Controlling Access by Web Applications to Resources on Servers
First Claim
1. A system that facilitates granting a third-party application access to a user resource located on a network system, the system comprising:
- a user-based access control list (ACL) checking utility configured to determine whether a first user has permission to access the user resource;
- a token-grant server checking utility configured to determine whether a token grant server has authenticated the third-party application with the network system;
- a resource-based ACL checking utility configured to determine whether the third-party application has permission to access the user resource on behalf of the first user, based at least in part on metadata associated with the user resource, wherein the metadata includes information indicating whether a second user has used the third-party application to access the user resource, wherein the first user is not the second user; and
- an authentication-fulfillment utility configured to fulfill the third-party application access request upon receiving affirmative determinations in all of the determinations made by the system, the fulfillment including enabling an authentication of the third-party application and granting the third-party application permission to access the user resource.
2 Assignments, 0 Petitions
Abstract
Techniques are shown for providing third-party applications access to user resources based on user actions and processes that provide the third-party applications with the correct security tokens. The scope of access granted in various implementations of the disclosure is all documents which the user has already opened with the third-party application.
156 Citations
24 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 5, 6, 7, 8, 9, 10, 11.

4. (canceled)

12. A computer implemented method that facilitates granting a third-party application access to one or more user resources located on a web-based storage system, the method comprising:
- determining whether a first user is on a user-based access control list (ACL) granting the first user access to the one or more user resources;
- determining whether an authorization access token has been granted by a token-grant server granting the third-party application limited access to the one or more resources;
- determining whether the third-party application is on a resource-specific ACL, indicating that a second user has used the third-party application to access the one or more resources, wherein the first user is not the second user;
- determining whether the third-party application has been installed by the first user; and
- in response to an affirmative determination for each of the determinings, fulfilling the third-party application access request, the fulfilling including enabling an authentication of the third-party application and granting the third-party application permission to access the one or more user resources.
Dependent claims: 13, 15, 16, 17, 18, 19, 20, 21.

14. (canceled)

22. A tangible, machine-readable, non-transitory storage medium having stored thereon program instructions that facilitate granting a third-party application access to one or more user resources located on a web-based storage system, the instructions when executed by a machine cause the machine to perform operations comprising:
- determining whether a first user is on a user-based access control list (ACL) granting the first user access to the one or more user resources;
- determining whether an authorization access token has been granted by a token-grant server granting the third-party application limited access to the one or more resources;
- determining whether the third-party application is on a resource-specific ACL, indicating that a second user has used the third-party application to access the one or more resources, wherein the first user is not the second user;
- determining whether the third-party application has been installed by the first user; and
- in response to an affirmative determination for each of the determinings, fulfilling the third-party application access request, the fulfilling including enabling an authentication of the third-party application and granting the third-party application permission to access the one or more user resources.
Dependent claims: 23, 24.
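The four determinations of claims 12 and 22 form a fail-closed authorization decision. The following is an added illustration of that decision logic, not code from the patent or its assignee; the class names, the in-memory ACL and token tables, and the users, apps and document in the constructed scenario are all assumptions. It shows the claim's central point: an app gets access to a document for a first user only if the document's resource-specific ACL already lists the app because some user opened the document with it, and every other check (user ACL, token grant, installation) also passes.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class UserResource:
    """A stored document plus the metadata the claims rely on."""
    resource_id: str
    user_acl: set[str]                                             # users allowed to access it
    app_usage: dict[str, set[str]] = field(default_factory=dict)   # app -> users who opened it with that app


@dataclass
class StorageSystem:
    resources: dict[str, UserResource]
    issued_tokens: set[tuple[str, str]]   # (app, user) pairs the token-grant server has authorized
    installed_apps: dict[str, set[str]]   # user -> apps that user has installed

    def record_open(self, app: str, user: str, resource_id: str) -> None:
        """A user opening a resource with an app puts the app on that resource's app ACL."""
        self.resources[resource_id].app_usage.setdefault(app, set()).add(user)

    def authorize(self, app: str, user: str, resource_id: str) -> tuple[bool, list[str]]:
        """Apply the four determinations; grant only if every one is affirmative.
        Returns (granted, names of failed checks) so a denial can be logged precisely."""
        res = self.resources.get(resource_id)
        failed: list[str] = []
        if res is None or user not in res.user_acl:            # user-based ACL
            failed.append("user-acl")
        if (app, user) not in self.issued_tokens:               # token-grant server
            failed.append("token-grant")
        # Resource-specific ACL: some user (not necessarily this one) opened the resource with the app.
        if res is None or not res.app_usage.get(app):
            failed.append("resource-acl")
        if app not in self.installed_apps.get(user, set()):     # app installed by this user
            failed.append("installed")
        return (not failed, failed)


def build_example() -> StorageSystem:
    """Constructed scenario: alice opened doc1 with 'editor'; bob shares doc1 but has not."""
    system = StorageSystem(
        resources={"doc1": UserResource("doc1", user_acl={"alice", "bob"})},
        issued_tokens={("editor", "alice"), ("editor", "bob"), ("viewer", "bob")},
        installed_apps={"alice": {"editor"}, "bob": {"editor", "viewer"}},
    )
    system.record_open("editor", "alice", "doc1")
    return system


if __name__ == "__main__":
    s = build_example()
    print(s.authorize("editor", "bob", "doc1"))   # granted: alice's earlier use put 'editor' on doc1's ACL
    print(s.authorize("viewer", "bob", "doc1"))   # denied: 'viewer' has never been used on doc1
```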