Method, an apparatus, a computer system, a security component and a computer readable medium for defining access rights in metadata-based file arrangement

US 9,576,148 B2
Filed: 01/29/2015
Issued: 02/21/2017
Est. Priority Date: 09/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method for a dynamic content management system comprising a metadata-based folder hierarchy, said dynamic content management system storing electronic objects being defined by metadata having at least one property with a value, wherein at least one property of the metadata of an electronic object defines an access right for said electronic object, the method comprising:

determining effective access rights for a first electronic object bydetermining one or more other electronic objects being referred to by a metadata value of said first electronic object;

retrieving security components of said one or more other electronic objects being referred to by the metadata value of said first electronic object;

processing the security components of said one or more other electronic objects according to a predefined set of rules; and

propagating the access right of the first electronic object by the security components to be the effective access rights for the first electronic object;

identifying a person having access rights for the first electronic object by resolving a person identity from a property value of an object, which property value is indicated by a pseudo-user, wherein a pseudo-user comprises at least a first metadata item and a second metadata item, wherein the first metadata item indicates the object where the user identity can be retrieved, and wherein the second metadata item indicates a property in said object, the value of which property contains the person identity of a person being authorized to access said electronic object.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method for a computer system storing electronic objects being defined by metadata items. The method comprises deriving access rights from one or more security components originating from respective metadata items of at least one object, and determining the effective access rights for the object by means of the security components. The invention also relates to a method for a computer system storing electronic objects being defined by metadata items, wherein access rights for an object are determined by means of one or more pseudo-users. The invention also relates to an apparatus, a computer system and a computer readable medium comprising a computer program stored therein for carrying out the methods.

28 Citations

21 Claims

1. A method for a dynamic content management system comprising a metadata-based folder hierarchy, said dynamic content management system storing electronic objects being defined by metadata having at least one property with a value, wherein at least one property of the metadata of an electronic object defines an access right for said electronic object, the method comprising:
- determining effective access rights for a first electronic object bydetermining one or more other electronic objects being referred to by a metadata value of said first electronic object;
  
  retrieving security components of said one or more other electronic objects being referred to by the metadata value of said first electronic object;
  
  processing the security components of said one or more other electronic objects according to a predefined set of rules; and
  
  propagating the access right of the first electronic object by the security components to be the effective access rights for the first electronic object;
  
  identifying a person having access rights for the first electronic object by resolving a person identity from a property value of an object, which property value is indicated by a pseudo-user, wherein a pseudo-user comprises at least a first metadata item and a second metadata item, wherein the first metadata item indicates the object where the user identity can be retrieved, and wherein the second metadata item indicates a property in said object, the value of which property contains the person identity of a person being authorized to access said electronic object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein the first object comprises its own access control list, wherein the effective access rights for said first object are determined by combining the security components with a first object'"'"'s own access control list according to the predefined set of rules.
  - 3. The method according to claim 1, wherein said one or more other objects originate directly from the first object'"'"'s metadata value.
  - 4. The method according to claim 1, wherein said one or more other objects originate indirectly from the first object'"'"'s metadata value.
  - 5. The method according to claim 1, further comprising:
    - combining more than one security components, wherein the effective access rights for the first object are determined as an intersection of more than one security components.
  - 6. The method according to claim 1, further comprising:
    - combining more than one security components, wherein the effective access rights are determined according to one of the following rules;
      
      one security component overrides the other security component, each security component supplements the effective access rights, one security component restricts the other security component, one security component defines the maximum effective access rights, one security component defines the minimum effective access rights, or any combination thereof.
  - 7. The method according to claim 1, further comprising defining effective access rights by means of one or more pseudo-users.
  - 8. The method according to claim 7, further comprising:
    - identifying a person having access rights for the object by resolving a person identity from a property value of the first electronic object, which property is indicated by a pseudo-user.
  - 9. The method according to claim 7, further comprising:
    - identifying a person having access rights for the object by resolving a person identity from a property value of an object referred by the first electronic object, which property is indicated by a pseudo-user.

10. An apparatus comprising a processor, memory including computer program code, the memory and the computer program code configured to, with the processor, cause the apparatus to perform at least the following:
- to store electronic objects in a dynamic content management system comprising a metadata-based folder hierarchy, wherein the electronic objects are being defined by metadata having at least one property with value, wherein at least one property of the metadata of an electronic object defines an access right for said electronic object;
  
  to determine effective access rights for a first electronic object bydetermining one or more other electronic objects referred by a metadata value of said first electronic object;
  
  retrieving security components of said one or more other electronic objects referred by the metadata value of said first electronic object;
  
  processing the security components of said one or more other electronic objects according to a predefined set of rules; and
  
  propagating the access right of the first electronic object by the security components to be the effective access rights for the first electronic object;
  
