Hierarchical policy-based shared resource access control

US 9,800,584 B1
Filed: 11/02/2016
Issued: 10/24/2017
Est. Priority Date: 08/06/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of accessing shared computing resources, the method comprising:

receiving a request to access a computing resource in a computing resource hierarchy stored in a memory or storage of a computing device;

generating, by operations carried out by one or more processors, an effective access control list for the computing resource, wherein generating the effective access control list comprises;

collecting available access control policies for one or more parent computing resources of the computing resource in the computing resource hierarchy, andanalyzing the permissions specified in the collected access control policies to generate the effective access control list, wherein the analyzing comprises propagating the permissions specified in the available access control policies for the one or more parent computing resources and storing the propagated permissions in the effective access control list;

determining, based at least in part on the generated effective access control list for the computing resource, whether to grant the requested access to the computing resource;

receiving a subsequent request to access the computing resource;

identifying the generated effective access control list associated with the computing resource; and

determining, based at least in part on the generated effective access control list, whether to grant the subsequent requested access to the computing resource, wherein the determining comprises analyzing the propagated permissions for the one or more parent computing resources in the generated effective access control list.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control for shared computing resources in a hierarchical system is provided herein. An as-needed, “lazy evaluation” approach to access control is described in which an effective access control list for a computing resource is determined after a request is received from a user to access the resource. When resources are shared, access control policies are created and stored in association with the shared resource but are not stored in association with hierarchically related lower-level resources. When an access request for a resource is received, access control policies are collected for levels of a computing resource hierarchy that are higher than the hierarchy level of the resource. An effective access control list is determined based on permissions specified in the collected access control policies. The effective access control list represents an effective propagation of access control policies of higher hierarchy levels to the computing resource.

Citations

20 Claims

1. A computer-implemented method of accessing shared computing resources, the method comprising:
- receiving a request to access a computing resource in a computing resource hierarchy stored in a memory or storage of a computing device;
  
  generating, by operations carried out by one or more processors, an effective access control list for the computing resource, wherein generating the effective access control list comprises;
  
  collecting available access control policies for one or more parent computing resources of the computing resource in the computing resource hierarchy, andanalyzing the permissions specified in the collected access control policies to generate the effective access control list, wherein the analyzing comprises propagating the permissions specified in the available access control policies for the one or more parent computing resources and storing the propagated permissions in the effective access control list;
  
  determining, based at least in part on the generated effective access control list for the computing resource, whether to grant the requested access to the computing resource;
  
  receiving a subsequent request to access the computing resource;
  
  identifying the generated effective access control list associated with the computing resource; and
  
  determining, based at least in part on the generated effective access control list, whether to grant the subsequent requested access to the computing resource, wherein the determining comprises analyzing the propagated permissions for the one or more parent computing resources in the generated effective access control list.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the request and the subsequent request are received from one or more user computers over a network.
  - 3. The computer-implemented method of claim 1, wherein the computing resource hierarchy is accessed through a web service.
  - 4. The computer-implemented method of claim 1, wherein the computing resource is a file and the computing resource hierarchy comprises a virtual file system.
  - 5. The computer-implemented method of claim 1, wherein:
    - the request to access the computing resource identifies a user for which access is requested;
      
      collecting the available access control policies for the one or more parent computing resources comprises collecting access control policies that are associated with the identified user; and
      
      the method further comprises storing the generated effective access control list in association with the computing resource and the identified user.
  - 6. The computer-implemented method of claim 1, further comprising:
    - detecting that a new access control policy has been established for one of the one or more parent computing resources; and
      
      deleting the generated effective access control list associated with the computing resource.

7. One or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed by one or more processors, perform operations, the operations comprising:
- receiving a request to perform a function on a particular computing resource, wherein the computing resource is contained within a hierarchy level in a computing resource hierarchy;
  
  retrieving one or more access control policies associated with one or more parent computing resources of the particular computing resource, wherein the one or more parent computing resources are contained within hierarchy levels in the computing resource hierarchy that are higher than the hierarchy level containing the particular computing resource;
  
  determining an effective access control list for the particular computing resource, wherein the effective access control list comprises a propagation of permissions associated with the retrieved one or more access control policies;
  
  determining whether the request to perform the function on the particular computing resource is authorized based on the effective access control list for the particular computing resource;
  
  receiving another request to perform the function; and
  
  determining whether the another request is authorized using the effective access control list for the particular computing resource, wherein the determining comprises analyzing the propagation of permissions in the effective access control list.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 8. The one or more non-transitory computer-readable storage media of claim 7, wherein the request and the another request to perform the function on the particular computing resource are received from one or more user computers via a network.
  - 9. The one or more non-transitory computer-readable storage media of claim 7, wherein:
    - the computing resource hierarchy is part of a virtual file system; and
      
