Fine-grained structured data store access using federated identity management

US 11,762,970 B2
Filed: 02/13/2017
Issued: 09/19/2023
Est. Priority Date: 12/16/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more hardware processors; and

memory storing program instructions that when executed implement a delegation service to;

receive one or more initial requests from an application provider to establish a delegation policy for accessing application data of an application stored in a database, and in response;

create and store the delegation policy, wherein the delegation policy specifies (a) one or more users, accounts, or clients of the application that are authorized to use the delegation policy, and (b) authorization rules that allow access to fine-grained access requests to read or write different subsets of a table in the database for individual ones of the one or more users, accounts, or clients, wherein the fine-grained access requests correspond an application programming interface (API) of the application;

after the establishment of delegation policy, receive a first request from a client of the application for a delegated access credential to access the database, wherein the first request includes an identity credential that identifies a user of the application, and in response;

verify the identity credential with an identity provider that issued the identity credential;

issue the delegated access credential for the user, wherein the delegated access credential is associated with at least one of the one or more authorization rules in the delegation policy; and

send the delegated access credential to the client; and

after the issuance of the delegated access credential, receive a second request from the database, wherein the second request includes the delegated access credential issued by the delegation service, and in response;

verify the delegated access credential; and

in response to the verification of the delegated access credential, send the delegation policy to the database, wherein the database is configured to use the delegation policy to determine whether an access request to the table submitted with the delegated access credential is authorized.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A structured data store service, such as a database service, may implement fine-grained access to data maintained at the database service using federated identity. Fine grained access requests may be received at a database service for specified data maintained for an application provider from a client of the application provider. An access credential may be also be received. Verification of the access credential may be obtained, and the database service may evaluate the fine-grained access request according to a delegation policy corresponding to the access credential to determine whether the fine-grained request is authorized. If authorized, the fine-grained access request may be service. If not authorized, the fine-grained access request may be denied. In some embodiments, multiple application clients may have the same authorization for data, such as read authorization, while another one or more application clients may have different authorization for the data, such as write authorization.

39 Citations

20 Claims

1. A system, comprising:
- one or more hardware processors; and
  
  memory storing program instructions that when executed implement a delegation service to;
  
  receive one or more initial requests from an application provider to establish a delegation policy for accessing application data of an application stored in a database, and in response;
  
  create and store the delegation policy, wherein the delegation policy specifies (a) one or more users, accounts, or clients of the application that are authorized to use the delegation policy, and (b) authorization rules that allow access to fine-grained access requests to read or write different subsets of a table in the database for individual ones of the one or more users, accounts, or clients, wherein the fine-grained access requests correspond an application programming interface (API) of the application;
  
  after the establishment of delegation policy, receive a first request from a client of the application for a delegated access credential to access the database, wherein the first request includes an identity credential that identifies a user of the application, and in response;
  
  verify the identity credential with an identity provider that issued the identity credential;
  
  issue the delegated access credential for the user, wherein the delegated access credential is associated with at least one of the one or more authorization rules in the delegation policy; and
  
  send the delegated access credential to the client; and
  
  after the issuance of the delegated access credential, receive a second request from the database, wherein the second request includes the delegated access credential issued by the delegation service, and in response;
  
  verify the delegated access credential; and
  
  in response to the verification of the delegated access credential, send the delegation policy to the database, wherein the database is configured to use the delegation policy to determine whether an access request to the table submitted with the delegated access credential is authorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the delegated access credential includes an identification of the delegation policy.
  - 3. The system of claim 1, wherein the identity provider is a social media service, email service, or e-commerce service.
  - 4. The system of claim 3, wherein the program instructions are further executable to cause the delegation service to:
    - deny a third request for another delegated access credential based at least in part on a determination that another identity credential included in the third request is not verified.
  - 5. The system of claim 1, wherein the program instructions are further executable to cause the delegation service to create the delegation policy to specify an authorization rule to restrict access to specified columns, fields, or attributes in the table.
  - 6. The system of claim 1, wherein the identity credential comprises a public certificate, and the program instructions are further executable to cause the delegation service to select the delegation policy for the delegated access credential based at least in part on the public certificate.
  - 7. The system of claim 1, wherein the program instructions are further executable to cause the delegation service tostore the delegation policy in a key value data store.
  - 8. The system of claim 1, wherein the program instructions are further executable to cause the delegation service to create the delegation policy to specify an authorization rule that authorizes access to an individual row of the table corresponding to an individual user of the application.
  - 9. The system of claim 1, wherein the program instructions are further executable to cause the delegation service to create the delegation policy to specify an authorization rule that includes a conditional statement.

