Access control using impersonization
First Claim
1. A system, comprising:
- memory to store instructions that, if executed by one or more processors of the system, cause the system to:
send a first request and an authentication response associated with the first request, the authentication response including information identifying a set of computing resource devices to be accessed;
utilize the authentication response, based at least in part on fulfilling the first request, to send a second request;
process the second request according to a policy determination, the policy determination is determined by at least evaluating a set of policies applicable to the second request based at least in part on the first request and the authentication response; and
send a third request, the third request being processed according to a policy of the policy determination, processing the policy is based at least in part on a user profile associated with the authentication response that triggered the third request, including the first request and the second request.
Abstract
A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by a policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If it is determined that the policy allows fulfillment of the request, the second service fulfills the request.
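As an added illustration (not code from the patent or its assignee), the following Python sketch models the mechanism the abstract describes: the first service reuses the customer's authentication response to call a second service, each hop records itself in the request's chain, and the second service's policies may condition both on that chain and on the resources the authentication response put in scope. The names AuthResponse, Request, Policy, on_behalf_of and is_allowed, and the sample policies and requests, are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthResponse:  # assumed shape: who authenticated, and which resources are in scope
    user: str
    resources: frozenset

@dataclass(frozen=True)
class Request:
    action: str
    resource: str
    auth: AuthResponse
    via: tuple = ()  # services that acted on the customer's behalf, in order

@dataclass(frozen=True)
class Policy:
    user: str
    action: str
    resource: str
    effect: str             # "allow" or "deny"
    via_prefix: tuple = ()  # condition on the services that submitted the request
def on_behalf_of(prior, service, action, resource):
    # a service reuses the auth response of the request it is fulfilling and records itself in the chain
    return Request(action, resource, prior.auth, prior.via + (service,))

def _matches(p, r):
    return (p.user == r.auth.user and p.action == r.action and p.resource == r.resource
            and r.via[:len(p.via_prefix)] == p.via_prefix)
def is_allowed(policies, r):
    # policy determination: resource must be in scope, explicit deny wins, else need an allow
    if r.resource not in r.auth.resources:
        return False
    hits = [p for p in policies if _matches(p, r)]
    if any(p.effect == "deny" for p in hits):
        return False
    return any(p.effect == "allow" for p in hits)

# Constructed sample policies: alice's bucket may be read on her behalf only when the
# request came through the "web" service; a request submitted via "batch" is refused.
POLICIES = [Policy("alice", "read", "bucket-a", "allow", via_prefix=("web",)),
            Policy("alice", "read", "bucket-a", "deny", via_prefix=("batch",))]

def demo():
    auth = AuthResponse("alice", frozenset({"report-1", "bucket-a"}))
    first = Request("render", "report-1", auth)                 # customer -> web
    second = on_behalf_of(first, "web", "read", "bucket-a")     # web -> storage
    third = on_behalf_of(second, "storage", "read", "bucket-a") # storage -> replica
    rogue = Request("read", "bucket-a", auth, via=("batch",))   # same auth, other chain
    return is_allowed(POLICIES, second), is_allowed(POLICIES, third), is_allowed(POLICIES, rogue)
```

The third request is accepted because its chain still begins with "web", while the same authentication response presented through "batch" is denied; a resource outside the authentication response's scope is refused before any policy is consulted.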
20 Claims
1. A system, comprising:
- memory to store instructions that, if executed by one or more processors of the system, cause the system to:
send a first request and an authentication response associated with the first request, the authentication response including information identifying a set of computing resource devices to be accessed;
utilize the authentication response, based at least in part on fulfilling the first request, to send a second request;
process the second request according to a policy determination, the policy determination is determined by at least evaluating a set of policies applicable to the second request based at least in part on the first request and the authentication response; and
send a third request, the third request being processed according to a policy of the policy determination, processing the policy is based at least in part on a user profile associated with the authentication response that triggered the third request, including the first request and the second request.
Dependent claims: 2, 3, 4, 5.
6. A computer-implemented method, comprising:
- sending a first request and an authentication response associated with the first request, the authentication response including information identifying a set of computing resource services to be accessed;
utilizing the authentication response, based at least in part on fulfilling the first request, to send a second request;
processing the second request according to a policy determination, the policy determination is determined by at least evaluating a set of policies applicable to the second request based at least in part on the first request and the authentication response; and
sending a third request, the third request being processed according to a policy of the policy determination, processing the policy is based at least in part on a user profile associated with the authentication response that triggered the third request, including the first request and the second request.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable storage medium having stored thereon instructions that, if executed by one or more processors of a computer system, cause the computer system to:
- send a first request and an authentication response associated with the first request, the authentication response including information identifying a set of computing resource devices to be accessed;
utilize the authentication response, based at least in part on fulfilling the first request, to send a second request;
process the second request according to a policy determination, the policy determination is determined by at least evaluating a set of policies applicable to the second request based at least in part on the first request and the authentication response; and
send a third request, the third request being processed according to a policy of the policy determination, processing the policy is based at least in part on a user profile associated with the authentication response that triggered the third request, including the first request and the second request.
Dependent claims: 18, 19, 20.