Providing selective access to resources
US-2018020005-A1 · Jan 18, 2018 · US
US10362039B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10362039-B2 |
| Application number | US-201615384182-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 19, 2016 |
| Priority date | Apr 29, 2014 |
| Publication date | Jul 23, 2019 |
| Grant date | Jul 23, 2019 |
Abstract
A computing resource service provider may receive, from a user client connected to an on-premises network, a security document specifying one or more user roles defining a level of access to customer resources within the on-premises network. In response, the service provider may generate and provide the user client with a cookie specifying the user roles and including an address for an interface within the service provider network. The service provider may receive a request from the user client to access one or more customer resources hosted by the service provider. The request may include the cookie previously provided to the user client. Accordingly, the service provider may extract the user roles from the cookie and determine, based at least in part on these user roles, whether to fulfill the user client request.
Claims
What is claimed is:
1. A computer-implemented method comprising: receiving, from a client device connected to an on-premises network, a first token specifying an identity corresponding to a first set of permissions for access to a plurality of off-premises resources and specifying a second set of permissions applicable to at least some off-premises resources of the plurality of off-premises resources; providing, to the client device connected to the on-premises network, a second token specifying the first set of permissions, the first set of permissions determined based at least in part on the second set of permissions; receiving a request from the client device to access the plurality of off-premises resources, the request including the second token; and as a result of receipt of the request, accessing information encoding the first set of permissions from a source different from the second token to determine a manner in which to process the request based at least in part on the accessed information.
2. The computer-implemented method of claim 1, wherein the first set of permissions for access to the plurality of off-premises resources are managed within the on-premises network.
3. The computer-implemented method of claim 1, wherein the first set of permissions is changeable between providing the second token to the client device and receipt of the request.
4. The computer-implemented method of claim 1, further comprising exchanging the second token included in the request with a third token, the third token usable to process the request in the manner.
5. A system, comprising: one or more processors; and memory including instructions that, as a result of being executed by the one or more processors, cause the system to: provide, to a client device connected to an on-premises network, a token specifying a first set of permissions for access to one or more off-premises resources, the token provided in response to having received a token from the client device specifying an identity corresponding to the first set of permissions and specifying a second set of permissions applicable to at least some of the one or more off-premises resources, the first set of permissions determined based at least in part on the second set of permissions; receive a request from the client device to access the one or more off-premises resources, the request including the token; and in response to the request, access information encoding the first set of permissions from a source different from the token to determine a manner in which to process the request based at least in part on the accessed information.
6. The system of claim 5, wherein the token is provided to the client device by an identity provider operating within the on-premises network, the identity provider configured to utilize a set of credentials from the client device to identify the identity corresponding to the first set of permissions.
7. The system of claim 5, wherein the token specifying the first set of permissions is a cookie usable to access an interface provided by a computing resource service provider on the off-premises network.
8. The system of claim 5, wherein the instructions further cause the system to exchange the token included in the request with a second token, the second token usable to process the request in the manner.
9. The system of claim 8, wherein the second token is a policy document comprising one or more policy statements specifying the first set of permissions, the policy document accessible by one or more services hosted on the off-premises network.
10. The system of claim 8, wherein the second token is a temporary token configured with an expiration enforceable by one or more components of the off-premises network.
11. The system of claim 5, wherein the first set of permissions are changeable between providing the token to the client device and receipt of the request.
12. The system of claim 5, wherein the first set of permissions for access to the one or more off-premises resources are managed within the on-premises network.
13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least: receive a first token specifying an identity corresponding to a first set of permissions for access to off-premises resources and specifying a second set of permissions applicable to at least some of the off-premises resources; provide, to a client device connected to an on-premises network, a second token specifying the first set of permissions, the first set of permissions determined based at least in part on the second set of permissions; receive a request from the client device to access the off-premises resources, the request including the second token; and access information encoding the first set of permissions from a source different from the second token to determine a manner in which to process the request based at least in part on the accessed information.
14. The non-transitory computer-readable storage medium of claim 13, the first set of permissions for access to the off-premises resources are managed within the on-premises network.
15. The non-transitory computer-readable storage medium of claim 13, wherein the first set of permissions are changeable between providing the second token to the client device and receipt of the request.
16. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to exchange the second token included in the request with a third token, the third token usable to process the request in the manner.
17. The non-transitory computer-readable storage medium of claim 16, wherein the third token is a policy document comprising one or more policy statements specifying the first set of permissions, the policy document accessible by a service hosted on the off-premises network.
18. The non-transitory computer-readable storage medium of claim 16, wherein the third token is a temporary token configured with an expiration enforceable by one or more components of the off-premises network.
19. The non-transitory computer-readable storage medium of claim 13, wherein the second token is an encrypted cookie that, when decrypted, specifies the first set of permissions and is usable to access an interface provided by a computing resource service provider on the off-premises network.
20. The non-transitory computer-readable storage medium of claim 13, wherein the second token is provided to the client device by an identity provider operating within the on-premises network, the identity provider configured to utilize a set of credentials from the client device to identify the identity corresponding to the first set of permissions.
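The flow described in the abstract and claims (a security document carrying roles comes in, a cookie carrying the roles and an interface address goes out, and at request time the effective permissions are resolved from a source other than the cookie, optionally exchanged for an expiring token), as an added illustration that is not the patent's own code. Assumptions: an HMAC-signed cookie stands in for the encrypted cookie of claim 19, a plain dict stands in for the security document, and the signing key and role-to-permission store are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (not from the patent): provider-side signing key and
# the provider's permission store, which is the "source different from the token".
SECRET = b"constructed-demo-key"
PERMISSIONS = {"analyst": {"read"}, "admin": {"read", "write"}}
INTERFACE = "https://provider.example/api"  # placeholder interface address


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_cookie(security_document: dict, now=None) -> str:
    """Provider turns a security document (roles from the on-premises IdP) into a
    signed cookie naming the roles and the interface to call. Only roles travel in
    the cookie; the permissions behind them stay in PERMISSIONS."""
    now = int(time.time()) if now is None else now
    payload = {"roles": list(security_document["roles"]), "interface": INTERFACE, "iat": now}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_cookie(cookie: str):
    """Return the cookie payload, or None if the signature does not verify."""
    body, _, sig = cookie.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def resolve_permissions(roles, store=PERMISSIONS) -> set:
    """Look up what the roles currently grant; a role removed from the store after
    the cookie was issued grants nothing (claims 3, 11, 15)."""
    return set().union(*(store.get(role, set()) for role in roles))


def authorize(cookie: str, action: str, store=PERMISSIONS) -> bool:
    """Decide a request: roles come from the cookie, permissions from the store."""
    payload = parse_cookie(cookie)
    return payload is not None and action in resolve_permissions(payload["roles"], store)


def exchange_for_temporary_token(cookie: str, ttl_seconds: int = 900, store=PERMISSIONS, now=None):
    """Swap the cookie for a short-lived token carrying the resolved permissions and
    an expiry the off-premises services can enforce (claims 4, 10, 18)."""
    payload = parse_cookie(cookie)
    if payload is None:
        return None
    now = int(time.time()) if now is None else now
    return {"permissions": sorted(resolve_permissions(payload["roles"], store)),
            "expires_at": now + ttl_seconds}
```

Revoking a role in the store after the cookie was issued is the case the claims single out: the cookie still verifies, but the request is denied because the permissions are not read from the cookie.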
CPC classification titles: Multiple levels of security; using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code, H04L9/3226); providing single-sign-on or federations; for controlling access to devices or network resources.