Offline access in a document control system

US 7,930,757 B2
Filed: 10/31/2003
Issued: 04/19/2011
Est. Priority Date: 10/31/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a request from a client to take an action with respect to a first electronic document, the action unrelated to a second electronic document; and

synchronizing offline access information with the client, in response to the request, to pre-authorize the client, to allow actions by a user as a member of a group of users, by sending to the client an update to offline access information retained at the client, the update comprising a first key associated with the group, the first key being useable at the client to access the second electronic document while offline by decrypting a second key in the second electronic document.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and techniques to provide offline access in a document control system. In general, in one implementation, the technique includes: receiving a request from a client, and pre-authorizing the client, in response to the request, to allow actions by a user as a member of a group of users by sending to the client offline access information including a first key associated with the group, the first key being useable at the client to access an electronic document by decrypting a second key in the electronic document. Receiving a request can involve receiving a request from the client to take an action with respect to a second document. The technique can also include verifying the user at the client as an authenticated user, and the offline access information can include user-specific keys, group-specific keys, a policy, and a document revocation list.

152 Citations

66 Claims

1. A computer-implemented method comprising:
- receiving a request from a client to take an action with respect to a first electronic document, the action unrelated to a second electronic document; and
  
  synchronizing offline access information with the client, in response to the request, to pre-authorize the client, to allow actions by a user as a member of a group of users, by sending to the client an update to offline access information retained at the client, the update comprising a first key associated with the group, the first key being useable at the client to access the second electronic document while offline by decrypting a second key in the second electronic document.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein synchronizing offline access information with the client comprises comparing a time of last recorded client-synchronization with a time of last change in user-group information for the user.
  - 3. The method of claim 1, wherein synchronizing offline access information with the client comprises:
    - receiving user-group information for the user from the client; and
      
      comparing current user-group information for the user with the received user-group information for the user from the client.
  - 4. The method of claim 1, wherein the client allows actions with respect to the second electronic document based on document-permissions information residing in the second electronic document.
  - 5. The method of claim 1, wherein the offline access information update further comprises document-permissions information associated with multiple documents, including the second electronic document, and the client allows actions with respect to the second electronic document based on the document-permissions information.
  - 6. The method of claim 1, wherein synchronizing offline access information with the client comprises synchronizing silently in a background process without the user being aware of the update.
  - 7. The method of claim 1, wherein the request requires authentication, the method further comprising verifying the user at the client as an authenticated user.
  - 8. The method of claim 1, wherein the offline access information update further comprises:
    - at least one user-specific key;
      
      at least one group-specific key, including the first key; and
      
      at least one set of document-permissions information associated with multiple documents.
  - 9. The method of claim 8, further comprising receiving an offline audit log from the client.
  - 10. The method of claim 8, wherein the at least one set of document-permissions information comprises one or more policies associated with the first document, and the offline access information update further comprises a document revocation list.
  - 11. The method of claim 8, wherein the offline access information update further comprises at least one set of document-permissions information, associated with a specific document, selected based on synchronization prioritization info oration.

12. A computer-implemented method comprising:
- receiving a request to take an action with respect to a first electronic document, the action unrelated to a second electronic document;
  
  synchronizing offline access information with a document control server in response to the request, when online, to pre-authorize offline access to the second electronic document, the synchronizing comprising receiving an update to offline access information retained locally, the update comprising a first key associated with a group of users of the document control server; and
  
  allowing access to the second electronic document, when offline, by performing operations comprising using the first key to decrypt a second key in the second electronic document and governing actions with respect to the second electronic document based on document-permissions information associated with the second electronic document.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, wherein governing actions with respect to the second electronic document comprises obtaining the document-permissions information from the second electronic document.
  - 14. The method of claim 12, wherein governing actions with respect to the second electronic document comprises:
    - identifying a document policy reference in the second electronic document; and
      
      obtaining locally retained document-permissions information based on the document policy reference.
  - 15. The method of claim 12, wherein the offline access information update comprises at least one user-specific key, at least one group-specific key, including the first key, at least one set of document-permissions information associated with multiple documents, and a document revocation list.
  - 16. The method of claim 12, further comprising preventing access to the second document, when offline, if a difference between a current time and a receipt time of the offline access information exceeds a server-synchronization-frequency parameter.
  - 17. The method of claim 16, wherein the server-synchronization-frequency parameter is specific to the document.
  - 18. The method of claim 12, further comprising:
    - maintaining an offline audit log; and
      
      uploading the offline audit log when online.

