Substitution of requests or results in access control systems

US 9,553,757 B1
Filed: 05/21/2013
Issued: 01/24/2017
Est. Priority Date: 05/21/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for managing access to data resources, the method comprising:

receiving a user-defined access control policy for managing access to one or more data resources, the user-defined access control policy specifying one or more conditions and one of;

a substitution result or a substitution request to be applied when the one or more conditions are satisfied;

receiving, from a client, an application programming interface (API) request to access the one or more data resources, the request being associated with an unfiltered result including all available information; and

evaluating the user-defined access control policy by a policy evaluation engine to determine whether the API request satisfies the one or more conditions specified in the user-defined access control policy;

wherein, in response to determining that the API request satisfies the one or more conditions, the policy evaluation engine is configured to;

cause the substitution result specified in the user-defined access control policy to be returned to the client in response to the API request, the substitution result comprising a filtered subset of the unfiltered result, orcause the substitution request, specified in the user-defined access control policy, to be executed instead of the API request and a result of the substitution request to be returned to the client in response to the API request, the result of the substitution request comprising a filtered subset of the unfiltered result; and

return, separate from the filtered subset, an indication to the client in response to the API request, indicating that the API request has completed successfully with all unfiltered information pertinent to the API request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches are described for allowing an access control policy to specify that a substitute operation be executed when a request for access matches certain conditions specified in the access control policy (e.g., when the identity of the requestor matches a specified identity in the policy). For example, the access control may specify that a substitute result should be provided to a requestor in response to a request for access or a substitute request should be executed instead of executing the received request and the results of the substitute request should be provided to the requestor in response to the request. The substitute result or the result of the substitute request may appear to the requestor as though their original request for access succeeded but the content of the result may be different than what would have been generated if the access control policy allowed the request to proceed.

16 Citations

View as Search Results

20 Claims

1. A computer implemented method for managing access to data resources, the method comprising:
- receiving a user-defined access control policy for managing access to one or more data resources, the user-defined access control policy specifying one or more conditions and one of;
  
  a substitution result or a substitution request to be applied when the one or more conditions are satisfied;
  
  receiving, from a client, an application programming interface (API) request to access the one or more data resources, the request being associated with an unfiltered result including all available information; and
  
  evaluating the user-defined access control policy by a policy evaluation engine to determine whether the API request satisfies the one or more conditions specified in the user-defined access control policy;
  
  wherein, in response to determining that the API request satisfies the one or more conditions, the policy evaluation engine is configured to;
  
  cause the substitution result specified in the user-defined access control policy to be returned to the client in response to the API request, the substitution result comprising a filtered subset of the unfiltered result, orcause the substitution request, specified in the user-defined access control policy, to be executed instead of the API request and a result of the substitution request to be returned to the client in response to the API request, the result of the substitution request comprising a filtered subset of the unfiltered result; and
  
  return, separate from the filtered subset, an indication to the client in response to the API request, indicating that the API request has completed successfully with all unfiltered information pertinent to the API request.
- View Dependent Claims (2)
- - 2. The computer implemented method of claim 1, wherein causing the substitution request to be executed instead of the API request further comprises:
    - causing a read or write operation on a first data resource to be replaced with a read or write operation on a second data resource, wherein the second data resource is a redacted version of the first data resource.

3. A computer implemented method, comprising:
- obtaining an access control policy specifying one or more conditions and one of;
  
  a substitution result or a substitution request to be applied when the one or more conditions are satisfied;
  
  receiving, from a client, a request to access one or more resources, the request being associated with an unfiltered result including all available information;
  
  evaluating the access control policy to determine whether the request satisfies the one or more conditions specified in the access control policy;
  
  in response to determining that the request satisfies the one or more conditions specified in the access control policy, performing one of;
  
  causing the substitution result specified in the access control policy to be returned to the client in response to the request, the substitution result comprising a filtered subset of the unfiltered result;
  
  orcausing the substitution request specified in the access control policy to be executed instead of the request, the result of the substitution request comprising a filtered subset of the unfiltered result; and
  
  returning an indication to the client, separate from the filtered subset, that the request was executed successfully with all unfiltered information pertinent to the request.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10)
- - 4. The computer implemented method of claim 3, further comprising:
    - generating the substitution request based at least in part on the access control policy and the received request to access the one or more resources.
  - 5. The computer implemented method of claim 4, wherein generating the substitute request further comprises replacing a first resource specified in the request to access the one or more resources with a second resource.
  - 6. The computer implemented method of claim 3, wherein at least one of the substitution requests or the substitution result is embedded in the access control policy.
  - 7. The computer implemented method of claim 3, further comprising:
    - determining an identity of the client that initiated the request to access the one or more resources; and
      
