Title Token-based debugging of access control policies
Abstract Methods and systems for allowing system administrators to effectively debug access control issues experienced by users without compromising security. In some embodiments, when a user's request to access services provided by a service provider is denied, the user may be issued a token that encodes debugging information useful for determining the cause of the denial of access. The debugging information may be encoded such that it is inaccessible to the user. Subsequently, the user may give the token to an administrator. The administrator may submit the token to the service provider, which may decode the token and provide the administrator access to debugging information that is useful for debugging the access control policies that caused the denial of access.
Publication number US9053343(B1) Publication date 2015.06.09
Application number US201213677212 Filing date 2012.11.14
Applicant Amazon Technologies, Inc. Inventors Fuller Erik James;Brown David Everard;Greenfield James Alfred Gordon;DeSantis Peter Nicholas
Classification G06F21/00;H04L29/06;G06F21/62;H04W12/04;H04W12/06 Main classification G06F21/00
Agency Kilpatrick Townsend & Stockton LLP Agent Kilpatrick Townsend & Stockton LLP
Main claim 1. A computer-implemented method for debugging access control policies, comprising: receiving a first request from a first computing device of a first user to access one or more computing resources; determining that the first request is denied according to one or more access control policies; after determining that the first request is denied, generating a token that identifies detailed information regarding evaluation of the one or more access control policies and regarding a reason for the determining that the first request is denied; providing the token to the first computing device, the detailed information configured to be inaccessible to the first user based at least in part on the token; receiving a second request from a second computing device of a second user to access the detailed information, the second request specifying at least the token provided to the first computing device; and after receipt of the second request, providing access to at least a portion of the detailed information to the second user, the at least a portion of the detailed information determined based at least in part on the token specified in the second request and information indicating that the token is accessible to the second user.
Address Reno NV US
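As an added illustration of the mechanism the abstract and claim describe (example code, not the patent's or Amazon's own): on denial the service keeps the policy-evaluation trace and reason server-side and hands the user only an opaque random token, which an administrator can redeem only if entitled to that principal's debugging data. The policy tuple format, the admin entitlement map, the sample policies and the token lifetime are assumptions made for this example.

```python
import secrets
import time

class AccessControlService:
    """Hypothetical service (not the patent's code). policies: (name, principal,
    action, resource, effect) tuples; admins: admin -> principals they may debug."""
    TOKEN_TTL = 3600  # seconds a debug token stays redeemable (assumed)

    def __init__(self, policies, admins):
        self.policies = policies
        self.admins = admins
        self._records = {}  # token -> debugging detail, kept only on the server

    def evaluate(self, principal, action, resource):
        """Return (trace, allowed, reason); explicit Deny wins, else implicit deny."""
        trace, allowed = [], False
        for name, p, a, r, effect in self.policies:
            matched = (p, a, r) == (principal, action, resource)
            trace.append({"policy": name, "matched": matched, "effect": effect})
            if matched and effect == "Deny":
                return trace, False, f"explicit Deny by policy {name}"
            allowed = allowed or (matched and effect == "Allow")
        return trace, allowed, "" if allowed else "no matching Allow (implicit deny)"

    def request(self, principal, action, resource):
        """User-facing call: on denial the user receives only an opaque token."""
        trace, allowed, reason = self.evaluate(principal, action, resource)
        if allowed:
            return {"status": "allowed"}
        token = secrets.token_urlsafe(16)  # unguessable handle, carries no plaintext
        self._records[token] = {"principal": principal, "action": action, "resource": resource,
                                "trace": trace, "reason": reason, "issued_at": time.time()}
        return {"status": "denied", "debug_token": token}

    def redeem(self, admin, token):
        """Admin-facing call: releases detail only for a valid token the admin is entitled to."""
        rec = self._records.get(token)
        if rec is None or time.time() - rec["issued_at"] > self.TOKEN_TTL:
            return None  # unknown, forged or expired token
        if rec["principal"] not in self.admins.get(admin, set()):
            return None  # admin is not entitled to this principal's debugging data
        return {"reason": rec["reason"], "trace": rec["trace"]}

def build_demo_service():
    """Constructed sample policies and admin entitlements for a stand-alone run."""
    policies = [("AllowRead", "alice", "s3:GetObject", "bucket/a", "Allow"),
                ("DenyDelete", "alice", "s3:DeleteObject", "bucket/a", "Deny")]
    return AccessControlService(policies, {"bob": {"alice"}})
```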