Delegated permissions in a distributed electronic environment
First Claim
1. A computer-implemented method, comprising:
obtaining, by an application executing on a computing device, at least one credential generated by a third party identity provider, the at least one credential including identity information for a user of the computing device;
providing the at least one credential and information about the application to a Web service provider environment, the Web service provider environment providing a plurality of Web services associated with the identity information, wherein each of the plurality of Web services is associated with a delegation profile assigned by an administrator, the delegation profile defining access rights of a Web service with which the delegation profile is associated, the delegation profile created independently from the providing the at least one credential and information about the application to the Web service provider environment;
receiving one or more Web service credentials from the Web service provider environment, the one or more Web service credentials enabling access to the plurality of Web services according to one or more permissions associated with the delegation profile assigned by the administrator, the one or more Web services including an action to be performed utilizing;
(a) at least one first secured resource in the Web service provider environment that is associated with a provider of the application and (b) at least one second secured resource in the Web service provider environment that is associated with the user, the access enabling the application to use the one or more Web services subject to the one or more permissions;
sending a request to at least one of the one or more Web services, the request associated with the one or more Web service credentials enabling access to the plurality of Web services; and
receiving, by the application, information from (a) the at least one first secured resource in the Web service provider environment that is associated with the provider of the application and (b) the at least one second secured resource in the Web service provider environment that is associated with the user.
Abstract
Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Delegation profiles are established that are associated with at least one secured account of at least one customer. Each delegation profile includes information such as a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once a delegation profile is created, the profile can be available for external principals or services that provide a user credential delegated access under the account, where that credential is provided by a trusted identity service. Access can be provided across accounts using the user credential.
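The abstract describes a delegation profile as a name plus a validation policy (which external principals may assume it) and an authorization policy (what those principals may then do), with access granted to a caller that presents a credential from a trusted identity provider. The following Python sketch is an added illustration, not code from the patent or from any product; the profile, issuer, application and account names are constructed for the example.

```python
from dataclasses import dataclass
import secrets

@dataclass
class DelegationProfile:
    """Administrator-created profile: who may assume it and what they may then do."""
    name: str
    account: str              # account whose secured resources the profile governs
    validation_policy: dict   # trusted issuers and the applications allowed to assume
    authorization_policy: dict  # action -> list of resource prefixes permitted

@dataclass
class WebServiceCredential:
    """Scoped credential returned once the profile has been assumed."""
    token: str
    profile: str
    account: str
    permissions: dict

def assume_profile(id_credential: dict, app_id: str, profile: DelegationProfile) -> WebServiceCredential:
    """Exchange an identity-provider credential plus the application's identity for
    Web service credentials carrying the profile's permissions (obtain/provide/receive)."""
    v = profile.validation_policy
    if id_credential.get("issuer") not in v["trusted_issuers"]:
        raise PermissionError("credential not issued by a trusted identity provider")
    if app_id not in v["allowed_applications"]:
        raise PermissionError("application is not a permitted principal for this profile")
    if not id_credential.get("subject"):
        raise PermissionError("credential carries no identity information")
    return WebServiceCredential(secrets.token_hex(16), profile.name, profile.account,
                                {a: list(r) for a, r in profile.authorization_policy.items()})

def authorize(cred: WebServiceCredential, action: str, resource: str) -> bool:
    """Check a request against the permissions bound to the delegated credential."""
    return any(resource.startswith(p) for p in cred.permissions.get(action, ()))

# Constructed sample data: a profile on the user's account that also grants read
# access to a resource owned by the application provider (the claim's (a) and (b)).
PROFILE = DelegationProfile(
    name="photo-app-access",
    account="user-account-42",
    validation_policy={"trusted_issuers": {"https://idp.example"},
                       "allowed_applications": {"photo-app"}},
    authorization_policy={"read": ["user-account-42/photos/", "app-account-7/config/"],
                          "write": ["user-account-42/photos/uploads/"]},
)
ID_CRED = {"issuer": "https://idp.example", "subject": "alice", "audience": "photo-app"}
```

Note that the profile exists before any request arrives, and the caller's credential only selects it; the permissions themselves come from the administrator's authorization policy, never from the caller.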
28 Claims
1. (Independent claim, reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5.
6. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to:
obtain, by an application executing on a computing device, at least one credential generated by a third party identity provider, the at least one credential including identity information for a user of the computing device; provide the at least one credential and information about the application to a Web service provider environment, the Web service provider environment providing a plurality of Web services associated with the identity information, wherein each of the plurality of Web services is associated with a delegation profile assigned by an administrator, the delegation profile defining the access rights of a Web service with which the delegation profile is associated, the delegation profile created independently from the providing the at least one credential and information about the application to the Web service provider environment; and receive one or more Web service credentials from the Web service provider environment, the one or more Web service credentials enabling access to the plurality of Web services according to one or more permissions associated with a delegation profile assigned by the administrator, the one or more Web services including an action to be performed utilizing; (a) at least one first secured resource in the Web service provider environment that is associated with a provider of the application and (b) at least one second secured resource in the Web service provider environment that is associated with the user, the access enabling the application to use the plurality of Web services subject to the one or more permissions; and receive, by the application, information from (a) the at least one first secured resource in the Web service provider environment that is associated with the provider of the application and (b) the at least one second secured resource in the Web service provider environment that is associated with the user. Dependent claims: 7, 8, 9, 10, 11.
12. A computer system, comprising:
at least one processor; and memory including instructions that, when executed by the at least one processor, cause the computer system to: obtain, by an application executing on the computer system, at least one credential generated by a third party identity provider, the at least one credential including identity information for a user of the computer system; provide the at least one credential and information about the application to a resource provider environment, the resource provider environment providing a plurality of resources associated with the identity information, wherein each of the plurality of resources is associated with a delegation profile assigned by an administrator, the delegation profile defining the access rights of a resource with which the delegation profile is associated, the delegation profile created independently from the providing the at least one credential and information about the application to the resource provider environment; receive one or more resource credentials from the resource provider environment, the one or more resource credentials enabling access to the plurality of resources according to one or more permissions associated with a delegation profile corresponding to the identity information, the plurality of resources including; (a) at least one first secured resource in the resource provider environment that is associated with a provider of the application and (b) at least one second secured resource in the resource provider environment that is associated with the user, the access enabling the application to use the plurality of resources subject to the one or more permissions; and receive, by the application, information from (a) the at least one first secured resource in the resource provider environment that is associated with the provider of the application and (b) the at least one second secured resource in the resource provider environment that is associated with the user. Dependent claims: 13, 14, 15, 16, 17.
18. A computer-implemented method, comprising:
under control of one or more computer systems configured with executable instructions, receiving, from an entity, a request for access to a plurality of resources of a resource provider environment that are associated with a user credential, the user credential generated by a third party identity provider and including identity information for a user; determining an applicable delegation profile for the request, the applicable delegation profile being associated with the user credential and being determined based at least in part upon identifying information for the entity, the applicable delegation profile associated with one or more permissions for accessing and utilizing the plurality of resources, the applicable delegation profile being assigned by an administrator, the applicable delegation profile defining the access rights of the plurality of resources and created independently from the receiving the request for access to the plurality of resources; providing the entity with access to the plurality of resources according to the one or more permissions associated with the applicable delegation profile as determined using the user credential, the plurality of resources including; (a) at least one first secured resource in the resource provider environment that is associated with the entity and (b) at least one second secured resource in the resource provider environment that is associated with the user, the access enabling the entity to use the plurality of resources subject to the one or more permissions, wherein the access to the plurality of resources is provided according to an account being maintained by a provider of the resource provider environment, and the access is provided according to one or more terms of the account, and wherein the account corresponds to one of the user, the entity, the provider, or a third party; and providing the entity with information from (a) the at least one first secured resource in the resource provider environment that is associated with the entity and (b) the at least one second secured resource in the resource provider environment that is associated with the user. Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28.