Authorized delegation of permissions

US 9,098,675 B1
Filed: 09/13/2012
Issued: 08/04/2015
Est. Priority Date: 09/13/2012
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, comprising:

associating, by one or more computing devices, one or more delegation profiles with an account of a customer, the account being maintained by a provider of one or more resources accessible to the customer as determined by one or more terms of the account, each delegation profile defining a validation policy and associated with one or more permissions for accessing and utilizing the one or more resources, each delegation profile set by the customer and providing access to a subset of the one or more resources;

receiving, by the one or more computing devices, from an entity, a request for access to the one or more resources associated with the account, the entity not directly associated with the account of the customer, the request including information usable to select a delegation profile, the information including an identifier of the delegation profile;

obtaining, by the one or more computing devices, identity information for the entity, the identity information generated by an identity verification entity separate from the provider, the entity having a relationship with the identity verification entity enabling the identity verification entity to provide the identity information to the provider on behalf of the entity, the identity information complying with one or more authentication requirements of the provider;

determining, by the one or more computing devices, an applicable delegation profile, from the one or more delegation profiles, based at least on the information usable to select the delegation profile;

processing, by the one or more computing devices, the identity information and the information associated with the applicable delegation profile using at least one rules engine to determine the one or more permissions associated with the applicable delegation profile, the one or more permissions indicating one or more actions the entity is permitted to perform against the one or more resources under the account of the customer;

verifying that the validation policy of the applicable delegation profile specifies that the entity is allowed to use the applicable delegation profile to perform the one or more actions against the one or more resources; and

providing, by the one or more computing devices, the entity with access to the one or more resources as set forth by the one or more permissions associated with the applicable delegation profile, wherein providing the entity with access to the one or more resources includes providing credentials usable by the entity to obtain access to the subset of the one or more resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for delegating permissions to enable account access to entities not directly associated with the account. The systems determine a delegation profile associated with a secured account of at least one customer. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

54 Citations

View as Search Results

32 Claims

1. A computer implemented method, comprising:
- associating, by one or more computing devices, one or more delegation profiles with an account of a customer, the account being maintained by a provider of one or more resources accessible to the customer as determined by one or more terms of the account, each delegation profile defining a validation policy and associated with one or more permissions for accessing and utilizing the one or more resources, each delegation profile set by the customer and providing access to a subset of the one or more resources;
  
  receiving, by the one or more computing devices, from an entity, a request for access to the one or more resources associated with the account, the entity not directly associated with the account of the customer, the request including information usable to select a delegation profile, the information including an identifier of the delegation profile;
  
  obtaining, by the one or more computing devices, identity information for the entity, the identity information generated by an identity verification entity separate from the provider, the entity having a relationship with the identity verification entity enabling the identity verification entity to provide the identity information to the provider on behalf of the entity, the identity information complying with one or more authentication requirements of the provider;
  
  determining, by the one or more computing devices, an applicable delegation profile, from the one or more delegation profiles, based at least on the information usable to select the delegation profile;
  
  processing, by the one or more computing devices, the identity information and the information associated with the applicable delegation profile using at least one rules engine to determine the one or more permissions associated with the applicable delegation profile, the one or more permissions indicating one or more actions the entity is permitted to perform against the one or more resources under the account of the customer;
  
  verifying that the validation policy of the applicable delegation profile specifies that the entity is allowed to use the applicable delegation profile to perform the one or more actions against the one or more resources; and
  
  providing, by the one or more computing devices, the entity with access to the one or more resources as set forth by the one or more permissions associated with the applicable delegation profile, wherein providing the entity with access to the one or more resources includes providing credentials usable by the entity to obtain access to the subset of the one or more resources.
- View Dependent Claims (2, 3)
- - 2. The computer-implemented method of claim 1, wherein determining the applicable delegation profile includes performing a lookup based at least in part upon at least one of an aspect of the entity or an attribute of the request.
  - 3. The computer-implemented method of claim 1, wherein at least a portion of the one or more permissions are applied only when the identity information provided by the identity verification entity includes at least one piece of mandatory information or when the identity verification entity is a federation provider indicated by the applicable delegation profile.

