System and method for recursive propagating application access control
Abstract
A system and method for recursive propagating application access control relate to managing third-party application access to content files and folders on a cloud storage system. The access control system may receive an access authorization indication to grant a third-party entity access to a parent folder containing a first file, and then modify an access control rule associated with the parent folder based on the access authorization indication. The modified access control rule is propagated to a child folder of the parent folder, and thus the third-party entity is granted access to a second file in the child folder based on the modified access control rule. The second file shares a common attribute with the first file, and the modified access control rule specifies the common attribute.
17 Claims
1. A computer-implemented method for managing access control of shared contents on a cloud storage system, the method comprising:
- obtaining, from a user at the cloud storage system, an access authorization indication message indicating that an entity is granted access to a parent folder in a folder hierarchy containing a first file and a child folder, the parent folder being stored at the cloud storage system, the entity being different from a creator of the first file and the entity being a third party application;
- modifying, by a processor at the cloud storage system, an access control rule associated with the parent folder, the access control rule specifying that the entity has access to the parent folder based on the access authorization indication message, specifying a file type associated with the first file, and including an application-specific data entry that indicates an access status of the entity; and
- asynchronously propagating, by the processor at the cloud storage system, the modified access control rule to the child folder, the asynchronously propagating of the modified access control rule comprising:
  - receiving an access request from the entity to access a second file in the child folder of the parent folder in the folder hierarchy,
  - responsive to the receiving of the access request from the entity to access the second file in the child folder and determining that an access control rule associated with the child folder does not specify access to files in the child folder for the entity, performing a fallback search based on the folder hierarchy by searching the folder hierarchy for an upper folder of the child folder with an access control rule specifying that the entity has access to the upper folder and also specifying a file type associated with the second file,
  - responsive to finding the upper folder with the access control rule specifying that the entity has access to the upper folder and also specifying the file type associated with the second file, automatically granting, by the processor at the cloud storage system, the entity access to the second file in the child folder and modifying the access control rule associated with the child folder to specify that the entity has access to files in the child folder based on the access control rule of the upper folder, the upper folder being the parent folder, and
  - responsive to not finding the upper folder having the access control rule specifying that the entity has access to the upper folder and also specifying the file type associated with the second file, automatically denying, by the processor at the cloud storage system, the entity access to the second file in the child folder without user manual configuration of access denial for the second file.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A computer-implemented method for managing access control of shared contents, the method comprising:
- obtaining, at a cloud storage system, an access authorization indication message indicating that a user grants an entity access to a first folder containing a first file and a second folder, wherein: the first folder is a parent folder of the second folder in a folder hierarchy, and the entity is different from a creator of the first file and is a third party application;
- modifying, by a processor at the cloud storage system, a first access control list associated with the first folder based on the access authorization indication, wherein a modification to the first access control list includes an access control list entry including user identifying information of the user, entity information, a file content type and an application-specific data entry that indicates an access status of the entity; and
- asynchronously propagating, by the processor at the cloud storage system, the modified first access control list to the second folder, the asynchronously propagating of the modified first access control list comprising:
  - receiving an access request to access a second file in the second folder from the entity,
  - responsive to the receiving of the access request from the entity to access the second file in the second folder and determining that a second access control list associated with the second folder does not specify access to files in the second folder for the entity, performing a fallback search based on the folder hierarchy by searching the folder hierarchy for an upper folder of the second folder with an access control list specifying that the entity has access to the upper folder and also specifying a file content type associated with the second file,
  - responsive to finding the upper folder with the access control list specifying that the entity has access to the upper folder and also specifying the file content type associated with the second file, automatically granting, by the processor at the cloud storage system, the entity access to the second file in the second folder and modifying the second access control list associated with the second folder to specify that the entity has access to files in the child folder based on the access control list of the upper folder, the upper folder being the first folder that is the parent folder of the second folder, and
  - responsive to not finding the upper folder having the access control list specifying that the entity has access to the upper folder and also specifying the file content type associated with the second file, automatically denying the entity access to the second file without user manual configuration of access denial for the second file.

Dependent claims: 13, 14, 15, 16.
17. A computer-implemented method for managing access control of shared contents, the method comprising:
- obtaining, at a cloud storage system, an access authorization indication message indicating that a user grants an entity access to a first folder containing a first file and a second folder, wherein: the first folder is a parent folder of the second folder in a folder hierarchy and the entity is different from a creator of the first file and is a third party application;
- verifying, by a processor at the cloud storage system, the user has right to grant access control to the first file in the first folder;
- modifying a first access control list associated with the first folder based on the access authorization indication, wherein a modification is made to a first application Access Control List (ACL) data entry of the first access control list that includes user identifying information of the user, entity information, a file content type, and an application-specific data entry that indicates an access status of the entity; and
- asynchronously propagating, by the processor at the cloud storage system, the modified first application ACL data entry to the second folder, the asynchronously propagating of the modified first application ACL data entry comprising:
  - receiving an access request to access a second file in the second folder from the entity,
  - responsive to the receiving of the access request from the entity to access the second file in the second folder and determining that an ACL data entry of a second access control list associated with the second folder does not specify access to files in the second folder for the entity, performing a fallback search based on the folder hierarchy by searching the folder hierarchy for an upper folder of the second folder with an ACL data entry specifying that the entity has access to the upper folder and also specifying a file content type associated with the second file,
  - responsive to finding the upper folder with the ACL data entry specifying that the entity has access to the upper folder and also specifying the file content type associated with the second file, automatically granting, by the processor at the cloud storage system, the entity access to the second file in the second folder and modifying the second access control list associated with the second folder based on the ACL data entry of the upper folder, the upper folder being the first folder that is the parent folder of the second folder, and
  - responsive to not finding the upper folder having the ACL data entry specifying that the entity has access to the upper folder and also specifying the file content type associated with the second file, automatically denying the entity access to the second file without user manual configuration of access denial for the second file in the second folder.
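The fallback search shared by claims 1, 12 and 17 (owner verification, ACL modification on the parent, lazy propagation on the first request, automatic denial on a miss), written out as an added Python example; this is not code from the patent or from any product it covers, and the folder/ACL data model, the `owner` check and the status value `"granted"` are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AclEntry:
    user: str        # user identifying information of the granting user
    app: str         # entity information: the third-party application
    file_type: str   # file content type the grant covers
    status: str      # application-specific access status (assumed: "granted")

@dataclass
class Folder:
    name: str
    owner: str                                   # assumed: the creator of the folder's files
    parent: Optional["Folder"] = None
    acl: list = field(default_factory=list)      # list of AclEntry
    files: dict = field(default_factory=dict)    # file name -> file content type

def grant(user: str, folder: Folder, app: str, file_type: str) -> None:
    """Claim 17's verification step, then the ACL modification on the granted folder."""
    if user != folder.owner:
        raise PermissionError(f"{user} may not grant access on {folder.name}")
    folder.acl.append(AclEntry(user, app, file_type, "granted"))

def _matching_entry(folder: Folder, app: str, file_type: str) -> Optional[AclEntry]:
    """An entry counts only if it names this app, this file type, and a granted status."""
    return next((e for e in folder.acl
                 if e.app == app and e.file_type == file_type and e.status == "granted"), None)

def request_access(folder: Folder, file_name: str, app: str) -> bool:
    """Consult the folder's own ACL, fall back up the hierarchy, cache a hit, deny a miss."""
    file_type = folder.files[file_name]
    if _matching_entry(folder, app, file_type):
        return True
    upper = folder.parent
    while upper is not None:
        entry = _matching_entry(upper, app, file_type)
        if entry:
            # Propagation happens here, on demand: copy the upper folder's rule down.
            folder.acl.append(AclEntry(entry.user, app, file_type, entry.status))
            return True
        upper = upper.parent
    return False  # no upper folder grants this app this file type: automatic denial

def build_example():
    """Constructed hierarchy: root (grant for image/png) -> child with two files."""
    root = Folder("root", owner="alice")
    child = Folder("child", owner="alice", parent=root)
    child.files = {"photo.png": "image/png", "notes.txt": "text/plain"}
    grant("alice", root, "photo-app", "image/png")
    return root, child
```

Note that the grant is scoped by file type, not by file: once propagated, the child folder's ACL carries its own entry, so later revocation on the parent must also be propagated down, which the claims leave to the implementation.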
Specification