19. A computer-implemented method comprising:
- encrypting an electronic document; and
  
  incorporating into the encrypted electronic document an address of a document control server, document-permissions information, and an encryption key useable in decrypting the encrypted electronic document, the encryption key being encrypted with a key generated by, and associated with a group of users of, the document control server;
  
  wherein the encryption key comprises a session key generated by the document control server, encrypting the electronic document comprises encrypting the electronic document using a document key, and incorporating comprises incorporating into the encrypted electronic document a document security payload comprising the document key and the document-permissions information, the document security payload being encrypted using the session key.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, wherein the document security payload further comprises a document identifier assigned by the document control server, and incorporating further comprises incorporating into the encrypted electronic document a copy of the session key encrypted using a public key associated with the document control server.
  - 21. The method of claim 19, wherein the document-permissions information specifies access permissions at a level of granularity smaller than the electronic document.

22. A software product tangibly embodied in a machine-readable storage device, the software product comprising instructions operable to cause one or more data processing apparatus to perform operations comprising:
- receiving a request from a client to take an action with respect to a first electronic document, the request unrelated to a second electronic document; and
  
  synchronizing offline access information with the client, in response to the request, to pre-authorize the client, to allow actions by a user as a member of a group of users, by sending to the client an update to offline access information retained at the client, the update comprising a first key associated with the group, the first key being useable at the client to access the second electronic document while offline by decrypting a second key in the second electronic document.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 23. The software product of claim 22, wherein synchronizing offline access information with the client comprises comparing a time of last recorded client-synchronization with a time of last change in user-group information for the user.
  - 24. The software product of claim 22, wherein synchronizing offline access information with the client comprises:
    - receiving user-group information for the user from the client; and
      
      comparing current user-group information for the user with the received user-group information for the user from the client.
  - 25. The software product of claim 22, wherein the client allows actions with respect to the second electronic document based on document-permissions information residing in the second electronic document.
  - 26. The software product of claim 22, wherein the offline access information update further comprises document-permissions information associated with multiple documents, including the second electronic document, and the client allows actions with respect to the second electronic document based on the document-permissions information.
  - 27. The software product of claim 22, wherein synchronizing offline access information with the client comprises synchronizing silently in a background process without the user being aware of the update.
  - 28. The software product of claim 22, wherein the request requires authentication, and the operations further comprise verifying the user at the client as an authenticated user.
  - 29. The software product of claim 22, wherein the offline access information update further comprises:
    - at least one user-specific key;
      
      at least one group-specific key, including the first key; and
      
      at least one set of document-permissions information associated with multiple documents.
  - 30. The software product of claim 29, wherein the operations further comprise receiving an offline audit log from the client.
  - 31. The software product of claim 29, wherein the at least one set of document-permissions information comprises one or more policies associated with the first document, and the offline access information update further comprises a document revocation list.
  - 32. The software product of claim 29, wherein the offline access information update further comprises at least one set of document-permissions information associated with a specific document, and the operations further comprise selecting the document-specific document-permissions information based on synchronization prioritization information.

33. A software product tangibly embodied in a machine-readable storage device, the software product comprising instructions operable to cause one or more data processing apparatus to perform operations comprising:
- receiving a request to take an action with respect to a first electronic document, the action unrelated to a second electronic document;
  
  synchronizing offline access information with a document control server in response to the request, when online, to pre-authorize offline access to the second electronic document, the synchronizing comprising receiving an update to offline access information retained locally, the update comprising a first key associated with a group of users of the document control server; and
  
  allowing access to the second electronic document, when offline, by performing operations comprising using the first key to decrypt a second key in the second electronic document and governing actions with respect to the second electronic document based on document-permissions information associated with the second electronic document.
- View Dependent Claims (34, 35, 36, 37, 38, 39)
- - 34. The software product of claim 33, wherein governing actions with respect to the second electronic document comprises obtaining the document-permissions information from the second electronic document.
  - 35. The software product of claim 33, wherein governing actions with respect to the second electronic document comprises:
    - identifying a document policy reference in the second electronic document; and
      
