System and method for controlling access to web services resources

US 9,413,678 B1
Filed: 05/17/2013
Issued: 08/09/2016
Est. Priority Date: 02/10/2006
Status: Active Grant

First Claim

Patent Images

1. A system, comprising;

one or more processors; and

a memory storing program instructions executable by at least one of the one or more processors to implement an access control service configured to;

manage access control information for a plurality of resources on a network, wherein the access control information comprises a table including one or more access control entries uniquely associated with one or more of the plurality of resources, wherein at least one of the access control entries includes a resource identifier, a principal identifier, and an access type allowed for the principal identifier on the resource identified by the resource identifier;

receive, via the network, access requests from clients of the access control service;

for at least one received access request;

determine whether the access control information includes an access control entry corresponding to a resource specified by the request;

determine, from the access control information, at least one access type for the resource specified by the request that allows an operation specified by the request to be performed on the resource, wherein the allowance of the operation by the access type determined from the access control information is particular to the resource;

responsive to determining that the access control information includes an access control entry corresponding to the specified resource, determine, from the determined access control entry, whether a principal associated with the request has the at least one access type that allows the operation to be performed on the resource; and

allow or not allow the principal to perform the specified operation on the specified resource according to results of said determining whether the principal has the at least one access type for the resource that allows the operation to be performed.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for controlling access to web services resources. A system may include a storage medium configured to store instructions and one or more processors configured to access the storage medium. The instructions may be executable by at least one of the processors to implement a web services access control system (ACS) configured to receive requests. Each request specifies an access operation to be performed with respect to a corresponding resource. Each of the requests is associated with a corresponding principal. For each received request, the ACS may be further configured to determine whether an access control entry exists that is associated with both the resource and principal associated with the request and that specifies an access type sufficient to perform the access operation. If no such entry exists, the ACS may deny the request.

36 Citations

View as Search Results

20 Claims

1. A system, comprising;
- one or more processors; and
  
  a memory storing program instructions executable by at least one of the one or more processors to implement an access control service configured to;
  
  manage access control information for a plurality of resources on a network, wherein the access control information comprises a table including one or more access control entries uniquely associated with one or more of the plurality of resources, wherein at least one of the access control entries includes a resource identifier, a principal identifier, and an access type allowed for the principal identifier on the resource identified by the resource identifier;
  
  receive, via the network, access requests from clients of the access control service;
  
  for at least one received access request;
  
  determine whether the access control information includes an access control entry corresponding to a resource specified by the request;
  
  determine, from the access control information, at least one access type for the resource specified by the request that allows an operation specified by the request to be performed on the resource, wherein the allowance of the operation by the access type determined from the access control information is particular to the resource;
  
  responsive to determining that the access control information includes an access control entry corresponding to the specified resource, determine, from the determined access control entry, whether a principal associated with the request has the at least one access type that allows the operation to be performed on the resource; and
  
  allow or not allow the principal to perform the specified operation on the specified resource according to results of said determining whether the principal has the at least one access type for the resource that allows the operation to be performed.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system as recited in claim 1, wherein, to allow or not allow the principal to perform the specified operation on the specified resource according to results of said determining, the access control service is configured to notify a client corresponding to the request that the principal associated with the request is allowed or not allowed to perform the specified operation on the specified resource.
  - 3. The system as recited in claim 1, wherein the access control information includes an access policy for the resource that indicates one or more operations that can be performed on the resource, one or more access types for the resource, and, for at least one operation, at least one access type that can be assigned to a principal to allow the respective operation to be performed on the resource by the respective principal.
  - 4. The system as recited in claim 3, wherein, to determine the at least one access type that allows the operation to be performed on the resource, the access control service is configured to determine the at least one access type for the operation as indicated by the access policy for the resource.
  - 5. The system as recited in claim 3, wherein the access control information further includes at least one entry indicating a principal, a resource, and one or more access types of the indicated resource that are assigned to the indicated principal.
  - 6. The system as recited in claim 5, wherein, to determine whether a principal associated with the request has the at least one access type that allows the operation to be performed on the resource, the access control service is configured to determine if the access control information includes an entry for the principal associated with the request that indicates the resource specified by the request and the at least one access type that allows the operation specified by the request to be performed on the resource.

7. A method, comprising;
- storing access control information for a plurality of resources on a network, wherein the access control information comprises a table including one or more access control entries uniquely associated with one or more of the plurality of resources, wherein at least one of the access control entries includes a resource identifier, a principal identifier, and an access type allowed for the principal identifier on the resource identified by the resource identifier;
  
  receiving, by an access control service implemented on one or more computing devices, access requests from one or more clients;
  
  for one or more of the received access requests;
  
  determining whether the access control information includes an access control entry corresponding to a resource specified by the request;
  
  determining, from the access control information, an access type for the resource specified by the request that allows an operation specified by the request to be performed on the resource, wherein the allowance of the operation by the access type determined from the access control information is particular to the resource;
  
  responsive to determining that the access control information includes an access control entry corresponding to the specified resource, determining, from the determined access control entry, whether a principal associated with the request has the at least one access type that allows the operation to be performed on the resource; and
  
