System and method for controlling access to web services resources
First Claim
1. A system, comprising:
one or more processors; and
a memory storing program instructions executable by at least one of the one or more processors to implement an access control service configured to:
manage access control information for a plurality of resources on a network, wherein the access control information comprises a table including one or more access control entries uniquely associated with one or more of the plurality of resources, wherein at least one of the access control entries includes a resource identifier, a principal identifier, and an access type allowed for the principal identifier on the resource identified by the resource identifier;
receive, via the network, access requests from clients of the access control service;
for at least one received access request:
determine whether the access control information includes an access control entry corresponding to a resource specified by the request;
determine, from the access control information, at least one access type for the resource specified by the request that allows an operation specified by the request to be performed on the resource, wherein the allowance of the operation by the access type determined from the access control information is particular to the resource;
responsive to determining that the access control information includes an access control entry corresponding to the specified resource, determine, from the determined access control entry, whether a principal associated with the request has the at least one access type that allows the operation to be performed on the resource; and
allow or not allow the principal to perform the specified operation on the specified resource according to results of said determining whether the principal has the at least one access type for the resource that allows the operation to be performed.
Abstract
A system and method for controlling access to web services resources. A system may include a storage medium configured to store instructions and one or more processors configured to access the storage medium. The instructions may be executable by at least one of the processors to implement a web services access control system (ACS) configured to receive requests. Each request specifies an access operation to be performed with respect to a corresponding resource. Each of the requests is associated with a corresponding principal. For each received request, the ACS may be further configured to determine whether an access control entry exists that is associated with both the resource and principal associated with the request and that specifies an access type sufficient to perform the access operation. If no such entry exists, the ACS may deny the request.
36 Citations
20 Claims
1. (Independent claim; text as set out in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6.
7. A method, comprising:
storing access control information for a plurality of resources on a network, wherein the access control information comprises a table including one or more access control entries uniquely associated with one or more of the plurality of resources, wherein at least one of the access control entries includes a resource identifier, a principal identifier, and an access type allowed for the principal identifier on the resource identified by the resource identifier;
receiving, by an access control service implemented on one or more computing devices, access requests from one or more clients;
for one or more of the received access requests:
determining whether the access control information includes an access control entry corresponding to a resource specified by the request;
determining, from the access control information, an access type for the resource specified by the request that allows an operation specified by the request to be performed on the resource, wherein the allowance of the operation by the access type determined from the access control information is particular to the resource;
responsive to determining that the access control information includes an access control entry corresponding to the specified resource, determining, from the determined access control entry, whether a principal associated with the request has the access type that allows the operation to be performed on the resource; and
providing results of said determining whether the principal has the access type for the resource that allows the operation to be performed to a client corresponding to the access request.
Dependent claims: 8, 9, 10, 11, 12, 13.
14. A network, comprising:
one or more devices implementing a plurality of resources on the network; and
one or more computing devices implementing an access control service on the network configured to:
store and retrieve access control information for the plurality of resources on the network, wherein the access control information comprises a table including one or more access control entries uniquely associated with one or more of the plurality of resources, wherein at least one of the access control entries includes a resource identifier, a principal identifier, and an access type allowed for the principal identifier on the resource identified by the resource identifier;
receive and process requests from a plurality of clients of the access control service;
for at least one received request:
determine whether the access control information includes an access control entry corresponding to a resource specified by the request;
determine, from the access control information, an access type required for performing an operation specified by the request on the resource specified by the request, wherein the required access type determined from the access control information is particular to the resource;
responsive to determining that the access control information includes an access control entry corresponding to the specified resource, determine, from the determined access control entry, that a principal associated with the request has the determined access type required for performing the specified operation on the specified resource; and
notify a client corresponding to the request that the principal associated with the request is allowed to perform the specified operation on the specified resource.
Dependent claims: 15, 16, 17, 18, 19, 20.
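The decision procedure the abstract and claims 1, 7 and 14 describe, as an added example in Python. This is not the patent's own code: the access-type names (READ, WRITE, ADMIN), the resource and principal identifiers, the per-resource operation policy and the function names are all assumptions chosen for illustration. The table is keyed by (resource, principal) so that an entry granted on one resource can never satisfy a request for another, and every path that finds no matching entry or no allowing access type denies.

```python
# Added example (not the patent's own code): a minimal model of the access
# control service (ACS) the claims describe.  The table layout, the access-type
# names and the sample entries and policy below are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum


class AccessType(Enum):
    """Assumed access types; the claims only speak of 'an access type'."""
    READ = "read"
    WRITE = "write"
    ADMIN = "admin"


@dataclass(frozen=True)
class AccessControlEntry:
    """One row of the access control table: (resource, principal, access type)."""
    resource_id: str
    principal_id: str
    access_type: AccessType


@dataclass(frozen=True)
class AccessRequest:
    """A client request: which principal wants which operation on which resource."""
    principal_id: str
    resource_id: str
    operation: str


class AccessControlService:
    def __init__(self, entries, operation_policy):
        # Table keyed by (resource, principal): an entry is tied to exactly one
        # resource and cannot be matched against a different one.
        self._table = {}
        for entry in entries:
            key = (entry.resource_id, entry.principal_id)
            self._table.setdefault(key, set()).add(entry.access_type)
        # Per-resource mapping of operation -> access types that allow it.  This is
        # what makes the required access type "particular to the resource".
        self._operation_policy = operation_policy

    def allowing_access_types(self, resource_id, operation):
        """Access types that allow `operation` on `resource_id` (empty if none)."""
        return self._operation_policy.get(resource_id, {}).get(operation, frozenset())

    def has_entry(self, resource_id, principal_id):
        """Does the table hold an entry for this (resource, principal) pair?"""
        return (resource_id, principal_id) in self._table

    def evaluate(self, request):
        """True only when an entry for (resource, principal) grants an access
        type sufficient for the requested operation; everything else is denied."""
        allowing = self.allowing_access_types(request.resource_id, request.operation)
        if not allowing:
            return False  # no access type on this resource allows the operation
        granted = self._table.get((request.resource_id, request.principal_id))
        if granted is None:
            return False  # no entry for this resource/principal: deny
        return not granted.isdisjoint(allowing)


def build_demo_service():
    """Constructed sample table and policy (hypothetical resource/principal names)."""
    entries = [
        AccessControlEntry("bucket/reports", "alice", AccessType.READ),
        AccessControlEntry("bucket/reports", "bob", AccessType.WRITE),
        AccessControlEntry("queue/orders", "alice", AccessType.ADMIN),
    ]
    policy = {
        "bucket/reports": {
            "get": frozenset({AccessType.READ, AccessType.WRITE, AccessType.ADMIN}),
            "put": frozenset({AccessType.WRITE, AccessType.ADMIN}),
        },
        "queue/orders": {
            "send": frozenset({AccessType.WRITE, AccessType.ADMIN}),
            "purge": frozenset({AccessType.ADMIN}),
        },
    }
    return AccessControlService(entries, policy)


def demo_decisions():
    """Evaluate a fixed set of requests; returns {(principal, resource, op): allowed}."""
    acs = build_demo_service()
    requests = [
        AccessRequest("alice", "bucket/reports", "get"),   # READ allows get
        AccessRequest("alice", "bucket/reports", "put"),   # READ does not allow put
        AccessRequest("bob", "bucket/reports", "put"),     # WRITE allows put
        AccessRequest("carol", "bucket/reports", "get"),   # no entry at all
        AccessRequest("alice", "queue/orders", "purge"),   # ADMIN on this resource
        AccessRequest("alice", "queue/orders", "put"),     # 'put' is not an operation here
        AccessRequest("bob", "queue/orders", "send"),      # bob's WRITE is on another resource
    ]
    return {(r.principal_id, r.resource_id, r.operation): acs.evaluate(r) for r in requests}


if __name__ == "__main__":
    for key, allowed in demo_decisions().items():
        print(key, "ALLOW" if allowed else "DENY")
```

The claims check for a matching entry before resolving the allowing access type; the order of the two lookups does not change the decision, since both must succeed for an allow. Note that the service only decides: as in claims 7 and 14, the result is returned to the requesting client, and the resource owner still has to enforce it.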
Specification