Delegated permissions in a distributed electronic environment

US 9,418,213 B1
Filed: 02/06/2013
Issued: 08/16/2016
Est. Priority Date: 02/06/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining, by an application executing on a computing device, at least one credential generated by a third party identity provider, the at least one credential including identity information for a user of the computing device;

providing the at least one credential and information about the application to a Web service provider environment, the Web service provider environment providing a plurality of Web services associated with the identity information, wherein each of the plurality of Web services is associated with a delegation profile assigned by an administrator, the delegation profile defining access rights of a Web service with which the delegation profile is associated, the delegation profile created independently from the providing the at least one credential and information about the application to the Web service provider environment;

receiving one or more Web service credentials from the Web service provider environment, the one or more Web service credentials enabling access to the plurality of Web services according to one or more permissions associated with the delegation profile assigned by the administrator, the one or more Web services including an action to be performed utilizing;

(a) at least one first secured resource in the Web service provider environment that is associated with a provider of the application and (b) at least one second secured resource in the Web service provider environment that is associated with the user, the access enabling the application to use the one or more Web services subject to the one or more permissions;

sending a request to at least one of the one or more Web services, the request associated with the one or more Web service credentials enabling access to the plurality of Web services; and

receiving, by the application, information from (a) the at least one first secured resource in the Web service provider environment that is associated with the provider of the application and (b) the at least one second secured resource in the Web service provider environment that is associated with the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Delegation profiles are established that are associated with at least one secured account of at least one customer. Each delegation profile includes information such as a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once a delegation profile is created, the profile can be available for external principals or services that provide a user credential delegated access under the account, where that credential is provided by a trusted identity service. Access can be provided across accounts using the user credential.

Citations

28 Claims

1. A computer-implemented method, comprising:
- obtaining, by an application executing on a computing device, at least one credential generated by a third party identity provider, the at least one credential including identity information for a user of the computing device;
  
  providing the at least one credential and information about the application to a Web service provider environment, the Web service provider environment providing a plurality of Web services associated with the identity information, wherein each of the plurality of Web services is associated with a delegation profile assigned by an administrator, the delegation profile defining access rights of a Web service with which the delegation profile is associated, the delegation profile created independently from the providing the at least one credential and information about the application to the Web service provider environment;
  
  receiving one or more Web service credentials from the Web service provider environment, the one or more Web service credentials enabling access to the plurality of Web services according to one or more permissions associated with the delegation profile assigned by the administrator, the one or more Web services including an action to be performed utilizing;
  
  (a) at least one first secured resource in the Web service provider environment that is associated with a provider of the application and (b) at least one second secured resource in the Web service provider environment that is associated with the user, the access enabling the application to use the one or more Web services subject to the one or more permissions;
  
  sending a request to at least one of the one or more Web services, the request associated with the one or more Web service credentials enabling access to the plurality of Web services; and
  
  receiving, by the application, information from (a) the at least one first secured resource in the Web service provider environment that is associated with the provider of the application and (b) the at least one second secured resource in the Web service provider environment that is associated with the user.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein control of the one or more Web services remains with at least one of the provider of the application or a provider of the Web service provider environment.
  - 3. The computer-implemented method of claim 1, further comprising:
    - providing the one or more Web service credentials to a second application executing on the computing device, the second application obtained from a provider independent of the Web service provider environment; and
      
      sending a second request to at least one of the one or more Web services, the second request associated with the one or more Web service credentials enabling access to the one or more Web services, wherein at least a portion of the one or more Web services is able to process information for the second request according to a second delegation profile corresponding to the identity information and information for at least one of the second application or a provider of the second application.
  - 4. The computer-implemented method of claim 1, further comprising:
    - providing the one or more Web service credentials to a third party, the third party capable of submitting the one or more Web service credentials with one or more requests to obtain access to the one or more Web services.
  - 5. The computer-implemented method of claim 4, wherein a type of access to the one or more Web services granted to the third party upon presenting the one or more Web service credentials is different from a type of access granted to at least one of the user or application upon presenting the one or more Web service credentials.

6. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to:
- obtain, by an application executing on a computing device, at least one credential generated by a third party identity provider, the at least one credential including identity information for a user of the computing device;
  
  provide the at least one credential and information about the application to a Web service provider environment, the Web service provider environment providing a plurality of Web services associated with the identity information, wherein each of the plurality of Web services is associated with a delegation profile assigned by an administrator, the delegation profile defining the access rights of a Web service with which the delegation profile is associated, the delegation profile created independently from the providing the at least one credential and information about the application to the Web service provider environment; and
  
  receive one or more Web service credentials from the Web service provider environment, the one or more Web service credentials enabling access to the plurality of Web services according to one or more permissions associated with a delegation profile assigned by the administrator, the one or more Web services including an action to be performed utilizing;
  
  (a) at least one first secured resource in the Web service provider environment that is associated with a provider of the application and (b) at least one second secured resource in the Web service provider environment that is associated with the user, the access enabling the application to use the plurality of Web services subject to the one or more permissions; and
  
  receive, by the application, information from (a) the at least one first secured resource in the Web service provider environment that is associated with the provider of the application and (b) the at least one second secured resource in the Web service provider environment that is associated with the user.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The non-transitory computer-readable storage medium of claim 6, wherein the instructions when executed further cause the computing system to:
    - send a request to at least one of the one or more Web services, the request associated with the one or more Web service credentials enabling access to the one or more Web services.
  - 8. The non-transitory computer-readable storage medium of claim 6, wherein control of the one or more Web services remains with at least one of the provider of the application or a provider of the Web service provider environment.
  - 9. The non-transitory computer-readable storage medium of claim 6, wherein the instructions when executed further cause the computing system to:
    - provide the one or more Web service credentials to a second application executing on the computing device, the second application obtained from a provider independent of the Web service provider environment; and
      
      send a second request to at least one of the one or more Web services, the second request associated with the one or more Web service credentials enabling access to the one or more Web services, wherein at least a portion of the one or more Web services is able to process information for the second request according to a second delegation profile corresponding to the identity information and information for at least one of the second application or a provider of the second application.
  - 10. The non-transitory computer-readable storage medium of claim 6, wherein the instructions when executed further cause the computing system to:
    - provide the one or more Web service credentials to a third party, the third party capable of submitting the one or more Web service credentials with one or more requests to obtain access to the one or more Web services.
  - 11. The non-transitory computer-readable storage medium of claim 10, wherein a type of access to the one or more Web services granted to the third party upon presenting the one or more Web service credentials is different from a type of access granted to at least one of the user or application upon presenting the one or more Web service credentials.

12. A computer system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the computer system to;
  
  obtain, by an application executing on the computer system, at least one credential generated by a third party identity provider, the at least one credential including identity information for a user of the computer system;
  
  provide the at least one credential and information about the application to a resource provider environment, the resource provider environment providing a plurality of resources associated with the identity information, wherein each of the plurality of resources is associated with a delegation profile assigned by an administrator, the delegation profile defining the access rights of a resource with which the delegation profile is associated, the delegation profile created independently from the providing the at least one credential and information about the application to the resource provider environment;
  
  receive one or more resource credentials from the resource provider environment, the one or more resource credentials enabling access to the plurality of resources according to one or more permissions associated with a delegation profile corresponding to the identity information, the plurality of resources including;
  
  (a) at least one first secured resource in the resource provider environment that is associated with a provider of the application and (b) at least one second secured resource in the resource provider environment that is associated with the user, the access enabling the application to use the plurality of resources subject to the one or more permissions; and
  
  receive, by the application, information from (a) the at least one first secured resource in the resource provider environment that is associated with the provider of the application and (b) the at least one second secured resource in the resource provider environment that is associated with the user.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer system of claim 12, wherein the instructions when executed further cause the computer system to:
    - send a request to at least one of the plurality of resources, the request associated with the one or more resource credentials enabling access to the plurality of resources.
  - 14. The computer system of claim 12, wherein control of the plurality of resources remains with at least one of the provider of the application or a provider of the resource provider environment.
  - 15. The computer system of claim 12, wherein the instructions when executed further cause the computer system to:
    - provide the one or more resource credentials to a second application executing on the computer system, the second application obtained from a provider independent of the resource provider environment; and
      
      send a second request to access at least one of the plurality of resources, the second request associated with the one or more resource credentials enabling the access to the plurality of resources, wherein at least a portion of the plurality of resources are accessed according to a second delegation profile corresponding to the identity information and information for at least one of the second application or a provider of the second application.
  - 16. The computer system of claim 12, wherein the instructions when executed further cause the computer system to:
    - provide the one or more resource credentials to a third party, the third party capable of submitting the one or more resource credentials with one or more requests to obtain access to the plurality of resources.
  - 17. The computer system of claim 16, wherein a type of access to the plurality of resources granted to the third party upon presenting the one or more resource credentials is different from a type of access granted to at least one of the user or application upon presenting the one or more resource credentials.

