Access control based on operation expiry data

US 10,223,363 B2
Filed: 10/30/2014
Issued: 03/05/2019
Est. Priority Date: 10/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method, implemented at a computer system that includes one or more processors, for controlling access to a particular file of a plurality of files within a file system, the method comprising:

atomically associating, at the computer system, access control information with the particular file such that when the particular file is independently moved or copied, the access control information and the particular file are moved or copied atomically together, wherein the access control information includes operation expiry data that is correlated with at least one location and at least one file operation type, wherein atomically associating the access control information with the particular file Includes at least one of attaching the access control information to the particular file by using a separate file that contains the access control information for the particular file, or modifying properties of the file to include the control information, or providing or the control information in an alternate data stream;

receiving, at the computer system, an operation request to perform an operation of a particular file operation type on the particular file;

identifying, at the computer system, a location associated with the operation request;

identifying within the access control information that is atomically associated with the particular file, at the computer system, the operation expiry data that corresponds to both the location associated with the operation request and the particular file operation type of the operation request; and

using, at the computer system, the identified operation expiry data that corresponds to both the location associated with the operation request and the particular file operation type, to selectively penult or, alternatively, deny the requested operation of the particular file operation type on the particular file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The controlling of access to a file system entity based on location of the requestor and operation expiry data of the file system entity. Operation expiry data and location data are associated with a file system entity (e.g., a file, a directory, a partition, or a disk) such that the file system entity and the operation expiry data and the location data are moved or copied atomically together. Upon receiving a request to perform an operation on the file system entity, the system identifies a location status of the requestor. The system then identifies expiry data that corresponds to the location status, and that is associated with the requested operation. The system then uses the identified expiry data to determine whether or not the requested file operation is to be permitted.

Citations

19 Claims

1. A method, implemented at a computer system that includes one or more processors, for controlling access to a particular file of a plurality of files within a file system, the method comprising:
- atomically associating, at the computer system, access control information with the particular file such that when the particular file is independently moved or copied, the access control information and the particular file are moved or copied atomically together, wherein the access control information includes operation expiry data that is correlated with at least one location and at least one file operation type, wherein atomically associating the access control information with the particular file Includes at least one of attaching the access control information to the particular file by using a separate file that contains the access control information for the particular file, or modifying properties of the file to include the control information, or providing or the control information in an alternate data stream;
  
  receiving, at the computer system, an operation request to perform an operation of a particular file operation type on the particular file;
  
  identifying, at the computer system, a location associated with the operation request;
  
  identifying within the access control information that is atomically associated with the particular file, at the computer system, the operation expiry data that corresponds to both the location associated with the operation request and the particular file operation type of the operation request; and
  
  using, at the computer system, the identified operation expiry data that corresponds to both the location associated with the operation request and the particular file operation type, to selectively penult or, alternatively, deny the requested operation of the particular file operation type on the particular file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method in accordance with claim 1, wherein atomically associating operation expiry data and location data with the particular file comprises:
    - including, at the computer system, the operation expiry data and the location data in the alternate data stream of the particular file.
  - 3. The method in accordance with claim 1, wherein atomically associating the operation expiry data and location data with the particular file comprises including the operation expiry data and the location data as one or more properties of the particular file.
  - 4. The method in accordance with claim 1, wherein using of the identified operation expiry data comprises:
    - determining, at the computer system, that the location is unknown;
      
      in response to determining that the location is unknown, accessing, at the computer system, a default expiry rule set for the requested operation; and
      
      determining, at the computer system, whether to permit or deny the requested operation based on the default rule set.
  - 5. The method in accordance with claim 1, the location being a location of a requestor of the requested operation, the identified operation expiry data being included within the atomically associated operation expiry data for the particular file.
  - 6. The method in accordance with claim 1, wherein using the identified operation expiry data comprises:
    - interpreting, at the computer system, the operation expiry data as indicating that there is no expiry for the requested operation; and
      
      permitting, at the computer system, the operation based on the lack of expiry for the requested operation.
  - 7. The method in accordance with claim 1, wherein using the identified operation expiry data to determine whether the requested operation is permitted on the particular file comprises:
    - interpreting, at the computer system, the operation expiry data as indicating that the requested operation has expired without reference to an expiry time; and
      