10. A computer-implemented method, comprising:
- performing, by a delegation service implemented by one or more computers;
  
  receiving one or more initial requests from an application provider to establish a delegation policy for accessing application data of an application stored in a database, and in response;
  
  creating and storing the delegation policy, wherein the delegation policy specifies (a) one or more users, accounts, or clients of the application that are authorized to use the delegation policy, and (b) authorization rules that allow access to fine-grained access requests to read or write different subsets of a table in the database for individual ones of the one or more users, accounts, or clients, wherein the fine-grained access requests correspond an application programming interface (API) of the application;
  
  after the establishment of delegation policy, receiving a first request from a client of the application for a delegated access credential to access the database, wherein the first request includes an identity credential that identifies a user of the application, and in response;
  
  verifying the identity credential with an identity provider that issued the identity credential;
  
  issuing the delegated access credential for the user, wherein the delegated access credential is associated with at least one of the one or more authorization rules in the delegation policy; and
  
  sending the delegated access credential to the client; and
  
  after the issuance of the delegated access credential, receiving a second request from the database, wherein the second request includes the delegated access credential issued by the delegation service, and in response;
  
  verifying the delegated access credential; and
  
  in response to the verification of the delegated access credential, sending the delegation policy to the database, wherein the database is configured to use the delegation policy to determine whether an access request to the table is submitted with the delegated access credential is authorized.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein the delegated access credential includes an identification of the delegation policy.
  - 12. The method of claim 10, further comprising causing the delegation policy to expire based at least in part on the passage of a specified period of time.
  - 13. The method of claim 10, wherein the identity provider is a social media service, email service, or e-commerce service.
  - 14. The method of claim 13, further comprising:
    - receiving a third request for another delegated access credential, the third request including another identity credential;
      
      determining from an identity provider that the other identity credential is not validated; and
      
      denying the third request for the other delegated access credential.
  - 15. The method of claim 13, wherein the identity credential comprises a public certificate, the method further comprising:
    - determining the delegation policy for the delegated access credential based at least in part on the public certificate.

16. A non-transitory computer-readable storage medium storing program instructions that when executed by one or more hardware processors cause the one or more hardware processors to implement a delegation service and cause the delegation service to:
- receive one or more initial requests from an application provider to establish a delegation policy for accessing application data of an application stored in a database, and in response;
  
  create and store the delegation policy, wherein the delegation policy specifies (a) one or more users, accounts, or clients of the application that are authorized to use the delegation policy, and (b) authorization rules that allow access to fine-grained access requests to read or write different subsets of a table in the database for individual ones of the one or more users, accounts, or clients, wherein the fine-grained access requests correspond an application programming interface (API) of the application;
  
  after the establishment of delegation policy, receive a first request from a client of the application for a delegated access credential to access the database, wherein the first request includes an identity credential that identifies a user of the application, and in response;
  
  verify the identity credential with an identity provider that issued the identity credential;
  
  issue the delegated access credential for the user, wherein the delegated access credential is associated with at least one of the one or more authorization rules in the delegation policy; and
  
  send the delegated access credential to the client; and
  
  after the issuance of the delegated access credential, receive a second request from the database, wherein the second request includes the delegated access credential issued by the delegation service, and in response;
  
  verify the delegated access credential; and
  
  in response to the verification of the delegated access credential, send the delegation policy to the database, wherein the database is configured to use the delegation policy to determine whether an access request to the table submitted with the delegated access credential is authorized.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the identity provider is a social media service, email service, or e-commerce service.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein the program instructions when executed by the one or more hardware processors further cause the one or hardware more processors to update the delegation policy to specify an authorization rule that includes a conditional statement.
  - 19. The non-transitory computer-readable storage medium of claim 16, wherein the program instructions when executed by the one or more hardware processors further cause the one or more hardware processors to:
    - store the delegation policy in a key value data store.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the program instructions when executed by the one or more hardware processors further cause the one or more hardware processors to cause the delegation policy to expire based at least in part on the passage of a specified period of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Yanacek, David Craig, Pandey, Prashant
Primary Examiner(s)
Reyes, Mariela
Assistant Examiner(s)
Mina, Fatima P

Application Number

US15/431,708
Publication Number

US 20170155686A1
Time in Patent Office

2,409 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/1767   Concurrency control, e.g. o...

G06F 16/1774   Locking methods, e.g. locki...

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/205   involving negotiation or de...

Fine-grained structured data store access using federated identity management

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Fine-grained structured data store access using federated identity management

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links