Controlling access to electronic documents

US 7,434,048 B1
Filed: 09/09/2003
Issued: 10/07/2008
Est. Priority Date: 09/09/2003
Status: Active Grant

First Claim

Patent Images

1. A method performed in a document management system of controlling access to an electronic document, comprising:

receiving at a document management system a request from a first user for an electronic document at a first user location, the document management system storing a rendition of the electronic document in a document repository, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document;

authenticating the first user at the document management system using the set of access policies for the electronic document;

verifying that the first user is authorized to obtain the electronic document, and then passing an encrypted rendition of the electronic document to the first user;

receiving at the document management system a request from a second user for access to the encrypted rendition, where the second user received the encrypted rendition from the first user;

authenticating the second user at the document management system using the set of access policies to establish which operations the second user is allowed to perform on the encrypted rendition;

creating, at the document management system, a voucher for accessing the encrypted rendition, the voucher including the set of access policies for controlling access to the encrypted rendition of the electronic document, the voucher further including an electronic key operable to decrypt the encrypted rendition of the electronic document; and

passing the electronic voucher to the second user located at a second user location.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, for controlling access to an electronic document. A document management system receives a request from a first user at a first user location for an electronic document. The first user is authenticated using a set of access policies for the electronic document, to verify that the first user is authorized to obtain the electronic document. If so, an encrypted rendition is passed to the first user. A request for access to the encrypted rendition from a second user is then received. The second user is authenticated, using the set of access policies, to establish which operations the second user may perform on the encrypted rendition. A voucher including an electronic key for decrypting the encrypted rendition and the set of access policies is created at the document management system. The voucher is passed to the second user location.

Citations

72 Claims

1. A method performed in a document management system of controlling access to an electronic document, comprising:
- receiving at a document management system a request from a first user for an electronic document at a first user location, the document management system storing a rendition of the electronic document in a document repository, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document;
  
  authenticating the first user at the document management system using the set of access policies for the electronic document;
  
  verifying that the first user is authorized to obtain the electronic document, and then passing an encrypted rendition of the electronic document to the first user;
  
  receiving at the document management system a request from a second user for access to the encrypted rendition, where the second user received the encrypted rendition from the first user;
  
  authenticating the second user at the document management system using the set of access policies to establish which operations the second user is allowed to perform on the encrypted rendition;
  
  creating, at the document management system, a voucher for accessing the encrypted rendition, the voucher including the set of access policies for controlling access to the encrypted rendition of the electronic document, the voucher further including an electronic key operable to decrypt the encrypted rendition of the electronic document; and
  
  passing the electronic voucher to the second user located at a second user location.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - creating, at the document management system, the encrypted rendition using the rendition that is stored in the document repository.
  - 3. The method of claim 1, wherein creating a voucher comprises:
    - obtaining the set of access policies for the second user from an access control list that is associated with the electronic document; and
      
      including the obtained set of access policies in the electronic voucher.
  - 4. The method of claim 1, wherein the set of access policies for the electronic document identify one or more of the following operations:
    - adding content to the rendition, adding comments to the rendition, applying a digital signature to the rendition, saving the rendition, printing the rendition, importing form data into the rendition, exporting form data from the rendition, and transmitting the rendition to another user.
  - 5. The method of claim 1, where the set of access policies include:
    - a list of application rights.
  - 6. The method of claim 1, further comprising:
    - including expiration information in the electronic voucher prior to passing the electronic voucher to the second user location.
  - 7. The method of claim 6, wherein the expiration information includes one or more of:
    - a predetermined number of access operations before the voucher expires, a particular time period before the voucher expires, and a particular time when the voucher expires.
  - 8. The method of claim 1, wherein:
    - passing the encrypted rendition includes providing the encrypted rendition from a location other than the document repository.
  - 9. The method of claim 1, wherein the rendition is a Portable Document Format document.
  - 10. The method of claim 1, further comprising:
    - recording information relating to the request in an audit trail for the electronic document.
  - 11. The method of claim 1, wherein the first user and the second user are the same individual.
  - 12. The method of claim 1, wherein the first user location and the second user location are identical.

