| CPC G06F 21/62 (2013.01) [G06F 21/604 (2013.01); G06F 21/6209 (2013.01)] | 20 Claims |

1. A system, comprising:
at least one processor; and
at least one memory coupled to the at least one processor, comprising instructions that, in response to execution by the processor, cause a security interceptor of the system to perform operations, comprising:
receiving a request associated with an account to perform a query operation with respect to a group of computing resources, and a first scope of the query operation that identifies an amount of the group of computing resources being requested;
identifying an attribute-based access control policy comprising a permission policy and a condition policy that is associated with performing the query operation with respect to the group of computing resources with the first scope of the query operation, wherein the permission policy comprises a first Boolean expression of one or more permissions, and wherein the condition policy comprises a second Boolean expression of one or more conditions;
determining whether the account satisfies the permission policy with respect to the query operation, wherein determining whether the account satisfies the condition policy evaluates to true based on account attributes of the account and resource attributes of the group of computing resources in the first scope of the query operation; and
in response to determining that the account satisfies the condition policy, sending an indication of the request as constrained by the first scope and a second scope that is based on the condition policy to a service that is configured to process the request, the service performing the query operation as constrained by the first scope and the second scope with respect to the group of computing resources to produce a result, and responding to the request with the result.
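The two-stage evaluation recited in claim 1 (a permission policy that is a Boolean expression over permissions, then a condition policy over account and resource attributes that yields a second scope the service applies alongside the requested scope), as an added Python example that is not part of the patent; the Policy and Service shapes and the inventory are assumptions.

```python
# Added example (not the patent's own code): a security interceptor that
# enforces an attribute-based access control policy on a scoped query.
# Policy shapes, the Service API and the inventory are all assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Attrs = Dict[str, str]

@dataclass
class Policy:
    # Permission policy: Boolean expression over the account's permission set.
    permission: Callable[[Set[str]], bool]
    # Condition policy: Boolean expression over account and resource attributes.
    condition: Callable[[Attrs, Attrs], bool]

class Service:
    """Backing service that owns the resources (constructed sample inventory)."""
    def __init__(self, inventory: Dict[str, Attrs]):
        self.inventory = inventory
    def describe(self, limit: int) -> Dict[str, Attrs]:
        # Resource attributes of the group within the first scope (the limit).
        return dict(list(self.inventory.items())[:limit])
    def query(self, limit: int, allowed: Set[str]) -> List[str]:
        # Performs the query constrained by both the first and second scope.
        return [rid for rid in list(self.inventory)[:limit] if rid in allowed]

def intercept(account: Attrs, perms: Set[str], limit: int,
              policy: Policy, service: Service) -> dict:
    if not policy.permission(perms):
        return {"allowed": False, "reason": "permission policy"}
    in_scope = service.describe(limit)
    # Second scope: resources in the first scope for which the condition holds.
    second_scope = {rid for rid, attrs in in_scope.items()
                    if policy.condition(account, attrs)}
    if not second_scope:
        return {"allowed": False, "reason": "condition policy"}
    return {"allowed": True, "result": service.query(limit, second_scope)}

SERVICE = Service({  # constructed inventory, in query order
    "r1": {"department": "finance", "classification": "internal"},
    "r2": {"department": "finance", "classification": "restricted"},
    "r3": {"department": "sales", "classification": "internal"},
    "r4": {"department": "finance", "classification": "internal"},
})
POLICY = Policy(
    permission=lambda p: "read" in p and ("list" in p or "admin" in p),
    condition=lambda acct, res: (res["department"] == acct["department"]
                                 and res["classification"] != "restricted"),
)
```

A request for four resources from a finance account holding read and list is forwarded with the second scope {r1, r4}; the same account with only read is refused at the permission policy before any resource attributes are consulted.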