Fine-grained structured data store access using federated identity management
First Claim
1. A system, comprising:
one or more hardware processors; and
memory storing program instructions that when executed implement a delegation service to:
receive one or more initial requests from an application provider to establish a delegation policy for accessing application data of an application stored in a database, and in response:
create and store the delegation policy, wherein the delegation policy specifies (a) one or more users, accounts, or clients of the application that are authorized to use the delegation policy, and (b) authorization rules that allow access to fine-grained access requests to read or write different subsets of a table in the database for individual ones of the one or more users, accounts, or clients, wherein the fine-grained access requests correspond to an application programming interface (API) of the application;
after the establishment of the delegation policy, receive a first request from a client of the application for a delegated access credential to access the database, wherein the first request includes an identity credential that identifies a user of the application, and in response:
verify the identity credential with an identity provider that issued the identity credential;
issue the delegated access credential for the user, wherein the delegated access credential is associated with at least one of the one or more authorization rules in the delegation policy; and
send the delegated access credential to the client; and
after the issuance of the delegated access credential, receive a second request from the database, wherein the second request includes the delegated access credential issued by the delegation service, and in response:
verify the delegated access credential; and
in response to the verification of the delegated access credential, send the delegation policy to the database, wherein the database is configured to use the delegation policy to determine whether an access request to the table submitted with the delegated access credential is authorized.
Abstract
A structured data store service, such as a database service, may implement fine-grained access to data maintained at the database service using federated identity. Fine-grained access requests may be received at a database service, from a client of an application provider, for specified data maintained for that application provider. An access credential may also be received with the request. Verification of the access credential may be obtained, and the database service may evaluate the fine-grained access request according to a delegation policy corresponding to the access credential to determine whether the fine-grained request is authorized. If authorized, the fine-grained access request may be serviced. If not authorized, the fine-grained access request may be denied. In some embodiments, multiple application clients may have the same authorization for data, such as read authorization, while one or more other application clients may have a different authorization for the same data, such as write authorization.
39 Citations
20 Claims
1. A system, comprising: (independent claim 1 is reproduced in full under First Claim above) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
10. A computer-implemented method, comprising:
performing, by a delegation service implemented by one or more computers:
receiving one or more initial requests from an application provider to establish a delegation policy for accessing application data of an application stored in a database, and in response:
creating and storing the delegation policy, wherein the delegation policy specifies (a) one or more users, accounts, or clients of the application that are authorized to use the delegation policy, and (b) authorization rules that allow access to fine-grained access requests to read or write different subsets of a table in the database for individual ones of the one or more users, accounts, or clients, wherein the fine-grained access requests correspond to an application programming interface (API) of the application;
after the establishment of the delegation policy, receiving a first request from a client of the application for a delegated access credential to access the database, wherein the first request includes an identity credential that identifies a user of the application, and in response:
verifying the identity credential with an identity provider that issued the identity credential;
issuing the delegated access credential for the user, wherein the delegated access credential is associated with at least one of the one or more authorization rules in the delegation policy; and
sending the delegated access credential to the client; and
after the issuance of the delegated access credential, receiving a second request from the database, wherein the second request includes the delegated access credential issued by the delegation service, and in response:
verifying the delegated access credential; and
in response to the verification of the delegated access credential, sending the delegation policy to the database, wherein the database is configured to use the delegation policy to determine whether an access request to the table submitted with the delegated access credential is authorized.
- View Dependent Claims (11, 12, 13, 14, 15)
16. A non-transitory computer-readable storage medium storing program instructions that when executed by one or more hardware processors cause the one or more hardware processors to implement a delegation service and cause the delegation service to:
receive one or more initial requests from an application provider to establish a delegation policy for accessing application data of an application stored in a database, and in response:
create and store the delegation policy, wherein the delegation policy specifies (a) one or more users, accounts, or clients of the application that are authorized to use the delegation policy, and (b) authorization rules that allow access to fine-grained access requests to read or write different subsets of a table in the database for individual ones of the one or more users, accounts, or clients, wherein the fine-grained access requests correspond to an application programming interface (API) of the application;
after the establishment of the delegation policy, receive a first request from a client of the application for a delegated access credential to access the database, wherein the first request includes an identity credential that identifies a user of the application, and in response:
verify the identity credential with an identity provider that issued the identity credential;
issue the delegated access credential for the user, wherein the delegated access credential is associated with at least one of the one or more authorization rules in the delegation policy; and
send the delegated access credential to the client; and
after the issuance of the delegated access credential, receive a second request from the database, wherein the second request includes the delegated access credential issued by the delegation service, and in response:
verify the delegated access credential; and
in response to the verification of the delegated access credential, send the delegation policy to the database, wherein the database is configured to use the delegation policy to determine whether an access request to the table submitted with the delegated access credential is authorized.
- View Dependent Claims (17, 18, 19, 20)
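The three-party flow that the abstract and independent claims describe (application provider registers a delegation policy; client exchanges an identity-provider credential for a delegated access credential; database hands that credential back to the delegation service for verification and enforces the returned policy on a fine-grained read or write) is easiest to follow as code. The block below is an added illustration, not code from the patent or its assignee. It assumes HMAC-signed JSON tokens as the credential format, a single table named "orders" keyed by an owner column, and the policy schema, user names and class names shown; all of these are constructed for the example.

```python
"""Added example: delegation service, federated IdP and database enforcing a
fine-grained delegation policy.  All names, the token format and the policy
schema are assumptions for illustration, not the patent's own design."""
import hashlib, hmac, json, secrets, time


def _sign(key, payload):
    """Constructed credential format: hex(JSON body) '.' HMAC-SHA256(body)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return body.hex() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


def _open(key, token):
    """Return the claims if the MAC verifies and the token is unexpired, else None."""
    try:
        body_hex, mac = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).hexdigest()):
        return None
    claims = json.loads(body)
    return claims if claims.get("exp", 0) > time.time() else None


class IdentityProvider:
    """Federated IdP: issues the identity credential the client presents."""
    def __init__(self, name):
        self.name, self._key = name, secrets.token_bytes(32)

    def login(self, user):
        return _sign(self._key, {"iss": self.name, "sub": user, "exp": time.time() + 300})

    def verify(self, cred):  # called by the delegation service, never by the database
        c = _open(self._key, cred)
        return c["sub"] if c and c.get("iss") == self.name else None


class DelegationService:
    def __init__(self, idps):
        self._idps = {i.name: i for i in idps}
        self._policies, self._key = {}, secrets.token_bytes(32)

    def establish_policy(self, policy_id, policy):  # "initial request" from the app provider
        self._policies[policy_id] = policy

    def issue_delegated_credential(self, policy_id, idp_name, identity_cred):  # "first request"
        policy = self._policies[policy_id]
        idp = self._idps.get(idp_name)
        user = idp.verify(identity_cred) if idp else None
        if user is None or user not in policy["users"]:
            return None  # unknown IdP, bad/expired token, or user not covered by the policy
        return _sign(self._key, {"policy": policy_id, "user": user, "exp": time.time() + 60})

    def verify_credential(self, delegated_cred):  # "second request", made by the database
        c = _open(self._key, delegated_cred)
        if c is None or c.get("policy") not in self._policies:
            return None
        return c["user"], self._policies[c["policy"]]  # policy is sent back to the database


class Database:
    def __init__(self, delegation):
        self._delegation, self.tables = delegation, {}

    def _authorize(self, cred, table, op, owner, columns):
        res = self._delegation.verify_credential(cred)
        if res is None:
            raise PermissionError("credential rejected by delegation service")
        user, policy = res
        if policy["table"] != table:
            raise PermissionError("policy does not cover this table")
        for rule in policy["users"].get(user, []):
            if rule["rows"] == "own" and owner != user:  # row scope: only the caller's rows
                continue
            if rule["op"] == op and set(columns) <= set(rule["columns"]):
                return user
        raise PermissionError(f"{user} may not {op} {columns} on rows owned by {owner}")

    def read_items(self, cred, table, owner, columns):  # fine-grained read (subset of a table)
        self._authorize(cred, table, "read", owner, columns)
        return [{c: r[c] for c in columns} for r in self.tables[table] if r["owner"] == owner]

    def write_item(self, cred, table, owner, column, value):  # fine-grained write
        self._authorize(cred, table, "write", owner, [column])
        for r in self.tables[table]:
            if r["owner"] == owner:
                r[column] = value


def _attempt(fn):
    try:
        fn()
        return "allowed"
    except PermissionError:
        return "denied"


def demo():
    """Constructed scenario: alice may read her own sku/qty, bob may read all rows and write notes."""
    idp, out = IdentityProvider("example-idp"), {}
    ds = DelegationService([idp])
    db = Database(ds)
    db.tables["orders"] = [{"owner": "alice", "sku": "A1", "qty": 2, "notes": ""},
                           {"owner": "carol", "sku": "C7", "qty": 1, "notes": ""}]
    ds.establish_policy("orders-policy", {"table": "orders", "users": {
        "alice": [{"op": "read", "rows": "own", "columns": ["sku", "qty"]}],
        "bob": [{"op": "read", "rows": "any", "columns": ["owner", "sku", "qty"]},
                {"op": "write", "rows": "any", "columns": ["notes"]}]}})
    alice = ds.issue_delegated_credential("orders-policy", "example-idp", idp.login("alice"))
    bob = ds.issue_delegated_credential("orders-policy", "example-idp", idp.login("bob"))
    out["alice_own"] = db.read_items(alice, "orders", "alice", ["sku", "qty"])
    out["alice_other"] = _attempt(lambda: db.read_items(alice, "orders", "carol", ["sku"]))
    out["alice_notes"] = _attempt(lambda: db.read_items(alice, "orders", "alice", ["notes"]))
    db.write_item(bob, "orders", "carol", "notes", "refund issued")
    out["bob_write"] = db.tables["orders"][1]["notes"]
    out["bob_write_qty"] = _attempt(lambda: db.write_item(bob, "orders", "carol", "qty", 0))
    tampered = alice[:-1] + ("0" if alice[-1] != "0" else "1")  # flip one MAC character
    out["tampered"] = _attempt(lambda: db.read_items(tampered, "orders", "alice", ["sku"]))
    out["unknown_user"] = ds.issue_delegated_credential("orders-policy", "example-idp", idp.login("mallory"))
    return out
```

The point worth noticing is the trust boundary: the database never sees the identity provider's key or the user's identity credential; it only relays the delegated credential to the delegation service and enforces whatever policy comes back, so row and column scoping are decided by the application provider's policy rather than by per-user database accounts. A production version would replace the shared-key HMAC with the delegation service's own signing key and would bind the delegated credential to the specific policy rule rather than resolving it by user name at evaluation time.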
Specification