Enforcing native access control to indexed documents

US 8,417,693 B2
Filed: 07/14/2005
Issued: 04/09/2013
Est. Priority Date: 07/14/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method for processing a search request, comprising:

while crawling for documents, selecting higher levels of access control list information from native levels of access control list information for each document, wherein the selected higher levels of access control list information have a similar semantic for different types of one or more backend repositories, wherein the selected higher levels of access control list information are used to predict a probability of successful impersonation access to the documents, wherein the native levels of access control list information represents access controls implemented at the one or more backend repositories;

mapping the selected higher levels of access control list information to one or more indexed levels of access control list information that are stored in a search index, wherein the indexed levels include a database level and a server level, and wherein, for each of the indexed levels, for each document, information is stored in the search index to indicate a security level of access a user needs to access the document;

generating a pre-filtered list of documents by matching terms of the search request by using the search index;

generating an interim result set of documents from the pre-filtered list of documents by matching the one or more indexed levels of access control list information associated with each said document to one or more security groups associated with the search request, wherein the one or more security groups are associated with a user issuing the search request and who is a member of the one or more security groups;

generating a final result set by performing impersonation for the interim result set of documents by contacting the one or more backend repositories storing the interim result set of documents; and

providing the final result set of documents to the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for processing a search request. One or more indexed levels of access control list information are stored in a search index for each document identified in the search index. An interim result set is generated by matching the one or more indexed levels of access control list information associated with each said document to one or more security groups associated with the search request. A final result set is generated from the interim result set by performing impersonation.

Citations

33 Claims

1. A method for processing a search request, comprising:
- while crawling for documents, selecting higher levels of access control list information from native levels of access control list information for each document, wherein the selected higher levels of access control list information have a similar semantic for different types of one or more backend repositories, wherein the selected higher levels of access control list information are used to predict a probability of successful impersonation access to the documents, wherein the native levels of access control list information represents access controls implemented at the one or more backend repositories;
  
  mapping the selected higher levels of access control list information to one or more indexed levels of access control list information that are stored in a search index, wherein the indexed levels include a database level and a server level, and wherein, for each of the indexed levels, for each document, information is stored in the search index to indicate a security level of access a user needs to access the document;
  
  generating a pre-filtered list of documents by matching terms of the search request by using the search index;
  
  generating an interim result set of documents from the pre-filtered list of documents by matching the one or more indexed levels of access control list information associated with each said document to one or more security groups associated with the search request, wherein the one or more security groups are associated with a user issuing the search request and who is a member of the one or more security groups;
  
  generating a final result set by performing impersonation for the interim result set of documents by contacting the one or more backend repositories storing the interim result set of documents; and
  
  providing the final result set of documents to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - receiving valid user login data for a user; and
      
      determining whether a user profile exists, wherein an existing user profile stores the one or more security groups associated with the user for use in generating the interim result set.
  - 3. The method of claim 2, further comprising:
    - in response to determining that the user profile does not exist,receiving user security credentials for the one or more backend repositories;
      
      storing the user security credentials in the user profile for the user;
      
      for each of one or more backend repositories associated with the user security credentials stored in the user profile;
      
      (1) logging in to said backend repository; and
      
      (2) in response to determining that the log in is successful,(a) extracting the one or more security groups for which the user is a member from said backend repository; and
      
      (b) storing the extracted one or more security groups in the user profile; and
      
      generating a security context for the user with the stored one or more security groups.
  - 4. The method of claim 3, further comprising:
    - in response to determining that the log in is not successful, prompting the user for user credentials to access said backend repository.
  - 5. The method of claim 2, further comprising:
    - in response to determining that the user profile exists,for each of one or more backend repositories associated with user security credentials stored in the user profile;
      
      (1) logging in to said backend repository; and
      
      (2) in response to determining that the log in is successful,(a) extracting the one or more security groups for which the user is a member from said backend repository; and
      
      (b) storing the extracted one or more security groups in the user profile; and
      
      generating a security context for the user with the stored one or more security groups.
  - 6. The method of claim 5, further comprising:
    - in response to determining that the log in is not successful, prompting the user for user credentials to access said backend repository.
  - 7. The method of claim 1, wherein the user is enabled to select documents that are then provided by the backend repositories.
  - 8. The method of claim 1, further comprising:
    - when the final result set contains documents originating from different backend repositories, performing concurrent execution of impersonations with each different backend repository.
  - 9. The method of claim 1, further comprising:
    - when the final result set contains multiple documents from a backend repository, performing a single impersonation for the multiple documents.
  - 10. The method of claim 1, when a page is capable of displaying a predefined number of results and further comprising:
    - performing one or more impersonations to display the predefined number of results or fewer than the predefined number of results on the page.
  - 11. The method of claim 10, further comprising:
    - maintaining a separate offset into the interim result set representing a last successful impersonation.

