Controlling access to electronic documents
First Claim
1. A method performed in a document management system of controlling access to an electronic document, comprising:
- receiving at a document management system a request from a first user for an electronic document at a first user location, the document management system storing a rendition of the electronic document in a document repository, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document;
authenticating the first user at the document management system using the set of access policies for the electronic document;
verifying that the first user is authorized to obtain the electronic document, and then passing an encrypted rendition of the electronic document to the first user;
receiving at the document management system a request from a second user for access to the encrypted rendition, where the second user received the encrypted rendition from the first user;
authenticating the second user at the document management system using the set of access policies to establish which operations the second user is allowed to perform on the encrypted rendition;
creating, at the document management system, a voucher for accessing the encrypted rendition, the voucher including the set of access policies for controlling access to the encrypted rendition of the electronic document, the voucher further including an electronic key operable to decrypt the encrypted rendition of the electronic document; and
passing the electronic voucher to the second user located at a second user location.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods and apparatus, including computer program products, for controlling access to an electronic document. A document management system receives a request from a first user at a first user location for an electronic document. The first user is authenticated using a set of access policies for the electronic document, to verify that the first user is authorized to obtain the electronic document. If so, an encrypted rendition is passed to the first user. A request for access to the encrypted rendition from a second user is then received. The second user is authenticated, using the set of access policies, to establish which operations the second user may perform on the encrypted rendition. A voucher including an electronic key for decrypting the encrypted rendition and the set of access policies is created at the document management system. The voucher is passed to the second user location.
-
Citations
72 Claims
-
1. A method performed in a document management system of controlling access to an electronic document, comprising:
-
receiving at a document management system a request from a first user for an electronic document at a first user location, the document management system storing a rendition of the electronic document in a document repository, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document; authenticating the first user at the document management system using the set of access policies for the electronic document; verifying that the first user is authorized to obtain the electronic document, and then passing an encrypted rendition of the electronic document to the first user; receiving at the document management system a request from a second user for access to the encrypted rendition, where the second user received the encrypted rendition from the first user; authenticating the second user at the document management system using the set of access policies to establish which operations the second user is allowed to perform on the encrypted rendition; creating, at the document management system, a voucher for accessing the encrypted rendition, the voucher including the set of access policies for controlling access to the encrypted rendition of the electronic document, the voucher further including an electronic key operable to decrypt the encrypted rendition of the electronic document; and passing the electronic voucher to the second user located at a second user location. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A method of accessing an electronic document, comprising:
-
requesting, from a document management system, access to an electronic document for a user at a user location, one or more renditions of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document, wherein requesting access to an electronic document for a user at a user location includes providing authentication information to authenticate the user to the document management system; receiving at the user location an electronic voucher from the document management system for the electronic document, the electronic voucher including a set of access policies for accessing an encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, and an electronic key operable to decrypt the encrypted rendition of the electronic document; and using the electronic key of the electronic voucher at the user location to decrypt the encrypted rendition of the electronic document according to the set of access policies for accessing the encrypted rendition of the electronic document. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
-
-
24. A method for controlling access to an electronic document, comprising:
-
receiving at a document management system a request from a user for access to an electronic document at a user location, a rendition of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document; authenticating the user at the document management system to verify that the user is authorized to access the electronic document;
wherein,when the user is authorized to access the electronic document, creating, at the document management system, an encrypted rendition of the electronic document using the rendition of the electronic document that is stored in the document repository; creating, at the document management system, a voucher for accessing the encrypted rendition, the voucher including a set of access policies for controlling access to the encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, the voucher further including an electronic key operable to decrypt an encrypted rendition of the electronic document; and passing the encrypted rendition of the electronic document and the electronic voucher to the user location.
