Access control systems and methods using visibility tokens with automatic propagation

US 20060294192A1
Filed: 06/27/2005
Published: 12/28/2006
Est. Priority Date: 06/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method for sharing content items among a plurality of users, the method comprising:

defining a first user token and a first content token, the first user token and the first content token each representing a first visibility policy for determining which of the plurality of users are granted access to content items posted by a first one of the plurality of users, wherein the first user token and the first content token are matching tokens;

associating the first user token with each user who is granted access to content items according to the first visibility policy;

receiving a visibility instruction for a first content item from the first user, the visibility instruction indicating that the first content item should be shared according to the first visibility policy; and

in response to the visibility instruction, associating the first content token with the first content item in an index of content items, wherein when one of the plurality of users requests access to the first content item, the request is granted or denied based on whether the first content token matches a user token associated with the requesting user.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control systems and methods regulate access to shared content items in a corpus using visibility tokens. A user provides other users with access to a content item by associating a content token with the content item and associating a matching user token with each user who is to be granted access. A user who attempts to access the content item succeeds only if that user has a user token matching the content token associated with the content item. User tokens can be propagated automatically from one user to another, e.g., based on trust relationships among the users. Content tokens can be indexed with content items so that when a user searches the corpus, a search engine can detect matches between user tokens and content tokens and filter the search results based on whether they are visible to the querying user.

Citations

24 Claims

1. A method for sharing content items among a plurality of users, the method comprising:
- defining a first user token and a first content token, the first user token and the first content token each representing a first visibility policy for determining which of the plurality of users are granted access to content items posted by a first one of the plurality of users, wherein the first user token and the first content token are matching tokens;
  
  associating the first user token with each user who is granted access to content items according to the first visibility policy;
  
  receiving a visibility instruction for a first content item from the first user, the visibility instruction indicating that the first content item should be shared according to the first visibility policy; and
  
  in response to the visibility instruction, associating the first content token with the first content item in an index of content items, wherein when one of the plurality of users requests access to the first content item, the request is granted or denied based on whether the first content token matches a user token associated with the requesting user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the content items include annotations created by the users, wherein each annotation is associated with a subject document to which the annotation relates.
  - 3. The method of claim 2 wherein the subject document is a Web page.
  - 4. The method of claim 1 wherein the first user token and the first content token are identical tokens.
  - 5. The method of claim 1 further comprising:
    - receiving a query from a querying one of the plurality of users; and
      
      in response to the query, selecting one or more content items from the index to return as search hits, wherein the first content item is not selected as a search hit unless the querying user is associated with a user token that matches the first content token.
  - 6. The method of claim 1 further comprising:
    - defining a second user token and a second content token, the second user token and the second content token each representing a second visibility policy for determining whether a particular one of the plurality of users is granted access to content items posted by the first user, wherein the second user token and the second content token are matching tokens; and
      
      associating the second user token with each user who is granted access to content items according to the second visibility policy;
  - 7. The method of claim 6 wherein the second user token also matches the first content token but the first user token does not match the second content token.
  - 8. The method of claim 6 further comprising:
    - receiving a visibility instruction for a second content item from the first user, the second visibility instruction indicating that the second content item should be shared according to the second visibility policy; and
      
      in response to the visibility instruction for the second content item, associating the second content token with the second content item in the index of content items, wherein when one of the plurality of users requests access to the second content item, the request is granted or denied based on whether the second content token matches a user token associated with the user.
  - 9. The method of claim 1 wherein the act of associating the first user token with each user who is granted access to content items according to the first visibility policy is performed automatically.
  - 10. The method of claim 9 wherein the first visibility policy is defined by reference to a maximum degree of separation in a trust network connecting the first user to others of the plurality of users.
  - 11. The method of claim 9 wherein the maximum degree of separation is at least one and the act of associating the first user token with each user who is granted access to content items according to the first visibility policy includes:
    - accessing trust network data for the trust network to identify one or more users who are friends of the first user; and
      
      associating the first user token with each of the friends of the first user.
  - 12. The method of claim 11 wherein the maximum degree of separation is at least two and the act of associating the first user token with each user who is granted access to content items according to the first visibility policy further includes:
    - accessing trust network data for the trust network to identify one or more users who are friends of the friends of the first user; and
      
      associating the first user token with each of the friends of the friends of the first user.

13. A method of searching a corpus of shared content items posted by a plurality of users, the method comprising:
- receiving a query from a querying one of the plurality of users, wherein the querying user is associated with a set of user tokens, each user token representing a visibility policy under which the querying user is granted access to content items posted by one of the plurality of users;
  
  accessing an index of the shared content items, wherein each shared content item in the index is associated with a content token that represents a visibility policy for determining which of the plurality of users are granted access to content items posted by one of the plurality of users;
  
  identifying, from the index, at least one of the shared content items as a search hit that satisfies the query, applying a visibility filter to each of the search hits, wherein the visibility filter is satisfied in the event that the search hit is associated with a content token that matches a user token in the set of user tokens associated with the querying user, and returning to the querying user a list of search hits that satisfy the visibility filter.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13 wherein the acts of receiving the query and returning the list of search hits are performed by a front end module configured to communicate with a user system and the acts of accessing the index, identifying the search hits and applying the visibility filter are performed by a search engine communicably coupled to the front end module.
  - 15. The method of claim 13 wherein the act of applying the visibility filter includes:
    - building a hash table based on the one or more user tokens associated with the querying user; and
      