      determining that the request satisfies the one or more conditions based at least in part on the identity of the client.
  - 8. The computer implemented method of claim 3, wherein causing the substitution request to be executed further comprises performing at least one of:
    - replacing a read operation of a first resource with a read operation of a second resource;
      
      replacing a write operation of the first resource with a write operation of the second resource;
      
      replacing a request to list available resources with a request to list a predetermined fixed list of resources that is different from the list of available resources;
      
      replacing a request to terminate a virtual machine with a request to suspend the virtual machine;
      
      orreplacing a request to launch a virtual machine of a first type with a request to launch a virtual machine of a second type.
  - 9. The computer implemented method of claim 3, wherein causing the substitute request to be executed further comprises:
    - causing a read operation on a document to be replaced with a read operation on a redacted version of the document.
  - 10. The computer implemented method of claim 3, wherein the request is an application programming interface (API) request received by a web service from a user over a network to access the one or more resources provisioned for the user in a multitenant computing environment.

11. A computing device, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the computing device to;
  
  obtain an access control policy specifying an identity and a substitute operation;
  
  receive, from a client, a request to access one or more resources, the request being associated with an unfiltered result including all available information;
  
  determine an identity of the client;
  
  evaluate the access control policy to determine whether the identity of the client matches the identity specified in the access control policy;
  
  in response to determining that the identity of the client matches the identity specified in the access control policy, execute the substitute operation specified in the access control policy, a result of the substitute operation comprising a filtered subset of the unfiltered result; and
  
  provide to the client an indication, separate from the filtered subset, indicating that the request was executed successfully with all unfiltered information pertinent to the request.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computing device of claim 11, wherein executing the substitute operation further comprises:
    - returning a substitution result specified in the access control policy to the client in response to the request.
  - 13. The computing device of claim 11, wherein executing the substitute operation further comprises:
    - generating the substitution request based at least in part on the access control policy and the received request to access the one or more resources.
  - 14. The computing device of claim 13, wherein generating the substitute request further comprises replacing a first resource specified in the request to access the one or more resources with a second resource.
  - 15. The computing device of claim 11, wherein executing the substitute operation further comprises performing at least one of:
    - replacing a read operation of a first resource with a read operation of a second resource;
      
      replacing a write operation of the first resource with a write operation of the second resource;
      
      replacing a request to list available resources with a request to list a predetermined fixed list of resources that is different from the list of available resources;
      
      replacing a request to terminate a virtual machine with a request to suspend the virtual machine;
      
      orreplacing a request to launch a virtual machine of a first type with a request to launch a virtual machine of a second type.

16. A non-transitory computer readable storage medium storing one or more sequences of instructions executed by one or more processors to:
- obtain an access control policy specifying an identity and a substitute operation;
  
  receive, from a client, a request to access one or more resources, the request being associated with an unfiltered result including all available information;
  
  determine an identity of the client;
  
  evaluate the access control policy to determine whether the identity of the client matches the identity specified in the access control policy;
  
  in response to determining that the identity of the client matches the identity specified in the access control policy, execute the substitute operation specified in the access control policy, a result of the substitute operation comprising a filtered subset of the unfiltered result; and
  
  provide to the client an indication, separate from the filtered subset, indicating that the request was executed successfully with all unfiltered information pertinent to the request.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein executing the substitute operation further comprises:
    - returning a substitution result specified in the access control policy to the client in response to the request.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein executing the substitute operation further comprises:
    - generating the substitution request based at least in part on the access control policy and the received request to access the one or more resources.
  - 19. The non-transitory computer readable storage medium of claim 18, wherein generating the substitute request further comprises replacing a first resource specified in the request to access the one or more resources with a second resource.
  - 20. The non-transitory computer readable storage medium of claim 16, wherein executing the substitute operation further comprises performing at least one of:
    - replacing a read operation of a first resource with a read operation of a second resource;
      
      replacing a write operation of the first resource with a write operation of the second resource;
      
      replacing a request to list available resources with a request to list a predetermined fixed list of resources that is different from the list of available resources;
      
      replacing a request to terminate a virtual machine with a request to suspend the virtual machine;
      
      orreplacing a request to launch a virtual machine of a first type with a request to launch a virtual machine of a second type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek
Primary Examiner(s)
Keehn, Richard G

Application Number

US13/899,360
Time in Patent Office

1,344 Days
Field of Search

709/225
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

Substitution of requests or results in access control systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Substitution of requests or results in access control systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links