-
-
25. A computer program product, tangibly embodied in a machine-readable storage device, for controlling access to an electronic document, comprising instructions operable to cause a programmable processor to:
-
receive at a document management system a request from a first user for an electronic document at a first user location, the document management system storing a rendition of the electronic document in a document repository, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document; authenticate the first user at the document management system using the set of access policies for the electronic document; verify that the first user is authorized to obtain the electronic document, and then pass an encrypted rendition of the electronic document to the first user; receive at the document management system a request from a second user for access to the encrypted rendition, where the second user received the encrypted rendition from the first user; authenticate the second user at the document management system using the set of access policies to establish which operations the second user is allowed to perform on the encrypted rendition; create, at the document management system, a voucher for accessing the encrypted rendition, the voucher including the set of access policies for controlling access to the encrypted rendition of the electronic document, the voucher further including an electronic key operable to decrypt the encrypted rendition of the electronic document; and pass the electronic voucher to the second user located at a second user location. - View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
-
-
37. A computer program product, tangibly embodied in a machine-readable storage device, for accessing an electronic document, comprising instructions operable to cause a programmable processor to:
-
request, from a document management system, access to an electronic document for a user at a user location, one or more renditions of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document, wherein requesting access to an electronic document for a user at a user location includes providing authentication information to authenticate the user to the document management system; receive at the user location an electronic voucher from the document management system for the electronic document, the electronic voucher including a set of access policies for accessing the encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, and an electronic key operable to decrypt the encrypted rendition of the electronic document; and use the electronic key of the electronic voucher at the user location to decrypt the encrypted rendition of the electronic document according to the set of access policies for accessing the encrypted rendition of the electronic document. - View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
-
-
48. A computer program product, tangibly embodied in a machine-readable storage device, for controlling access to an electronic document, comprising instructions operable to cause a programmable processor to:
-
receive at a document management system a request from a user for access to an electronic document at a user location, a rendition of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document; authenticate the user at the document management system to verify that the user is authorized to access the electronic document;
wherein,when the user is authorized to access the electronic document, create, at the document management system, an encrypted rendition of the electronic document using the rendition of the electronic document that is stored in the document repository; create, at the document management system, a voucher for accessing the encrypted rendition, the voucher including a set of access policies for controlling access to the encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, the voucher further including an electronic key operable to decrypt an encrypted rendition of the electronic document; and pass the encrypted rendition of the electronic document and the electronic voucher to the user location.
-
-
49. A system, comprising:
-
means for receiving at a document management system a request from a first user for an electronic document at a first user location, the document management system storing a rendition of the electronic document in a document repository, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document; means for authenticating the first user at the document management system using the set of access policies for the electronic document, means for verifying that the first user is authorized to obtain the electronic document, and then passing an encrypted rendition of the electronic document to the first user; means for receiving at the document management system a request from a second user for access to the encrypted rendition, where the second user received the encrypted rendition from the first user; means for authenticating the second user at the document management system using the set of access policies to establish which operations the second user is allowed to perform on the encrypted rendition; means for creating, at the document management system, a voucher for accessing the encrypted rendition, the voucher including the set of access policies for controlling access to the encrypted rendition of the electronic document, the voucher further including an electronic key operable to decrypt the encrypted rendition of the electronic document; and means for passing the electronic voucher to the second user located at a second user location. - View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
-
-
61. A system, comprising:
-
means for requesting, from a document management system, access to an electronic document for a user at a user location, one or more renditions of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document, wherein requesting access to an electronic document for a user at a user location includes providing authentication information to authenticate the user to the document management system; means for receiving at the user location an electronic voucher from the document management system for the electronic document, the electronic voucher including a set of access policies for accessing an encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, and an electronic key operable to decrypt the encrypted rendition of the electronic document; and means for using the electronic key of the electronic voucher at the user location to decrypt the encrypted rendition of the electronic document according to the set of access policies for accessing the encrypted rendition of the electronic document. - View Dependent Claims (62, 63, 64, 65, 66, 67, 68, 69, 70, 71)
-
-
72. A system, comprising:
-
means for receiving at a document management system a request from a user for access to an electronic document at a user location, a rendition of the electronic document being stored in a document repository in the document management system, the document management system maintaining a set of access policies for the electronic document, the set of access policies including access policies for a plurality of users, each user having an identity on the document management system, the document management system authenticating users based on the users'"'"' identities, the document having multiple renditions, the access policies applying to the document and the multiple renditions of the document; means for authenticating the user at the document management system to verify that the user is authorized to access the electronic document;
wherein,when the user is authorized to access the electronic document, the system further comprises; means for creating, at the document management system, an encrypted rendition of the electronic document using the rendition of the electronic document that is stored in the document repository; means for creating, at the document management system, a voucher for accessing the encrypted rendition, the voucher including a set of access policies for controlling access to the encrypted rendition of the electronic document, the set of access policies including access policies for a plurality of users, the voucher further including an electronic key operable to decrypt an encrypted rendition of the electronic document; and means for passing the encrypted rendition of the electronic document and the electronic voucher to the user location.
-
Specification