Document access control

US 7,627,569 B2
Filed: 06/30/2005
Issued: 12/01/2009
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

associating, by a computer system, a user with a first set of aliases, each alias in the first set representing a group of one or more members including the user, the user being associated with the first set of aliases prior to a user request pertaining to a document, wherein associating the user with the first set of aliases comprises mapping the user to aliases in which the user is either a direct or indirect member;

associating, by the computer system, the document with a second set of aliases, each alias in the second set representing a group of one or more members having access to the document, wherein associating the document with the second set of aliases comprises mapping the document to an access control list;

upon receiving the user request pertaining to the document, determining whether the first set of aliases associated with the user and the second set of aliases associated with the document have an alias in common by intersecting the first set of aliases associated with the user and the second set of aliases associated with the document without recursively analyzing the first and second sets of aliases;

granting the user access to the document using the computer system if the first and second set of aliases have an alias in common; and

denying the user access to the document using the computer system if the first and second sets of aliases do not have an alias in common; and

taking an action on the first set of aliases when the user is added to or removed from an alias or when an alias containing the user is added to or removed from another alias, the action comprising at least one of invalidating, recomputing and modifying the first set of aliases.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of this invention control access to documents by identifying a user requesting a document, retrieving a membership list associated with the user, retrieving an access control list (ACL) associated with the document, and intersecting the user'"'"'s membership list and the document'"'"'s ACL to determine if the user has privileges to access to the document. Certain embodiments of this invention filter documents in a search result to return those documents (or a list of those documents) that are accessible to a user.

Citations

12 Claims

1. A computer-implemented method comprising:
- associating, by a computer system, a user with a first set of aliases, each alias in the first set representing a group of one or more members including the user, the user being associated with the first set of aliases prior to a user request pertaining to a document, wherein associating the user with the first set of aliases comprises mapping the user to aliases in which the user is either a direct or indirect member;
  
  associating, by the computer system, the document with a second set of aliases, each alias in the second set representing a group of one or more members having access to the document, wherein associating the document with the second set of aliases comprises mapping the document to an access control list;
  
  upon receiving the user request pertaining to the document, determining whether the first set of aliases associated with the user and the second set of aliases associated with the document have an alias in common by intersecting the first set of aliases associated with the user and the second set of aliases associated with the document without recursively analyzing the first and second sets of aliases;
  
  granting the user access to the document using the computer system if the first and second set of aliases have an alias in common; and
  
  denying the user access to the document using the computer system if the first and second sets of aliases do not have an alias in common; and
  
  taking an action on the first set of aliases when the user is added to or removed from an alias or when an alias containing the user is added to or removed from another alias, the action comprising at least one of invalidating, recomputing and modifying the first set of aliases.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein the document is one of a web page, an object in a software application or a subset of files shared in an online file-sharing application.

3. A computer-implemented method comprising:
- generating for a user a membership list using a computer system to identify aliases having the user as a direct or indirect member, each alias representing a group of one or more members, the membership list generated prior to a request pertaining to a document from the user;
  
  assigning to the document in a plurality of documents an access control list (ACL) using the computer system to identify aliases whose members have access to the document;
  
  in response to receiving the request pertaining to the document from the user,intersecting the membership list and the ACL using the computer system to determine if the membership list and the ACL have an alias in common without recursively analyzing the membership list and the ACL;
  
  granting the user access to the document if the intersection results in at least one alias in common;
  
  denying the user access to the document if the intersection does not result in at least one alias in common; and
  
  taking an action on the membership list when the user is added to or removed from an alias or when an alias containing the user is added to or removed from another alias, the action comprising at least one of invalidating, recomputing and modifying the membership list.
- View Dependent Claims (4, 5, 6)
- - 4. The method of claim 3, further comprising in response to the invalidation, recomputing the membership list independent of the request from the user.
  - 5. The method of claim 3, further comprising recomputing the membership list in response to the request from the user for access to the document or another document in the plurality of documents.
  - 6. The method of claim 3, wherein receiving the request comprises receiving the request over a network.

7. A system comprising:
- a processor;
  
  a memory comprising instructions executable by the processor to cause the processor to;
  
  store for each of a plurality of users a membership list to indicate aliases of which the user is a direct or indirect member, each alias representing a group of one or more members, wherein the membership list is computed prior to the user'"'"'s request for a document;
  
  store access control lists (ACLs) identifying aliases whose members have access to individual documents;
  
  receive from a user a request pertaining to the document;
  
  search for the requested document;
  
  determine if an access control list (ACL) associated with the document and a membership list associated with the user have an alias in common by intersecting the ACL associated with the document and the membership list associated with the user without recursively analyzing the membership list associated with the user and the ACL associated with the document;
  
  prevent access to the document by the user if the access control list associated with the document fails to have an alias in common with the membership list associated with the user;
  
  allow access to the document by the user if the ACL associated with the document has an alias in common with the membership list associated with the user; and
  
  take an action on the membership list when the user is added to or removed from an alias or when an alias containing the user is added to or removed from another alias, the action comprising at least one of invalidating, recomputing and modifying the membership list.
- View Dependent Claims (8, 9)
- - 8. The system of claim 7, wherein the memory further comprises instructions executable by the processor to cause the processor to prevent searching of access-restricted documents.
  - 9. The system of claim 7, wherein the memory further comprises instructions executable by the processor to cause the processor to intersect the membership list associated with the user with the ACL associated with the document to determine whether the document is inaccessible by the user.

10. A computer readable storage medium, having stored thereon a set of instructions, which when executed, perform a method comprising:
- generating for a user a membership list to identify aliases having the user as a direct or indirect member, each alias representing a group of one or more members and the membership list generated prior to the user'"'"'s request for a document;
  
  assigning to the document in a plurality of documents an access control list (ACL) to identify aliases whose members have access to the document;
  
  in response to receiving a request pertaining to the document from the user,intersecting the membership list associated with the user and the ACL associated with the document to determine if the membership list associated with the user and the ACL associated with the document have an alias in common without recursively analyzing the membership list associated with the user and the ACL associated with the document;
  
  granting the user access to the document if the intersection results in at least one alias in common;
  
  denying the user access to the document if the intersection does not result in at least one alias in common; and
  
  taking an action on the membership list when the user is added to or removed from an alias or when an alias containing the user is added to or removed from another alias, the action comprising at least one of invalidating, recomputing and modifying the membership list.
- View Dependent Claims (11, 12)
- - 11. The computer readable storage medium of claim 10, wherein the method further comprises recomputing the membership list independent of the request from the user.
  - 12. The computer readable storage medium of claim 10, wherein granting the user access to the document comprises returning a link to the document.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Gafter, Neal
Primary Examiner(s)
Rones; Charles
Assistant Examiner(s)
Khoshnoodi; Fariborz

Application Number

US11/173,865
Publication Number

US 20070005595A1
Time in Patent Office

1,615 Days
Field of Search

707/6, 707/5, 707/1, 707/3, 709/245, 709/217, 709/219, 709/218
US Class Current

1/1
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

Document access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Document access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links