      for each search hit, comparing the content tokens associated with the search hit to the user tokens using the hash table.
  - 16. The method of claim 15 further comprising retrieving the content tokens associated with one of the search hits from the index.
  - 17. The method of claim 15 further comprising retrieving the content tokens associated with one of the search hits from a visibility token cache.
  - 18. The method of claim 13 wherein the act of applying the visibility filter includes:
    - constructing a visibility bit vector based on the set of user tokens associated with the querying user, wherein each bit in the visibility bit vector corresponds to one of the shared content items in the corpus and wherein the value of each bit indicates whether the corresponding one of the shared content items has an associated content token that matches any of the user tokens in the set of user tokens; and
      
      for each search hit, using the value of the corresponding bit in the bit vector to determine whether the shared content item is visible to the querying user.
  - 19. The method of claim 18 further comprising:
    - storing the visibility bit vector in association with the set of user tokens in a visibility filter cache from which the visibility bit vector is retrievable by reference to the set of user tokens; and
      
      in response to a subsequent query from the querying user, retrieving the visibility bit vector from the visibility filter cache.

20. A method of searching a corpus of shared content items posted by a plurality of users, the method comprising:
- receiving a query from a querying one of the plurality of users, wherein the querying user is associated with a set of user tokens, each user token representing a visibility policy under which the querying user is granted access to content items posted by one of the plurality of users;
  
  reformulating the query to include the received query and a logical OR of the one or more user tokens associated with the querying user;
  
  accessing an index of the corpus of shared content items, wherein each shared content item in the index is associated with a content token that represents a visibility policy for determining which of the plurality of users are granted access to content items posted by one of the plurality of users;
  
  processing the reformulated query by reference to the index, thereby identifying one or more visible search hits from the corpus of shared content items, wherein each visible search hit is a content item from the corpus that satisfies the received query and that is associated with a content token that matches a user token in the set of user tokens associated with the querying user; and
  
  retiring a listing of the visible search hits to the user.
- View Dependent Claims (21)
- - 21. The method of claim 20 wherein the acts of receiving the query and returning the listing of the visible search hits are performed by a front end module configured to communicate with a user system and the acts of reformulating the query, accessing the index and processing the reformulated query are performed by a search engine communicably coupled to the front end module.

22. A computer system for sharing content items among a plurality of users, the system comprising:
- a user data store configured to store a user record for each of the plurality of users, wherein the user record for each user includes one or more user tokens associated with that user, each user token representing a visibility policy under which that user is granted access to content items posted by one of the plurality of users;
  
  a content data store configured to store an item record for each of the shared content items, wherein each item record includes one or more content tokens, each content token representing a visibility policy for determining which of the plurality of users are granted access to content items posted by one of the plurality of users;
  
  posting control logic configured to receive a visibility instruction for a first one of the shared content items from a first one of the plurality of users, the visibility instruction indicating that the first content item should be shared according to a first visibility policy, and to store a first content token in the item record for the first shared content item, the first content token representing the first visibility policy; and
  
  access control logic configured to receive a request from a requesting one of the plurality of users to access the first shared content item and to grant access in the event that one of the user tokens in the user record for the requesting user matches a content token associated with the first content item.
- View Dependent Claims (23)
- - 23. The computer system of claim 22 wherein the user record for each user further includes trust network data identifying one or more other users as being friends of that user and wherein each user token represents a visibility policy that is defined by reference to a maximum degree of separation in the trust network from a posting user, the system further comprising:
    - token propagation control logic configured to automatically determine which user records should include each user token based on the visibility policy and the trust network data and to automatically add user tokens to user records based on the automatic determination.

24. A computer system for searching a corpus of shared content items posted by a plurality of users, the system comprising:
- a user data store configured to store a user record for each of the plurality of users, wherein the user record for each user includes one or more user tokens associated with that user, each user token representing a visibility policy under which that user is granted access to content items posted by one of the plurality of users;
  
  a content data store configured to store an item record for each of the shared content items, wherein each item record includes one or more content tokens, each content token representing a visibility policy for determining which of the plurality of users are granted access to content items posted by one of the plurality of users;
  
  a front end module configured to receive a query from a querying one of the plurality of users, to extract from the user data store a set of user tokens associated with the querying user, and to return a search report including a listing of search hits to the querying user; and
  
  a search engine communicably coupled to the front end module and configured to receive the query and the set of user tokens from the front end module, to identify content items that satisfy the query and that are visible to the querying user, and to return the identified content items as search hits to the front end module, wherein the search engine is further configured to determine whether a content item is visible to the querying user by determining whether the content item is associated with a content token that matches a user token in the set of user tokens.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Slack Technologies LLC (Salesforce.com, Inc.)
Original Assignee
Yahoo! Inc. (Apollo Global Management, Inc.)
Inventors
Xu, Zhichen, Wang, John, Walters, Chad, Mao, Jianchang, Meltzer, Albert

Granted Patent

US 7,594,258 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/213
CPC Class Codes

H04L 63/102 Entity profiles

H04L 67/306 User profiles

Access control systems and methods using visibility tokens with automatic propagation

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Access control systems and methods using visibility tokens with automatic propagation

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links