12. An article of manufacture for processing a search request, wherein the article of manufacture comprises a computer readable storage medium that stores instructions, and wherein the article of manufacture is operable to:
- while crawling for documents, select higher levels of access control list information from native levels of access control list information for each document, wherein the selected higher levels of access control list information have a similar semantic for different types of one or more backend repositories, wherein the selected higher levels of access control list information are used to predict a probability of successful impersonation access to the documents, wherein the native levels of access control list information represents access controls implemented at the one or more backend repositories;
  
  map the selected higher levels of access control list information to one or more indexed levels of access control list information that are stored in a search index, wherein the indexed levels include a database level and a server level, and wherein, for each of the indexed levels, for each document, information is stored in the search index to indicate a security level of access a user needs to access the document;
  
  generate a pre-filtered list of documents by matching terms of the search request by using the search index;
  
  generate an interim result set of documents from the pre-filtered list of documents by matching the one or more indexed levels of access control list information associated with each said document to one or more security groups associated with the search request, wherein the one or more security groups are associated with a user issuing the search request and who is a member of the one or more security groups;
  
  generate a final result set by performing impersonation for the interim result set of documents by contacting the one or more backend repositories storing the interim result set of documents; and
  
  provide the final result set of documents to the user.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The article of manufacture of claim 12, wherein the article of manufacture is operable to:
    - receive valid user login data for a user; and
      
      determine whether a user profile exists, wherein an existing user profile stores the one or more security groups associated with the user for use in generating the interim result set.
  - 14. The article of manufacture of claim 13, wherein the article of manufacture is operable to:
    - in response to determining that the user profile does not exist,receive user security credentials for the one or more backend repositories;
      
      store the user security credentials in the user profile for the user;
      
      for each of one or more backend repositories associated with the user security credentials stored in the user profile;
      
      (1) log in to said backend repository; and
      
      (2) in response to determining that the log in is successful,(a) extract the one or more security groups for which the user is a member from said backend repository; and
      
      (b) store the extracted one or more security groups in the user profile; and
      
      generate a security context for the user with the stored one or more security groups.
  - 15. The article of manufacture of claim 14, wherein the article of manufacture is operable to:
    - in response to determining that the log in is not successful, prompt the user for user credentials to access said backend repository.
  - 16. The article of manufacture of claim 13, wherein the article of manufacture is operable to:
    - in response to determining that the user profile exists,for each of one or more backend repositories associated with user security credentials stored in the user profile;
      
      (1) log in to said backend repository; and
      
      (2) in response to determining that the log in is successful,(a) extract the one or more security groups for which the user is a member from said backend repository; and
      
      (b) store the extracted one or more security groups in the user profile; and
      
      generate a security context for the user with the stored one or more security groups.
  - 17. The article of manufacture of claim 16, wherein the article of manufacture is operable to:
    - in response to determining that the log in is not successful, prompt the user for user credentials to access said backend repository.
  - 18. The article of manufacture of claim 12, wherein the user is enabled to select documents that are then provided by the backend repositories.
  - 19. The article of manufacture of claim 12, wherein the article of manufacture is operable to:
    - when the final result set contains documents originating from different backend repositories, perform concurrent execution of impersonations with each different backend repository.
  - 20. The article of manufacture of claim 12, wherein the article of manufacture is operable to:
    - when the final result set contains multiple documents from a backend repository, perform a single impersonation for the multiple documents.
  - 21. The article of manufacture of claim 12, when a page is capable of displaying a predefined number of results and wherein the article of manufacture is operable to:
    - perform one or more impersonations to display the predefined number of results or fewer than the predefined number of results on the page.
  - 22. The article of manufacture of claim 21, wherein the article of manufacture is operable to:
    - maintaining a separate offset into the interim result set representing a last successful impersonation.

