Dynamic access control list for managed content

US 8,719,903 B1
Filed: 03/30/2006
Issued: 05/06/2014
Est. Priority Date: 03/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to managed content, comprising:

receiving an indication that a user requests an access right associated with a content item during a current session;

determining, using a processor and based on an access control policy that the user is a potential member of a group to which the access right has been granted, based at least in part on a list of potential members of the group, wherein the group is a dynamic group;

determining the potential member is considered a currently valid member of the group based at least in part on a context data associated with the user, current session, and a membership criteria;

allowing the potential member to access the content item in a manner associated with the access right;

wherein the access control policy is enforced by a content management system used by a plurality of applications to access content items; and

wherein the access control policy is applied equally to the plurality of applications.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Dynamic control of access to managed content is disclosed. In some embodiments, an ACL includes a “dynamic” group having an associated list of potential members. In any given session and/or at any point in time, whether a user is considered a currently valid member of the group, and therefore allowed access to managed content in accordance with an access right or privilege granted to the group with respect to one or more content items is determined, e.g., based on application context (what operation the user is trying to perform, etc.) and/or other context information (time of date, location of system from which access was requested, etc.).

Citations

20 Claims

1. A method of controlling access to managed content, comprising:
- receiving an indication that a user requests an access right associated with a content item during a current session;
  
  determining, using a processor and based on an access control policy that the user is a potential member of a group to which the access right has been granted, based at least in part on a list of potential members of the group, wherein the group is a dynamic group;
  
  determining the potential member is considered a currently valid member of the group based at least in part on a context data associated with the user, current session, and a membership criteria;
  
  allowing the potential member to access the content item in a manner associated with the access right;
  
  wherein the access control policy is enforced by a content management system used by a plurality of applications to access content items; and
  
  wherein the access control policy is applied equally to the plurality of applications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as recited in claim 1, wherein determining that the user is to be considered a currently valid member of the group includes receiving an indication that the current session associated with the user is to be considered to be associated with the group.
  - 3. A method as recited in claim 2, wherein the list includes at least one of the user, a role associated with the user, and a group of which the user is a member.
  - 4. A method as recited in claim 3, wherein the context data comprises an application context data.
  - 5. A method as recited in claim 4, wherein the context data comprises one or more of the following:
    - a time of day associated with the current session;
      
      a day of the week associated with the current session;
      
      a physical computing system;
      
      a physical location of a computing system, wherein the physical location is associated with the current session;
      
      a physical location of the user, wherein the physical location is associated with the current session; and
      
      a characteristic of a network via which the user is requesting access, wherein the characteristic is associated with the current session.
  - 6. A method as recited in claim 5, wherein the determination that the user is to be considered a currently valid member of the group is made in connection with establishing a content management session associated with the user.
  - 7. A method as recited in claim 6, wherein the content management session is the current session.
  - 8. A method as recited in claim 7, further comprising:
    - determining that the potential member should no longer be considered a currently valid member of the group based at least in part on the membership criteria and a revised context data; and
      
      allowing the potential member access in a manner associated with the access right only to the extent the user is determined to be entitled to such access despite not being considered a currently valid member of the group.
  - 9. A method as recited in claim 8, wherein determining that the user should no longer be considered a currently valid member of the group includes determining that the user is no longer to be considered a currently valid member of the group with respect to the current session associated with the user, with respect to which session the user was previously considered to be a currently valid member of the group.
  - 10. A method as recited in claim 9, wherein the group comprises a required group of which the user must be considered a currently valid member in order to access the content item and the method further comprises denying the user access to the content item if it is determined that the user should not be considered a currently valid member of the group.
  - 11. A method as recited in claim 7, further comprising:
    - determining that the user should no longer be considered a currently valid member of the group based at least in part on the membership criteria and a revised context data; and
      
      denying the potential member access in a manner associated with the access right.
  - 12. A method as recited in claim 11, wherein determining that the user should no longer be considered a currently valid member of the group includes determining that the user is no longer to be considered a currently valid member of the group with respect to the current session associated with the user, with respect to which session the user was previously considered to be a currently valid member of the group.
  - 13. A method as recited in claim 12, wherein the group comprises a required group of which the user must be considered a currently valid member in order to access the content item and the method further comprises denying the user access to the content item if it is determined that the user should not be considered a currently valid member of the group.

14. A content management system, comprising:
- a processor configured to;
  
  receive an indication that a user requests an access right associated with a content item during a current session;
  
  determine, based on a control access policy that the user is a potential member of a dynamic group to which the access right has been granted, based at least in part on a list of potential members of the group, wherein the group is a dynamic group;
  
  determine the potential member is considered a currently valid member of the group based at least in part on a context data associated with the user, current session, and a membership criteria;
  
  allow the potential member to access the content item in a manner associated with the access right;
  
  wherein the access control policy is enforced by a content management system used by a plurality of applications to access content items; and
  
  wherein the access control policy is applied equally to the plurality of applications; and
  
  a data storage device configured to store the content item.
- View Dependent Claims (15, 16, 17)
- - 15. A system as recited in claim 14, wherein the context data comprises one or more of the following:
    - a time of day associated with the current session;
      
      a day of the week associated with the current session;
      
      a physical computing system;
      
      a physical location of a computing system, wherein the physical location is associated with the current session;
      
      a physical location of the user, wherein the physical location is associated with the current session; and
      
      a characteristic of a network via which the user is requesting access, wherein the characteristic is associated with the current session.
  - 16. A system as recited in claim 14, wherein the determination that the user is to be considered a currently valid member of the group is made in connection with establishing at the content management system a session associated with the user.
  - 17. A system as recited in claim 14, wherein the group comprises a required group of which the user must be considered a currently valid member in order to access the content item and the processor is further configured to deny the user access to the content item if it is determined that the user should not be considered a currently valid member of the group.

18. A computer program product for managing content, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving an indication that a user requests an access right associated with a content item during a current session;
  
  determining, based on an access control policy, that the user is a potential member of a group to which the access right has been granted, based at least in part on a list of potential members of the group, wherein the group is a dynamic group;
  
  determining the potential member is considered a currently valid member of the group based at least in part on a context data associated with the user, current session, and a membership criteria;
  
  allowing the potential member to access the content item in a manner associated with the access right;
  
  wherein the access control policy is enforced by a content management system used by a plurality of applications to access content items; and
  
  wherein the access control policy is applied equally to the plurality of applications.
- View Dependent Claims (19, 20)
- - 19. A computer program product as recited in claim 18, wherein the context data comprises one or more of the following:
    - a time of day associated with the current session;
      
      a day of the week associated with the current session;
      
      a physical computing system;
      
      a physical location of a computing system, wherein the physical location is associated with the current session;
      
      a physical location of the user, wherein the physical location is associated with the current session; and
      
      a characteristic of a network via which the user is requesting access, wherein the characteristic is associated with the current session.
  - 20. A computer program product as recited in claim 18, wherein the group comprises a required group of which the user must be considered a currently valid member in order to access the content item and the computer program product further comprises computer instructions for denying the user access to the content item if it is determined that the user should not be considered a currently valid member of the group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Open Text Corporation
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Kilday, Roger W.
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US11/393,624
Time in Patent Office

2,959 Days
Field of Search

726/1, 726/3, 726/4, 726/5, 726/6, 726/7, 726/9
US Class Current

726/4
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/104   Grouping of entities

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

H04W 12/082   using revocation of authori...

Dynamic access control list for managed content

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic access control list for managed content

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links