Title of invention: ENTITY TO AUTHORIZE DELEGATION OF PERMISSIONS
Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
Publication number: US2015304294(A1)   Publication date: 2015.10.22
Application number: US201514629332   Filing date: 2015.02.23
Applicant: Amazon Technologies, Inc.   Inventors: Roth Gregory B.; Fitch Nathan R.; O'Neill Kevin Ross; Baer Graeme D.; Behm Bradley Jeffery; Pratt Brian Irl
Classification: H04L29/06   Main classification: H04L29/06
Agency: (none listed)   Agent: (none listed)
Independent claim 1. A computer implemented method for asynchronous permission delegation, said method comprising:
    under the control of one or more computer systems configured with executable instructions,
    defining a delegation profile associated with an account, the delegation profile including (a) a validation policy that specifies one or more security principals that are permitted to operate in a security context of the delegation profile under a set of conditions, and (b) an authorization policy specifying permitted actions for the one or more security principals operating in the security context of the delegation profile;
    granting permission to at least one user of the account to use the delegation profile;
    receiving a request for a set of credentials from at least one service, the request indicating the delegation profile;
    providing the set of credentials to the service if the service is verified to be one of the one or more security principals identified in the validation policy of the delegation profile, the credentials enabling requests to be made in the account within the security context of the delegation profile and subject to the authorization policy of the delegation profile;
    receiving, from an entity, a request for access to a resource in the account, the request indicating the delegation profile;
    providing access to the entity if the entity is verified to be one of the one or more security principals identified in the delegation profile, the access enabling the entity to act on the resources in the account as the one or more security principals identified by the delegation profile subject to the permissions specified in the delegation profile.
Address: Reno NV US
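The abstract and claim 1 above describe a delegation profile with two policies: a validation policy (which principals may assume the profile, under what conditions) and an authorization policy (what an assumed principal may do in the account), plus a flow in which a trusted service obtains short-lived credentials for the profile and every later request is checked against the authorization policy. The following toy model is an added example written for this page; it is not code from the patent, from Amazon, or from any product implementing it. The class names (Account, DelegationProfile, Credentials), the principal ids such as "service:backup-worker", the action strings such as "storage:GetObject", the HMAC-based credential format and the fixed timestamps are all constructed for illustration.

```python
"""Toy model of permission delegation through a delegation profile (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class DelegationProfile:
    """A named profile defined inside an account.

    validation policy   -> trusted_principals + require_mfa (who may assume it, and under what condition)
    authorization policy -> allowed_actions (what the assumed principal may do inside the account)
    """
    name: str
    trusted_principals: frozenset
    allowed_actions: frozenset
    require_mfa: bool = False
    session_seconds: int = 3600


@dataclass(frozen=True)
class Credentials:
    """Short-lived credentials bound to one account, one profile and one principal."""
    account_id: str
    profile: str
    principal: str
    expires_at: int
    mac: str  # HMAC over the fields above, keyed with the account's secret


class Account:
    def __init__(self, account_id, signing_key):
        self.account_id = account_id
        self._key = signing_key
        self.profiles = {}   # profile name -> DelegationProfile
        self.grants = set()  # (user, profile name): account users allowed to use the profile

    # Claim steps 1 and 2: define the profile, then grant an account user the right to use it.
    def define_profile(self, profile):
        self.profiles[profile.name] = profile

    def grant_use(self, user, profile_name):
        if profile_name not in self.profiles:
            raise KeyError(profile_name)
        self.grants.add((user, profile_name))

    def user_may_use(self, user, profile_name):
        return (user, profile_name) in self.grants

    # Claim steps 3 and 4: a service asks for credentials naming the profile; the request is
    # honoured only if the service passes the profile's validation policy.
    def request_credentials(self, principal, profile_name, mfa_present=False, now=None):
        profile = self.profiles.get(profile_name)
        if profile is None:
            raise PermissionError("unknown delegation profile")
        if principal not in profile.trusted_principals:
            raise PermissionError(f"{principal} is not trusted by profile {profile_name}")
        if profile.require_mfa and not mfa_present:
            raise PermissionError("validation policy requires MFA for this profile")
        now = int(time.time()) if now is None else now
        expires_at = now + profile.session_seconds
        mac = self._mac(profile_name, principal, expires_at)
        return Credentials(self.account_id, profile_name, principal, expires_at, mac)

    def _mac(self, profile_name, principal, expires_at):
        msg = f"{self.account_id}|{profile_name}|{principal}|{expires_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    # Claim step 5: every request made with the credentials runs in the profile's security
    # context and is subject to its authorization policy.
    def authorize(self, creds, action, now=None):
        now = int(time.time()) if now is None else now
        expected = self._mac(creds.profile, creds.principal, creds.expires_at)
        if creds.account_id != self.account_id or not hmac.compare_digest(creds.mac, expected):
            return False  # foreign or tampered credentials
        if now >= creds.expires_at:
            return False  # session expired
        profile = self.profiles.get(creds.profile)
        if profile is None:
            return False  # deleting the profile revokes all outstanding sessions
        return action in profile.allowed_actions


def demo():
    """Run the delegation flow end to end on constructed data and report each check."""
    acct = Account("111122223333", secrets.token_bytes(32))  # constructed account id
    acct.define_profile(DelegationProfile(
        name="backup-reader",
        trusted_principals=frozenset({"service:backup-worker"}),
        allowed_actions=frozenset({"storage:GetObject", "storage:ListBucket"}),
        session_seconds=900,
    ))
    acct.grant_use("alice", "backup-reader")
    t0 = 1_700_000_000  # constructed issue time
    creds = acct.request_credentials("service:backup-worker", "backup-reader", now=t0)
    results = {
        "alice_may_use": acct.user_may_use("alice", "backup-reader"),
        "read_allowed": acct.authorize(creds, "storage:GetObject", now=t0 + 10),
        "delete_denied": not acct.authorize(creds, "storage:DeleteObject", now=t0 + 10),
        "expired_denied": not acct.authorize(creds, "storage:GetObject", now=t0 + 900),
    }
    try:  # a principal outside the validation policy gets no credentials at all
        acct.request_credentials("service:unknown", "backup-reader", now=t0)
        results["untrusted_denied"] = False
    except PermissionError:
        results["untrusted_denied"] = True
    # credentials whose profile field was altered after issuance fail the MAC check
    altered = Credentials(creds.account_id, "other-profile", creds.principal, creds.expires_at, creds.mac)
    results["altered_denied"] = not acct.authorize(altered, "storage:GetObject", now=t0 + 10)
    return results


if __name__ == "__main__":
    print(demo())
```

The two policies are deliberately kept separate in the model: the validation policy is consulted once, when credentials are issued, while the authorization policy is consulted on every request, so changing or deleting the profile takes effect for sessions that are already open. Binding the credentials to the account, profile, principal and expiry with a keyed MAC is what lets the account reject credentials that were altered or that belong to a different account.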