Access control using impersonization
Abstract
A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by a policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If it is determined that the policy allows fulfillment of the request, the second service fulfills the request.
24 Claims
1. A system comprising:
   an authentication computer system that processes an authentication request by verifying an electronic signature of a first request and provides an authentication response having information identifying a set of computer resources being a cause of the authentication request;
   a first computer resource that receives the first request and, as a result, submits the authentication request to the authentication computer system, receives the authentication response and, as part of fulfilling the first request, uses the authentication response to submit a second request;
   a policy evaluation computer system that evaluates, based at least in part on the information identifying the set of computer resources, a set of policies applicable to the second request to determine a policy determination;
   a second computer resource that receives the second request and processes the second request in accordance with the policy determination; and
   a third computer resource that processes a third request originating from the second computer resource and triggered by the second request, by the first request, and by the authentication request, the processing in accordance with a policy based at least in part on a user profile associated with the authentication request and information identifying a set of computer resources that triggered the third request, including the first and second computer resource.
   Dependent claims: 2, 3, 4, 5.

6. A computer-implemented method, comprising:
   receiving, from a first entity on behalf of a service provider account, a first request to perform one or more operations in connection with one or more computer resources and, as a result, submitting an authentication request to an authentication system identifying a set of computer resource services being a cause of the authentication request, including a first computer resource service;
   fulfilling the first request by receiving an authentication response based at least in part on the authentication request having information identifying a set of computer resource services being a cause of the authentication request;
   using the authentication response to submit a second request to a second computer resource service, the fulfilling the first request further based at least in part on a policy specifying one or more conditions for fulfillability of the second request submitted as part of fulfillment of the first request, the one or more conditions based at least in part on an entity submitting the second request;
   based at least in part on the policy, processing the second request from the first computer resource service to perform one or more operations by the second computer resource service; and
   based at least in part on the policy, processing the third request from the second computer resource service to perform one or more operations by a third computer resource service.
   Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.

17. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
   for a pending second request triggered by a first request, determine a first set of one or more intermediate services, including a first service, that caused submission of the second request by submission of the first request;
   determine, based at least in part on the determined first set of one or more intermediate services, whether fulfillment of the second request complies with a set of policies applicable to the second request, the set of policies applicable to the second request including at least a policy that identifies at least a subset of the first set of one or more intermediate services;
   cause the second request to be processed based at least in part on whether fulfillment of the second request complies with the set of policies applicable to the second request;
   for a pending third request, determine a second set of one or more intermediate services, including a second service, that caused submission of the third request triggered by the second request;
   determine, based at least in part on the determined second set of one or more intermediate services, whether fulfillment of the third request complies with a set of policies applicable to the third request, the set of policies applicable to the third request including at least a policy that identifies one or more authorized computer resources including at least a subset of the second set of one or more intermediate services; and
   cause the pending third request to be processed by a third service, based at least in part on whether fulfillment of the third request complies with the set of policies applicable to the third request including a determination that each of the second set of one or more intermediate services is an authorized computer resource identified by the policy.
   Dependent claims: 18, 19, 20, 21, 22, 23, 24.
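The evaluation step claims 1 and 17 describe, as an added example that is not the patent's or any assignee's code: a default-deny policy check over a request that carries the ordered chain of intermediate services that caused it, plus the step in which a service forwards a request on the customer's behalf and appends itself to that chain. The chain is assumed to arrive with the authenticated request (as the authentication response of claim 1 does), not to be self-reported by the caller, and all service, account and resource names are constructed sample values.

```python
# Added example, not from the patent. The chain of intermediaries is assumed to
# come from the authentication system, never from the caller's own claim about
# itself, since a self-reported chain could be forged. Names are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str                 # customer account the request is on behalf of
    action: str                    # operation requested, e.g. "storage:GetObject"
    resource: str                  # target computer resource
    chain: tuple[str, ...] = ()    # intermediate services that caused this request, in order


@dataclass(frozen=True)
class Policy:
    principal: str                       # account the policy belongs to
    actions: frozenset[str]
    resources: frozenset[str]
    authorized_services: frozenset[str]  # services permitted anywhere in the chain


def evaluate(request: Request, policies: list[Policy]) -> tuple[bool, str]:
    """Default-deny: allow only if some policy of this principal covers the action
    and resource AND every intermediary in the chain is an authorized service."""
    reasons = []
    for p in policies:
        if p.principal != request.principal:
            continue
        if request.action not in p.actions or request.resource not in p.resources:
            reasons.append("action/resource not covered")
            continue
        bad = [s for s in request.chain if s not in p.authorized_services]
        if bad:
            reasons.append(f"unauthorized intermediary {bad[0]!r}")
            continue
        return True, "allowed: every intermediary is authorized"
    return False, "denied: " + ("; ".join(reasons) or "no policy for principal")


def forward(request: Request, via: str, action: str, resource: str) -> Request:
    """Build the downstream request a service submits on the customer's behalf;
    the forwarding service appends itself to the chain (claim 17's third request)."""
    return Request(request.principal, action, resource, request.chain + (via,))


# Constructed sample policy: the customer permits the two named services to act
# on its behalf for these operations on this one resource.
POLICIES = [Policy("acct-123", frozenset({"thumb:Create", "storage:GetObject"}),
                   frozenset({"photos/cat.jpg"}),
                   frozenset({"api-gateway", "thumbnail-service"}))]
```

A request reaching the storage service through an intermediary that the customer's policy does not list is denied even though the action and resource are covered, which is the check claim 17 makes on the second set of intermediate services.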