DELEGATED PERMISSIONS IN A DISTRIBUTED ELECTRONIC ENVIRONMENT

摘要

Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Delegation profiles are established that are associated with at least one secured account of at least one customer. Each delegation profile includes information such as a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once a delegation profile is created, the profile can be available for external principals or services that provide a user credential delegated access under the account, where that credential is provided by a trusted identity service. Access can be provided across accounts using the user credential.

主权项

1. A method comprising:
obtaining, on an application executing on a computing device, a user credential associated with a user; providing, by the application to a first provider of web services, the user credential; securing, in the application and from the first provider, access to a first web service and to associated web service credentials, the access based at least in part on the user credentials, wherein:
the web service credentials are associated with the user credential; andthe web service credentials comprise access rights to first resources; providing, from the application to a second provider of web services, the user credential and a copy of the web service credentials; and securing, in the application and from the second provider, access to a second web service and to data corresponding to both the user and to the first web service, wherein the data is accessible on second resources controlled via the second web service.