13. A method of accessing an electronic document, comprising:
- requesting, from a document management system, access to an electronic document for a user at a user location, one or more renditions of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document, wherein requesting access to an electronic document for a user at a user location includes providing authentication information to authenticate the user to the document management system;
  
  receiving at the user location an electronic voucher from the document management system for the electronic document, the electronic voucher including a set of access policies for accessing an encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, and an electronic key operable to decrypt the encrypted rendition of the electronic document; and
  
  using the electronic key of the electronic voucher at the user location to decrypt the encrypted rendition of the electronic document according to the set of access policies for accessing the encrypted rendition of the electronic document.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The method of claim 13, further comprising:
    - determining whether the encrypted rendition of the electronic document is available at the user location;
      
      wherein, if it is determined that the encrypted rendition is available at the user location, requesting access includes;
      
      extracting from the encrypted rendition a reference to the document repository where one or more renditions of the electronic document are stored; and
      
      requesting access to the rendition from the document repository identified by the extracted reference.
  - 15. The method of claim 14, wherein:
    - the encrypted rendition includes a document identifier and the reference to the document repository includes a path for accessing the document repository over a computer network; and
      
      requesting access includes;
      
      retrieving the document identifier and the path from the encrypted rendition; and
      
      sending an access request to the document repository specified by the retrieved path, the access request including the document identifier.
  - 16. The method of claim 13, wherein the set of access policies include information indicating that a user at the user location is authorized to perform one or more of the following operations:
    - adding content to the electronic document, adding comments to the electronic document, applying a digital signature to the electronic document, saving the electronic document, printing the electronic document, importing form data into the electronic document, exporting form data from the electronic document, and transmitting the electronic document to another user.
  - 17. The method of claim 13, further comprising:
    - verifying, at the user location, that one or more requested operations are allowed by the set of access policies for the electronic document.
  - 18. The method of claim 13, wherein:
    - the electronic voucher further includes a set of application rights, the application rights being operable to enable one or more disabled operations in an electronic document software application at the user location.
  - 19. The method of claim 13, wherein the rendition is a Portable Document Format document.
  - 20. The method of claim 13, further comprising:
    - storing the received voucher at the user location.
  - 21. The method of claim 13, wherein receiving an electronic voucher comprises:
    - determining whether an electronic voucher is stored locally at the user location; and
      
      if the electronic voucher is stored locally, retrieving the electronic voucher from the local storage;
      
      if the electronic voucher is not stored locally, requesting an electronic voucher from the document management system.
  - 22. The method of claim 13, further comprising:
    - receiving an encrypted rendition of the electronic document.
  - 23. The method of claim 13, wherein:
    - the voucher includes expiration information including one or more of;
      
      a predetermined number of access operations before the voucher expires, a particular time period before the voucher expires, and a particular time when the voucher expires.

24. A method for controlling access to an electronic document, comprising:
- receiving at a document management system a request from a user for access to an electronic document at a user location, a rendition of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document;
  
  authenticating the user at the document management system to verify that the user is authorized to access the electronic document;
  
  wherein,when the user is authorized to access the electronic document,creating, at the document management system, an encrypted rendition of the electronic document using the rendition of the electronic document that is stored in the document repository;
  
  creating, at the document management system, a voucher for accessing the encrypted rendition, the voucher including a set of access policies for controlling access to the encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, the voucher further including an electronic key operable to decrypt an encrypted rendition of the electronic document; and
  
  passing the encrypted rendition of the electronic document and the electronic voucher to the user location.

25. A computer program product, tangibly embodied in a machine-readable storage device, for controlling access to an electronic document, comprising instructions operable to cause a programmable processor to:
- receive at a document management system a request from a first user for an electronic document at a first user location, the document management system storing a rendition of the electronic document in a document repository, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document;
  
  authenticate the first user at the document management system using the set of access policies for the electronic document;
  
  verify that the first user is authorized to obtain the electronic document, and then pass an encrypted rendition of the electronic document to the first user;
  
  receive at the document management system a request from a second user for access to the encrypted rendition, where the second user received the encrypted rendition from the first user;
  
  authenticate the second user at the document management system using the set of access policies to establish which operations the second user is allowed to perform on the encrypted rendition;
  
