Hierarchical policy-based shared resource access control

US 9,516,028 B1
Filed: 08/06/2014
Issued: 12/06/2016
Est. Priority Date: 08/06/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of accessing shared computing resources in a hierarchical system, the method comprising:

receiving a request from a first user to access a particular file that is contained within a shared file folder in a computing file folder hierarchy of a virtual file system stored in a memory or storage of a computing device, wherein the shared file folder is associated with an access control policy;

responsive to receiving the request from the first user to access the particular file, determining that an effective access control list is not associated with the particular file and generating an effective access control list for the particular file by operations carried out by one or more processors, the operations comprising;

collecting available access control policies for the shared file folder that contains the particular file and for one or more of a plurality of higher file folders that are higher in the computing file folder hierarchy than the shared file folder containing the particular file, andanalyzing permissions specified in the collected access control policies to generate the effective access control list for the particular file, wherein the analyzing comprises combining the permissions specified in the collected access control policies for the shared file folder and the one or more of the plurality of higher file folders that are higher in the computing file folder hierarchy than the shared file folder;

based on the generated effective access control list for the particular file, determining that the first user is authorized to access the particular file;

associating the generated effective access control list with the particular file in an effective access control list data store;

subsequent to generating the effective access control list for the particular file, receiving a subsequent request from a second user to access the particular file; and

responsive to receiving the subsequent request from the second user to access the particular file, determining that the generated effective access control list is associated with the particular file in the effective access control list data store and determining, based on the generated effective access control list, that the second user is authorized to access the particular file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control for shared computing resources in a hierarchical system is provided herein. An as-needed, “lazy evaluation” approach to access control is described in which an effective access control list for a computing resource is determined after a request is received from a user to access the resource. When resources are shared, access control policies are created and stored in association with the shared resource but are not stored in association with hierarchically related lower-level resources. When an access request for a resource is received, access control policies are collected for levels of a computing resource hierarchy that are higher than the hierarchy level of the resource. An effective access control list is determined based on permissions specified in the collected access control policies. The effective access control list represents an effective propagation of access control policies of higher hierarchy levels to the computing resource.

39 Citations

View as Search Results

19 Claims

1. A computer-implemented method of accessing shared computing resources in a hierarchical system, the method comprising:
- receiving a request from a first user to access a particular file that is contained within a shared file folder in a computing file folder hierarchy of a virtual file system stored in a memory or storage of a computing device, wherein the shared file folder is associated with an access control policy;
  
  responsive to receiving the request from the first user to access the particular file, determining that an effective access control list is not associated with the particular file and generating an effective access control list for the particular file by operations carried out by one or more processors, the operations comprising;
  
  collecting available access control policies for the shared file folder that contains the particular file and for one or more of a plurality of higher file folders that are higher in the computing file folder hierarchy than the shared file folder containing the particular file, andanalyzing permissions specified in the collected access control policies to generate the effective access control list for the particular file, wherein the analyzing comprises combining the permissions specified in the collected access control policies for the shared file folder and the one or more of the plurality of higher file folders that are higher in the computing file folder hierarchy than the shared file folder;
  
  based on the generated effective access control list for the particular file, determining that the first user is authorized to access the particular file;
  
  associating the generated effective access control list with the particular file in an effective access control list data store;
  
  subsequent to generating the effective access control list for the particular file, receiving a subsequent request from a second user to access the particular file; and
  
  responsive to receiving the subsequent request from the second user to access the particular file, determining that the generated effective access control list is associated with the particular file in the effective access control list data store and determining, based on the generated effective access control list, that the second user is authorized to access the particular file.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, further comprising storing the effective access control list for the particular file in the effective access control list data store, the effective access control list stored in association with either the particular file or the file folder that contains the particular file.
  - 3. The computer-implemented method of claim 1, wherein the effective access control list of the particular file represents an effective propagation of access control policies of higher-level file folders to at least one of the particular file or the file folder that contains the file.
  - 4. The computer-implemented method of claim 1, wherein the method is performed in the virtual file system accessed through a web service.
  - 5. The computer-implemented method of claim 1, wherein the one or more of the plurality of higher file folders that are higher in the computing file folder hierarchy from which access control policies are collected include at least one folder containing the shared file folder.
  - 6. The computer-implemented method of claim 1, wherein the effective access control list for the particular file comprises:
    - one or more permissions found in an access control policy for the shared file folder associated and one or more permissions found in two or more access control policies for two or more file folders higher in the computing file folder hierarchy than the shared file folder.

7. One or more computer-readable storage media storing computer-executable instructions that, when executed, perform a method of accessing shared computing resources in a hierarchical system, the method comprising:
- receiving a request from a first user to perform a function on a particular computing resource, wherein the particular computing resource is contained within a shared hierarchy level in a computing resource hierarchy;
  
  responsive to receiving the request for the first user to perform the function, determining that an effective access control list corresponding to the particular computing resource does not exist and, for hierarchy levels in the computing resource hierarchy that are higher than the shared hierarchy level that contains the computing resource, retrieving one or more access control policies associated with the hierarchy levels;
  
  based at least in part on permissions specified in the one or more access control policies associated with the hierarchy levels that are higher than the shared hierarchy level that contains the particular computing resource in combination with permissions specified in an access control policy associated with the shared hierarchy level, determining an effective access control list for the particular computing resource;
  
  determining whether the first user is authorized to perform the function on the particular computing resource based at least in part on the effective access control list for the particular computing resource;
  
  subsequent to determining the effective access control list for the particular computing resource, receiving a subsequent request from a second user to perform the function on the particular computing resource; and
  