      obtaining locally retained document-permissions information based on the document policy reference.
  - 36. The software product of claim 33, wherein the offline access information update comprises at least one user-specific key, at least one group-specific key, including the first key, at least one set of document-permissions information associated with multiple documents, and a document revocation list.
  - 37. The software product of claim 33, wherein the operations further comprise preventing access to the second electronic document, when offline, if a difference between a current time and a receipt time of the offline access information exceeds a server-synchronization-frequency parameter.
  - 38. The software product of claim 37, wherein the server-synchronization-frequency parameter is specific to the second electronic document.
  - 39. The software product of claim 33, wherein the operations further comprise:
    - maintaining an offline audit log; and
      
      uploading the offline audit log when online.

40. A software product tangibly embodied in a machine-readable storage device, the software product comprising instructions operable to cause one or more data processing apparatus to perform operations comprising:
- encrypting an electronic document; and
  
  incorporating into the encrypted electronic document an address of a document control server, document-permissions information, and an encryption key useable in decrypting the encrypted electronic document, the encryption key being encrypted with a key generated by, and associated with a group of users of, the document control server;
  
  wherein the encryption key comprises a session key generated by the document control server, encrypting the electronic document comprises encrypting the electronic document using a document key, and incorporating comprises incorporating into the encrypted electronic document a document security payload comprising the document key and the document-permissions information, the document security payload being encrypted using the session key.
- View Dependent Claims (41, 42)
- - 41. The software product of claim 40, wherein the document security payload further comprises a document identifier assigned by the document control server, and incorporating further comprises incorporating into the encrypted electronic document a copy of the session key encrypted using a public key associated with the document control server.
  - 42. The software product of claim 40, wherein the document-permissions information specifies access permissions at a level of granularity smaller than the electronic document.

43. A system comprising:
- a document control server that;
  
  receives a client request to take an action with respect to a first electronic document, the client request unrelated to a second electronic document; and
  
  synchronizes offline access information with the client in response to the client request, to pre-authorize offline access to the second electronic document by sending an update to the offline access information retained at the client, the update comprising a first key associated with a group, the first key being useable at the client to access the second electronic document by decrypting a second key in the second electronic document; and
  
  the client that stores the first key in a memory and allows access to the second electronic document, when offline, by a user as a member of the group, using the first key to decrypt the second key in the second electronic document and governing actions with respect to the second electronic document based on document-permissions information associated with the second electronic document.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 44. The system of claim 43, wherein the second electronic document comprises the document-permissions information.
  - 45. The system of claim 44, wherein the second key comprises a session key generated by the document control server, and the second electronic document further comprises a document security payload comprising a document key and the document-permissions information, the document security payload being encrypted using the session key.
  - 46. The system of claim 43, wherein the offline access information update further comprises:
    - at least one user-specific key;
      
      at least one group-specific key, including the first key; and
      
      at least one set of document-permissions information associated with multiple documents.
  - 47. The system of claim 43, wherein the client comprises an agent that periodically contacts the document control server to synchronize the offline access information.
  - 48. The system of claim 43, wherein the document control server comprises:
    - a server core with configuration and logging components;
      
      an internal services component that provides functionality across dynamically loaded methods; and
      
      dynamically loaded external service providers, including one or more access control service providers.
  - 49. The system of claim 43, further comprising:
    - a business logic tier comprising a cluster of document control servers, including the document control server;
      
      an application tier including the client comprising a viewer client, a securing client, and an administration client; and
      
      a load balancer that routes client requests to the document control servers.
  - 50. The system of claim 43, wherein the document control server synchronizes offline access information with the client silently in a background process without the user being aware of the update.
  - 51. The system of claim 50, wherein the document control server comprises a permissions-broker server including a translation component, the second document comprises a document secured previously by the permissions-broker server, and the translation component being operable to translate first document-permissions information in a first permissions-definition format into second document-permissions information in a second permissions-definition format in response to the request being received from the client.
  - 52. The system of claim 50, wherein the server comprises a permissions-broker server operable to identify information associated with the second document in response to the request, the associated information being retained at the server and indicating a third electronic document different from and associated with the second document, the server being operable to relate information concerning the third electronic document to the client to facilitate the action to be taken.
  - 53. The system of claim 50, wherein the server comprises a permissions-broker server operable to obtain and send, in response to the request, a software program comprising instructions operable to cause one or more data processing apparatus to perform operations effecting an authentication procedure, and the client uses the authentication program to identify a current user and control the action with respect to the second document based on the current user and document-permissions information associated with the second document.