  create, at the document management system, a voucher for accessing the encrypted rendition, the voucher including the set of access policies for controlling access to the encrypted rendition of the electronic document, the voucher further including an electronic key operable to decrypt the encrypted rendition of the electronic document; and
  
  pass the electronic voucher to the second user located at a second user location.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The computer program product of claim 25, further comprising instructions to:
    - create, at the document management system, the encrypted rendition using the rendition that is stored in the document repository.
  - 27. The computer program product of claim 25, wherein the instructions to create a voucher comprise instructions to:
    - obtain the set of access policies for the second user from an access control list that is associated with the electronic document; and
      
      include the obtained set of access policies in the electronic voucher.
  - 28. The computer program product of claim 25, wherein the set of access policies for the electronic document identify one or more of the following operations:
    - adding content to the rendition, adding comments to the rendition, applying a digital signature to the rendition, saving the rendition, printing the rendition, importing form data into the rendition, exporting form data from the rendition, and transmitting the rendition to another user.
  - 29. The computer program product of claim 25, where the set of access policies include:
    - a list of application rights.
  - 30. The computer program product of claim 25, further comprising instructions to:
    - include expiration information in the electronic voucher prior to passing the electronic voucher to the second user location.
  - 31. The computer program product of claim 30, wherein the expiration information includes one or more of:
    - a predetermined number of access operations before the voucher expires, a particular time period before the voucher expires, and a particular time when the voucher expires.
  - 32. The computer program product of claim 25, wherein:
    - the instructions to pass the encrypted rendition include instructions to provide the encrypted rendition from a location other than the document repository.
  - 33. The computer program product of claim 25, wherein the rendition is a Portable Document Format document.
  - 34. The computer program product of claim 25, further comprising instructions to:
    - record information relating to the request in an audit trail for the electronic document.
  - 35. The computer program product of claim 25, wherein the first user and the second user are the same individual.
  - 36. The computer program product of claim 25, wherein the first user location and the second user location are identical.

37. A computer program product, tangibly embodied in a machine-readable storage device, for accessing an electronic document, comprising instructions operable to cause a programmable processor to:
- request, from a document management system, access to an electronic document for a user at a user location, one or more renditions of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document, wherein requesting access to an electronic document for a user at a user location includes providing authentication information to authenticate the user to the document management system;
  
  receive at the user location an electronic voucher from the document management system for the electronic document, the electronic voucher including a set of access policies for accessing the encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, and an electronic key operable to decrypt the encrypted rendition of the electronic document; and
  
  use the electronic key of the electronic voucher at the user location to decrypt the encrypted rendition of the electronic document according to the set of access policies for accessing the encrypted rendition of the electronic document.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 38. The computer program product of claim 37, further comprising instructions to:
    - determine whether the encrypted rendition of the electronic document is available at the user location;
      
      wherein, if it is determined that the encrypted rendition is available at the user location, requesting access includes instructions to;
      
      extract from the encrypted rendition a reference to the document repository where one or more renditions of the electronic document are stored; and
      
      request access to the rendition from the document repository identified by the extracted reference.
  - 39. The computer program product of claim 38, wherein:
    - the encrypted rendition includes a document identifier and the reference to the document repository includes a path for accessing the document repository over a computer network; and
      
      the instructions to request access include instructions to;
      
      retrieve the document identifier and the path from the encrypted rendition; and
      
      send an access request to the document repository specified by the retrieved path, the access request including the document identifier.
  - 40. The computer program product of claim 37, wherein the set of access policies include information indicating that a user at the user location is authorized to perform one or more of the following operations:
    - adding content to the electronic document, adding comments to the electronic document, applying a digital signature to the electronic document, saving the electronic document, printing the electronic document, importing form data into the electronic document, exporting form data from the electronic document, and transmitting the electronic document to another user.
  - 41. The computer program product of claim 37, further comprising instructions to:
    - verify, at the user location, that one or more requested operations are allowed by the set of access policies for the electronic document.
  - 42. The computer program product of claim 37, wherein:
    - the electronic voucher further includes a set of application rights, the application rights being operable to enable one or more disabled operations in an electronic document software application at the user location.
  - 43. The computer program product of claim 37, wherein the rendition is a Portable Document Format document.
  - 44. The computer program product of claim 37, further comprising instructions to:
    - store the received voucher at the user location.
  - 45. The computer program product of claim 37, wherein the instructions to receive an electronic voucher comprise instructions to:
    - determine whether an electronic voucher is stored locally at the user location; and
      
