Enforcing access control on resources at a location other than the source location
Abstract
Systems and methods for enforcing access control on secured documents that are stored outside of the direct control of the original application that would normally store and govern access to the documents. Access security can be enforced at a search engine associated with an indexing system that compiles references to documents at any number of network locations. The search engine discloses to the requesting user only those documents that the user is authorized to read. If a document is identified for potential disclosure to a user, and the document's source location has an access control system that is not directly interoperable with a native access control system of the search engine, a security provider at the search engine enforces access control. The security provider, in cooperation with the source location of the document, converts the user context that identifies the requesting user to a format that can be used by the security provider. The security provider also retrieves the access control information from the document's source location. The security provider then applies the user context to the access control information to determine if the user is authorized to read the document.
9 Claims
1. In a networked computing environment having a first data storage location and an indexing system, wherein the first data storage location employs a first access control system to control access to documents stored at the first data storage location, and wherein the indexing system employs a second access control system to control access to documents stored at the indexing system, a method for indexing documents while preserving access security for the indexed documents, the method comprising:
- maintaining, at the first data storage location, a stored copy of a first document and access control information defining user access privileges to the first document in accordance with the first access control system;
- indexing the first document at the indexing system so as to create a reference to the first document in the indexing system; and
- if the first and second access control systems are compatible, retrieving from the first data storage location the access control information associated with the first document and storing the access control information in the indexing system in association with the reference to the first document, otherwise, storing, at the indexing system in association with the reference to the first document, document source location information identifying the first data storage location as the source of the first document.

2.
- receiving, at the indexing system, a query from a user, wherein the user is identified by a user context that is compatible with the access control system of the indexing system;
- identifying, by the indexing system, references contained in the indexing system that satisfy the query;
- for each reference identified as satisfying the query, determining, by the indexing system, whether the user has access privileges to the document to which the reference refers; and
- returning, by the indexing system to the user, a response to the query listing only references to those documents to which the user is determined by the indexing system to have access privileges.

3. The method of claim 2, wherein the determining step comprises:
- for each reference in the indexing system having been identified as satisfying the query and having access control information associated with it, comparing the user context with the access control information associated with the reference to determine whether the user has access privileges to the document to which the reference refers; and
- for each reference having been identified as satisfying the query and having document source location information associated with it, receiving, by the indexing system from the first data storage location, the access control information associated with the document to which the reference refers;
- translating the user context to a translated user context that is compatible with the access control system of the first data storage location; and
- comparing the translated user context with the access control information received from the first data storage location to determine whether the user has access privileges to the document to which the reference refers.

4. The method of claim 2, wherein the determining step comprises:
- for each reference in the indexing system having been identified as satisfying the query and having access control information associated with it, comparing the user context with the access control information associated with the reference to determine whether the user has access privileges to the document to which the reference refers; and
- for each reference having been identified as satisfying the query and having document source location information associated with it, translating the user context to a translated user context that is compatible with the access control system of the first data storage location;
- transmitting, by the indexing system to the first data storage location, a request for the document to which the reference refers, wherein the indexing system impersonates the user by making the request in the name of the translated user context; and
- comparing, by the first data storage location, the translated user context with the access control information associated with the document to which the reference refers to determine whether the user has access privileges to such document.

5. The method of claim 3 or 4, wherein the translating step is performed by the indexing system.

6. The method of claim 3 or 4, wherein the translating step is performed by the first data storage location.

7. The method of claim 3 or 4 further comprising, for each reference having been identified as satisfying the query and having document source location information associated with it, caching the translated user context and the access control information associated with the document to which the reference refers so as to create a cached access control information.

8. The method of claim 7 further comprising periodically expunging the cached access control information in accordance with predefined cache expungement criteria.

9. A computer-readable medium having computer-executable instructions for performing the steps of claim 1, 2, 3 or 4.
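
The index-time branch of claim 1 and the query-time trimming of claims 2, 3, 7 and 8, worked through in Python as an added example that is not part of the patent text. The names `SOURCES`, `translate`, `Index` and `cache_ttl`, the `DOMAIN\user` identity format and the sample documents are assumptions constructed for illustration.

```python
import time

# Constructed sample data: "fileshare" uses ACLs the index understands natively,
# "legacy" uses an identity format the index cannot evaluate directly.
SOURCES = {
    "fileshare": {"compatible": True, "acls": {"a.doc": {"alice", "bob"}}},
    "legacy": {"compatible": False, "acls": {"b.doc": {"LEGACY\\alice"}}},
}

def translate(user, source):
    """Hypothetical user-context translation into the source's identity format."""
    return source.upper() + "\\" + user

class Index:
    def __init__(self, cache_ttl=60.0):
        self.refs, self.cache, self.cache_ttl = {}, {}, cache_ttl

    def add(self, source, doc, text):
        src = SOURCES[source]
        if src["compatible"]:      # claim 1: store the ACL with the reference
            entry = {"acl": set(src["acls"][doc])}
        else:                      # otherwise store only the source location
            entry = {"source": source}
        self.refs[doc] = dict(entry, text=text)

    def _allowed(self, user, doc, now):
        ref = self.refs[doc]
        if "acl" in ref:           # claim 3, first branch: compare natively
            return user in ref["acl"]
        hit = self.cache.get((user, doc))
        if hit is None or now - hit[0] > self.cache_ttl:   # claims 7-8: cache, then expunge
            ctx = translate(user, ref["source"])
            # ACL received from the source; a missing ACL means deny.
            acl = set(SOURCES[ref["source"]]["acls"].get(doc, ()))
            hit = self.cache[(user, doc)] = (now, ctx, acl)
        return hit[1] in hit[2]

    def search(self, user, term, now=None):
        now = time.monotonic() if now is None else now
        # Claim 2: return only references the user is authorized to see.
        return sorted(d for d, r in self.refs.items()
                      if term in r["text"] and self._allowed(user, d, now))
```

In this example a permission revoked at the source keeps appearing in results until the cached entry ages out, and an ACL copied at index time stays in force until the document is re-indexed.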
Specification