54. A system comprising:
- server means for receiving client requests to take an action with respect to a first electronic document, the action unrelated to a second electronic document;
  
  server means for transparently synchronizing offline access information for the second electronic document in response to the client requests to pre-authorize the client, to allow offline actions by a user as a member of a group of users, by sending to the client an update to offline access information retained at the client, the update comprising a first key associated with the group, the first key being useable at the client to access the second electronic document while offline by decrypting a second key in the second electronic document; and
  
  client means for storing the first key in a memory and accessing the second electronic document using the offline access information.
- View Dependent Claims (55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 55. The system of claim 54, further comprising:
    - server means for dynamically obtaining and sending authentication processes in response to client requests to take actions with respect to electronic documents; and
      
      client means for interfacing with a received authentication process to identify a current user and for controlling actions with respect to electronic documents based on the current user and document-permissions information.
  - 56. The system of claim 54 further comprising server means for comparing a time of last recorded client-synchronization with a time of last change in user-group information for the user.
  - 57. The system of claim 56, further comprising server means for incorporating into the encrypted electronic document a copy of the session key encrypted using a public key associated with the document control server, and wherein the document security payload further comprises a document identifier assigned by the document control server.
  - 58. The method of claim 56, wherein the document-permissions information specifies access permissions at a level of granularity smaller than the electronic document.
  - 59. The system of claim 54 wherein the server means for transparently synchronizing offline access information with the client is configured to:
    - receive user-group information for the user from the client; and
      
      compare current user-group information for the user with the received user-group information for the user from the client.
  - 60. The system of claim 54 further comprising client means for allowing actions with respect to the second electronic document based on document-permissions information residing in the second electronic document.
  - 61. The system of claim 54 wherein the offline access information update further comprises document-permissions information associated with multiple documents, including the second electronic document.
  - 62. The system of claim 54, wherein the offline access information update further comprises:
    - at least one user-specific key;
      
      at least one group-specific key, including the first key; and
      
      at least one set of document-permissions information associated with multiple documents.
  - 63. The system of claim 54, further comprising server means for receiving an offline audit log from the client.
  - 64. The system of claim 54, wherein the at least one set of document-permissions information comprises one or more policies associated with the first document, and the offline access information update further comprises a document revocation list.
  - 65. The system of claim 54, wherein the offline access information update further comprises at least one set of document-permissions information, associated with a specific document, selected based on synchronization prioritization information.

66. A system comprising:
- server means for encrypting an electronic document; and
  
  server means for incorporating into the encrypted electronic document an address of a document control server, document-permissions information, and an encryption key useable in decrypting the encrypted electronic document, the encryption key being encrypted with a key generated by, and associated with a group of users of, the document control server;
  
  wherein the encryption key comprises a session key generated by the document control server, encrypting the electronic document comprises encrypting the electronic document using a document key, and incorporating comprises incorporating into the encrypted electronic document a document security payload comprising the document key and the document-permissions information, the document security payload being encrypted using the session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Systems Incorporated (Adobe Inc.)
Inventors
Shapiro, William M., Herbach, Jonathan D., Donahue, James
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US10/699,124
Publication Number

US 20050097061A1
Time in Patent Office

2,727 Days
Field of Search

726/27, 726/29, 705/51, 705/67, 713/160
US Class Current

726/27
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2115   Third party

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2139   Recurrent verification

G06F 2221/2147   Locking files

G06Q 20/3674   involving authentication

H04L 2209/60   Digital content management,...

H04L 9/0833   involving conference or gro...

H04L 9/0891   Revocation or update of sec...

Offline access in a document control system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

152 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Offline access in a document control system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

152 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links