  providing results of said determining whether the principal has access type for the resource that allows the operation to be performed to a client corresponding to the access request.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method as recited in claim 7, wherein the resource specified by at least one access request is a data object accessible via a web service on the network, wherein the operation specified by the request is an operation performed by the web service to store, retrieve, or modify a specified data object.
  - 9. The method as recited in claim 7, wherein the resource specified by at least one access request is a service on the network, wherein the operation specified by the request is a particular function performed by the service.
  - 10. The method as recited in claim 7, wherein said determining, from the access control information, whether a principal associated with the request has the access type that allows the operation to be performed on the resource comprises:
    - locating, in the access control information, an access policy for the specified resource, wherein the access policy associates particular operations for the resource with particular access types for the resource; and
      
      determining, from the access policy for the resource, the access type associated with the specified operation.
  - 11. The method as recited in claim 7, wherein said determining, from the access control information, whether a principal associated with the request has the access type that allows the operation to be performed on the resource comprises searching the access control information for an access control entry that assigns the access type required for performing the operation on the resource to the principal.
  - 12. The method as recited in claim 7, wherein the access control information includes:
    - at least one access policy that indicates one or more operations that can be performed on at least one of the plurality of resources, one or more access types for the at least one resource, and, for at least one operation, at least one access type that can be assigned to a principal to allow the respective operation to be performed on the at least one resource by the respective principal; and
      
      at least one entry indicating at least one principal, at least one resource, and one or more access types of the indicated at least one resource that are assigned to the indicated at least one principal.
  - 13. The method as recited in claim 7, wherein said determining, from the access control information, whether a principal associated with the request has the access type that allows the operation to be performed on the resource comprises:
    - determining, from the access control information, whether the principal is a member of a group of principals; and
      
      in response to said determining that the principal is a member of a group of principals, searching the access control information for an access control entry that assigns the access type required for performing the operation on the resource to the members of the group of principals.

14. A network, comprising;
- one or more devices implementing a plurality of resources on the network; and
  
  one or more computing devices implementing an access control service on the network configured to;
  
  store and retrieve access control information for the plurality of resources on the network, wherein the access control information comprises a table including one or more access control entries uniquely associated with one or more of the plurality of resources, wherein at least one of the access control entries includes a resource identifier, a principal identifier, and an access type allowed for the principal identifier on the resource identified by the resource identifier;
  
  receive and process requests from a plurality of clients of the access control service;
  
  for at least one received request;
  
  determine whether the access control information includes an access control entry corresponding to a resource specified by the request;
  
  determine, from the access control information, an access type required for performing an operation specified by the request on the resource specified by the request, wherein the required access type determined from the access control information is particular to the resource;
  
  responsive to determining that the access control information includes an access control entry corresponding to the specified resource, determine, from the determined access control entry, that a principal associated with the request has the determined access type required for performing the specified operation on the specified resource; and
  
  notify a client corresponding to the request that the principal associated with the request is allowed to perform the specified operation on the specified resource.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The network as recited in claim 14, wherein the access control service is further configured to, for at least one other request:
    - determine, from the access control information, that a principal associated with the other request does not have the determined access type required for performing an operation specified by the other request on a resource specified by the other request; and
      
      notify a client corresponding to the other request that the principal associated with the other request is not allowed to perform the operation specified by the other request on the resource specified by the other request.
  - 16. The network as recited in claim 14, wherein the resource specified by the request is a data object accessible via a web service on the network, wherein the operation specified by the request is an operation performed by the web service to store, retrieve, or modify a specified data object.
  - 17. The network as recited in claim 14, wherein the resource specified by the request is a service on the network, wherein the operation specified by the request is a particular function performed by the service.
  - 18. The network as recited in claim 14, wherein, to determine, from the access control information, an access type required for performing an operation specified by the request on a resource specified by the request, the access control service is configured to:
    - locate, in the access control information, an access policy for the specified resource, wherein the access policy associates particular operations for the resource with particular access types for the resource; and
      
      determine, from the access policy for the resource, the access type associated with the specified operation.
  - 19. The network as recited in claim 14, wherein, to determine, from the access control information, that a principal specified by the request has the determined access type required for performing the specified operation on the specified resource, the access control service is configured to locate, in the access control information, an access control entry that indicates the entity specified by the request, the resource specified by the request, and the determined access type required for performing the specified operation on the specified resource.
  - 20. The network as recited in claim 14, wherein the access control information includes:
    - at least one access policy that indicates one or more operations that can be performed on at least one of the plurality of resources, one or more access types for the at least one resource, and, for at least one operation, at least one access type that can be assigned to a principal to allow the respective operation to be performed on the at least one resource by the respective principal; and
      
      at least one entry indicating at least one principal, at least one resource, and one or more access types of the indicated at least one resource that are assigned to the indicated at least one principal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Geller, Alan S., Singh, Rahul
Primary Examiner(s)
Christensen, Scott B

Application Number

US13/897,266
Time in Patent Office

1,180 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 9/468   Specific access rights for ...

H04L 47/70   Admission control; Resource...

H04L 63/101   Access control lists [ACL]

H04L 67/10   in which an application is ...

H04L 9/3239   involving non-keyed hash fu...

System and method for controlling access to web services resources

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for controlling access to web services resources

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links