Entity to authorize delegation of permissions
Abstract
Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
12 Citations
20 Claims
1. A computer-implemented method, comprising:
receiving, by a computer of a service provider, a request to define a delegation profile from an administrator of a customer account with the service provider;
generating the delegation profile, the delegation profile having an identifier, a validation policy specifying a security principal authorized to assume the delegation profile, and an authorization policy specifying one or more actions the security principal is allowed to perform;
receiving a first request from the security principal to assume the delegation profile;
after authorizing the first request by verifying that the security principal is authorized to assume the delegation profile according to the validation policy, sending one or more delegation credentials usable to authorize the one or more actions to the security principal; and
authorizing a second request to perform at least one of the one or more actions using the one or more delegation credentials, the second request including the one or more delegation credentials.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A computing device, comprising:
a device processor; and
a memory device including instructions operable to be executed by the device processor to perform a set of actions, enabling the computing device to:
receive, by a service provider, a request to define a delegation profile from an administrator of a customer account with the service provider;
generate the delegation profile, the delegation profile having an identifier, a validation policy specifying a security principal authorized to assume the delegation profile, and an authorization policy specifying one or more actions the security principal is allowed to perform;
receive a first request from the security principal to assume the delegation profile;
after authorizing the first request by verifying that the security principal is authorized to assume the delegation profile according to the validation policy, send one or more delegation credentials usable to authorize the one or more actions to the security principal; and
authorize a second request to perform at least one of the one or more actions using the one or more delegation credentials, the second request including the one or more delegation credentials.
Dependent claims: 10, 11, 12, 13, 14.

15. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computing device, cause the computing device to:
receive, by a service provider, a request to define a delegation profile from an administrator of a customer account with the service provider;
generate the delegation profile, the delegation profile having an identifier, a validation policy specifying a security principal authorized to assume the delegation profile, and an authorization policy specifying one or more actions the security principal is allowed to perform;
receive a first request from the security principal to assume the delegation profile;
after authorizing the first request by verifying that the security principal is authorized to assume the delegation profile according to the validation policy, send one or more delegation credentials usable to authorize the one or more actions to the security principal; and
authorize a second request to perform at least one of the one or more actions using the one or more delegation credentials, the second request including the one or more delegation credentials.
Dependent claims: 16, 17, 18, 19, 20.
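The delegation flow set out in the abstract and in independent claims 1, 9 and 15 (an administrator defines a profile with an identifier, a validation policy and an authorization policy; a principal assumes it; the service checks the validation policy and issues delegation credentials; a later request carrying those credentials is authorized against the authorization policy), as an added Python model. This is illustrative code written for this page, not the patent's or any product's implementation. The policy representation (plain sets of principal and action names), the HMAC-signed credential format, the 900-second lifetime and every name in it are assumptions.

```python
# Added example (not from the patent): a minimal model of the claimed flow.
# Policy format (plain sets), the HMAC-signed credential layout and all names
# are assumptions made for illustration.
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the credential payload


@dataclass
class DelegationProfile:
    profile_id: str
    account_id: str
    validation_policy: set     # principals permitted to assume this profile
    authorization_policy: set  # actions those principals may then perform


@dataclass
class DelegationService:
    """Service-provider side: account administrators, profiles, signing key."""
    accounts: dict = field(default_factory=dict)   # account_id -> admin principal
    profiles: dict = field(default_factory=dict)   # profile_id -> DelegationProfile
    signing_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    ttl_seconds: int = 900

    def define_profile(self, requester, account_id, profile_id, principals, actions):
        # Only the account's administrator may define profiles in that account.
        if self.accounts.get(account_id) != requester:
            raise PermissionError(f"{requester} does not administer {account_id}")
        profile = DelegationProfile(profile_id, account_id, set(principals), set(actions))
        self.profiles[profile_id] = profile
        return profile

    def assume_profile(self, principal, profile_id, now=None):
        """First request: enforce the validation policy, then issue credentials."""
        profile = self.profiles.get(profile_id)
        if profile is None or principal not in profile.validation_policy:
            raise PermissionError(f"{principal} may not assume {profile_id}")
        now = time.time() if now is None else now
        payload = json.dumps({"profile": profile_id, "principal": principal,
                              "exp": int(now) + self.ttl_seconds}, sort_keys=True).encode()
        tag = hmac.new(self.signing_key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + tag).decode()

    def authorize(self, credential, action, now=None):
        """Second request: verify the credential, then the authorization policy."""
        try:
            raw = base64.urlsafe_b64decode(credential.encode())
        except ValueError:
            return False
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.signing_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                           # forged or tampered credential
        body = json.loads(payload)                 # only parsed after the MAC check
        now = time.time() if now is None else now
        if now >= body["exp"]:
            return False                           # credential has expired
        profile = self.profiles.get(body["profile"])
        if profile is None:
            return False                           # profile removed since assumption
        return action in profile.authorization_policy


def demo(now=1_700_000_000):
    """Exercise the happy path and the failure modes; returns a result dict."""
    svc = DelegationService(accounts={"acct-123": "alice"})   # constructed data
    svc.define_profile("alice", "acct-123", "backup-reader",
                       principals={"svc:backup-vendor"},
                       actions={"storage:GetObject", "storage:ListBucket"})
    svc.define_profile("alice", "acct-123", "admin-full",
                       principals={"alice"}, actions={"storage:DeleteObject"})
    cred = svc.assume_profile("svc:backup-vendor", "backup-reader", now=now)
    # Attacker keeps the valid tag but rewrites the payload to name a broader profile.
    raw = base64.urlsafe_b64decode(cred.encode())
    forged = base64.urlsafe_b64encode(
        raw[:-TAG_LEN].replace(b"backup-reader", b"admin-full") + raw[-TAG_LEN:]).decode()
    results = {
        "allowed_action": svc.authorize(cred, "storage:GetObject", now=now),
        "denied_action": svc.authorize(cred, "storage:DeleteObject", now=now),
        "expired": svc.authorize(cred, "storage:GetObject", now=now + 3600),
        "forged_profile": svc.authorize(forged, "storage:DeleteObject", now=now),
    }
    try:
        svc.assume_profile("svc:other-vendor", "backup-reader", now=now)
        results["untrusted_assume"] = True
    except PermissionError:
        results["untrusted_assume"] = False
    try:
        svc.define_profile("mallory", "acct-123", "evil", {"mallory"}, {"*"})
        results["non_admin_define"] = True
    except PermissionError:
        results["non_admin_define"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Two properties of this model are worth noting because they match how delegation schemes of this shape behave in practice. Removing a principal from the validation policy after it has assumed the profile does not revoke credentials already issued; they stay valid until `exp`, which is why the lifetime is short. The authorization policy, by contrast, is consulted on every second request, so narrowing it takes effect immediately.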
Specification