23. A system for processing a search request, comprising:
- a processor; and
  
  hardware logic causing operations to be performed, the operations comprising;
  
  while crawling for documents, selecting higher levels of access control list information from native levels of access control list information for each document, wherein the selected higher levels of access control list information have a similar semantic for different types of one or more backend repositories, wherein the selected higher levels of access control list information are used to predict a probability of successful impersonation access to the documents, wherein the native levels of access control list information represents access controls implemented at the one or more backend repositories;
  
  mapping the selected higher levels of access control list information to one or more indexed levels of access control list information that are stored in a search index, wherein the indexed levels include a database level and a server level, and wherein, for each of the indexed levels, for each document, information is stored in the search index to indicate a security level of access a user needs to access the document;
  
  generating a pre-filtered list of documents by matching terms of the search request by using the search index;
  
  generating an interim result set of documents from the pre-filtered list of documents by matching the one or more indexed levels of access control list information associated with each said document to one or more security groups associated with the search request, wherein the one or more security groups are associated with a user issuing the search request and who is a member of the one or more security groups;
  
  generating a final result set by performing impersonation for the interim result set of documents by contacting the one or more backend repositories storing the interim result set of documents; and
  
  providing the final result set of documents to the user.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The system of claim 23, wherein the operations further comprise:
    - receiving valid user login data for a user; and
      
      determining whether a user profile exists, wherein an existing user profile stores the one or more security groups associated with the user for use in generating the interim result set.
  - 25. The system of claim 24, wherein the operations further comprise:
    - in response to determining that the user profile does not exist,receiving user security credentials for the one or more backend repositories;
      
      storing the user security credentials in the user profile for the user;
      
      for each of one or more backend repositories associated with the user security credentials stored in the user profile;
      
      (1) logging in to said backend repository; and
      
      (2) in response to determining that the log in is successful,(a) extracting the one or more security groups for which the user is a member from said backend repository; and
      
      (b) storing the extracted one or more security groups in the user profile; and
      
      generating a security context for the user with the stored one or more security groups.
  - 26. The system of claim 25, wherein the operations further comprise:
    - in response to determining that the log in is not successful, prompting the user for user credentials to access said backend repository.
  - 27. The system of claim 24, wherein the operations further comprise:
    - in response to determining that the user profile exists,for each of one or more backend repositories associated with user security credentials stored in the user profile;
      
      (1) logging in to said backend repository; and
      
      (2) in response to determining that the log in is successful,(a) extracting the one or more security groups for which the user is a member from said backend repository; and
      
      (b) storing the extracted one or more security groups in the user profile; and
      
      generating a security context for the user with the stored one or more security groups.
  - 28. The system of claim 27, wherein the operations further comprise:
    - in response to determining that the log in is not successful, prompting the user for user credentials to access said backend repository.
  - 29. The system of claim 23, wherein the user is enabled to select documents that are then provided by the backend repositories.
  - 30. The system of claim 23, wherein the operations further comprise:
    - when the final result set contains documents originating from different backend repositories, performing concurrent execution of impersonations with each different backend repository.
  - 31. The system of claim 23, wherein the operations further comprise:
    - when the final result set contains multiple documents from a backend repository, performing a single impersonation for the multiple documents.
  - 32. The system of claim 23, when a page is capable of displaying a predefined number of results and wherein the operations further comprise:
    - performing one or more impersonations to display the predefined number of results or fewer than the predefined number of results on the page.
  - 33. The system of claim 32, wherein the operations further comprise:
    - maintaining a separate offset into the interim result set representing a last successful impersonation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Lempel, Ronny, Leyba, Todd, McPherson, John A. Jr., Perez, Justo Luis
Primary Examiner(s)
LU, KUEN S
Assistant Examiner(s)
Lee, Rachel J

Application Number

US11/182,334
Publication Number

US 20070016583A1
Time in Patent Office

2,826 Days
Field of Search

707/3
US Class Current

707/722
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 21/6227 where protection concerns t...

Enforcing native access control to indexed documents

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing native access control to indexed documents

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links