4. A computer implemented method, said method comprising:
- receiving, by one or more computing devices, from an entity, a request for access to one or more resources associated with an account of a customer, the entity not directly associated with the account of the customer, the account being maintained by a provider of the one or more resources accessible to the customer as determined by one or more terms of the account, the request including information usable to select a delegation profile, the delegation profile defining a validation policy, the information including an identifier of the delegation profile;
  
  determining, by the one or more computing devices, an applicable delegation profile based at least on the information usable to select the delegation profile, the applicable delegation profile being associated with the account of the customer, the applicable delegation profile associated with one or more permissions for accessing and utilizing the one or more resources, the delegation profile set by the customer and providing access to a subset of the one or more resources;
  
  obtaining, by the one or more computing devices, identity information for the entity, the identity information generated by an identity provider;
  
  verifying that the validation policy of the applicable delegation profile specifies that the entity is allowed to use the applicable delegation profile to perform one or more actions against the one or more resources;
  
  providing, by the one or more computing devices, the entity with access to the one or more resources according to the one or more permissions associated with the applicable delegation profile as determined using the identity information, the access enabling the entity to act as the customer on the one or more resources subject to the one or more permissions, wherein providing the entity with access to the one or more resources includes providing credentials usable by the entity to obtain access to the subset of the one or more resources.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 5. The computer-implemented method of claim 4, wherein determining the applicable delegation profile includes determining an endpoint for the request, the endpoint being associated with a wildcard domain name service.
  - 6. The computer-implemented method of claim 4, wherein the identity information includes a security token issued by the identity provider associated with the applicable delegation profile.
  - 7. The computer-implemented method of claim 4, wherein determining the applicable delegation profile includes analyzing whether the request is:
    - signed by a key associated with the customer, directed to an endpoint associated by the customer, or directed to a location identified at least in part using identifying information for the entity.
  - 8. The computer-implemented method of claim 4, wherein the entity is provided with access only when the identity provider is a federation provider indicated by the applicable delegation profile or when the identity information provided by the identity provider includes at least one piece of mandatory information.
  - 9. The computer-implemented method of claim 4, further comprising:
    - passing at least a portion of the identity information and information associated with the applicable delegation profile through at least one rules engine in order to determine the one or more permissions, the one or more permissions indicating one or more actions the entity is permitted to perform against the one or more resources under the account of the customer.
  - 10. The computer-implemented method of claim 9, wherein the one or more permissions are associated with one or more policies for granting access to the one or more resources.
  - 11. The computer-implemented method of claim 4, wherein determining the applicable delegation profile includes performing a lookup based at least in part upon at least one of an aspect of the entity or an attribute of the request.
  - 12. The computer-implemented method of claim 4, wherein the applicable delegation profile identifies one or more security principals by reference to an authority, and wherein the entity is one of the one or more security principals as identified by the authority.
  - 13. The computer-implemented method of claim 12, wherein the authority identifies the entity using at least one security mechanism selected from the group consisting of a public key infrastructure (PKI) certificate, a security assertion markup language (SAML) assertion, or an X509 certificate signed by, or chained to, the authority.
  - 14. The computer-implemented method of claim 4, further comprising:
    - denying the entity access to the one or more resources based at least in part upon quota information for at least one of the entity or the provider, with respect to the account of the customer or the applicable delegation profile.
  - 15. The computer-implemented method of claim 4, wherein the permissions of the applicable delegation profile are determined based at least in part upon one or more rules that map attributes asserted by an identity authority to one or more permissions elements.
  - 16. The computer-implemented method of claim 4, wherein the customer is a developer of an application, and wherein the entity is an end user or device operated by the end user running a copy of the application.
  - 17. The computer-implemented method of claim 4, wherein the permissions of the applicable delegation profile are restricted to a scope that is less than or equal to permissions of the customer on the account.

18. A computer system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the computer system to;
  
  receive, from an entity, a request for access to one or more resources associated with an account of a customer, the entity not directly associated with the account of the customer, the account enabling the customer to access the one or more resources as provided by a resource provider, the request including information usable to select a respective delegation profile, the delegation profile defining a validation policy, the information including an identifier of the respective delegation profile;
  
  determine whether to apply a delegation profile based at least on the information usable to select the respective delegation profile, the delegation profile being associated with the account of the customer, the delegation profile further being associated with one or more permissions for accessing and utilizing the one or more resources, the delegation profile set by the customer and providing access to a subset of the one or more resources;
  
  obtain identity information for the entity, the identity information generated by an identity provider; and
  
  verify that the validation policy of the delegation profile specifies that the entity is allowed to use the delegation profile to perform the one or more actions against the one or more resources;
  
