Entity to authorize delegation of permissions

US 9,686,261 B2
Filed: 02/23/2015
Issued: 06/20/2017
Est. Priority Date: 03/22/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by a computer of a service provider, a request to define a delegation profile from an administrator of a customer account with the service provider;

generating the delegation profile, the delegation profile having an identifier, a validation policy specifying a security principal authorized to assume the delegation profile, and an authorization policy specifying one or more actions the security principal is allowed to perform;

receiving a first request from the security principal to assume the delegation profile;

after authorizing the first request by verifying that the security principal is authorized to assume the delegation profile according to the validation policy, sending one or more delegation credentials usable to authorize the one or more actions to the security principal; and

authorizing a second request to perform at least one of the one or more actions using the one or more delegation credentials, the second request including the one or more delegation credentials.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

12 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- receiving, by a computer of a service provider, a request to define a delegation profile from an administrator of a customer account with the service provider;
  
  generating the delegation profile, the delegation profile having an identifier, a validation policy specifying a security principal authorized to assume the delegation profile, and an authorization policy specifying one or more actions the security principal is allowed to perform;
  
  receiving a first request from the security principal to assume the delegation profile;
  
  after authorizing the first request by verifying that the security principal is authorized to assume the delegation profile according to the validation policy, sending one or more delegation credentials usable to authorize the one or more actions to the security principal; and
  
  authorizing a second request to perform at least one of the one or more actions using the one or more delegation credentials, the second request including the one or more delegation credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the security principal is a user account within the customer account.
  - 3. The computer-implemented method of claim 1, wherein the security principal is a web service operated by the service provider.
  - 4. The computer-implemented method of claim 1, wherein receiving the request to assume the delegation profile further comprises receiving the request to assume the delegation profile via a web service application program interface.
  - 5. The computer-implemented method of claim 1, further comprising:
    - authorizing, based at least in part on security principal credentials associated with the security principal, the first request.
  - 6. The computer-implemented method of claim 5, wherein the security principal credentials are usable to perform a set of actions different in scope than the one or more actions specified in the delegation profile.
  - 7. The computer-implemented method of claim 1, further comprising:
    - logging that at least one of the one or more actions were performed by the security principal while acting under the delegation profile.
  - 8. The computer-implemented method of claim 1, wherein the one or more actions comprise at least one of reading data, modifying data, or accessing secured resources in the customer account.

9. A computing device, comprising:
- a device processor; and
  
  a memory device including instructions operable to be executed by the device processor to perform a set of actions, enabling the computing device to;
  
  receive, by a service provider, a request to define a delegation profile from an administrator of a customer account with the service provider;
  
  generate the delegation profile, the delegation profile having an identifier, a validation policy specifying a security principal authorized to assume the delegation profile, and an authorization policy specifying one or more actions the security principal is allowed to perform;
  
  receive a first request from the security principal to assume the delegation profile;
  
  after authorizing the first request by verifying that the security principal is authorized to assume the delegation profile according to the validation policy, send one or more delegation credentials usable to authorize the one or more actions to the security principal; and
  
  authorize a second request to perform at least one of the one or more actions using the one or more delegation credentials, the second request including the one or more delegation credentials.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computing device of claim 9, wherein the security principal is a user account within the customer account.
  - 11. The computing device of claim 9, wherein the security principal is a web service operated by the service provider.
  - 12. The computing device of claim 9, further comprising instructions to authorize, based at least in part on security principal credentials associated with the security principal, the first request.
  - 13. The computing device of claim 12, wherein the security principal credentials are usable to perform a set of actions different in scope than the one or more actions specified in the delegation profile.
  - 14. The computing device of claim 9, further comprising instructions to log that at least one of the one or more actions were performed by the security principal while acting under the delegation profile.

15. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- receive, by a service provider, a request to define a delegation profile from an administrator of a customer account with the service provider;
  
  generate the delegation profile, the delegation profile having an identifier, a validation policy specifying a security principal authorized to assume the delegation profile, and an authorization policy specifying one or more actions the security principal is allowed to perform;
  
  receive a first request from the security principal to assume the delegation profile;
  
  after authorizing the first request by verifying that the security principal is authorized to assume the delegation profile according to the validation policy, send one or more delegation credentials usable to authorize the one or more actions to the security principal; and
  
  authorize a second request to perform at least one of the one or more actions using the one or more delegation credentials, the second request including the one or more delegation credentials.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the security principal is a user account within the customer account.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the security principal is a web service operated by the service provider.
  - 18. The non-transitory computer-readable storage medium of claim 15, further comprising instructions to authorize, based at least in part on security principal credentials associated with the security principal, the first request.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the security principal credentials are usable to perform a set of actions different in scope than the one or more actions specified in the delegation profile.
  - 20. The non-transitory computer-readable storage medium of claim 15, further comprising instructions to log that at least one of the one or more actions were performed by the security principal while acting under the delegation profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Fitch, Nathan R., Baer, Graeme D., Pratt, Brian Irl, O'Neill, Kevin Ross, Behm, Bradley Jeffery
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US14/629,332
Publication Number

US 20150304294A1
Time in Patent Office

848 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H05K 999/99   dummy group

Entity to authorize delegation of permissions

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Entity to authorize delegation of permissions

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links