Custom access controls

US 10,771,586 B1
Filed: 04/01/2013
Issued: 09/08/2020
Est. Priority Date: 04/01/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more computing devices configured to implement a workflow system that comprises a workflow service and a role management service, and computing resources, wherein the workflow system is configured to;

generate, by the workflow service, a first workflow associated with a client, wherein the first workflow specifies a first plurality of actions;

that are performable by the computing resources;

select, by the role management service, one or more permissions that permit the workflow system to use one or more of the computing resources on behalf of the client, wherein the one or more permissions;

are selected based on one or more techniques comprising inspection, instrumentation, or analysis of a program associated with the first plurality of actions, andare required to perform the first plurality of actions;

manage, by the role management service, access keys that correspond to the first plurality of actions;

generate, by the role management service, a first role that comprises first data indicative of the one or more permissions;

generate a second workflow associated with the client, wherein the second workflow specifies a second plurality of actions performable by the computing resources;

generate, by the role management service, a second role that comprises second data indicative of one or more permissions that permit the workflow system to use the computing resources on behalf of the client, wherein the one or more permissions in the second role are required to perform the second plurality of actions;

perform the first plurality of actions using the access keys that correspond to the one or more permissions to use the computing resources in accordance with the first role; and

perform the second plurality of actions using the computing resources in accordance with the second role.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for implementing custom access controls are disclosed. A first task is added to a first workflow. A first role is generated for the first workflow. The first role comprises a first set of one or more permissions for using one or more computing resources. The one or more permissions in the first role are selected based on the first task. The first task is performed using the one or more computing resources in accordance with the first role.

31 Citations

View as Search Results

21 Claims

1. A system, comprising:
- one or more computing devices configured to implement a workflow system that comprises a workflow service and a role management service, and computing resources, wherein the workflow system is configured to;
  
  generate, by the workflow service, a first workflow associated with a client, wherein the first workflow specifies a first plurality of actions;
  
  that are performable by the computing resources;
  
  select, by the role management service, one or more permissions that permit the workflow system to use one or more of the computing resources on behalf of the client, wherein the one or more permissions;
  
  are selected based on one or more techniques comprising inspection, instrumentation, or analysis of a program associated with the first plurality of actions, andare required to perform the first plurality of actions;
  
  manage, by the role management service, access keys that correspond to the first plurality of actions;
  
  generate, by the role management service, a first role that comprises first data indicative of the one or more permissions;
  
  generate a second workflow associated with the client, wherein the second workflow specifies a second plurality of actions performable by the computing resources;
  
  generate, by the role management service, a second role that comprises second data indicative of one or more permissions that permit the workflow system to use the computing resources on behalf of the client, wherein the one or more permissions in the second role are required to perform the second plurality of actions;
  
  perform the first plurality of actions using the access keys that correspond to the one or more permissions to use the computing resources in accordance with the first role; and
  
  perform the second plurality of actions using the computing resources in accordance with the second role.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system as recited in claim 1, wherein the workflow system is further configured to:
    - add a third plurality of actions to the first workflow;
      
      generate a third role for the third plurality of actions, wherein the third role comprises third data indicative of one or more permissions to use the one or more computing resources, wherein the one or more permissions in the third role are required to perform the third plurality of actions, and wherein the one or more permissions in the third role differ from the one or more permissions in the first role; and
      
      perform the third plurality of actions using the one or more computing resources in accordance with the third role.
  - 3. The system as recited in claim 1, wherein the first workflow represents the first plurality of actions and an additional plurality of actions, and wherein the one or more permissions in the first role are required to perform the first plurality of actions and the additional plurality of actions.
  - 4. The system as recited in claim 1, wherein the one or more permissions permit one or more actions by the workflow service on behalf of the client and/or one or more actions by the one or more computing resources on behalf of the client.
  - 5. The system as recited in claim 1, wherein the workflow system is further configured to:
    - receive client input to generate a modified role associated with the second plurality of actions, wherein the modified role is based on the second role, wherein the modified role comprises fourth data indicative of one or more permissions to use the one or more computing resources, and wherein the one or more permissions in the modified role differ from the one or more permissions in the second role; and
      
      perform the second plurality of actions again using the one or more computing resources in accordance with the modified role.

