Document access control
First Claim
1. A computer-implemented method comprising:
associating, by a computer system, a user with a first set of aliases, each alias in the first set representing a group of one or more members including the user, the user being associated with the first set of aliases prior to a user request pertaining to a document, wherein associating the user with the first set of aliases comprises mapping the user to aliases in which the user is either a direct or indirect member;
associating, by the computer system, the document with a second set of aliases, each alias in the second set representing a group of one or more members having access to the document, wherein associating the document with the second set of aliases comprises mapping the document to an access control list;
upon receiving the user request pertaining to the document, determining whether the first set of aliases associated with the user and the second set of aliases associated with the document have an alias in common by intersecting the first set of aliases associated with the user and the second set of aliases associated with the document without recursively analyzing the first and second sets of aliases;
granting the user access to the document using the computer system if the first and second set of aliases have an alias in common; and
denying the user access to the document using the computer system if the first and second sets of aliases do not have an alias in common; and
taking an action on the first set of aliases when the user is added to or removed from an alias or when an alias containing the user is added to or removed from another alias, the action comprising at least one of invalidating, recomputing and modifying the first set of aliases.
Abstract
Embodiments of this invention control access to documents by identifying a user requesting a document, retrieving a membership list associated with the user, retrieving an access control list (ACL) associated with the document, and intersecting the user's membership list and the document's ACL to determine if the user has privileges to access the document. Certain embodiments of this invention filter documents in a search result to return those documents (or a list of those documents) that are accessible to a user.
12 Claims
1. A computer-implemented method (text as given under First Claim above). Dependent claims: 2.
3. A computer-implemented method comprising:
generating for a user a membership list using a computer system to identify aliases having the user as a direct or indirect member, each alias representing a group of one or more members, the membership list generated prior to a request pertaining to a document from the user;
assigning to the document in a plurality of documents an access control list (ACL) using the computer system to identify aliases whose members have access to the document;
in response to receiving the request pertaining to the document from the user, intersecting the membership list and the ACL using the computer system to determine if the membership list and the ACL have an alias in common without recursively analyzing the membership list and the ACL;
granting the user access to the document if the intersection results in at least one alias in common;
denying the user access to the document if the intersection does not result in at least one alias in common; and
taking an action on the membership list when the user is added to or removed from an alias or when an alias containing the user is added to or removed from another alias, the action comprising at least one of invalidating, recomputing and modifying the membership list.
Dependent claims: 4, 5, 6.
7. A system comprising:
a processor;
a memory comprising instructions executable by the processor to cause the processor to:
store for each of a plurality of users a membership list to indicate aliases of which the user is a direct or indirect member, each alias representing a group of one or more members, wherein the membership list is computed prior to the user's request for a document;
store access control lists (ACLs) identifying aliases whose members have access to individual documents;
receive from a user a request pertaining to the document;
search for the requested document;
determine if an access control list (ACL) associated with the document and a membership list associated with the user have an alias in common by intersecting the ACL associated with the document and the membership list associated with the user without recursively analyzing the membership list associated with the user and the ACL associated with the document;
prevent access to the document by the user if the access control list associated with the document fails to have an alias in common with the membership list associated with the user;
allow access to the document by the user if the ACL associated with the document has an alias in common with the membership list associated with the user; and
take an action on the membership list when the user is added to or removed from an alias or when an alias containing the user is added to or removed from another alias, the action comprising at least one of invalidating, recomputing and modifying the membership list.
Dependent claims: 8, 9.
10. A computer readable storage medium, having stored thereon a set of instructions, which when executed, perform a method comprising:
generating for a user a membership list to identify aliases having the user as a direct or indirect member, each alias representing a group of one or more members and the membership list generated prior to the user's request for a document;
assigning to the document in a plurality of documents an access control list (ACL) to identify aliases whose members have access to the document;
in response to receiving a request pertaining to the document from the user, intersecting the membership list associated with the user and the ACL associated with the document to determine if the membership list associated with the user and the ACL associated with the document have an alias in common without recursively analyzing the membership list associated with the user and the ACL associated with the document;
granting the user access to the document if the intersection results in at least one alias in common;
denying the user access to the document if the intersection does not result in at least one alias in common; and
taking an action on the membership list when the user is added to or removed from an alias or when an alias containing the user is added to or removed from another alias, the action comprising at least one of invalidating, recomputing and modifying the membership list.
Dependent claims: 11, 12.
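The scheme the claims describe, as an added Python model (not the patent's text or any assignee's code; the users, aliases and documents are constructed sample data): nested alias membership is flattened once, ahead of any request, so the per-request decision is a single set intersection with no recursion; the same check filters search hits as the abstract describes; and a change to an alias invalidates only the membership lists it can affect, which are recomputed lazily.

```python
from collections import deque

# Constructed directory: alias -> its direct members (users or nested aliases).
ALIASES = {
    "eng-all": {"eng-backend", "eng-frontend", "cto"},
    "eng-backend": {"alice", "bob"},
    "eng-frontend": {"carol"},
    "finance": {"dave"},
}
# Constructed document ACLs: document -> aliases whose members may access it.
ACLS = {
    "roadmap.doc": {"eng-all"},
    "payroll.xls": {"finance"},
    "handbook.pdf": {"eng-all", "finance"},
}

def compute_membership(user, aliases):
    """Membership list: every alias the user is a direct or indirect member of.
    Group nesting is walked here, once, ahead of any request, never at check time."""
    found = {a for a, members in aliases.items() if user in members}
    queue = deque(found)
    while queue:
        child = queue.popleft()
        for parent, members in aliases.items():
            if child in members and parent not in found:
                found.add(parent)
                queue.append(parent)
    return found

class AccessController:
    def __init__(self, aliases, acls):
        self.aliases, self.acls, self.cache = aliases, acls, {}
    def membership(self, user):
        if user not in self.cache:  # lazily recomputed after an invalidation
            self.cache[user] = compute_membership(user, self.aliases)
        return self.cache[user]
    def has_access(self, user, doc):
        # Non-recursive check: one intersection of membership list and ACL.
        return bool(self.membership(user) & self.acls.get(doc, set()))
    def filter_results(self, user, hits):
        """Return only the search hits the user is allowed to access."""
        return [d for d in hits if self.has_access(user, d)]
    def change_alias(self, alias, member, add=True):
        """Add or remove a member (user or alias); invalidate only affected lists."""
        target = self.aliases.setdefault(alias, set())
        (target.add if add else target.discard)(member)
        for user in [u for u, lst in self.cache.items()
                     if u == member or member in lst or alias in lst]:
            del self.cache[user]
```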