Distributed access control for document centric collaborations
Abstract
Document collaboration may be implemented by executing an access interest specification phase. The access interest specification phase may include receiving access requests from collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one schema portion for access to a corresponding document instance portion based thereon, determining a common access interest group of the collaboration participants, based on the access requests, access credentials of the collaboration participants, and on an access control policy specified in terms of the access credentials, and providing a control data block to the participants of the common access interest group including information for generating a common secret key that is common to the participants of the common access interest group. The document collaboration may further be implemented by executing a collaboration phase. The collaboration phase execution may include encrypting the document instance portion using the access control policy, and providing access to the document instance for access to the document instance portion by an accessing participant of the common access interest group, the access including decryption of the document instance portion using the common secret key.
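An added illustration of the access interest specification phase described in the abstract (not code from the patent): participants' requests are grouped per schema portion under a credential-based policy, and each group receives a control data block from which its members recover a common key. The policy, participant names, per-participant secrets shared with the key manager, and the HMAC-masked key slots are assumptions; the abstract does not say how the control data block encodes the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the policy maps a schema portion to required credentials.
POLICY = {
    "/report/finance": {"auditor"},
    "/report/design": {"engineer"},
}
CREDENTIALS = {
    "alice": {"auditor", "engineer"},
    "bob": {"auditor"},
    "carol": {"engineer"},
    "dave": set(),
}
# Assumption: each participant shares a long-term secret with the key manager.
SECRETS = {name: secrets.token_bytes(32) for name in CREDENTIALS}

REQUESTS = [("alice", "/report/finance"), ("bob", "/report/finance"),
            ("alice", "/report/design"), ("carol", "/report/design"),
            ("dave", "/report/finance"), ("bob", "/report/design")]


def interest_groups(requests, policy, credentials):
    """Group requesters per schema portion, keeping only those the policy admits."""
    groups = {portion: set() for portion in policy}
    for who, portion in requests:
        required = policy.get(portion)  # unknown portions are denied by default
        if required is not None and required <= credentials.get(who, set()):
            groups[portion].add(who)
    return groups


def _pad(secret, nonce, portion):
    # Per-member, per-block mask; the fresh nonce keeps masks from repeating.
    return hmac.new(secret, nonce + portion.encode(), hashlib.sha256).digest()


def make_control_data_block(portion, members, member_secrets):
    """Return (group_key, block); the block carries one masked key per member."""
    group_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    slots = {m: bytes(a ^ b for a, b in zip(group_key, _pad(member_secrets[m], nonce, portion)))
             for m in sorted(members)}
    return group_key, {"portion": portion, "nonce": nonce, "slots": slots}


def recover_key(who, secret, block):
    """Member side: unmask the common key; non-members have no slot."""
    slot = block["slots"].get(who)
    if slot is None:
        raise PermissionError(f"{who} is not in the group for {block['portion']}")
    pad = _pad(secret, block["nonce"], block["portion"])
    return bytes(a ^ b for a, b in zip(slot, pad))
```

The block in this sketch is not authenticated, and the certificate-chain delegation recited in the claims is out of its scope.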
17 Claims
1. A computer system comprising:
- at least one processor;
- non-transitory computer-readable storage medium including instructions executable by the at least one processor, the instructions configured to implement,
- a document access pattern manager configured to receive access requests from a plurality of collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one of a first schema portion for access to a first document instance portion and a second schema portion for access to a second document instance portion;
- a document authorization manager configured to determine a first common access interest group of the collaboration participants related to the first document instance portion and a second common access interest group of the collaboration participants related to the second document instance portion, based on the access requests and on an access control policy specified in terms of access credentials; and
- a key manager configured to provide a first control data block to the participants of the first common access interest group, the first control data block including information for generating a first common secret key that is common to the participants of the first common access interest group,
- the key manager configured to provide a second control data block to the participants of the second common access interest group, the second control data block including information for generating a second common secret key that is common to the participants of the second common access interest group,
- wherein at least one of the first and second control data blocks includes authority delegation information for authorizing a collaboration participant within a respective common access interest group to operate as a new authority to manage access control of a respective document instance portion, the authority delegation information including a chain of certificates including a certificate from an owner of at least a portion of the document instance that authorizes the collaboration participate to operate as the new authority.

View Dependent Claims (2, 3, 4, 5, 6)

7. A computer program product for executing process models, the computer program product being tangibly embodied on a non-transitory computer-readable medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to:
- receive access requests from collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one of a first schema portion for access to a first document instance portion and a second schema portion for access to a second document instance portion;
- determine a first common access interest group of the collaboration participants related to the first document instance portion and a second common access interest group of the collaboration participants related to the second document instance portion, based on the access requests, access credentials of the collaboration participants, and on an access control policy specified in terms of the access credentials;
- provide a first control data block to the participants of the first common access interest group, the first control data block including information for generating a first common secret key that is common to the participants of the first common access interest group,
- provide a second control data block to the participants of the second common access interest group, the second control data block including information for generating a second common secret key that is common to the participants of the second common access interest group,
- wherein at least one of the first and second control data blocks includes authority delegation information for authorizing a collaboration participant within a respective common access interest group to operate as a new authority to manage access control of a respective document instance portion, the authority delegation information including a chain of certificates including a certificate from an owner of at least a portion of the document instance that authorizes the collaboration participate to operate as the new authority;
- encrypt the first and second document instance portions using the access control policy;
- provide first access to the document instance for access to the first document instance portion by an accessing participant of the first common access interest group, the first access including decryption of the first document instance portion using the first common secret key; and
- provide second access to the document instance for access to the second document instance portion by an accessing participant of the second common access interest group, the second access including decryption of the second document instance portion using the second common secret key.

View Dependent Claims (8, 9, 10, 11, 12, 13)

14. A computer-implemented-method of document collaboration that is performed by one or more processors, the computer method comprising:
- executing an access interest specification phase, including
  - receiving access requests from collaboration participants for access to a document instance, the access requests specified using a document schema of the document instance and referencing at least one of a first schema portion for access to a first document instance portion and a second schema portion for access to a second document instance portion;
  - determining a first common access interest group of the collaboration participants related to the first document instance portion and a second common access interest group of the collaboration participants related to the second document instance portion, based on the access requests, access credentials of the collaboration participants, and on an access control policy specified in terms of the access credentials;
  - providing a first control data block to the participants of the first common access interest group, the first control data block including information for generating a first common secret key that is common to the participants of the first common access interest group,
  - providing a second control data block to the participants of the second common access interest group, the second control data block including information for generating a second common secret key that is common to the participants of the second common access interest group,
  - wherein at least one of the first and second control data blocks includes authority delegation information for authorizing a collaboration participant within a respective common access interest group to operate as a new to manage access control of a respective document instance portion, the authority delegation information including a chain of certificates including a certificate from an owner of at least a portion of the document instance that authorizes the collaboration participate to operate as the new authority; and
- executing a collaboration phase, including
  - encrypting the first and second document instance portions using the access control policy;
  - providing first access to the document instance for access to the first document instance portion by an accessing participant of the first common access interest group, the first access including decryption of the first document instance portion using the first common secret key;
  - providing second access to the document instance for access to the second document instance portion by an accessing participant of the second common access interest, group, the second access including decryption of the second document instance portion using the second common secret key.

View Dependent Claims (15, 16, 17)

Specification