6. A computer-implemented method, comprising:
- performing, by one or more computers configured to implement a workflow system that includes a workflow service and a role management service;
  
  adding a first plurality of actions performable by a plurality of computing resources and requested by a client of the workflow service to a first workflow;
  
  selecting, by the role management service, a first set of one or more permissions that permit the workflow system to use one or more of the computing resources on behalf of the client, and wherein the one or more permissions are selected based on one or more techniques that comprise inspection, instrumentation, or analysis of a program code associated with the first plurality of actions, and are selected based at least in part on the first plurality of actions;
  
  managing, by the role management service, access keys that correspond to the first plurality of actions;
  
  generating a first custom role for the first workflow, wherein the first custom role comprises the first set of one or more permissions; and
  
  performing the first plurality of actions using the access keys that correspond to the one or more permissions to use the one or more computing resources in accordance with the first custom role.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method as recited in claim 6, further comprising:
    - adding a second plurality of actions to a second workflow;
      
      generating a second role for the second workflow, wherein the second role comprises a second set of one or more permissions for using the one or more computing resources, wherein the one or more permissions in the second role are selected further based on the second plurality of actions; and
      
      performing the second plurality of actions using the one or more computing resources accordance with the second role.
  - 8. The method as recited in claim 6, further comprising:
    - adding a third plurality of actions to the first workflow;
      
      generating a third role for the third plurality of actions, wherein the third role comprises a third set of one or more permissions to use the one or more computing resources, wherein the one or more permissions in the third role are selected based on the third plurality of actions; and
      
      performing the third plurality of actions using the one or more computing resources in accordance with the third role.
  - 9. The method as recited in claim 6, further comprising:
    - adding a fourth plurality of actions to the first workflow;
      
      generating a modified first role for the first workflow, wherein the modified first role comprises a modified set of one or more permissions to use the one or more computing resources, wherein the one or more permissions in the modified first role are selected based on the first plurality of actions and the fourth plurality of actions; and
      
      performing the first plurality of actions and the fourth plurality of actions using the one or more computing resources in accordance with the modified first role.
  - 10. The method as recited in claim 6, wherein the one or more permissions permit one or more actions by the workflow service on behalf of the client and/or one or more actions by the one or more computing resources on behalf of the client.
  - 11. The method as recited in claim 6, further comprising:
    - receiving client input to generate a modified first role associated with the first workflow, wherein the modified first role is based on the first role, wherein the modified first role comprises a fifth set of one or more permissions to use the one or more computing resources, and wherein the one or more permissions in the modified first role differ from the one or more permissions in the first role; and
      
      performing the first plurality of actions again using use the one or more computing resources in accordance with the modified first role.

12. A non-transitory, computer-readable storage medium storing program instructions computer-executable to implement a workflow system that includes a workflow service and a role management service, wherein the program instructions are configured to perform:
- adding, by the workflow system, a first plurality of actions to a first workflow based on a request from a client;
  
  selecting, by the role management service, a first set of one or more permissions that permit the workflow system to use one or more computing resources on behalf of the client, wherein the one or more permissions;
  
  are selected based on one or more techniques that comprise inspecting, instrumentation, or analyzing a program code that is associated with the first plurality of actions, andare selected based on access requirements of the first plurality of actions;
  
  managing, by the role management service, access keys that correspond to the first plurality of actions;
  
  generating a first role for the first workflow, wherein the first role comprises the first set of one or more permissions that permit the workflow system to use the one or more computing resources on behalf of the client;
  
  adding a second plurality of actions to a second workflow based on another request from the client;
  
  generating a second role for the second workflow, wherein the second role comprises a second set of one or more permissions for using the one or more computing resources, wherein the one or more permissions in the second role are selected based on access requirements of the second plurality of actions, wherein the access requirements of the second plurality of actions differ from the access requirements of the first plurality of actions;
  
  performing the first plurality of actions using the access keys that correspond to the one or more permissions to use the one or more computing resources in accordance with the first role; and
  
  performing the second plurality of actions using the one or more computing resources in accordance with the second role.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer-readable storage medium as recited in claim 12, wherein the program instructions are computer-executable to perform:
    - adding a third plurality of actions to the first workflow;
      
