DISTRIBUTED ACCESS CONTROL FOR DOCUMENT CENTRIC COLLABORATIONS

US 20100158254A1
Filed: 12/18/2008
Published: 06/24/2010
Est. Priority Date: 12/18/2008
Status: Active Grant

First Claim

Patent Images

1. A computer system including instructions stored on a computer-readable medium, the computer system comprising:

an access interest manager configured to provide an expression of access interest of a collaboration participant with respect to a document portion, the access interest specified in terms of an access primitive describing a type of access requested for the document portion;

a document access pattern manager configured to receive access requests from a plurality of collaboration participants including the collaboration participant, each access request including at least one access primitive;

a document authorization manager configured to receive the expression of access interest and to associate the collaboration participant with a common access interest group of the collaboration participants, based on the access requests and on an access control policy specified in terms of access credentials of the common access interest group participants;

a document edition manager configured to update the document portion based on the access primitive; and

a key manager configured to implement a common secret key that is common to the common access interest group for encrypting/decrypting the document portion.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Document collaboration may be implemented by executing an access interest specification phase. The access interest specification phase may include receiving access requests from collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one schema portion for access to a corresponding document instance portion based thereon, determining a common access interest group of the collaboration participants, based on the access requests, access credentials of the collaboration participants, and on an access control policy specified in terms of the access credentials, and providing a control data block to the participants of the common access interest group including information for generating a common secret key that is common to the participants of the common access interest group. The document collaboration may further be implemented by executing a collaboration phase. The collaboration phase execution may include encrypting the document instance portion using the access control policy, and providing access to the document instance for access to the document instance portion by an accessing participant of the common access interest group, the access including decryption of the document instance portion using the common secret key.

Citations

20 Claims

1. A computer system including instructions stored on a computer-readable medium, the computer system comprising:
- an access interest manager configured to provide an expression of access interest of a collaboration participant with respect to a document portion, the access interest specified in terms of an access primitive describing a type of access requested for the document portion;
  
  a document access pattern manager configured to receive access requests from a plurality of collaboration participants including the collaboration participant, each access request including at least one access primitive;
  
  a document authorization manager configured to receive the expression of access interest and to associate the collaboration participant with a common access interest group of the collaboration participants, based on the access requests and on an access control policy specified in terms of access credentials of the common access interest group participants;
  
  a document edition manager configured to update the document portion based on the access primitive; and
  
  a key manager configured to implement a common secret key that is common to the common access interest group for encrypting/decrypting the document portion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer system of claim 1 wherein the access primitives include operations to view, append, delete, or rename the document portion.
  - 3. The computer system of claim 1 wherein the expression of access interest is made with respect to a document schema of the document.
  - 4. The computer system of claim 3 wherein the access interest manager is configured to provide a graphical user interface including a plurality of elements to allow for receipt of specification of the document schema, the document portion, and the access primitive.
  - 5. The computer system of claim 1 wherein the key manager is configured to receive a control data block that allows for generation of the common secret key.
  - 6. The computer system of claim 1 wherein the document authorization manager and the document access pattern manager are implemented at an authority associated with membership management of the common access interest group, and wherein the membership management is delegated to a collaboration participant of the common access interest group when the authority is unavailable.
  - 7. The computer system of claim 1 wherein the document edition manager comprises:
    - a document envelope generator configured to generate a document envelope containing content updates to the document portion as implemented by collaboration participants of the common access interest group.
  - 8. The computer system of claim 7 wherein the document envelope is encrypted/decrypted using the common secret key.
  - 9. The computer system of claim 1 wherein the document includes an extensible mark-up language (XML) document.

10. A computer program product for executing process models, the computer program product being tangibly embodied on a computer-readable medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to:
- receive access requests from collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one schema portion for access to a corresponding document instance portion based thereon;
  
  determine a common access interest group of the collaboration participants, based on the access requests, access credentials of the collaboration participants, and on an access control policy specified in terms of the access credentials;
  
  provide a control data block to the participants of the common access interest group including information for generating a common secret key that is common to the participants of the common access interest group;
  
  encrypt the document instance portion using the access control policy; and
  
  provide access to the document instance for access to the document instance portion by an accessing participant of the common access interest group, the access including decryption of the document instance portion using the common secret key.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computer program product of claim 10 wherein each of the access requests are specified in terms of an access primitive describing a type of access requested for the document instance portion.
  - 12. The computer program product of claim 10 wherein the information for generating the common secret key includes a public key of each of the collaboration participants of the common access interest group.
  - 13. The computer program product of claim 10 wherein the common access interest group and common secret key are updated upon a joining or leaving of a member thereof.
  - 14. The computer program product of claim 13 wherein the updating is asynchronous in that each participant updates the common secret key upon receipt of notification of the updating in conjunction with an access to the document instance portion, and until then continues using the common secret key.
  - 15. The computer program product of claim 10 wherein the control data block includes authority delegation information allowing the accessing participant authority to update the common access interest group.
  - 16. The computer program product of claim 10 wherein the document instance portion is re-encrypted using the common secret key once the accessing is complete.

17. A computer-implemented method of document collaboration comprising:
- executing an access interest specification phase, includingreceiving access requests from collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one schema portion for access to a corresponding document instance portion based thereon;
  
  determining a common access interest group of the collaboration participants, based on the access requests, access credentials of the collaboration participants, and on an access control policy specified in terms of the access credentials;
  
  providing a control data block to the participants of the common access interest group including information for generating a common secret key that is common to the participants of the common access interest group; and
  
  executing a collaboration phase, includingencrypting the document instance portion using the access control policy;
  
  providing access to the document instance for access to the document instance portion by an accessing participant of the common access interest group, the access including decryption of the document instance portion using the common secret key.
- View Dependent Claims (18, 19, 20)
- - 18. The computer method of claim 17 wherein each of the access requests are specified in terms of an access primitive describing a type of access requested for the document instance portion.
  - 19. The computer method of claim 17 wherein the access primitives include operations to view, append, delete, or rename the document instance portion.
  - 20. The computer method of claim 17 wherein the common access interest group and common secret key are updated upon a joining or leaving of a member thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Rahaman, Mohammad Ashiqur, Schaad, Andreas

Granted Patent

US 8,689,352 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/282
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 2221/2107   File encryption

G06F 2221/2147   Locking files

G06Q 10/10   Office automation; Time man...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 9/0836   using tree structure or hie...

H04L 9/0891   Revocation or update of sec...

H04L 9/3247   involving digital signatures

H04L 9/3265   using certificate chains, t...

H04L 9/50   using hash chains, e.g. blo...

DISTRIBUTED ACCESS CONTROL FOR DOCUMENT CENTRIC COLLABORATIONS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED ACCESS CONTROL FOR DOCUMENT CENTRIC COLLABORATIONS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links