Access controls on the use of freeform metadata
First Claim
1. A computer implemented method for controlling association of metadata with computing resources, the method comprising:
- associating an access control list with the metadata, the access control list specifying principals that are allowed to assign, modify, or delete the metadata and for which computing resources the principals are allowed to assign, modify or delete the metadata, wherein the metadata is usable to determine whether to grant or deny operations on corresponding computing resources;
- receiving, from a first user, a first request to assign one of the metadata to at least one computing resource;
- in response to receiving the first request, evaluating the access control list to determine whether the first user matches at least one of the principals specified in the access control list;
- associating the one of the metadata with the at least one computing resource upon determining that the first user matches at least one of the principals specified in the access control list;
- receiving a second request from a second user to perform an operation on the at least one computing resource, wherein the second user is associated with an access control policy, the access control policy specifying operations permitted by the second user on the at least one computing resource based at least in part on the one of the metadata;
- identifying a reference to the one of the metadata in the access control policy; and
- resolving the second request based at least in part on the one of the metadata specifying an access condition for the access control policy.
Abstract
Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.
22 Claims
1. A computer implemented method for controlling association of metadata with computing resources (text as given under First Claim above). Dependent claim: 2.
3. A computer implemented method, comprising:
- receiving, from a user, a first request to apply a tag from available tags to at least one computing resource, the available tags associated with corresponding policies and usable to determine whether to grant or deny operations on corresponding computing resources, wherein the first request is associated with a first policy, and wherein at least one of the corresponding policies indicates one or more principals that are permitted to apply the tag to the at least one computing resource;
- in response to receiving the first request, evaluating the first policy to determine whether the user is permitted to apply the tag to the at least one computing resource, wherein evaluating the first policy includes determining whether the user matches the one or more principals;
- associating the tag with the at least one computing resource upon determining that the user is permitted to apply the tag;
- receiving a second request to perform an operation on the at least one computing resource, the second request associated with a second policy of the corresponding policies and which specifies operations permitted on the at least one computing resource based at least in part on a respective tag associated with the at least one computing resource;
- identifying a reference to the tag in the second policy; and
- resolving the second request based at least in part on the tag specifying an access condition in the second policy.
Dependent claims: 4 to 11.
12. A computing system, comprising:
- at least one processor; and
- memory including instructions that, when executed by the at least one processor, cause the computing system to:
- receive, from a user, a first request to apply a tag from available tags to at least one computing resource, the available tags associated with corresponding policies and usable to determine whether to grant or deny operations on corresponding computing resources, wherein the first request is associated with a first policy, and wherein at least one of the corresponding policies indicates one or more principals that are permitted to apply the tag to the at least one computing resource;
- in response to receiving the first request, evaluate the first policy to determine whether the user is permitted to apply the tag to the at least one computing resource, wherein evaluating the first policy includes determining whether the user matches the one or more principals;
- associate the tag with the at least one computing resource upon determining that the user is permitted to apply the tag;
- receive a second request to perform an operation on the at least one computing resource, the second request associated with a second policy of the corresponding policies and which specifies operations permitted on the at least one computing resource based at least in part on a respective tag associated with the at least one computing resource;
- identify a reference to the tag in the second policy; and
- resolve the second request based at least in part on the tag specifying an access condition in the second policy.
Dependent claims: 13 to 17.
18. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of operations comprising:
- receiving, from a user, a first request to apply a tag from available tags to at least one computing resource, the available tags associated with corresponding policies, wherein the first request is associated with a first policy, and wherein at least one of the corresponding policies indicates one or more principals that are permitted to apply the tag to the at least one computing resource;
- in response to receiving the first request, evaluating the first policy to determine whether the user is permitted to apply the tag to the at least one computing resource, wherein evaluating the first policy includes determining whether the user matches the one or more principals;
- associating the tag with the at least one computing resource upon determining that the user is permitted to apply the tag;
- receiving a second request to perform an operation on the at least one computing resource, the second request associated with a second policy of the corresponding policies and which specifies operations permitted on the at least one computing resource based at least in part on a respective tag associated with the at least one computing resource;
- identifying a reference to the tag in the second policy; and
- resolving the second request based at least in part on the tag specifying an access condition in the second policy.
Dependent claims: 19 to 22.
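The independent claims all describe the same two-stage check: a tag-assignment request is first gated by the ACL attached to the tag (which principals may apply it, and to which resources), and only then do resource policies that reference the tag take effect. The following Python model is an added illustration, not code from the patent; the class and field names, the "explicit deny wins, otherwise default deny" resolution, and the sample principals, tags and resources are all assumptions made here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TagAcl:
    """ACL on a tag: who may assign/modify/delete it, and on which resources ("*" = any)."""
    principals: frozenset
    resources: frozenset

@dataclass(frozen=True)
class Statement:
    """One statement of a principal's access control policy; required_tag is the access condition."""
    effect: str            # "allow" or "deny" (assumed vocabulary)
    operations: frozenset
    required_tag: str

class TagAccessController:
    def __init__(self):
        self.tag_acls = {}       # tag -> TagAcl
        self.resource_tags = {}  # resource id -> set of tags attached to it
        self.policies = {}       # principal -> list of Statement

    def assign_tag(self, principal, tag, resource):
        """First request: apply a tag. Granted only if the tag's ACL names the principal and resource."""
        acl = self.tag_acls.get(tag)
        if acl is None or principal not in acl.principals:
            return False          # unknown tag, or principal not allowed to assign it
        if "*" not in acl.resources and resource not in acl.resources:
            return False          # principal may not tag this particular resource
        self.resource_tags.setdefault(resource, set()).add(tag)
        return True

    def authorize(self, principal, operation, resource):
        """Second request: resolve an operation using the resource's tags as policy conditions."""
        tags = self.resource_tags.get(resource, set())
        allowed = False
        for st in self.policies.get(principal, []):
            if operation in st.operations and st.required_tag in tags:
                if st.effect == "deny":
                    return False  # an explicit deny whose condition holds wins outright
                allowed = True
        return allowed            # no matching allow statement: default deny

def build_demo():
    """Constructed sample: two governed tags and one user whose policy references both."""
    ctl = TagAccessController()
    ctl.tag_acls["env:prod"] = TagAcl(frozenset({"ops-admin"}), frozenset({"*"}))
    ctl.tag_acls["team:blue"] = TagAcl(frozenset({"blue-lead"}), frozenset({"vm-1"}))
    ctl.policies["bob"] = [Statement("allow", frozenset({"start", "stop"}), "team:blue"),
                           Statement("deny", frozenset({"stop"}), "env:prod")]
    return ctl
```

Because tagging is ACL-gated, a user cannot unlock a resource by applying the tag a policy references to it themselves.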
Specification