  to identify a person having access rights for the first electronic object by resolving a person identity from a property value of an object, which property value is indicated by a pseudo-user, wherein a pseudo-user comprises at least a first metadata item and a second metadata item, wherein the first metadata item indicates the object where the user identity can be retrieved, and wherein the second metadata item indicates a property in said object, the value of which property contains the person identity of a person being authorized to access said electronic object.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus according to claim 10, wherein the first object comprises its own access control list, wherein the effective access rights for said first object are determined by combining the security components with the first object'"'"'s own access control list according to the predefined set of rules.
  - 12. The apparatus according to claim 10, wherein said one or more other objects originate directly from the first object'"'"'s metadata value.
  - 13. The apparatus according to claim 10, wherein said one or more other objects originate indirectly from the first object'"'"'s metadata value.
  - 14. The apparatus according to claim 10, further comprising computer program code configured to, with the processor, cause the apparatus to perform at least the following:
    - combine more than one security components, wherein the effective access rights for the first object are determined as an intersection of more than one security components.
  - 15. The apparatus according to claim 10, further comprising computer program code configured to, with the processor, cause the apparatus to perform at least the following:
    - combine more than one security components, wherein the effective access rights are determined according to one of the following rules;
      
      one security component overrides the other security component, each security component supplements the effective access rights, one security component restricts the other security component, one security component defines the maximum effective access rights, one security component defines the minimum effective access rights, or any combination thereof.
  - 16. The apparatus according to claim 10, further being configured to define effective access rights by means of one or more pseudo-users.
  - 17. The apparatus according to claim 16, further comprising computer program code configured to, with the processor, cause the apparatus to perform at least the following:
    - identify a person having access rights for the object by resolving a person identity from a property value of the first electronic object, which property is indicated by a pseudo-user.
  - 18. The apparatus according to claim 16, further comprising computer program code configured to, with the processor, cause the apparatus to perform at least the following:
    - identifying a person having access rights for the object by resolving a person identity from a property value of an object referred by the first electronic object, which property is indicated by a pseudo-user.

19. A computer system comprising:
- at least one processor,at least one memory including computer program code,the memory and the computer program code configured to, with said at least one processor, cause the computer system at least to perform;
  
  to store electronic objects in a dynamic content management system comprising a metadata-based folder hierarchy, wherein the electronic objects are being defined by metadata having at least one property with value, wherein at least one property of the metadata of an electronic object defines an access right for said electronic object;
  
  to determine effective access rights for a first electronic object bydetermining one or more other electronic objects referred by a metadata value of said first electronic object;
  
  retrieving security components of said one or more other electronic objects referred by the metadata value of said first electronic object;
  
  processing the security components of said one or more other electronic objects according to a predefined set of rules; and
  
  propagating the access right of the first electronic object by the security components to be the effective access rights for the first electronic object;
  
  to identify a person having access rights for the first electronic object by resolving a person identity from a property value of an object, which property value is indicated by a pseudo-user, wherein a pseudo-user comprises at least a first metadata item and a second metadata item, wherein the first metadata item indicates the object where the user identity can be retrieved, and wherein the second metadata item indicates a property in said object, the value of which property contains the person identity of a person being authorized to access said electronic object.
- View Dependent Claims (20)
- - 20. The computer system according to claim 19, further comprising a client and a server.

21. A non-transitory computer readable medium comprising computer program instructions stored thereon, wherein said instructions, when executed, are forto store electronic objects in a dynamic content management system comprising a metadata-based folder hierarchy, wherein the electronic objects are being defined by metadata having at least one property with value, wherein at least one property of the metadata of an electronic object defines an access right for said electronic object;
- to determine effective access rights for a first electronic object bydetermining one or more other electronic objects referred by a metadata value of said first electronic object;
  
  retrieving security components of said one or more other electronic objects referred by the metadata value of said first electronic object;
  
  processing the security components of said one or more other electronic objects according to a predefined set of rules; and
  
  propagating the access right of the first electronic object by the security components to be the effective access rights for the first electronic object;
  
  to identify a person having access rights for the first electronic object by resolving a person identity from a property value of an object, which property value is indicated by a pseudo-user, wherein a pseudo-user comprises at least a first metadata item and a second metadata item, wherein the first metadata item indicates the object where the user identity can be retrieved, and wherein the second metadata item indicates a property in said object, the value of which property contains the person identity of a person being authorized to access said electronic object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
M-Files Oy
Original Assignee
M-Files Oy
Inventors
Laitkorpi, Markku, Nivala, Antti, Lepola, Juha, Metsapelto, Ari, Partanen, Timo
Primary Examiner(s)
Hershley, Mark E

Application Number

US14/608,738
Publication Number

US 20150143549A1
Time in Patent Office

754 Days
Field of Search

707/785
US Class Current

1/1
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 16/176   Support for shared access t...

G06F 16/51   Indexing; Data structures t...

G06F 21/6218   to a system of files or obj...

G06F 2221/2145   Inheriting rights or proper...

Method, an apparatus, a computer system, a security component and a computer readable medium for defining access rights in metadata-based file arrangement

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method, an apparatus, a computer system, a security component and a computer readable medium for defining access rights in metadata-based file arrangement

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links