      generating a third role for the third plurality of actions, wherein the third role comprises a third set of one or more permissions to use the one or more computing resources, wherein the one or more permissions in the third role are selected based on access requirements of the third plurality of actions; and
      
      performing the third plurality of actions using the one or more computing resources in accordance with the third role.
  - 14. The computer-readable storage medium as recited in claim 12, wherein the program instructions are computer-executable to perform:
    - adding a fourth plurality of actions to the first workflow;
      
      generating a modified first role for the first workflow, wherein the modified first role comprises a modified set of one or more permissions to use the one or more computing resources, wherein the one or more permissions in the modified first role are selected based on the access requirements of the first plurality of actions and access requirements of the fourth plurality of actions; and
      
      performing the first plurality of actions and the fourth plurality of actions using the one or more computing resources in accordance with the modified first role.
  - 15. The computer-readable storage medium as recited in claim 12, wherein the one or more permissions permit one or more actions by the workflow service on behalf of the client and/or one or more actions by the one or more computing resources on behalf of the client.
  - 16. The computer-readable storage medium as recited in claim 12, wherein the program instructions are computer-executable to perform:
    - receiving client input to generate a modified second role associated with the second workflow, wherein the modified second role is based on the second role, wherein the modified second role comprises a fifth set of one or more permissions to use the one or more computing resources, and wherein one or more permissions in the modified second role differ from the one or more permissions in the second role; and
      
      performing the second plurality of actions again using use the one or more computing resources in accordance with the modified second role.

17. A system, comprising:
- at least one processor;
  
  a memory coupled to the at least one processor, wherein the memory stores program instructions, wherein the program instructions are executable by the at least one processor to implement a workflow system that includes a workflow service and a role management service, the workflow system configured to;
  
  generate, by the workflow service, a first workflow comprising a first plurality of actions of the workflow service, wherein the first plurality of actions represents a first task requested by a client of the workflow service;
  
  select, by the role management service, a first set of one or more permissions that permit the workflow system to use one or more computing resources on behalf of the client, and wherein the one or more permissions;
  
  are selected based on one or more techniques that comprise inspection, instrumentation, or analysis of a program code associated with the first plurality of actions, andare selected based at least in part on access requirements of the first task;
  
  manage, by the role management service, access keys that correspond to the first plurality of actions;
  
  generate a first custom role for the first workflow, wherein the first custom role comprises the first set of one or more permissions; and
  
  perform the first task using the access keys that correspond to the one or more permissions, wherein the first task uses the one or more computing resources in accordance with the first custom role.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system as recited in claim 17, wherein the first workflow represents the first task and an additional task, and wherein the one or more permissions in the first role are selected based on the access requirements of the first task and access requirements of the additional task.
  - 19. The system as recited in claim 17, wherein the one or more permissions permit one or more actions by a workflow service on behalf of the client and/or one or more actions by the one or more computing resources on behalf of the client.
  - 20. The system as recited in claim 17, wherein the program instructions are further executable by the at least one processor to:
    - add a third task to the first workflow;
      
      generate a modified first role for the first workflow in response to adding the third task to the first workflow, wherein the modified first role comprises one or more modified permissions to use the one or more computing resources, wherein the one or more modified permissions in the modified first role are selected based on the access requirements of the first task and access requirements of the third task; and
      
      perform the first task and the third task using the one or more computing resources in accordance with the modified first role.
  - 21. The system as recited in claim 17, wherein the program instructions are further executable by the at least one processor to:
    - add a second plurality of actions to a second workflow, wherein the second plurality of actions represents a second task requested by the client;
      
      generate a second role for the second workflow, wherein the second role comprises one or more second permissions that permit the workflow system to use the one or more computing resources, wherein the one or more second permissions in the second role differ from the one or more permissions in the first role; and
      
      perform the second task, wherein the second task uses the one or more computing resources in accordance with the second role.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Pratt, Brian Irl, Shih, Kathryn Marie, Ward, Patrick James
Primary Examiner(s)
Duong, Oanh

Application Number

US13/854,669
Time in Patent Office

2,717 Days
Field of Search

709223, 709226, 705 713, 705 726, 705 727, 718100, 726 28
US Class Current
CPC Class Codes

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

H04L 67/60   Scheduling or organising th...

Custom access controls

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Custom access controls

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links