      if the electronic voucher is stored locally, retrieving the electronic voucher from the local storage;
      
      if the electronic voucher is not stored locally, request an electronic voucher from the document management system.
  - 46. The computer program product of claim 37, further comprising instructions to:
    - receive an encrypted rendition of the electronic document.
  - 47. The computer program product of claim 37, wherein:
    - the voucher includes expiration information including one or more of;
      
      a predetermined number of access operations before the voucher expires, a particular time period before the voucher expires, and a particular time when the voucher expires.

48. A computer program product, tangibly embodied in a machine-readable storage device, for controlling access to an electronic document, comprising instructions operable to cause a programmable processor to:
- receive at a document management system a request from a user for access to an electronic document at a user location, a rendition of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document;
  
  authenticate the user at the document management system to verify that the user is authorized to access the electronic document;
  
  wherein,when the user is authorized to access the electronic document,create, at the document management system, an encrypted rendition of the electronic document using the rendition of the electronic document that is stored in the document repository;
  
  create, at the document management system, a voucher for accessing the encrypted rendition, the voucher including a set of access policies for controlling access to the encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, the voucher further including an electronic key operable to decrypt an encrypted rendition of the electronic document; and
  
  pass the encrypted rendition of the electronic document and the electronic voucher to the user location.

49. A system, comprising:
- means for receiving at a document management system a request from a first user for an electronic document at a first user location, the document management system storing a rendition of the electronic document in a document repository, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document;
  
  means for authenticating the first user at the document management system using the set of access policies for the electronic document,means for verifying that the first user is authorized to obtain the electronic document, and then passing an encrypted rendition of the electronic document to the first user;
  
  means for receiving at the document management system a request from a second user for access to the encrypted rendition, where the second user received the encrypted rendition from the first user;
  
  means for authenticating the second user at the document management system using the set of access policies to establish which operations the second user is allowed to perform on the encrypted rendition;
  
  means for creating, at the document management system, a voucher for accessing the encrypted rendition, the voucher including the set of access policies for controlling access to the encrypted rendition of the electronic document, the voucher further including an electronic key operable to decrypt the encrypted rendition of the electronic document; and
  
  means for passing the electronic voucher to the second user located at a second user location.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 50. The system of claim 49, further comprising:
    - means for creating, at the document management system, the encrypted rendition using the rendition that is stored in the document repository.
  - 51. The system of claim 49, wherein creating a voucher comprises:
    - obtaining the set of access policies for the second user from an access control list that is associated with the electronic document; and
      
      including the obtained set of access policies in the electronic voucher.
  - 52. The system of claim 49, wherein the set of access policies for the electronic document identify one or more of the following operations:
    - adding content to the rendition, adding comments to the rendition, applying a digital signature to the rendition, saving the rendition, printing the rendition, importing form data into the rendition, exporting form data from the rendition, and transmitting the rendition to another user.
  - 53. The system of claim 49, where the set of access policies include:
    - a list of application rights.
  - 54. The system of claim 49, further comprising:
    - means for including expiration information in the electronic voucher prior to passing the electronic voucher to the second user location.
  - 55. The system of claim 54, wherein the expiration information includes one or more of:
    - a predetermined number of access operations before the voucher expires, a particular time period before the voucher expires, and a particular time when the voucher expires.
  - 56. The system of claim 49, wherein:
    - passing the encrypted rendition includes providing the encrypted rendition from a location other than the document repository.
  - 57. The system of claim 49, wherein the rendition is a Portable Document Format document.
  - 58. The system of claim 49, further comprising:
    - means for recording information relating to the request in an audit trail for the electronic document.
  - 59. The system of claim 49, wherein the first user and the second user are the same individual.
  - 60. The system of claim 49, wherein the first user location and the second user location are identical.