      denying, at the computer system, the operation based on the expired state for the requested operation.
  - 8. The method in accordance with claim 1, the method further comprising the following when it is determined that the requested operation is permitted:
    - causing, at the computer system, the requested operation to be performed on the particular file.
  - 9. The method in accordance with claim 8, the causing of the requested operation to be performed comprising:
    - transcoding, at the computer system, the particular file to be a transcoded file that is suitable for an operating system of a requestor of the requested operation.
  - 10. The method in accordance with claim 8, the causing of the requested operation to be performed comprising:
    - transcoding, at the computer system, the particular file to be in a serialization implementation that is implemented by an operating system of a requestor of the requested operation.
  - 11. The method of claim 1, wherein atomically associating the access control information with the particular file includes attaching the access control information to the particular file by using the separate file a side file such that the separate file containing the access control information for the particular file and the particular file are atomically moved or copied together.
  - 12. The method of claim 1, wherein moving or copying the particular file a particular location requires moving or copying the access control information to the particular location.
  - 13. The method of claim 1, wherein atomically associating the access control information with the particular file comprises modifying the particular file so that the particular file is moved or copied atomically together with the access control information.
  - 14. The method of claim 1, wherein atomically associating access control information with the particular file includes modifying the particular file to include the access control information within the particular file.

15. A computer program product comprising one or more computer-readable storage media having thereon one or more computer-executable instructions that are structured such that, when executed by the one or more processors of the computing system, cause the computing system to perform the following in response to receiving an operation request to perform an operation of a particular file operation type on a particular file within a plurality of files that are managed by an operating system, the particular file having access control information atomically associated with the particular file such that when the particular file is independently moved or copied, the access control information, and the particular file are moved or copied atomically together, the access control information comprising at least one operation expiry data that, is correlated with at least one location and at least one file operation type, wherein the access control information is atomically associated with the particular file by at least one of:
- a separate file that contains the access control information for the particular file, or properties of the file that include the control information, or an alternate data stream of the file that contains the access control information;
  
  identifying, at the computing system, a location status associated with the operation request;
  
  identifying within the access control information atomically associated with the particular file, at the computing system, the operation expiry data that corresponds to both the location associated with the operation request, and the particular file operation type of the operation request; and
  
  using, at the computer system, the identified operation expiry data that corresponds to both the location associated with the operation request and the particular file operation type, to permit or deny the requested operation of the particular file operation type on the particular file.
- View Dependent Claims (16, 17)
- - 16. The computer program product in accordance with claim 15, further comprising computer-executable instructions that are structured such that, when executed by the one or more processors of the computing system, cause the computing system to perform the following:
    - identifying, at the computing system, whether there is operation expiry data associated with particular file that is the target of the requested operation, wherein if the operation expiry data is present, the operation expiry data is used to determine whether operations on the particular file are permitted.
  - 17. The computer program product in accordance with claim 16, wherein when operations on the particular file are not permitted by the operation expiry data, file deletion data is referenced to determine whether to delete the particular file, wherein if the file deletion indicates that the particular file should be deleted, the particular file is deleted.

18. A computing system comprising:
- one or more computer-readable storage media having thereon a plurality of file system entities managed by an operating system of the computing system, at least a particular file system entity of the plurality of file system entities having access control information atomically associated with the particular file system entity such that when the particular file system entity is independently moved or copied, the access control information and the particular file system entity are moved or copied atomically together, the access control information comprising at least one operation expiry data that is correlated with at least one location and at least one file operation type, wherein the access control information is atomically associated with the particular file by at least one of;
  
  a separate file that contains the access control information for the particular file, or properties of the file that include the control information, or an alternate data stream of the file that contains the access control information; and
  
  one or more processors;
  
  the one or more computer-readable media further having thereon computer-executable instructions that are configured such that, when executed by the one or more processors, cause the computing system to perform the following in response to receiving an operation request to perform an operation of a particular file operation type on the particular file system entity;
  
  identify, at the computing system, a location associated with the operation request;
  
  identifying, at the computer system, within the access control information atomically associated with the particular file system entity, the operation expiry data that corresponds to both the location associated with the operation request and the particular file operation type of the operation request; and
  
  using, at the computer system, the expiry data that corresponds to both the location associated with the operation request and the particular file operation type, to permit or deny the requested operation of the particular file operation type on the particular file system entity.
- View Dependent Claims (19)
- - 19. The computing system in accordance with claim 18, the particular file system entity being an individual file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Plumb, Graham Charles, Keyes, Warren Leslie
Primary Examiner(s)
Corrielus, Jean M

Application Number

US14/529,063
Publication Number

US 20160124974A1
Time in Patent Office

1,587 Days
Field of Search

707689
US Class Current
CPC Class Codes

G06F 16/122   using management policies b...

G06F 21/6218   to a system of files or obj...

G06F 2221/21   Indexing scheme relating to...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2137   Time limited access, e.g. t...

Access control based on operation expiry data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Access control based on operation expiry data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links