Permissions decisions in a service provider environment
First Claim
1. A computer system, comprising:
at least one processor; and
memory including instructions that, when executed by the at least one processor, cause the computer system to:
receive an indication of a request to subscribe to an appliance by a customer, the appliance being provided by an appliance provider, the appliance being associated with a delegation profile, and the customer having a first level of access to a customer virtual network;
enable the delegation profile based at least in part on the request for the customer to subscribe to the appliance, the delegation profile including an identifier, a validation policy that specifies the customer as being permitted to assume the delegation profile, and an authorization policy that specifies one or more permissions for accessing and utilizing one or more resources by the customer, the customer having an account maintained by a provider of the one or more resources accessible to the customer;
receive, from the appliance provider, a request for a set of credentials to access the one or more resources associated with the account, the request including a reference to the delegation profile;
verify that the customer is currently subscribed to the appliance; and
provide the appliance provider with access to the one or more resources as set forth by the one or more permissions in the authorization policy, including a second level of access less than the first level of access to the customer virtual network, upon verification that the customer is subscribed to the appliance.
Abstract
Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Accordingly, approaches for delegating security rights and privileges for services and resources in an electronic and/or multi-tenant environment are provided. In particular, various embodiments provide approaches for dynamically determining and authorizing delegation of permissions to perform actions in, on, or against one or more secured accounts, where those accounts may be associated with a number of different entities and/or resource providers.
16 Claims
1. A computer system, comprising: (independent claim 1, reproduced in full above under First Claim; claims 2, 3 and 4 depend from it)
5. A computer-implemented method, comprising:
receiving a request for credentials to enable a first party to make a change in virtual infrastructure associated with a second party to run an appliance, the virtual infrastructure having a first level of access to the second party virtual network;
enabling the delegation profile based at least in part on receipt of a request from the second party to acquire the appliance, the delegation profile including an identifier, a validation policy that specifies the second party as being permitted to assume the delegation profile, and an authorization policy that specifies one or more permissions for the second party to access and utilize one or more resources;
validating that the second party has been provided the appliance; and
providing the credentials to the first party to access the virtual infrastructure associated with the second party, the access being subject to one or more permissions associated with the delegation profile and including a second level of access less than the first level of access to the second party virtual network, upon validation that the second party has been provided the appliance.
(Claims 6 to 14 depend from claim 5.)
15. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to:
receive a request from an appliance provider to configure resources of a customer of a service provider to run an appliance, the customer having a first level of access to a customer virtual network;
receive a request from the customer to purchase the appliance; and
enable use of a delegation profile by the appliance provider, the delegation profile associated with an identifier, a validation policy that specifies the customer as being permitted to assume the delegation profile, and an authorization policy that specifies one or more permissions for accessing and utilizing one or more resources by the customer;
determine, using the delegation policy, that the appliance provider is authorized to configure the resources of the customer based at least in part on the customer having purchased a subscription to the appliance; and
grant the request to configure the resources of the customer, including a second level of access less than the first level of access to the customer virtual network, upon determination that the customer has purchased a subscription to the appliance.
(Claim 16 depends from claim 15.)
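The decision described by claims 1, 5 and 15 has the same shape in each case: a delegation profile (identifier, validation policy, authorization policy) is enabled for a customer when that customer subscribes to an appliance; the appliance provider later requests credentials that reference the profile; the system checks that the subscription is still current and then grants only a second level of access narrower than the customer's own. The following is an added runnable model of that flow, not code from the patent or from any resource provider. The class names (DelegationProfile, DelegationService, ScopedCredential), the permission strings and the in-memory stores are assumptions made for this example.

```python
"""Model of the delegation-profile decision in the claims. Added illustration,
not code from the patent or any resource provider: the class names, the
permission strings and the in-memory stores are assumptions for this example."""
from dataclasses import dataclass
import secrets
import time


class DelegationDenied(Exception):
    pass


@dataclass(frozen=True)
class DelegationProfile:
    """Identifier, validation policy (who may assume it), authorization policy."""
    profile_id: str
    appliance_id: str
    validation_policy: frozenset     # customer ids permitted to assume the profile
    authorization_policy: frozenset  # permissions the appliance provider obtains


@dataclass(frozen=True)
class ScopedCredential:
    token: str
    customer_id: str
    profile_id: str
    permissions: frozenset  # the "second level of access"
    expires_at: float


class DelegationService:
    """Resource-provider side: customers, appliances, subscriptions and the
    profiles enabled by those subscriptions."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.customer_access = {}   # customer_id -> frozenset (first level of access)
        self.appliances = {}        # appliance_id -> (provider_id, DelegationProfile)
        self.subscriptions = set()  # (customer_id, appliance_id) currently active
        self.enabled = set()        # (profile_id, customer_id) enabled by a subscription
        self.audit = []             # every credential issued, for later forensics

    def register_customer(self, customer_id, permissions):
        self.customer_access[customer_id] = frozenset(permissions)

    def register_appliance(self, appliance_id, provider_id, profile):
        if profile.appliance_id != appliance_id:
            raise ValueError("profile is bound to a different appliance")
        self.appliances[appliance_id] = (provider_id, profile)

    def subscribe(self, customer_id, appliance_id):
        """Subscribing enables the profile for this customer only."""
        _, profile = self.appliances[appliance_id]
        if customer_id not in profile.validation_policy:
            raise DelegationDenied("validation policy does not name this customer")
        self.subscriptions.add((customer_id, appliance_id))
        self.enabled.add((profile.profile_id, customer_id))

    def unsubscribe(self, customer_id, appliance_id):
        """Ending the subscription disables the profile for that customer;
        the profile object survives, but later requests must be refused."""
        _, profile = self.appliances[appliance_id]
        self.subscriptions.discard((customer_id, appliance_id))
        self.enabled.discard((profile.profile_id, customer_id))

    def request_credentials(self, provider_id, profile_id, customer_id, now=None):
        """The appliance provider's credential request referencing the profile."""
        now = time.time() if now is None else now
        bound = [(aid, owner, p) for aid, (owner, p) in self.appliances.items()
                 if p.profile_id == profile_id]
        if not bound:
            raise DelegationDenied("unknown delegation profile")
        appliance_id, owner, profile = bound[0]
        if owner != provider_id:
            raise DelegationDenied("caller is not the provider of this appliance")
        if customer_id not in profile.validation_policy:
            raise DelegationDenied("customer not permitted to assume the profile")
        if (profile_id, customer_id) not in self.enabled:
            raise DelegationDenied("profile not enabled for this customer")
        if (customer_id, appliance_id) not in self.subscriptions:
            raise DelegationDenied("customer is not currently subscribed")
        first_level = self.customer_access[customer_id]
        # Second level of access: clip the authorization policy to what the
        # customer can do, and insist the result is strictly narrower.
        second_level = profile.authorization_policy & first_level
        if not second_level or not second_level < first_level:
            raise DelegationDenied("delegated access must be narrower than the customer's")
        cred = ScopedCredential(secrets.token_urlsafe(24), customer_id,
                                profile_id, second_level, now + self.ttl)
        self.audit.append(cred)
        return cred
```

Two design choices carry the security content of the claims. First, the subscription check is performed at every credential request rather than only when the profile is enabled, so cancelling the subscription revokes the provider's access immediately even though the profile object still exists. Second, the delegated permissions are computed as the intersection of the profile's authorization policy with the customer's own access and must be a proper subset of it, which is one concrete reading of "a second level of access less than the first level": the appliance provider can never obtain a permission the customer does not hold, nor the customer's full access.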