  provide the entity with access to the one or more resources as set forth by the one or more permissions associated with the delegation profile, and as determined using the identity information, when the delegation profile is applied to the request, the access enabling the entity to act as the customer on the one or more resources subject to the one or more permissions, wherein providing the entity with access to the one or more resources includes providing credentials usable by the entity to obtain access to the subset of the one or more resources.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The computer system of claim 18, wherein the entity being provided with access to the one or more resources further contingent upon the entity meeting at least one identity verification criterion, the at least one identity verification criterion including at least one of the request including a security token issued by the identity provider associated with the delegation profile, the request being signed by a key associated with the customer, the request being directed to an endpoint associated with the customer, or the request being directed to a location identified at least in part using the identity information for the entity.
  - 20. The computer system of claim 19, wherein the instructions when executed further cause the computing system to contact the identity provider to obtain the identity information for the entity, wherein the at least one identity verification criterion includes the identity verification entity being a federation provider indicated by the delegation profile.
  - 21. The computer system of claim 18, wherein the delegation profile identifies one or more security principals by reference to an authority, and wherein the entity is one of the one or more security principals as identified by the authority.
  - 22. The computer system of claim 21, wherein the authority identifies the entity using at least one security mechanism selected from the group consisting of a public key infrastructure (PKI) certificate, a security assertion markup language (SAML) assertion, or an X509 certificate signed by, or chained to, the authority.
  - 23. The computer system of claim 18, wherein the permissions of the delegation profile are determined based at least in part upon one or more rules that map attributes asserted by an identity authority to one or more permissions elements.
  - 24. The computer system of claim 18, wherein the customer is a developer of an application, and wherein the entity is an end user or device operated by the end user running a copy of the application.
  - 25. The computer system of claim 18, wherein obtaining the identity information for the entity includes at least one of receiving an encrypted token with the request or interacting with an endpoint associated with at least one of the customer or the identity provider.

26. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computing system, cause the computing system to:
- receive, from an entity, a request for access to one or more resources associated with an account of a customer, the entity not directly associated with the account of the customer, the account being maintained by a provider of the one or more resources accessible to the customer as determined by one or more terms of the account, the request including information usable to select a delegation profile, the delegation profile defining a validation policy, the information including an identifier of the delegation profile;
  
  determine an applicable delegation profile based at least on the information usable to select the delegation profile, the applicable delegation profile being associated with the account of the customer, the applicable delegation profile associated with one or more permissions for accessing and utilizing the one or more resources, the delegation profile set by the customer and providing access to a subset of the one or more resources;
  
  obtain identity information for the entity generated by a third party identification service;
  
  verify that the validation policy of the applicable delegation profile specifies that the entity is allowed to use the applicable delegation profile to perform one or more actions against the one or more resources; and
  
  provide the entity with access to the one or more resources as set forth by the one or more permissions associated with the applicable delegation profile as determined using the identity information for the entity, the access enabling the entity to act on the one or more resources as the customer subject to the one or more permissions, wherein providing the entity with access to the one or more resources includes providing credentials usable by the entity to obtain access to the subset of the one or more resources.
- View Dependent Claims (27, 28)
- - 27. The non-transitory computer-readable storage medium of claim 26, wherein the one or more permissions associated with the applicable delegation profile are determined based at least in part upon one or more rules that map attributes asserted by an identity authority to one or more permissions elements.
  - 28. The non-transitory computer-readable storage medium of claim 26, wherein the customer is a developer of an application, and wherein the entity is an end user or device operated by the end user running a copy of the application.

29. A computer-implemented method, comprising:
- obtaining, by an application executing on a computing device, at least one credential generated by a third party identity provider, the at least one credential including identity information for a user of the computing device;
  
  providing, in a request for access, the at least one credential and an indication of a delegation profile to a Web service provider environment, the delegation profile defining a validation policy, the Web service provider environment providing one or more Web services associated with an account of a provider of the application, one or more Web services accessible to the provider as determined by one or more terms of the account, wherein the indication of the delegation profile comprises information usable to select a respective delegation profile, the information including an identifier of the delegation profile, wherein the respective delegation profile includes a validation policy, the validation policy specifying that the application is allowed to use the respective delegation profile to access the one or more Web services;
  
  receiving one or more Web service credentials from the Web service provider environment in response to the request for access, the one or more Web service credentials enabling access to the one or more Web services according to one or more permissions associated with the delegation profile and as determined using the identity information, the delegation profile providing access to a subset of the one or more Web services, the access enabling the application to use the one or more Web services subject to the one or more permissions, the delegation profile being determined based on at least the information usable to select the respective delegation profile; and
  
  sending a request to at least one of the one or more Web services, the request associated with the one or more Web service credentials enabling access to the one or more Web services.
- View Dependent Claims (30, 31, 32)
- - 30. The computer-implemented method of claim 29, wherein obtaining the at least one credential generated by the third party identity provider includes at least one of locating a copy of the at least one credential stored on the computing device or receiving the at least one credential in response to the application sending federated identity information, received from the user, to the third party identity provider.
  - 31. The computer-implemented method of claim 29, wherein the access to the one or more Web services is restricted to one or more user-specific resources within the account of the provider with the Web service provider environment.
  - 32. The computer-implemented method of claim 29, wherein access to the one or more Web services includes access within the account of the provider of the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Behm, Bradley Jeffery
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Brown, Demaris

Application Number

US13/614,867
Time in Patent Office

1,055 Days
Field of Search

726/4
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 2221/2115   Third party

G06Q 50/01   Social networking

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 67/53   using third party service p...

H04L 9/3263   involving certificates, e.g...

Authorized delegation of permissions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Authorized delegation of permissions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links