delegation profile associated with the account;
providing the request for the set of credentials from the service to a security token service for verification;
verifying, by the security token service, that the service is authorized in the delegation profile as the one of the one or more security principals that are permitted to operate in the security context of the delegation profile;
granting the set of credentials to the service if the service is one of the one or more security principals identified by the validation policy of the delegation profile; and
providing the set of credentials to the service if the service is verified to be one of the one or more security principals identified in the validation policy of the delegation profile as selected based on the information included in the request, the credentials enabling requests to be made in the account within the security context of the delegation profile and subject to the authorization policy of the delegation profile.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
19 Citations
30 Claims
-
1. A computer implemented method for asynchronous permission delegation, said method comprising:
-
defining, by a hardware processor, a delegation profile associated with an account, the delegation profile including (a) a validation policy that specifies one or more security principals that are permitted to operate in a security context of the delegation profile under a set of conditions, and (b) an authorization policy specifying permitted actions for the one or more security principals operating in the security context of the delegation profile; granting permission to at least one user of the account to use the delegation profile; receiving a request for a set of credentials from a service, the request including information for selecting the delegation profile associated with the account; providing the request for the set of credentials from the service to a security token service for verification; verifying, by the security token service, that the service is authorized in the delegation profile as the one of the one or more security principals that are permitted to operate in the security context of the delegation profile; granting the set of credentials to the service if the service is one of the one or more security principals identified by the validation policy of the delegation profile; and providing the set of credentials to the service if the service is verified to be one of the one or more security principals identified in the validation policy of the delegation profile as selected based on the information included in the request, the credentials enabling requests to be made in the account within the security context of the delegation profile and subject to the authorization policy of the delegation profile. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A computer implemented method for permission delegation, said method comprising:
-
creating, by a hardware processor, a delegation profile in an account, the account being maintained by a service provider that provides network accessible services, the account being associated with a set of resources, the delegation profile identifying (a) one or more security principals that are allowed to operate on the resources in the account and (b) a set of permissions for the one or more security principals; receiving, by the service provider, a request from an entity for a set of credentials that allows access to the account, the request including information for selecting the delegation profile in the account; verifying whether the entity has been identified in the delegation profile as one of the one or more security principals that are authorized to act under the delegation profile; and issuing the set of credentials to the entity if the entity is verified to be one of the one or more security principals identified in the delegation profile selected in the account based on the information included in the request, the set of credentials enabling the entity to act on the resources in the account as the one or more security principals identified by the delegation profile subject to the permissions specified in the delegation profile. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A computing system including at least one storage memory containing instructions and one or more hardware processors that execute the instructions to perform a set of operations comprising:
-
defining a delegation profile associated with an account on a service provider, the delegation profile including (a) a validation policy that identifies one or more security principals that are allowed to operate on resources of the account and (b) an authorization policy that identifies a set of permissions for the one or more security principals; receiving, from an external entity, a request for a set of credentials that allow access to the account, the request including information for selecting the delegation profile associated with the account; verifying whether the external entity has been identified in the delegation profile as one of the one or more security principals that are authorized to act under the delegation profile; and issuing the set of credentials to the external entity if the external entity is verified to be one of the one or more security principals identified in the delegation profile as selected based on the information included in the request, the set of credentials enabling the external entity to act on the resources in the account as the one or more security principals identified by the delegation profile subject to the permissions specified in the authorization policy of the delegation profile. - View Dependent Claims (20, 21, 22, 23, 24)
-
-
25. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of operations comprising:
-
constructing a delegation profile in at least one of a plurality of accounts on a service provider, the delegation profile identifying (a) one or more principals that are allowed to act on resources in the account and (b) a set of permissions for the one or more principals; receiving a request from an entity for a set of credentials that allows access to the account, the request including information for selecting the delegation profile in at least one of the plurality of accounts; verifying whether the entity was identified as one of the one or more principals in the delegation profile selected in at least one of the plurality of accounts based on the information included in the request; issuing the set of credentials to the entity if the entity has been verified to have been identified in the delegation profile as the one of the one or more principals; and providing access to the entity if the entity is verified to be one of the one or more security principals identified in the delegation profile, the access enabling the entity to act on the resources in the account as the one or more security principals identified by the delegation profile subject to the permissions specified in the delegation profile. - View Dependent Claims (26, 27, 28, 29, 30)
-
Specification