Title: Fine-grained structured data store access using federated identity management
Abstract: A structured data store service, such as a database service, may implement fine-grained access to data maintained at the database service using federated identity. Fine-grained access requests may be received at a database service for specified data maintained for an application provider from a client of the application provider. An access credential may also be received. Verification of the access credential may be obtained, and the database service may evaluate the fine-grained access request according to a delegation policy corresponding to the access credential to determine whether the fine-grained request is authorized. If authorized, the fine-grained access request may be serviced. If not authorized, the fine-grained access request may be denied. In some embodiments, multiple application clients may have the same authorization for data, such as read authorization, while one or more other application clients may have different authorization for the data, such as write authorization.
Publication number: US9569634(B1)  Publication date: 2017.02.14
Application number: US201314108247  Filing date: 2013.12.16
Applicant: Amazon Technologies, Inc.  Inventors: Yanacek David Craig; Pandey Prashant
Classification: G06F17/30; G06F7/00; G06F21/62  Main classification: G06F17/30
Agency: Meyertons, Hood, Kivlin, Kowert & Goetzel, P.C.  Agents: Kowert Robert C.; Meyertons, Hood, Kivlin, Kowert & Goetzel, P.C.
Main claim: 1. A system, comprising: a plurality of compute nodes implementing a database service maintaining data for an application provider, wherein the database service implements a fine-grained access management module to authorize fine-grained access requests from one or more application clients of the application provider directed toward portions of the data; the fine-grained access management module, configured to: receive a fine-grained access request for a specified portion of the data maintained at the database service and a delegated access credential for the fine-grained access request from one of the one or more application clients; request, from a delegation service, verification of the delegated access credential; receive the verification of the delegated access credential; receive, from the delegation service, a delegation policy corresponding to the delegated access credential; evaluate the fine-grained access request according to the delegation policy in order to determine request authorization for the fine-grained access request from the one application client; and in response to determining that the fine-grained access request is authorized, provide access to the specified portion of the data in order to service the fine-grained access request.
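The following is an added, constructed simulation of the flow described in the abstract and in claim 1; it is example code written for this record, not the patent's or Amazon's implementation. The names DelegationService, FineGrainedAccessManager, DelegationPolicy and AccessRequest, the HMAC-signed token standing in for the "delegated access credential", the signing key, the table, principals and items are all assumptions made here. The database-side module verifies the credential with the delegation service, receives the policy bound to it, evaluates the request against that policy (table, action, and the partition-key value the principal is allowed to touch), and only then services the request. The scenario covers the abstract's case of several read-only clients alongside one client with write authorization, plus the two failure modes a practitioner cares about: a tampered credential and an expired one.

```python
"""Constructed simulation of fine-grained access with a delegated credential.

Not the patent's or any vendor's code: the delegation service, signing key,
principals, table and items below are all invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import time

SIGNING_KEY = b"constructed-delegation-service-key"  # a real service keeps this in an HSM/KMS


@dataclass(frozen=True)
class DelegationPolicy:
    principal: str                 # identity the credential was delegated to
    table: str                     # the only table this credential may touch
    allowed_actions: frozenset     # {"GetItem"} for readers, {"GetItem", "PutItem"} for writers
    key_attribute: str             # partition-key attribute the policy constrains
    key_prefix: Optional[str] = None  # None: key must equal principal; "": any key (writer role)


@dataclass(frozen=True)
class AccessRequest:
    action: str
    table: str
    key: dict                      # e.g. {"user_id": "alice"}
    item: Optional[dict] = None    # payload for PutItem


class DelegationService:
    """Issues HMAC-signed delegated credentials and returns the policy bound to each."""

    def __init__(self):
        self._policies = {}

    def issue(self, policy, ttl=3600, now=None):
        now = int(time.time()) if now is None else now
        body = f"{policy.principal}|{now + ttl}"
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        token = f"{body}|{sig}"
        self._policies[token] = policy
        return token

    def verify(self, token, now=None):
        """Signature, expiry and issuance are all checked; any failure is a verification failure."""
        now = int(time.time()) if now is None else now
        try:
            principal, exp, sig = token.split("|")
            exp = int(exp)
        except ValueError:
            return False
        expected = hmac.new(SIGNING_KEY, f"{principal}|{exp}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig) and exp > now and token in self._policies

    def policy_for(self, token):
        return self._policies[token]


class FineGrainedAccessManager:
    """Database-side module: verify credential, fetch policy, evaluate, then service or deny."""

    def __init__(self, delegation_service):
        self.delegation = delegation_service
        self.store = {}  # {table: {frozenset(key items): item}}

    def handle(self, request, credential, now=None):
        if not self.delegation.verify(credential, now):
            return "denied", "credential verification failed"
        policy = self.delegation.policy_for(credential)
        reason = self._evaluate(request, policy)
        if reason is not None:
            return "denied", reason
        return "allowed", self._service(request)

    @staticmethod
    def _evaluate(request, policy):
        """Return None if authorized, otherwise the reason for denial."""
        if request.table != policy.table:
            return f"table {request.table!r} not covered by policy"
        if request.action not in policy.allowed_actions:
            return f"action {request.action!r} not permitted for {policy.principal!r}"
        key_value = request.key.get(policy.key_attribute)
        if key_value is None:
            return f"request lacks key attribute {policy.key_attribute!r}"
        if policy.key_prefix is None and key_value != policy.principal:
            return f"{policy.key_attribute}={key_value!r} not owned by {policy.principal!r}"
        if policy.key_prefix is not None and not key_value.startswith(policy.key_prefix):
            return f"{policy.key_attribute}={key_value!r} outside permitted prefix"
        return None

    def _service(self, request):
        table = self.store.setdefault(request.table, {})
        item_key = frozenset(request.key.items())
        if request.action == "PutItem":
            table[item_key] = request.item
            return "stored"
        return table.get(item_key)


def demo(now=1_700_000_000):
    """Two read-only clients and one writer, as in the abstract; returns each outcome."""
    ds = DelegationService()
    mgr = FineGrainedAccessManager(ds)
    reads = frozenset({"GetItem"})
    alice = ds.issue(DelegationPolicy("alice", "UserProfiles", reads, "user_id"), now=now)
    bob = ds.issue(DelegationPolicy("bob", "UserProfiles", reads, "user_id"), now=now)
    writer = ds.issue(DelegationPolicy("profile-service", "UserProfiles",
                                       frozenset({"GetItem", "PutItem"}), "user_id", ""), now=now)
    put = AccessRequest("PutItem", "UserProfiles", {"user_id": "alice"}, {"name": "Alice"})
    get_alice = AccessRequest("GetItem", "UserProfiles", {"user_id": "alice"})
    tampered = alice[:-1] + ("0" if alice[-1] != "0" else "1")  # flip last signature char
    return {
        "writer_put": mgr.handle(put, writer, now),
        "alice_reads_own": mgr.handle(get_alice, alice, now),
        "bob_reads_alice": mgr.handle(get_alice, bob, now),
        "alice_writes": mgr.handle(put, alice, now),
        "tampered": mgr.handle(tampered and tampered, tampered, now) if False else mgr.handle(get_alice, tampered, now),
        "expired": mgr.handle(get_alice, alice, now + 7200),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

The evaluation order matters for defenders: the credential is verified before any policy is consulted, so a forged or expired credential never reaches the authorization logic, and a valid credential still fails closed when the request names a table, action or partition key outside its delegation policy.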
Address: Reno NV US