Systems and methodologies for managing document access permissions
First Claim
Patent Images
1. A computer implemented method for managing access to objects available via a file server by a user, the method including:
- authenticating the user;
based on data indicative of an organisational hierarchy, which provides data indicative of memberships of a plurality of users to a plurality of groups, determining a set of groups to which the user belongs, wherein each membership has an associated permission set, wherein the permission set defines a set of permissions that a given user holds in relation to membership of a given group;
for each user, determining a hierarchy of groups for which that user has membership;
for each user, creating a concatenated list of the hierarchy of groups for which that user has membership, wherein the concatenated list includes, for membership, the permission set associated with that membership;
for each group to which the user belongs, and for each unique combination of groups to which the user belongs, defining a respective access token; and
combining the defined access tokens into a concatenated set of access tokens, such that the concatenated set of access tokens represents an intersection of groups and permission sets, wherein permissions are provided in a subtractive manner rather than an additive manner, wherein a file server accesses the concatenated set of access tokens thereby to determine whether or not to grant the user access to a given object;
wherein;
the objects available via the file server are each uniquely associated with a parent group defined in the organisational hierarchy;
for each object, a subtractive access token is defined based on its parent group in the organisational hierarchy, wherein defining a subtractive access token for a given object includes defining a token that is representative of the parent group and each higher-level group in the organisational hierarchy under which the parent group is nested.
2 Assignments
0 Petitions
Accused Products
Abstract
Described herein are systems and methodologies for managing document access permissions. Embodiments of the invention have been particularly developed for allowing group-based permission management in a file system. While some embodiments will be described herein with particular reference to that application, it will be appreciated that the invention is not limited to such a field of use, and is applicable in broader contexts.
-
Citations
14 Claims
-
1. A computer implemented method for managing access to objects available via a file server by a user, the method including:
-
authenticating the user; based on data indicative of an organisational hierarchy, which provides data indicative of memberships of a plurality of users to a plurality of groups, determining a set of groups to which the user belongs, wherein each membership has an associated permission set, wherein the permission set defines a set of permissions that a given user holds in relation to membership of a given group; for each user, determining a hierarchy of groups for which that user has membership; for each user, creating a concatenated list of the hierarchy of groups for which that user has membership, wherein the concatenated list includes, for membership, the permission set associated with that membership; for each group to which the user belongs, and for each unique combination of groups to which the user belongs, defining a respective access token; and combining the defined access tokens into a concatenated set of access tokens, such that the concatenated set of access tokens represents an intersection of groups and permission sets, wherein permissions are provided in a subtractive manner rather than an additive manner, wherein a file server accesses the concatenated set of access tokens thereby to determine whether or not to grant the user access to a given object; wherein; the objects available via the file server are each uniquely associated with a parent group defined in the organisational hierarchy; for each object, a subtractive access token is defined based on its parent group in the organisational hierarchy, wherein defining a subtractive access token for a given object includes defining a token that is representative of the parent group and each higher-level group in the organisational hierarchy under which the parent group is nested. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computer implemented method for managing access to objects available via a file server by a user, the method including:
-
receiving data indicative of an object for ingestion; receiving data indicative of a user selection of a parent group for the object, wherein the parent group is selected from an organisational hierarchy that includes a plurality of groups organised in a hierarchical framework; receiving data indicative of one or more security parameters for the document; and defining access requirements for the document based upon the parent group and the security parameters; wherein; the objects available via the file server are each uniquely associated with a parent group defined in the organisational hierarchy; for each object, a subtractive access token is defined based on its parent group in the organisational hierarchy, wherein defining a subtractive access token for a given object includes defining a token that is representative of the parent group and each higher-level group in the organisational hierarchy under which the parent group is nested. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
Specification