Title of invention: AUTHORIZED DELEGATION OF PERMISSIONS
Abstract: Systems and methods are described for delegating permissions to enable account access to entities not directly associated with the account. The systems determine a delegation profile associated with a secured account of at least one customer. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
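Application publication number: US2015341368(A1) Application publication date: 2015.11.26
Application number: US201514817194 Filing date: 2015.08.03
Applicant: Amazon Technologies, Inc. Inventors: Roth Gregory B.; Behm Bradley Jeffery
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent: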
Independent claim: 1. A computer implemented method, comprising: receiving, by one or more computing devices, from an entity, a request for access to one or more resources associated with an account of a customer, the account being maintained by a provider of the one or more resources, the one or more resources accessible to the customer as determined by one or more terms of the account; determining, by the one or more computing devices, an applicable delegation profile for the request, the applicable delegation profile being associated with the account of the customer, the applicable delegation profile associated with one or more permissions for accessing and utilizing the one or more resources; determining, according to a validation policy of the applicable delegation profile, that the entity is authorized to perform one or more actions against the one or more resources as specified by the applicable delegation profile; and providing, by the one or more computing devices, the entity with access to the one or more resources according to the one or more permissions associated with the applicable delegation profile, the access enabling the entity to act as the customer on the one or more resources subject to the one or more permissions.
Address: Reno NV US