Distributed access control for document centric collaborations

US 8,689,352 B2
Filed: 12/18/2008
Issued: 04/01/2014
Est. Priority Date: 12/18/2008
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

at least one processor;

non-transitory computer-readable storage medium including instructions executable by the at least one processor, the instructions configured to implement,a document access pattern manager configured to receive access requests from a plurality of collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one of a first schema portion for access to a first document instance portion and a second schema portion for access to a second document instance portion;

a document authorization manager configured to determine a first common access interest group of the collaboration participants related to the first document instance portion and a second common access interest group of the collaboration participants related to the second document instance portion, based on the access requests and on an access control policy specified in terms of access credentials; and

a key manager configured to provide a first control data block to the participants of the first common access interest group, the first control data block including information for generating a first common secret key that is common to the participants of the first common access interest group,the key manager configured to provide a second control data block to the participants of the second common access interest group, the second control data block including information for generating a second common secret key that is common to the participants of the second common access interest group,wherein at least one of the first and second control data blocks includes authority delegation information for authorizing a collaboration participant within a respective common access interest group to operate as a new authority to manage access control of a respective document instance portion, the authority delegation information including a chain of certificates including a certificate from an owner of at least a portion of the document instance that authorizes the collaboration participate to operate as the new authority.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Document collaboration may be implemented by executing an access interest specification phase. The access interest specification phase may include receiving access requests from collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one schema portion for access to a corresponding document instance portion based thereon, determining a common access interest group of the collaboration participants, based on the access requests, access credentials of the collaboration participants, and on an access control policy specified in terms of the access credentials, and providing a control data block to the participants of the common access interest group including information for generating a common secret key that is common to the participants of the common access interest group. The document collaboration may further be implemented by executing a collaboration phase. The collaboration phase execution may include encrypting the document instance portion using the access control policy, and providing access to the document instance for access to the document instance portion by an accessing participant of the common access interest group, the access including decryption of the document instance portion using the common secret key.

31 Citations

View as Search Results

17 Claims

1. A computer system comprising:
- at least one processor;
  
  non-transitory computer-readable storage medium including instructions executable by the at least one processor, the instructions configured to implement,a document access pattern manager configured to receive access requests from a plurality of collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one of a first schema portion for access to a first document instance portion and a second schema portion for access to a second document instance portion;
  
  a document authorization manager configured to determine a first common access interest group of the collaboration participants related to the first document instance portion and a second common access interest group of the collaboration participants related to the second document instance portion, based on the access requests and on an access control policy specified in terms of access credentials; and
  
  a key manager configured to provide a first control data block to the participants of the first common access interest group, the first control data block including information for generating a first common secret key that is common to the participants of the first common access interest group,the key manager configured to provide a second control data block to the participants of the second common access interest group, the second control data block including information for generating a second common secret key that is common to the participants of the second common access interest group,wherein at least one of the first and second control data blocks includes authority delegation information for authorizing a collaboration participant within a respective common access interest group to operate as a new authority to manage access control of a respective document instance portion, the authority delegation information including a chain of certificates including a certificate from an owner of at least a portion of the document instance that authorizes the collaboration participate to operate as the new authority.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer system of claim 1 wherein each of the access requests are specified in terms of an access primitive describing a type of access requested for the first or second document instance portion, and the access primitive includes operations to view, append, delete, or rename the first or second document portion.
  - 3. The computer system of claim 1 wherein the document authorization manager and the document access pattern manager are implemented at an authority associated with membership management of the first or second common access interest group, and wherein the membership management is delegated to a collaboration participant of the first or second common access interest group when the authority is unavailable.
  - 4. The computer system of claim 1 further comprising:
    - a document envelope generator configured to generate a document envelope containing content updates to the first or second document instance portion as implemented by collaboration participants of the first or second common access interest group.
  - 5. The computer system of claim 4 wherein the document envelope is encrypted/decrypted using the first or second common secret key.
  - 6. The computer system of claim 1 wherein the document instance includes an extensible mark-up language (XML) document.