61. A system, comprising:
- means for requesting, from a document management system, access to an electronic document for a user at a user location, one or more renditions of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document, wherein requesting access to an electronic document for a user at a user location includes providing authentication information to authenticate the user to the document management system;
  
  means for receiving at the user location an electronic voucher from the document management system for the electronic document, the electronic voucher including a set of access policies for accessing an encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, and an electronic key operable to decrypt the encrypted rendition of the electronic document; and
  
  means for using the electronic key of the electronic voucher at the user location to decrypt the encrypted rendition of the electronic document according to the set of access policies for accessing the encrypted rendition of the electronic document.
- View Dependent Claims (62, 63, 64, 65, 66, 67, 68, 69, 70, 71)
- - 62. The system of claim 61, further comprising:
    - means for determining whether the encrypted rendition of the electronic document is available at the user location;
      
      wherein, if it is determined that the encrypted rendition is available at the user location, requesting access includes;
      
      extracting from the encrypted rendition a reference to the document repository where one or more renditions of the electronic document are stored; and
      
      requesting access to the rendition from the document repository identified by the extracted reference.
  - 63. The system of claim 62, wherein:
    - the encrypted rendition includes a document identifier and the reference to the document repository includes a path for accessing the document repository over a computer network; and
      
      requesting access includes;
      
      retrieving the document identifier and the path from the encrypted rendition; and
      
      sending an access request to the document repository specified by the retrieved path, the access request including the document identifier.
  - 64. The system of claim 61, wherein the set of access policies include information indicating that a user at the user location is authorized to perform one or more of the following operations:
    - adding content to the electronic document, adding comments to the electronic document, applying a digital signature to the electronic document, saving the electronic document, printing the electronic document, importing form data into the electronic document, exporting form data from the electronic document, and transmitting the electronic document to another user.
  - 65. The system of claim 61, further comprising:
    - means for verifying, at the user location, that one or more requested operations are allowed by the set of access policies for the electronic document.
  - 66. The system of claim 61, wherein:
    - the electronic voucher further includes a set of application rights, the application rights being operable to enable one or more disabled operations in an electronic document software application at the user location.
  - 67. The system of claim 61, wherein the rendition is a Portable Document Format document.
  - 68. The system of claim 61, further comprising:
    - means for storing the received voucher at the user location.
  - 69. The system of claim 61, wherein receiving an electronic voucher comprises:
    - determining whether an electronic voucher is stored locally at the user location; and
      
      if the electronic voucher is stored locally, retrieving the electronic voucher from the local storage;
      
      if the electronic voucher is not stored locally, requesting an electronic voucher from the document management system.
  - 70. The system of claim 61, further comprising:
    - means for receiving an encrypted rendition of the electronic document.
  - 71. The system of claim 61, wherein:
    - the voucher includes expiration information including one or more of;
      
      a predetermined number of access operations before the voucher expires, a particular time period before the voucher expires, and a particular time when the voucher expires.

72. A system, comprising:
- means for receiving at a document management system a request from a user for access to an electronic document at a user location, a rendition of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document;
  
  means for authenticating the user at the document management system to verify that the user is authorized to access the electronic document;
  
  wherein,when the user is authorized to access the electronic document, the system further comprises;
  
  means for creating, at the document management system, an encrypted rendition of the electronic document using the rendition of the electronic document that is stored in the document repository;
  
  means for creating, at the document management system, a voucher for accessing the encrypted rendition, the voucher including a set of access policies for controlling access to the encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, the voucher further including an electronic key operable to decrypt an encrypted rendition of the electronic document; and
  
  means for passing the encrypted rendition of the electronic document and the electronic voucher to the user location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Systems Incorporated (Adobe Inc.)
Inventors
Donahue, James, Shapiro, Bill
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
PAN, JOSEPH T

Application Number

US10/659,874
Time in Patent Office

1,855 Days
Field of Search

713/1, 713/2, 713/188, 713/194, 713/165, 380/200, 380/201, 380/255, 380/277, 726/2, 707/9, 707/10, 715/500
US Class Current

713/165
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 2209/60   Digital content management,...

H04L 63/0428   wherein the data content is...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/102   Entity profiles

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

Controlling access to electronic documents

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

72 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to electronic documents

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

72 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links