      retrieving the one or more access control policies associated with the one or more parent computing resources of the particular computing resource comprises accessing the virtual file system through a web service.
  - 10. The one or more non-transitory computer-readable storage media of claim 9, wherein the function is at least one of:
    - accessing the particular computing resource with read access;
      
      accessing the particular computing resource with write access;
      
      moving the particular computing resource;
      
      sharing the particular computing resource;
      
      viewing activity of the particular computing resource;
      
      adding comments to the particular computing resource;
      
      or downloading the particular computing resource.
  - 11. The one or more non-transitory computer-readable storage media of claim 7, wherein the one or more parent computing resources comprise:
    - a first parent computing resource that is in a hierarchy level above the hierarchy level of the particular computing resource and is in a direct hierarchical relationship with the particular computing resource; and
      
      a second parent computing resource that is in another hierarchy level above the hierarchy level of the first parent computing resource and is in a direct hierarchical relationship with the first parent computing resource.
  - 12. The one or more non-transitory computer-readable storage media of claim 7, wherein the effective access control list represents an effective propagation of the one or more access control policies associated with one or more parent computing resources to the particular computing resource.
  - 13. The one or more non-transitory computer-readable storage media of claim 7, wherein the operations further comprise:
    - detecting a change to one of the one or more access control policies associated with the one or more parent computing resources; and
      
      deleting the effective access control policy for the particular computing resource.
  - 14. The one or more non-transitory computer-readable storage media of claim 7, wherein retrieving the one or more access control policies associated with the one or more parent computing resources comprises:
    - searching for a previously determined effective access control list associated with a first parent computing resource of the particular computing resource;
      
      if the first parent computing resource is associated with a previously determined effective access control list, retrieving the previously determined effective access control list; and
      
      otherwise, retrieving an access control policy for the first parent computing resource and repeating the searching for a previously determined effective access control list for a second parent computing resource, wherein the second parent computing resource is a parent of the first parent computing resource.
  - 15. The one or more non-transitory computer-readable storage media of claim 7, wherein:
    - the operations further comprise identifying a user associated with the request to perform the function on the particular computing resource; and
      
      wherein retrieving the access control policies associated with one or more parent computing resources comprises retrieving access control policies related to the identified user.
  - 16. The one or more non-transitory computer-readable storage media of claim 15, wherein:
    - the operations further comprise examining an organization hierarchy comprising groups and sub-groups of users; and
      
      wherein retrieving the access control policies associated with one or more parent computing resources further comprises retrieving access control policies related to one or more of the groups and/or sub-groups in the organization hierarchy of which the identified user is a member.
  - 17. The one or more non-transitory computer-readable storage media of claim 7, wherein retrieving the one or more access control policies associated with the one or more parent computing resources comprises:
    - retrieving access control policies for parent computing resources that are contained within hierarchy levels in the computing resource hierarchy that are higher than the hierarchy level containing the particular computing resource and lower than or equal to a top hierarchy level of the computing resource hierarchy.

18. One or more server computers implementing an access control system, the system comprising:
- one or more processors;
  
  one or more memories;
  
  a computing resource hierarchy comprising computing resources in multiple hierarchy levels;
  
  an access policy collector that;
  
  retrieves, using at least one of the one or more processors, access control policies for one or more parent computing resources in hierarchy levels in the computing resource hierarchy that are above a hierarchy level of a target computing resource; and
  
  retrieves, using at least one of the one or more processors, a previously determined access control list for a particular parent computing resource if a previously determined effective access control list exists;
  
  an analysis engine that;
  
  determines, using at least one of the one or more processors, an effective access control list for the target computing resource, wherein the effective access control list comprises a propagation of permissions specified by the access control policies retrieved by the access policy collector, including one or more permissions specified in the previously determined effective access control list for the particular parent computing resource; and
  
  an access manager that;
  
  receives, using at least one of the one or more processors, an access request for a user to access a target computing resource in the computing resource hierarchy; and
  
  determines, using at least one of the one or more processors, whether to grant or deny the user access to the target computing resource based, at least in part, on the effective access control list, wherein the determining comprises analyzing the propagation of permissions in the effective access control list.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the access manager is configured to receive the access request from a user computer via a computer network.
  - 20. The system of claim 18, further comprising a data store storing one or more previously determined effective access control lists corresponding to at least one computing resource of the computing resource hierarchy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Andruschuk, Borislav, Fowler, Kevin
Primary Examiner(s)
Zhao, Don

Application Number

US15/341,895
Time in Patent Office

356 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

Hierarchical policy-based shared resource access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical policy-based shared resource access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links