7. A computer program product for executing process models, the computer program product being tangibly embodied on a non-transitory computer-readable medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to:
- receive access requests from collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one of a first schema portion for access to a first document instance portion and a second schema portion for access to a second document instance portion;
  
  determine a first common access interest group of the collaboration participants related to the first document instance portion and a second common access interest group of the collaboration participants related to the second document instance portion, based on the access requests, access credentials of the collaboration participants, and on an access control policy specified in terms of the access credentials;
  
  provide a first control data block to the participants of the first common access interest group, the first control data block including information for generating a first common secret key that is common to the participants of the first common access interest group,provide a second control data block to the participants of the second common access interest group, the second control data block including information for generating a second common secret key that is common to the participants of the second common access interest group, wherein at least one of the first and second control data blocks includes authority delegation information for authorizing a collaboration participant within a respective common access interest group to operate as a new authority to manage access control of a respective document instance portion, the authority delegation information including a chain of certificates including a certificate from an owner of at least a portion of the document instance that authorizes the collaboration participate to operate as the new authority;
  
  encrypt the first and second document instance portions using the access control policy;
  
  provide first access to the document instance for access to the first document instance portion by an accessing participant of the first common access interest group, the first access including decryption of the first document instance portion using the first common secret key; and
  
  provide second access to the document instance for access to the second document instance portion by an accessing participant of the second common access interest group, the second access including decryption of the second document instance portion using the second common secret key.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer program product of claim 7 wherein each of the access requests are specified in terms of an access primitive describing a type of access requested for the first document instance portion or the second document instance portion.
  - 9. The computer program product of claim 7 wherein the information for generating the first common secret key includes a public key of each of the collaboration participants of the first common access interest group, and the information for generating the second common secret key includes a public key for each of the collaboration participants of the second common access interest group.
  - 10. The computer program product of claim 7 wherein the first or second common access interest group and the first or second common secret key are updated upon a joining or leaving of a member thereof.
  - 11. The computer program product of claim 10 wherein the updating is asynchronous in that each participant updates the first or second common secret key upon receipt of notification of the updating in conjunction with an access to the first or second document instance portion, and until then continues using the first or second common secret key.
  - 12. The computer program product of claim 7 wherein the authority delegation information includes information allowing the accessing participant authority to update the first or second common access interest group upon a joining or leaving of a member thereof.
  - 13. The computer program product of claim 7 wherein the first document instance portion is re-encrypted using the first common secret key once the first accessing is complete, and the second document instance portion is re-encrypted using the second common secret key once the second accessing is complete.

14. A computer-implemented-method of document collaboration that is performed by one or more processors, the computer method comprising:
- executing an access interest specification phase, includingreceiving access requests from collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one of a first schema portion for access to a first document instance portion and a second schema portion for access to a second document instance portion;
  
  determining a first common access interest group of the collaboration participants related to the first document instance portion and a second common access interest group of the collaboration participants related to the second document instance portion, based on the access requests, access credentials of the collaboration participants, and on an access control policy specified in terms of the access credentials;
  
  providing a first control data block to the participants of the first common access interest group, the first control data block including information for generating a first common secret key that is common to the participants of the first common access interest group,providing a second control data block to the participants of the second common access interest group, the second control data block including information for generating a second common secret key that is common to the participants of the second common access interest group, wherein at least one of the first and second control data blocks includes authority delegation information for authorizing a collaboration participant within a respective common access interest group to operate as a new to manage access control of a respective document instance portion, the authority delegation information including a chain of certificates including a certificate from an owner of at least a portion of the document instance that authorizes the collaboration participate to operate as the new authority; and
  
  executing a collaboration phase, includingencrypting the first and second document instance portions using the access control policy;
  
  providing first access to the document instance for access to the first document instance portion by an accessing participant of the first common access interest group, the first access including decryption of the first document instance portion using the first common secret key;
  
  providing second access to the document instance for access to the second document instance portion by an accessing participant of the second common access interest, group, the second access including decryption of the second document instance portion using the second common secret key.
- View Dependent Claims (15, 16, 17)
- - 15. The computer method of claim 14 wherein each of the access requests are specified in terms of an access primitive describing a type of access requested for the first or second document instance portion.
  - 16. The computer method of claim 14 wherein the access primitives include operations to view, append, delete, or rename the first or second document instance portion.
  - 17. The computer method of claim 14 wherein the first or second common access interest group and the first or second common secret key are updated upon a joining or leaving of a member thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Schaad, Andreas, Rahaman, Mohammad Ashiqur
Primary Examiner(s)
Vaughan, Michael R

Application Number

US12/339,026
Publication Number

US 20100158254A1
Time in Patent Office

1,930 Days
Field of Search

None
US Class Current

726/28
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 2221/2107   File encryption

G06F 2221/2147   Locking files

G06Q 10/10   Office automation; Time man...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 9/0836   using tree structure or hie...

H04L 9/0891   Revocation or update of sec...

H04L 9/3247   involving digital signatures

H04L 9/3265   using certificate chains, t...

H04L 9/50   using hash chains, e.g. blo...

Distributed access control for document centric collaborations

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed access control for document centric collaborations

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links