Authorized delegation of permissions
First Claim
1. A computer implemented method, comprising:
associating, by one or more computing devices, one or more delegation profiles with an account of a customer, the account being maintained by a provider of one or more resources accessible to the customer as determined by one or more terms of the account, each delegation profile defining a validation policy and associated with one or more permissions for accessing and utilizing the one or more resources, each delegation profile set by the customer and providing access to a subset of the one or more resources;
receiving, by the one or more computing devices, from an entity, a request for access to the one or more resources associated with the account, the entity not directly associated with the account of the customer, the request including information usable to select a delegation profile, the information including an identifier of the delegation profile;
obtaining, by the one or more computing devices, identity information for the entity, the identity information generated by an identity verification entity separate from the provider, the entity having a relationship with the identity verification entity enabling the identity verification entity to provide the identity information to the provider on behalf of the entity, the identity information complying with one or more authentication requirements of the provider;
determining, by the one or more computing devices, an applicable delegation profile, from the one or more delegation profiles, based at least on the information usable to select the delegation profile;
processing, by the one or more computing devices, the identity information and the information associated with the applicable delegation profile using at least one rules engine to determine the one or more permissions associated with the applicable delegation profile, the one or more permissions indicating one or more actions the entity is permitted to perform against the one or more resources under the account of the customer;
verifying that the validation policy of the applicable delegation profile specifies that the entity is allowed to use the applicable delegation profile to perform the one or more actions against the one or more resources; and
providing, by the one or more computing devices, the entity with access to the one or more resources as set forth by the one or more permissions associated with the applicable delegation profile, wherein providing the entity with access to the one or more resources includes providing credentials usable by the entity to obtain access to the subset of the one or more resources.
Abstract
Systems and methods are described for delegating permissions to enable account access to entities not directly associated with the account. The systems determine a delegation profile associated with a secured account of at least one customer. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
32 Claims
4. A computer implemented method, said method comprising:
receiving, by one or more computing devices, from an entity, a request for access to one or more resources associated with an account of a customer, the entity not directly associated with the account of the customer, the account being maintained by a provider of the one or more resources accessible to the customer as determined by one or more terms of the account, the request including information usable to select a delegation profile, the delegation profile defining a validation policy, the information including an identifier of the delegation profile;
determining, by the one or more computing devices, an applicable delegation profile based at least on the information usable to select the delegation profile, the applicable delegation profile being associated with the account of the customer, the applicable delegation profile associated with one or more permissions for accessing and utilizing the one or more resources, the delegation profile set by the customer and providing access to a subset of the one or more resources;
obtaining, by the one or more computing devices, identity information for the entity, the identity information generated by an identity provider;
verifying that the validation policy of the applicable delegation profile specifies that the entity is allowed to use the applicable delegation profile to perform one or more actions against the one or more resources;
providing, by the one or more computing devices, the entity with access to the one or more resources according to the one or more permissions associated with the applicable delegation profile as determined using the identity information, the access enabling the entity to act as the customer on the one or more resources subject to the one or more permissions, wherein providing the entity with access to the one or more resources includes providing credentials usable by the entity to obtain access to the subset of the one or more resources.
18. A computer system, comprising:
at least one processor; and
memory including instructions that, when executed by the at least one processor, cause the computer system to:
receive, from an entity, a request for access to one or more resources associated with an account of a customer, the entity not directly associated with the account of the customer, the account enabling the customer to access the one or more resources as provided by a resource provider, the request including information usable to select a respective delegation profile, the delegation profile defining a validation policy, the information including an identifier of the respective delegation profile;
determine whether to apply a delegation profile based at least on the information usable to select the respective delegation profile, the delegation profile being associated with the account of the customer, the delegation profile further being associated with one or more permissions for accessing and utilizing the one or more resources, the delegation profile set by the customer and providing access to a subset of the one or more resources;
obtain identity information for the entity, the identity information generated by an identity provider; and
verify that the validation policy of the delegation profile specifies that the entity is allowed to use the delegation profile to perform the one or more actions against the one or more resources;
provide the entity with access to the one or more resources as set forth by the one or more permissions associated with the delegation profile, and as determined using the identity information, when the delegation profile is applied to the request, the access enabling the entity to act as the customer on the one or more resources subject to the one or more permissions, wherein providing the entity with access to the one or more resources includes providing credentials usable by the entity to obtain access to the subset of the one or more resources.
26. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computing system, cause the computing system to:
receive, from an entity, a request for access to one or more resources associated with an account of a customer, the entity not directly associated with the account of the customer, the account being maintained by a provider of the one or more resources accessible to the customer as determined by one or more terms of the account, the request including information usable to select a delegation profile, the delegation profile defining a validation policy, the information including an identifier of the delegation profile;
determine an applicable delegation profile based at least on the information usable to select the delegation profile, the applicable delegation profile being associated with the account of the customer, the applicable delegation profile associated with one or more permissions for accessing and utilizing the one or more resources, the delegation profile set by the customer and providing access to a subset of the one or more resources;
obtain identity information for the entity generated by a third party identification service;
verify that the validation policy of the applicable delegation profile specifies that the entity is allowed to use the applicable delegation profile to perform one or more actions against the one or more resources; and
provide the entity with access to the one or more resources as set forth by the one or more permissions associated with the applicable delegation profile as determined using the identity information for the entity, the access enabling the entity to act on the one or more resources as the customer subject to the one or more permissions, wherein providing the entity with access to the one or more resources includes providing credentials usable by the entity to obtain access to the subset of the one or more resources.
29. A computer-implemented method, comprising:
obtaining, by an application executing on a computing device, at least one credential generated by a third party identity provider, the at least one credential including identity information for a user of the computing device;
providing, in a request for access, the at least one credential and an indication of a delegation profile to a Web service provider environment, the delegation profile defining a validation policy, the Web service provider environment providing one or more Web services associated with an account of a provider of the application, one or more Web services accessible to the provider as determined by one or more terms of the account, wherein the indication of the delegation profile comprises information usable to select a respective delegation profile, the information including an identifier of the delegation profile, wherein the respective delegation profile includes a validation policy, the validation policy specifying that the application is allowed to use the respective delegation profile to access the one or more Web services;
receiving one or more Web service credentials from the Web service provider environment in response to the request for access, the one or more Web service credentials enabling access to the one or more Web services according to one or more permissions associated with the delegation profile and as determined using the identity information, the delegation profile providing access to a subset of the one or more Web services, the access enabling the application to use the one or more Web services subject to the one or more permissions, the delegation profile being determined based on at least the information usable to select the respective delegation profile; and
sending a request to at least one of the one or more Web services, the request associated with the one or more Web service credentials enabling access to the one or more Web services.
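The delegation flow described in the abstract and in the independent claims above, as an added worked example that is not part of the patent or of any product it may describe. A resource provider holds customer-defined delegation profiles, each with a validation policy (which identity provider is trusted and which of its principals may assume the profile) and an authorization policy (which actions on which subset of the account's resources). An external entity presents an identity assertion from a separate identity provider together with a profile identifier; the provider verifies the assertion, checks the validation policy, runs a small rules engine over the identity information and the profile to derive the permissions, and issues a short-lived credential scoped to them, against which later calls are checked. The token format, the HMAC keys, the `idp.example` and `provider.example` issuer names, the account, profile, action and resource names and the `storage:*` action vocabulary are all constructed for this example and do not come from the page; a deployed system would use a standard asymmetric assertion format such as OIDC.

```python
import base64
import fnmatch
import hashlib
import hmac
import json

IDP_KEYS = {"idp.example": b"demo-idp-signing-key"}  # constructed key of the identity verification entity
PROVIDER_KEYS = {"provider.example": b"demo-provider-cred-key"}  # constructed key of the resource provider


class DelegationError(Exception):
    """Raised when a request cannot be mapped to delegated credentials."""


def _encode(key: bytes, body: dict) -> str:
    """Token format used here (constructed): base64url(JSON) '.' HMAC-SHA256 hex."""
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + hmac.new(key, payload, hashlib.sha256).hexdigest()


def _decode(keys: dict, token: str, now: int) -> dict:
    """Verify a token with its issuer's key; reject unknown issuers, bad MACs and expired tokens."""
    try:
        b64, sig = token.split(".")
        body = json.loads(payload := base64.urlsafe_b64decode(b64))
        key = keys[body["iss"]]
    except (ValueError, KeyError, TypeError):
        raise DelegationError("malformed token or untrusted issuer")
    if not hmac.compare_digest(sig, hmac.new(key, payload, hashlib.sha256).hexdigest()):
        raise DelegationError("bad signature")
    if body["exp"] <= now:
        raise DelegationError("token expired")
    return body


def idp_issue_identity(subject: str, now: int, issuer: str = "idp.example", ttl: int = 300) -> str:
    # The identity provider asserts who the caller is (stand-in for an OIDC/SAML assertion).
    return _encode(IDP_KEYS[issuer], {"iss": issuer, "sub": subject, "exp": now + ttl})


class ResourceProvider:
    def __init__(self, profiles: dict):
        self.profiles = profiles  # (account_id, profile_name) -> delegation profile set by the customer

    def assume_profile(self, account_id: str, profile_name: str, identity_token: str, now: int, ttl: int = 900) -> str:
        identity = _decode(IDP_KEYS, identity_token, now)  # obtain and verify the identity information
        if (profile := self.profiles.get((account_id, profile_name))) is None:
            raise DelegationError("unknown delegation profile")
        # validation policy: may this principal, vouched for by this issuer, use the profile at all?
        if identity["iss"] not in profile["trusted_issuers"] or not any(
                fnmatch.fnmatchcase(identity["sub"], p) for p in profile["allowed_principals"]):
            raise DelegationError("principal not permitted by validation policy")
        # rules engine: keep the authorization statements whose identity condition matches this principal
        perms = [{"actions": s["actions"], "resources": s["resources"]} for s in profile["statements"]
                 if all(fnmatch.fnmatchcase(str(identity.get(k, "")), v) for k, v in s.get("condition", {}).items())]
        if not perms:
            raise DelegationError("no permissions apply to this principal")
        # short-lived credential scoped to the profile's subset of the account's resources
        return _encode(PROVIDER_KEYS["provider.example"], {"iss": "provider.example", "account": account_id,
                       "profile": profile_name, "sub": identity["sub"], "perms": perms, "exp": now + ttl})

    def authorize(self, credential: str, account_id: str, action: str, resource: str, now: int) -> bool:
        # Check a later API call against the delegated credential's permissions (fail closed).
        cred = _decode(PROVIDER_KEYS, credential, now)
        return cred["account"] == account_id and any(
            action in p["actions"] and any(fnmatch.fnmatchcase(resource, r) for r in p["resources"])
            for p in cred["perms"])


def demo(now: int = 1_700_000_000) -> dict:
    """Run the flow on constructed data; returns the happy-path decisions and each refusal."""
    provider = ResourceProvider({("acct-123", "ReportsReader"): {
        # validation policy: which identity provider, and which of its principals, may assume the profile
        "trusted_issuers": {"idp.example"}, "allowed_principals": ["partner-*"],
        # authorization policy: actions on a subset of resources, optionally conditioned on identity
        "statements": [{"actions": ["storage:GetObject"], "resources": ["reports/*"]},
                       {"actions": ["storage:PutObject"], "resources": ["reports/inbox/*"],
                        "condition": {"sub": "partner-uploader"}}]}})

    def refused(fn) -> bool:
        try:
            fn()
            return False
        except DelegationError:
            return True

    token = idp_issue_identity("partner-analyst", now)
    cred = provider.assume_profile("acct-123", "ReportsReader", token, now)
    up_cred = provider.assume_profile("acct-123", "ReportsReader", idp_issue_identity("partner-uploader", now), now)
    forged = token[:-1] + ("0" if token[-1] != "0" else "1")  # tamper with the assertion's MAC
    return {
        "read_allowed": provider.authorize(cred, "acct-123", "storage:GetObject", "reports/q1.csv", now),
        "write_denied": provider.authorize(cred, "acct-123", "storage:PutObject", "reports/inbox/x", now),
        "outside_subset_denied": provider.authorize(cred, "acct-123", "storage:GetObject", "secrets/key", now),
        "uploader_write_allowed": provider.authorize(up_cred, "acct-123", "storage:PutObject", "reports/inbox/x", now),
        "stranger_refused": refused(lambda: provider.assume_profile("acct-123", "ReportsReader", idp_issue_identity("stranger", now), now)),
        "forged_refused": refused(lambda: provider.assume_profile("acct-123", "ReportsReader", forged, now)),
        "expired_refused": refused(lambda: provider.authorize(cred, "acct-123", "storage:GetObject", "reports/q1.csv", now + 901)),
    }
```

`demo()` walks the happy path and the refusals a defender cares about: an assertion from a principal the validation policy does not list, a tampered assertion, an action outside the profile's subset, a conditioned permission that only one principal receives, and a credential used after its expiry. The point worth keeping from the page is the two-stage check: the validation policy decides whether the principal may assume the profile at all, and only then does the authorization policy decide what the resulting credential can do. Skipping the first stage would let any principal the identity provider vouches for pick any profile in the account; keying the two token types to separate issuer keys keeps an identity assertion from being replayed as a provider credential.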
Specification