| 摘要 |
Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Delegation profiles are established that are associated with at least one secured account of at least one customer. Each delegation profile includes information such as a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once a delegation profile is created, the profile can be available for external principals or services that provide a user credential delegated access under the account, where that credential is provided by a trusted identity service. Access can be provided across accounts using the user credential. |
| 主权项 |
1. A computer implemented method, comprising:
receiving, from an entity, a request for access to one or more resources, the request associated with a user credential, the user credential comprising a cryptographic token generated by a third party identity provider, the cryptographic token including identity information for the entity and a specified user independent from the entity to authenticate the entity; generating, by one or more computer systems, an applicable delegation profile for the request based at least in part on the user credential and the identity information for the entity, the applicable delegation profile comprising permissions for accessing the one or more resources and identifiers for one of the specified user or principals permitted to access the one or more resources according to the permissions; identifying one or more parties to provide an amount of funding based at least in part upon the request and the applicable delegation profile, the one or more parties to provide the amount of funding not associated with the specific user or principals permitted to access the one or more resources; determining whether the amount of funding is provided for the access in response to the identification of the one or more parties; authenticating, by the one or more computer systems, the entity based at least in part on the user credential and the determination that the amount of funding is provided, the user credential mapped to the identifiers for one of the specific user or principals permitted to access the one or more resources; and providing, by the one or more computer systems, the entity with access to the one or more resources according to the applicable delegation profile based at least in part on the authentication of the entity, the access enabling the entity to act as the specified user on the one or more resources subject to the permissions. |
