Managing security groups for data instances
Abstract
Access level and security group information can be updated for a data instance without having to take down or recycle the instance. A data instance created in a data environment will have at least one default security group. Permissions can be applied to the default security group to limit access via the data environment. A control security group can be created in a control environment and associated with the default security group. Permissions can be applied and updated with respect to the control security group without modifying the default security group, such that the data instance does not need to be recycled or otherwise made unavailable. Requests to perform actions with respect to the control security groups are made via the control environment, while allowing native access to the data via the data environment.
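A minimal model of the arrangement the abstract describes, added here as an illustration and not taken from the patent. The CIDR-style permissions, the class and function names, and the restart counter are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ControlEnvironment:
    """Control plane: stores control security groups and their permissions."""
    groups: dict = field(default_factory=dict)  # group name -> set of networks

    def create_group(self, name):
        self.groups.setdefault(name, set())

    def authorize(self, name, cidr):
        self.groups[name].add(ipaddress.ip_network(cidr))

    def revoke(self, name, cidr):
        self.groups[name].discard(ipaddress.ip_network(cidr))

    def permits(self, name, source_ip):
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.groups.get(name, ()))


@dataclass
class DataInstance:
    """Data plane: the native group is fixed once, at provisioning."""
    name: str
    native_group: frozenset  # names of the associated control groups
    restarts: int = 0        # would increase if the instance were recycled


def provision(control, name, control_group):
    control.create_group(control_group)  # starts empty, so default deny
    return DataInstance(name, frozenset({control_group}))


def connect(control, instance, source_ip):
    # Native access check: the native group defers to the permissions
    # stored in the control environment, read at connection time.
    return any(control.permits(g, source_ip) for g in instance.native_group)


def demo():
    control = ControlEnvironment()
    db = provision(control, "db-1", "app-tier")        # constructed names
    before = connect(control, db, "203.0.113.10")      # documentation address
    control.authorize("app-tier", "203.0.113.0/24")    # control-plane update
    after = connect(control, db, "203.0.113.10")
    control.revoke("app-tier", "203.0.113.0/24")
    revoked = connect(control, db, "203.0.113.10")
    return before, after, revoked, db.restarts
```

The permission changes take effect on the next connection while the instance's native group and restart count stay untouched.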
24 Claims
1. A computer-implemented method of managing security permissions, comprising:
under control of one or more computer systems configured with executable instructions,
provisioning a data instance in a data environment that includes a first distributed computing system configured to provide native access to data instances for a plurality of customers, wherein a separate control environment includes a second distributed computing system that is separate from and configured to manage the data environment, wherein the data environment that includes the first distributed computing system and the separate control environment that includes the second distributed computing system are both part of a service provider network;
generating a native security group for the data instance;
generating, by the separate control environment, at least one control security group for the data instance and associating the at least one control security group with the native security group for the data instance;
receiving, by the separate control environment, a request from a customer to update one or more permissions of the at least one control security group of the data instance;
subsequent to receipt of the request, updating at least one permission for the at least one control security group while allowing the customer native access to the data instance in the data environment in accordance with a permission in the native security group;
storing, in the separate control environment, the at least one permission for use in determining subsequent access to the data instance by at least one member of the at least one control security group; and
controlling access to the data instance via the data environment based at least in part upon the at least one permission stored in the separate control environment.
Dependent claims: 2, 3
4. A computer-implemented method of managing a data instance, comprising:
under control of one or more computer systems configured with executable instructions,
provisioning the data instance in a data environment, the data environment comprising a first distributed computing system for providing native access to data instances for a plurality of customers;
receiving, by a separate control environment, a request from a customer to update a control security group for the data instance, the separate control environment comprising a second distributed computing system that is separate from the first distributed computing system of the data environment and that is configured to enable management of the data instances, wherein the data environment comprising the first distributed computing system and the separate control environment comprising the second distributed computing system are both part of a service provider network, the control security group being associated with a native security group for the data instance in the data environment;
updating the control security group while allowing the customer native access to the data instance in the data environment in accordance with a permission in the native security group; and
controlling access to the data instance via the data environment based at least in part upon the updated control security group.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12
13. A system for controlling a data environment using a separate control environment, comprising:
at least one processor; and
memory including instructions that, when executed by the at least one processor, cause the system to:
provision a data instance in the data environment, the data environment comprising a first distributed computing system for providing native access to data instances for a plurality of customers;
receive, by the separate control environment, a request from a customer to update a control security group for the data instance, the separate control environment comprising a second distributed computing system, that is separate from the first distributed computing system of the data environment and that is configured to enable management of the data instances, wherein the data environment comprising the first distributed computing system and the separate control environment comprising the second distributed computing system are both part of a service provider network, the control security group being associated with a native security group for the data instance in the data environment;
update the control security group while allowing the customer native access to the data instance in the data environment in accordance with a permission in the native security group; and
control access to the data instance via the data environment based at least in part upon the updated control security group.
Dependent claims: 14, 15, 16, 17, 18, 19
20. A computer program product embedded in a non-transitory computer-readable medium and including instructions that, when executed by at least one computing device, cause the at least one computing device to:
provision a data instance in a data environment, the data environment comprising a first distributed computing system for providing native access to data instances for a plurality of customers;
receive, by a separate control environment, a request from a customer to update a control security group for the data instance, the separate control environment comprising a second distributed computing system, that is separate from the first distributed computing system of the data environment and that is configured to enable management of the data instances, wherein the data environment comprising the first distributed computing system and the separate control environment comprising the second distributed computing system are both part of a service provider network, the control security group being associated with a native security group for the data instance in the data environment;
update the control security group while allowing the customer native access to the data instance in the data environment in accordance with a permission in the native security group; and
control access to the data instance via the data environment based at least in part upon the updated control security group.
Dependent claims: 21, 22, 23, 24
Specification