  determining whether the second user is authorized to perform the function on the particular computing resource based at least in part on the effective access control list for the particular computing resource.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The one or more computer-readable storage media of claim 7, wherein the method further comprises storing the effective access control list in a data store.
  - 9. The one or more computer-readable storage media of claim 7, wherein the retrieving one or more access control policies associated with the hierarchy levels that are higher than the hierarchy level of the particular computing resource comprises retrieving all available access control policies.
  - 10. The one or more computer-readable storage media of claim 7, wherein the particular computing resource is a file or a file folder in a virtual file system, and wherein the function is at least one of:
    - accessing with read access;
      
      accessing with write access;
      
      moving the particular computing resource;
      
      sharing the particular computing resource;
      
      viewing activity of the particular computing resource;
      
      adding comments to the particular computing resource;
      
      downloading;
      
      or emailing.
  - 11. The one or more computer-readable storage media of claim 7, wherein the method further comprises:
    - prior to receiving the request from the first user to perform a function on the particular computing resource;
      
      receiving a request from a third user to share the hierarchy level that contains the computing resource with the first user;
      
      creating an access control policy associated with the shared hierarchy level, the access control policy specifying that the first user is authorized to access the shared hierarchy level; and
      
      upon creating the access control policy, storing the access control policy only in association with the shared hierarchy level.
  - 12. The one or more computer-readable storage media of claim 11, wherein the effective access control list for the particular computing resource includes one or more permissions specified in an access control policy stored in association with a hierarchy level above the shared hierarchy level.
  - 13. The one or more computer-readable storage media of claim 7, wherein determining whether the first user is authorized to perform the function on the particular computing resource based at least in part on the effective access control list comprises:
    - determining that the effective access control list does not include a permission authorizing the first user to perform the function; and
      
      determining that the first user is not authorized to perform the function.
  - 14. The one or more computer-readable storage media of claim 7, wherein retrieving one or more access control policies associated with the hierarchy levels comprises:
    - retrieving available access control policies associated with a first file folder containing the particular computing resource;
      
      retrieving available access control policies associated with a second file folder containing the first file folder; and
      
      retrieving available access control policies associated with a third file folder containing the second file folder.
  - 15. The one or more computer-readable storage media of claim 14, wherein the retrieving one or more access control policies associated with the hierarchy levels further comprises retrieving available access control policies for all hierarchy levels higher than the third file folder and lower than or equal to a top hierarchy level.
  - 16. The one or more computer-readable storage media of claim 7, wherein the access control list for the particular computing resource comprises:
    - one or more permissions found in an access control policy associated with the shared hierarchy level and two or more permissions found in two or more access control policies associated with hierarchy levels higher in the hierarchy than the shared hierarchy level.

17. One or more server computers implementing an access control system, the system comprising:
- one or more processors;
  
  a memory;
  
  a virtual file system, at least part of which is stored in the memory, in which computing resources are shared among a plurality of users, the computing resources organized in a computing resource hierarchy;
  
  an access policy generator that, in response to a sharing request to share a first computing resource of the virtual file system with a user of the plurality of users;
  
  creates an access control policy associated with the first computing resource, the access control policy specifying that the user is authorized to access the first computing resource; and
  
  upon creating the access control policy, stores the access control policy in association with the first computing resource but not in association with other computing resources at a lower hierarchy level than the hierarchy level of the first computing resource;
  
  an access manager that;
  
  receives, using at least one of the one or more processors, an access request for the user to access a second computing resource of the virtual file system, the second computing resource having a hierarchy level in the computing resource hierarchy; and
  
  determines, using at least one of the one or more processors, whether to grant or deny the user access to the second computing resource based at least in part on an effective access control list determined by an analysis engine;
  
  a data store storing, at least in part in the memory, one or more previously determined effective access control lists corresponding to at least one computing resource of the computing resource hierarchy;
  
  an access policy collector that;
  
  retrieves, using at least one of the one or more processors, access control policies for one or more hierarchy levels in the computing resource hierarchy that are above the hierarchy level of the second computing resource, wherein for a particular higher hierarchy level above the hierarchy level of the second computing resource, the access policy collector retrieves a previously determined effective access control list from the data store instead of collecting an access control policy for the particular higher hierarchy level, wherein the previously determined effective access control list comprises permissions specified in the access control policy for the particular higher hierarchy level combined with permissions specified in access control policies for at least one additional hierarchy level that is higher in the computing resource hierarchy than the particular higher hierarchy level; and
  
  the analysis engine that;
  
  determines, using at least one of the one or more processors, the effective access control list corresponding to the second computing resource based at least in part on permissions specified by the access control policies for the one or more hierarchy levels above the hierarchy level of the second computing resource, including one or more permissions specified in the previously determined effective access control list for the particular higher hierarchy level, in combination with one or more permissions specified in an access control policy for the hierarchy level of the second computing resource.
- View Dependent Claims (18, 19)
- - 18. The one or more server computers of claim 17, wherein the second computing resource is a file, and wherein the effective access control list represents an effective propagation of access control policies of higher-level file folders to at least one of the file or a file folder containing the file.
  - 19. The one or more server computers of claim 17, wherein the previously determined access control list comprises:
    - one or more permissions for the at least one hierarchy level above the hierarchy level of the second computing resource and one or more permissions for one or more hierarchy levels above the at least one hierarchy level above the hierarchy level of the second computing resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Fowler, Kevin, Andruschuk, Borislav
Primary Examiner(s)
Zhao, Don

Application Number

US14/453,368
Time in Patent Office

853 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

Hierarchical policy-based shared resource access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Hierarchical policy-based shared resource access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others