Systems and methodologies for managing document access permissions

US 9,805,209 B2
Filed: 07/29/2014
Issued: 10/31/2017
Est. Priority Date: 07/29/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method for managing access to objects available via a file server by a user, the method including:

authenticating the user;

based on data indicative of an organisational hierarchy, which provides data indicative of memberships of a plurality of users to a plurality of groups, determining a set of groups to which the user belongs, wherein each membership has an associated permission set, wherein the permission set defines a set of permissions that a given user holds in relation to membership of a given group;

for each user, determining a hierarchy of groups for which that user has membership;

for each user, creating a concatenated list of the hierarchy of groups for which that user has membership, wherein the concatenated list includes, for membership, the permission set associated with that membership;

for each group to which the user belongs, and for each unique combination of groups to which the user belongs, defining a respective access token; and

combining the defined access tokens into a concatenated set of access tokens, such that the concatenated set of access tokens represents an intersection of groups and permission sets, wherein permissions are provided in a subtractive manner rather than an additive manner, wherein a file server accesses the concatenated set of access tokens thereby to determine whether or not to grant the user access to a given object;

wherein;

the objects available via the file server are each uniquely associated with a parent group defined in the organisational hierarchy;

for each object, a subtractive access token is defined based on its parent group in the organisational hierarchy, wherein defining a subtractive access token for a given object includes defining a token that is representative of the parent group and each higher-level group in the organisational hierarchy under which the parent group is nested.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are systems and methodologies for managing document access permissions. Embodiments of the invention have been particularly developed for allowing group-based permission management in a file system. While some embodiments will be described herein with particular reference to that application, it will be appreciated that the invention is not limited to such a field of use, and is applicable in broader contexts.

Citations

14 Claims

1. A computer implemented method for managing access to objects available via a file server by a user, the method including:
- authenticating the user;
  
  based on data indicative of an organisational hierarchy, which provides data indicative of memberships of a plurality of users to a plurality of groups, determining a set of groups to which the user belongs, wherein each membership has an associated permission set, wherein the permission set defines a set of permissions that a given user holds in relation to membership of a given group;
  
  for each user, determining a hierarchy of groups for which that user has membership;
  
  for each user, creating a concatenated list of the hierarchy of groups for which that user has membership, wherein the concatenated list includes, for membership, the permission set associated with that membership;
  
  for each group to which the user belongs, and for each unique combination of groups to which the user belongs, defining a respective access token; and
  
  combining the defined access tokens into a concatenated set of access tokens, such that the concatenated set of access tokens represents an intersection of groups and permission sets, wherein permissions are provided in a subtractive manner rather than an additive manner, wherein a file server accesses the concatenated set of access tokens thereby to determine whether or not to grant the user access to a given object;
  
  wherein;
  
  the objects available via the file server are each uniquely associated with a parent group defined in the organisational hierarchy;
  
  for each object, a subtractive access token is defined based on its parent group in the organisational hierarchy, wherein defining a subtractive access token for a given object includes defining a token that is representative of the parent group and each higher-level group in the organisational hierarchy under which the parent group is nested.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1 including a step of identifying one or more security labels associated with the user, and wherein (iii) includes defining respective access tokens for each unique combination of groups and security labels.
  - 3. A method according to claim 2 wherein the given object is associated with a parent group defined in the organisational hierarchy and one or more security labels, and wherein, based on the parent group, the given object has defined for it a subtractive access token based upon the parent group and the security labels.
  - 4. A method according to claim 1 wherein, in each instance where a user belongs to a group, that user is associated with a permission set for that group.
  - 5. A method according to claim 3 wherein a permission set defines multiple access permission types.
  - 6. A method according to claim 1 including a step of delivering data indicative of the set of access tokens to a software application associated with the user, wherein the file server interacts with that software application when determining whether or not to grant access to a given object.
  - 7. A method according to claim 1 wherein the set of access tokens are provided to a Security Token Service.

8. A computer implemented method for managing access to objects available via a file server by a user, the method including:
- receiving data indicative of an object for ingestion;
  
  receiving data indicative of a user selection of a parent group for the object, wherein the parent group is selected from an organisational hierarchy that includes a plurality of groups organised in a hierarchical framework;
  
  receiving data indicative of one or more security parameters for the document; and
  
  defining access requirements for the document based upon the parent group and the security parameters;
  
  wherein;
  
  the objects available via the file server are each uniquely associated with a parent group defined in the organisational hierarchy;
  
  for each object, a subtractive access token is defined based on its parent group in the organisational hierarchy, wherein defining a subtractive access token for a given object includes defining a token that is representative of the parent group and each higher-level group in the organisational hierarchy under which the parent group is nested.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A method according to claim 8 wherein access to the document by a user is determined by reference to a set of access tokens associated with the user, with access being granted a case that the user has an access token that corresponds to the defined access requirements.
  - 10. A method according to claim 9 wherein the set of access tokens for the user is defined by a method including:
    - based on data indicative of an organisational hierarchy, which provides data indicative of memberships of a plurality of users to a plurality of groups, determining a set of groups to which the user belongs; and
      
      for each group to which the user belongs, and for each unique combination of groups to which the user belongs, defining a respective access token;
      
      combining the defined access tokens into the set of access tokens, which a file server accesses thereby to determine whether or not to grant the user access to a given object.
  - 11. A method according to claim 10 including a step of identifying one or more security labels associated with the user, and wherein (ii) includes defining respective access tokens for each unique combination of groups and security labels.
  - 12. A method according to claim 11 wherein the given object is associated with a parent group defined in the organisational hierarchy and one or more security labels, and wherein, based on the parent group, the given object has defined for it a subtractive access token based upon the parent group and the security labels.
  - 13. A method according to claim 10 wherein, in each instance where a user belongs to a group, that user is associated with a permission set for that group.
  - 14. A method according to claim 13 wherein a permission set defines multiple access permission types.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Berkeley Information Technology Pty Ltd.
Original Assignee
Berkeley Information Technology Pty Ltd.
Inventors
Naglost, Mark Peter, Coles, Scott David, Klein, David, Dahl, Justin
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US14/446,061
Publication Number

US 20150033327A1
Time in Patent Office

1,190 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

H04L 63/101   Access control lists [ACL]

Systems and methodologies for managing document access permissions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methodologies for managing document access permissions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links