18. A computer-implemented method, comprising:
- under control of one or more computer systems configured with executable instructions,receiving, from an entity, a request for access to a plurality of resources of a resource provider environment that are associated with a user credential, the user credential generated by a third party identity provider and including identity information for a user;
  
  determining an applicable delegation profile for the request, the applicable delegation profile being associated with the user credential and being determined based at least in part upon identifying information for the entity, the applicable delegation profile associated with one or more permissions for accessing and utilizing the plurality of resources, the applicable delegation profile being assigned by an administrator, the applicable delegation profile defining the access rights of the plurality of resources and created independently from the receiving the request for access to the plurality of resources;
  
  providing the entity with access to the plurality of resources according to the one or more permissions associated with the applicable delegation profile as determined using the user credential, the plurality of resources including;
  
  (a) at least one first secured resource in the resource provider environment that is associated with the entity and (b) at least one second secured resource in the resource provider environment that is associated with the user, the access enabling the entity to use the plurality of resources subject to the one or more permissions,wherein the access to the plurality of resources is provided according to an account being maintained by a provider of the resource provider environment, and the access is provided according to one or more terms of the account, andwherein the account corresponds to one of the user, the entity, the provider, or a third party; and
  
  providing the entity with information from (a) the at least one first secured resource in the resource provider environment that is associated with the entity and (b) the at least one second secured resource in the resource provider environment that is associated with the user.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. The computer-implemented method of claim 18, wherein the applicable delegation profile is determined based at least in part upon a relationship of the entity to a holder of the account.
  - 20. The computer-implemented method of claim 19, wherein the permissions of the applicable delegation profile are restricted to a scope that is less than or equal to permissions of the holder of the account.
  - 21. The computer-implemented method of claim 18, wherein the user credential comprises a security token issued by the third party identity provider, the security token including the identity information for the user.
  - 22. The computer-implemented method of claim 18, wherein determining the applicable delegation profile includes analyzing whether the request is:
    - signed by a key associated with the user credential, directed to an endpoint associated with the user credential, or directed to a location identified at least in part using the user credential.
  - 23. The computer-implemented method of claim 18, wherein the entity is provided with the access to the plurality of resources only when the third party identity provider is a federation provider indicated by the applicable delegation profile or when the identity information provided by the third party identity provider includes at least one piece of mandatory information.
  - 24. The computer-implemented method of claim 18, further comprising:
    - sending, from the plurality of resources, a request for access to one or more Web services associated with the user credential, the one or more Web services provided by a provider independent of the plurality of resources; and
      
      receiving access to the one or more Web services according to a delegation profile corresponding to the user credential and information for the plurality of resources.
  - 25. The computer-implemented method of claim 18, further comprising:
    - receiving a subsequent request from a second entity, the subsequent request including the user credential;
      
      determining a second delegation profile for the subsequent request, the second delegation profile being associated with the user credential and being determined based at least in part upon identifying information for the second entity, the second delegation profile associated with one or more permissions for accessing and utilizing the plurality of resources; and
      
      providing the second entity with access to the plurality of resources according to the one or more permissions associated with the second delegation profile.
  - 26. The computer-implemented method of claim 18, wherein determining the applicable delegation profile includes performing a lookup based at least in part upon at least one of an aspect of the entity or an attribute of the request.
  - 27. The computer-implemented method of claim 18, wherein the applicable delegation profile identifies one or more security principals by reference to an authority, and wherein the entity is one of the one or more security principals as identified by the authority.
  - 28. The computer-implemented method of claim 27, wherein the authority identifies the entity using a security mechanism selected from at least one of a public key infrastructure (PKI) certificate, a security assertion markup language (SAML) assertion, or an X509 certificate signed by, or chained to, the authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Popick, Daniel Stephen, Behm, Bradley Jeffery
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Murphy, J. Brant

Application Number

US13/760,738
Time in Patent Office

1,287 Days
Field of Search

726/7
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

G06Q 20/06   Private payment circuits, e...

G06Q 2220/00   Business processing using c...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

Delegated permissions in a distributed electronic environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Delegated permissions in a distributed electronic environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links