Permissions decisions in a service provider environment

US 9,712,542 B1
Filed: 06/27/2014
Issued: 07/18/2017
Est. Priority Date: 06/27/2014
Status: Active Grant

First Claim

Patent Images

1. A computer system, comprising:

at least one processor; and

memory including instructions that, when executed by the at least one processor, cause the computer system to;

receive an indication of a request to subscribe to an appliance by a customer, the appliance being provided by an appliance provider, the appliance being associated with a delegation profile, and the customer having a first level of access to a customer virtual network;

enable the delegation profile based at least in part on the request for the customer to subscribe to the appliance, the delegation profile including an identifier, a validation policy that specifies the customer as being permitted to assume the delegation profile, and an authorization policy that specifies one or more permissions for accessing and utilizing one or more resources by the customer, the customer having an account maintained by a provider of the one or more resources accessible to the customer;

receive, from the appliance provider, a request for a set of credentials to access the one or more resources associated with the account, the request including a reference to the delegation profile;

verify that the customer is currently subscribed to the appliance; and

provide the appliance provider with access to the one or more resources as set forth by the one or more permissions in the authorization policy, including a second level of access less than the first level of access to the customer virtual network, upon verification that the customer is subscribed to the appliance.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Accordingly, approaches for delegating security rights and privileges for services and resources in an electronic and/or multi-tenant environment are provided. In particular, various embodiments provide approaches for dynamically determining and authorizing delegation of permissions to perform actions in, on, or against one or more secured accounts, where those accounts may be associated with a number of different entities and/or resource providers.

Citations

16 Claims

1. A computer system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the computer system to;
  
  receive an indication of a request to subscribe to an appliance by a customer, the appliance being provided by an appliance provider, the appliance being associated with a delegation profile, and the customer having a first level of access to a customer virtual network;
  
  enable the delegation profile based at least in part on the request for the customer to subscribe to the appliance, the delegation profile including an identifier, a validation policy that specifies the customer as being permitted to assume the delegation profile, and an authorization policy that specifies one or more permissions for accessing and utilizing one or more resources by the customer, the customer having an account maintained by a provider of the one or more resources accessible to the customer;
  
  receive, from the appliance provider, a request for a set of credentials to access the one or more resources associated with the account, the request including a reference to the delegation profile;
  
  verify that the customer is currently subscribed to the appliance; and
  
  provide the appliance provider with access to the one or more resources as set forth by the one or more permissions in the authorization policy, including a second level of access less than the first level of access to the customer virtual network, upon verification that the customer is subscribed to the appliance.
- View Dependent Claims (2, 3, 4)
- - 2. The computer system of claim 1, wherein the instructions when executed further cause the computing system to:
    - in response to receiving the indication of the request to subscribe to the appliance, enable a license to use the appliance for at least a period of time.
  - 3. The computer system of claim 2, wherein the instructions when executed further cause the computing system to:
    - determine that the license to the appliance has expired; and
      
      disable use of the delegation profile.
  - 4. The computer system of claim 1, wherein the instructions when executed to determine the one or more permissions further cause the computing system to:
    - determine the one or more permissions by one of receiving an indication of a selection of the one or more permissions from the customer, using a default set of the one or more permissions, using a set of permissions requested by the appliance provider, determining at least one action to be performed by the appliance, or mapping the at least one action to at least one permission.

5. A computer-implemented method, comprising:
- receiving a request for credentials to enable a first party to make a change in virtual infrastructure associated with a second party to run an appliance, the virtual infrastructure having a first level of access to the second party virtual network;
  
  enabling the delegation profile based at least in part on receipt of a request from the second party to acquire the appliance, the delegation profile including an identifier, a validation policy that specifies the second party as being permitted to assume the delegation profile, and an authorization policy that specifies one or more permissions for the second party to access and utilize one or more resources;
  
  validating that the second party has been provided the appliance; and
  
  providing the credentials to the first party to access the virtual infrastructure associated with the second party, the access being subject to one or more permissions associated with the delegation profile and including a second level of access less than the first level of access to the second party virtual network, upon validation that the second party has been provided the appliance.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. The computer-implemented method of claim 5, wherein validating that the second party has been provided the appliance further comprises:
    - determining that the second party has a valid subscription to use the appliance.
  - 7. The computer-implemented method of claim 5, further comprising:
    - metering use of the appliance by the second party.
  - 8. The computer-implemented method of claim 5, further comprising:
    - receiving an indication of a request to use the appliance by the second party; and
      
      enabling a license to use the appliance for at least a period of time.
  - 9. The computer-implemented method of claim 5, further comprising:
    - receiving an indication that the second party is not permitted to access the appliance; and
      
      denying a request by the first party to obtain credentials to access the virtual infrastructure associated with the second party.
  - 10. The computer-implemented method of claim 9, wherein the indication includes at least one of an indication that the second party no longer desires to use the appliance or an indication that a license period associated with a license to use the appliance has expired.
  - 11. The computer-implemented method of claim 5, further comprising:
    - determining an update of a license to use the appliance, the update corresponding to a change in at least one feature of the appliance; and
      
      adjusting at least one permission of the one or more permissions based at least in part on the update of the license.
  - 12. The computer-implemented method of claim 5, wherein the one or more permissions are determined based at least in part on one or more rules that map determined actions of the appliance to one or more permission elements.
  - 13. The computer-implemented method of claim 5, wherein the one or more permissions are determined by one of:
    - receiving an indication of a selection of the one or more permissions from the second party;
      
      using a set of permissions requested by the second party;
      
      using a default set of the one or more permissions associated with the appliance in response to no permissions being received by the second party;
      
      ordetermining at least one action to be performed by the appliance and mapping the at least one action to at least one permission.
  - 14. The computer-implemented method of claim 13, wherein the selection of the one or more permission is performed by one of a text input, a selection of a permission element in a drop-down menu, or detecting no input by the second party.

15. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to:
- receive a request from an appliance provider to configure resources of a customer of a service provider to run an appliance, the customer having a first level of access to a customer virtual network;
  
  receive a request from the customer to purchase the appliance; and
  
  enable use of a delegation profile by the appliance provider, the delegation profile associated with an identifier, a validation policy that specifies the customer as being permitted to assume the delegation profile, and an authorization policy that specifies one or more permissions for accessing and utilizing one or more resources by the customer;
  
  determine, using the delegation policy, that the appliance provider is authorized to configure the resources of the customer based at least in part on the customer having purchased a subscription to the appliance; and
  
  grant the request to configure the resources of the customer, including a second level of access less than the first level of access to the customer virtual network, upon determination that the customer has purchased a subscription to the appliance.
- View Dependent Claims (16)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the instructions when executed further cause the computer system to:
    - determine that the customer has unsubscribed to the appliance; and
      
      disable use of the delegation profile by the appliance provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason
Primary Examiner(s)
Turchen, James

Application Number

US14/317,524
Time in Patent Office

1,117 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/1086   Superdistribution

G06F 21/604   Tools and structures for ma...

H04L 41/50   Network service management,...

H04L 63/08   for authentication of entit...

H04L 63/108   when the policy decisions a...

H04L 67/10   in which an application is ...

Permissions decisions in a service provider environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Permissions decisions in a service provider environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links