Fine-grained structured data store access using federated identity management
First Claim
1. A system, comprising:
a plurality of compute nodes implementing a database service maintaining data for an application provider, wherein the database service implements a fine-grained access management module to authorize fine-grained access requests from one or more application clients of the application provider directed toward portions of the data;
the fine-grained access management module, configured to:
receive a fine-grained access request for a specified portion of the data maintained at the database service and a delegated access credential for the fine-grained access request from one of the one or more application clients;
request, from a delegation service, verification of the delegated access credential;
receive the verification of the delegated access credential;
receive, from the delegation service, a delegation policy corresponding to the delegated access credential;
evaluate the fine-grained access request according to the delegation policy in order to determine request authorization for the fine-grained access request from the one application client; and
in response to determining that the fine-grained access request is authorized, provide access to the specified portion of the data in order to service the fine-grained access request.
Abstract
A structured data store service, such as a database service, may implement fine-grained access to data maintained at the database service using federated identity. Fine-grained access requests may be received at a database service for specified data maintained for an application provider from a client of the application provider. An access credential may also be received. Verification of the access credential may be obtained, and the database service may evaluate the fine-grained access request according to a delegation policy corresponding to the access credential to determine whether the fine-grained request is authorized. If authorized, the fine-grained access request may be serviced. If not authorized, the fine-grained access request may be denied. In some embodiments, multiple application clients may have the same authorization for data, such as read authorization, while another one or more application clients may have different authorization for the data, such as write authorization.
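The authorization flow in the abstract, as an added illustration that is not part of the patent text: the delegation service verifies a delegated credential and hands back the delegation policy it refers to, and the database service's fine-grained access module evaluates the request (action, table, row key) against that policy. The HMAC-signed credential format, the policy ids, the `user_id` claim and the `owner#id` row-key convention are all constructed assumptions.

```python
import hmac, hashlib, json, time

# Constructed secret held by the delegation service only; the database service
# never sees it and always asks the delegation service to verify credentials.
DELEGATION_KEY = b"constructed-delegation-service-secret"

# Constructed delegation policies. Two clients may share read authority on their
# own rows while a third is delegated write authority over the whole table.
POLICIES = {
    "read-own-rows": {"actions": {"read"}, "table": "Orders", "owner_claim": "user_id"},
    "write-all":     {"actions": {"read", "write"}, "table": "Orders", "owner_claim": None},
}

def issue_credential(claims: dict) -> str:
    """Delegation service mints a credential: hex(JSON claims) + '.' + HMAC tag."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(DELEGATION_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def verify_credential(token: str):
    """Delegation service: check tag and expiry; return (claims, policy) or None."""
    try:
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(DELEGATION_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # tampered or forged
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) < time.time():          # expired delegation
        return None
    policy = POLICIES.get(claims.get("policy"))
    return None if policy is None else (claims, policy)

def authorize(request: dict, token: str) -> bool:
    """Fine-grained access management module at the database service."""
    verified = verify_credential(token)             # round trip to delegation service
    if verified is None:
        return False
    claims, policy = verified
    if request["action"] not in policy["actions"] or request["table"] != policy["table"]:
        return False
    owner_claim = policy["owner_claim"]
    if owner_claim is not None:
        # Row-level restriction: the client may only touch rows keyed by its own id.
        owner = claims.get(owner_claim)
        if owner is None or not request["key"].startswith(owner + "#"):
            return False
    return True
```

The `#` separator in the key check matters: a bare prefix test would let a client delegated for `al` read rows belonging to `alice`.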
Claims (21)
1. A system, comprising: (as set out under First Claim above). Dependent claims: 2, 3, 4.
5. A method, comprising:
performing, by a plurality of computing devices:
receiving, at a database service, a fine-grained access request for a specified portion of data maintained at the database service for an application provider and a delegated access credential for the fine-grained access request from an application client, wherein the application client is one of one or more application clients of the application provider with different delegated authority from the application provider to access one or more portions of the data;
obtaining verification of the delegated access credential from a delegation service;
evaluating the fine-grained access request according to a delegation policy received from the delegation service corresponding to the delegated access credential in order to determine client authorization for the fine-grained access request; and
in response to determining that the fine-grained access request is authorized, providing access to the specified portion of the data in order to service the fine-grained access request.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13.
14. A non-transitory, computer-readable storage medium storing program instructions that when executed by one or more computing devices cause the one or more computing devices to implement:
receiving, at a structured data store service, a fine-grained access request for a specified portion of data maintained at the structured data store service for an application provider and a delegated access credential for the fine-grained access request from an application client, wherein the application client is one of one or more application clients of the application provider with different delegated authority from the application provider to access one or more portions of the data;
requesting verification of the delegated access credential from a delegation service;
receiving verification of the delegated access credential from the delegation service;
evaluating the fine-grained access request according to a delegation policy received from the delegation service corresponding to the delegated access credential in order to determine client authorization for the fine-grained access request; and
in response to determining that the fine-grained access request is authorized, providing access to the specified portion of the data in order to service the fine-grained access request.
Dependent claims: 15, 16, 17, 18, 19, 20, 21.
Specification