Fine-grained access control for synchronized data stores

US 9,330,271 B1
Filed: 10/15/2013
Issued: 05/03/2016
Est. Priority Date: 10/15/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more computing nodes comprising a first one or more storage devices configured to store thereon a collection of items, the one or more computing nodes further configured at least to;

receive information indicative of a first update to a first item in the collection of items, the first item corresponding to an item in a first subcollection of items stored on a first computing device remote to the one or more computing nodes, the first computing device associated with a first user;

receive information indicative of a second update to a second item in the collection of items, the second item corresponding to an item in a second subcollection of items stored on a second computing device remote to the one or more computing nodes, the second computing device associated with a second user;

obtain a verified identity of the first user based at least in part on an identity server selected based at least in part on credentials associated with the first user;

determine to update the first item in the collection of items, based at least in part on information indicative of the verified identity of the first user and based at least in part on the first user having at least a write privilege for the first item of the collection of items;

determine to update the second item in the collection of items, based at least in part on information indicative of a second verified identity of the second user and based at least in part on the second user having at least a write privilege for the second item in the collection of items; and

send information indicative of the update to the second item to the first computing device upon determining that the first user has at least a read privilege for the second item of the collection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A remote distributed data store may be configured to process data updates received through invocation of a common API with reference to a common schema. Local data stores may also be configured to process updates using a common API and schema. Data for multiple users may be stored in a common collection of items maintained by a remote distributed data store. User identity may be verified through a public identity service. User identity and access permissions may be associated with items stored in a remote distributed data store.

Citations

19 Claims

1. A system comprising:
- one or more computing nodes comprising a first one or more storage devices configured to store thereon a collection of items, the one or more computing nodes further configured at least to;
  
  receive information indicative of a first update to a first item in the collection of items, the first item corresponding to an item in a first subcollection of items stored on a first computing device remote to the one or more computing nodes, the first computing device associated with a first user;
  
  receive information indicative of a second update to a second item in the collection of items, the second item corresponding to an item in a second subcollection of items stored on a second computing device remote to the one or more computing nodes, the second computing device associated with a second user;
  
  obtain a verified identity of the first user based at least in part on an identity server selected based at least in part on credentials associated with the first user;
  
  determine to update the first item in the collection of items, based at least in part on information indicative of the verified identity of the first user and based at least in part on the first user having at least a write privilege for the first item of the collection of items;
  
  determine to update the second item in the collection of items, based at least in part on information indicative of a second verified identity of the second user and based at least in part on the second user having at least a write privilege for the second item in the collection of items; and
  
  send information indicative of the update to the second item to the first computing device upon determining that the first user has at least a read privilege for the second item of the collection.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein each item in the first subcollection has a security identifier associated with the first user.
  - 3. The system of claim 2, wherein the first subcollection comprises items associated with the security identifier and excludes items not associated with the security identifier associated with the first user.
  - 4. The system of claim 1, wherein items in the first subcollection are associated with at least one security identifier associated with a client of an operator of the first one or more computing nodes, and the first user is a customer of the client.
  - 5. The system of claim 4, the one or more computing nodes further configured at least to:
    - grant or deny access to an item in the first subcollection based at least in part on the security identifier associated with the client.

6. A method comprising:
- receiving information indicative of a first update to a first item in a collection of items, the first item corresponding to an item in a first subcollection of items stored on a first computing device remote to the one or more computing nodes, the first computing device associated with a first user;
  
  receiving information indicative of a second update to a second item in the collection of items, the second item corresponding to an item in a second subcollection of items stored on a second computing device remote to the one or more computing nodes, the second computing device associated with a second user;
  
  obtain a verified identity of the first user based at least in part on an identity server selected based at least in part on credentials associated with the first user;
  
  determining to update the first item in the collection of items, based at least in part on information indicative of the verified identity of the first user and based at least in part on the first user having at least a write privilege for the first item of the collection of items;
  
  determining to update the second item in the collection of items, based at least in part on information indicative of a second verified identity of the second user and based at least in part on the second user having at least a write privilege for the second item in the collection of items; and
  
  sending information indicative of the update to the second item to the first computing device upon determining that the first user has at least a read privilege for the second item of the collection of items.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The method of claim 6, wherein the collection of items is maintained by a distributed data store.
  - 8. The method of claim 6, wherein the information indicative of the first update comprises the verified identity of the first user.
  - 9. The method of claim 6, wherein the verified identity of the first user is based at least in part on communication between the first computing device and the identity server.
  - 10. The method of claim 6, further comprising:
    - storing an association between an item in the collection of items and the verified identity of the first user.
  - 11. The method of claim 6, further comprising:
    - granting or denying access to an item in the first subcollection based at least in part on the verified identity of the first user.
  - 12. The method of claim 6, wherein the collection of items comprises a plurality of subcollections, each subcollection corresponding to a different verified identity.
  - 13. The method of claim 6, wherein the verified identity of a user is based at least in part on a user, group, or role.

14. A non-transitory computer-readable storage medium having stored thereon instructions that, upon execution by one or more computing devices, cause the one or more computing devices at least to:
- receive information indicative of a first update to a first item in a collection of items, the first item corresponding to an item in a first subcollection of items stored on a first computing device remote to the one or more computing nodes, the first computing device associated with a first user;
  
  receive information indicative of a second update to a second item in the collection of items, the second item corresponding to an item in a second subcollection of items stored on a second computing device remote to the one or more computing nodes, the second computing device associated with a second user;
  
  obtain a verified identity of the first user based at least in part on an identity server selected based at least in part on credentials associated with the first user;
  
  determine to update the first item in the collection of items, based at least in part on information indicative of the verified identity of the first user and based at least in part on the first user having at least a write privilege for the first item of the collection of items;
  
  determine to update the second item in the collection of items, based at least in part on information indicative of a second verified identity of the second user and based at least in part on the second user having at least a write privilege for the second item in the collection of items; and
  
  send information indicative of the update to the second item to the first computing device upon determining that the first user has at least a read privilege for the second item of the collection.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer-readable medium of claim 14, wherein the collection of items comprises a plurality of subcollections, each subcollection corresponding to a different verified identity.
  - 16. The non-transitory computer-readable medium of claim 14, comprising further instructions that, upon execution by the computing device, cause the computing device to at least:
    - grant or denying access to an item in the first subcollection based at least in part on the verified identity of the first user.
  - 17. The non-transitory computer-readable medium of claim 14, wherein the verified identity of a user is based at least in part on a user, group, or role.
  - 18. The non-transitory computer-readable medium of claim 14, wherein the verified identity of the first user is based at least in part on communication between the first computing device and the identity server.
  - 19. The non-transitory computer-readable medium of claim 14, wherein the collection of items is maintained by a distributed data store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Shams, Khawaja Salman, Pandey, Prashant, Sivasubramanian, Swaminathan, Zaki, Omer Ahmed
Primary Examiner(s)
Traore, Fatoumata

Application Number

US14/054,767
Time in Patent Office

931 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/27   Replication, distribution o...

G06F 21/606   by securing the transmissio...

G06F 21/629   to features or functions of...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

Fine-grained access control for synchronized data stores

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Fine-grained access control for synchronized data stores

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links