Scoped access control metadata element
First Claim
1. A computing system for controlling access to a plurality of objects, the computing system comprising:
a processor; and
memory that stores a scoped access control metadata element that controls access to a plurality of objects that are stored in a computer storage medium of the computing system, wherein the scoped access control metadata element comprises:
a resource scope statement that identifies a plurality of objects for which the scoped access control metadata element provides access rights by defining a portion of a directory hierarchy indicating that the scoped access control metadata element provides access rights for a plurality of file objects located at or below the specified portion of the directory hierarchy; and
a rules statement that includes a plurality of rule statements that each define different access control rules for accessing the plurality of objects, including:
a first rule statement that includes:
a first statement scope that identifies a first set of one or more users to whom the first rule statement applies and who may access the plurality of objects, including a rule that defines the first set of one or more users as users that have been authenticated; and
a first grant statement that defines what access rights the first set of one or more users are granted for accessing any one of the plurality of objects; and
a second rule statement that includes:
a second statement scope that identifies a second set of one or more users to whom the second rule statement applies and who may also access the plurality of objects; and
a second grant statement that defines what different access rights the second set of one or more users are granted for accessing any one of the plurality of objects,
the computing system further comprising memory that stores computer-executable instructions that, when executed, implement a method, comprising:
receiving a request from a user to access one of the plurality of file objects, the user included in one or more of the first set of one or more users or the second set of one or more users;
determining that the scoped access control metadata element provides access rights to the one of the plurality of file objects; and
granting the user access to the one of the plurality of file objects, as defined by the scoped access control metadata element.
Abstract
Methods, systems, and data structures for communicating object metadata are provided. A generic metadata container is presented that allows object metadata to be described in an extensible manner using protocol-neutral and platform-independent methodologies. A metadata scope refers to a dynamic universe of targets to which the included metadata statements correspond. Metadata properties provide a mechanism to describe the metadata itself, and metadata security can be used to ensure authentic metadata is sent and received. Mechanisms are also provided to allow refinement and replacement of metadata statements. The generic metadata container can be adapted to dynamically define access control rights to a range of objects by a range of users, including granted and denied access rights.
22 Claims
13. A computer storage medium storing a particular data structure comprising:
a scope element that contains criteria for determining a plurality of objects the particular data structure applies to for controlling what users may access the plurality of objects, wherein the criteria of the scope element defines a portion of a directory hierarchy indicating that the particular data structure provides access rights for a plurality of file objects located under the portion of the directory hierarchy; and
one or more rule elements that define access rights for accessing the plurality of file objects, including:
a first rule element that contains (1) first user rules that define a first set of one or more users to whom the first rule element applies and who may access the plurality of file objects, including a first rule that defines the first set of one or more users as users that have been authenticated, and (2) first access rules that define what access rights the first set of one or more users are granted for accessing any one of the plurality of file objects; and
a second rule element that contains (1) second user rules that define a second set of one or more users to whom the second rule element applies and who may also access the plurality of file objects, and (2) second access rules that define what different access rights the second set of one or more users are granted for accessing any one of the plurality of file objects,
the computer storage medium further storing computer-executable instructions that, when executed by at least one processor of a computer system, implement a method, comprising:
an act of the computer system receiving a request from a user to access the one of the plurality of file objects, the user included in at least the first set of one or more users;
an act of the computer system determining that the particular data structure controls what users may access the plurality of file objects, as defined by the criteria of the scope element of the particular data structure;
an act of the computer system determining that the user is included in the first set of one or more users and that the user has been authenticated, as defined by the first user rules of the first rule element of the particular data structure; and
an act of the computer system granting the user access to the one of the plurality of file objects, as defined by the first access rules of the first rule element of the particular data structure.
18. A method for determining whether a user has access to a requested object, comprising:
receiving, at a computing system which includes at least one processor, a request from a user to access a particular file object;
accessing an access control metadata element stored on the computing system to determine whether the user is authorized to access the particular file object, comprising:
determining that the access control metadata element provides access rights to the particular file object based on a resource scope statement that identifies a plurality of file objects, including the particular file object, for which the access control metadata element provides access rights by defining a portion of a directory hierarchy indicating that the scoped access control metadata element provides access rights for the plurality of file objects, which are located at or below the specified portion of the directory hierarchy, including the particular file object;
determining that the access control metadata element provides access rights for the user based on one or more rule statements, the one or more rule statements including:
a first rule statement that includes (i) a first statement scope that identifies a first set of one or more users, including the user, to whom the first rule statement applies, the first statement scope including a first rule that defines the first set of one or more users as users that have been authenticated, and (ii) a first grant statement that defines what access rights the first set of one or more users are granted for accessing any one of the plurality of file objects; and
a second rule statement that includes (i) a second statement scope that identifies a second set of one or more users to whom the second rule statement applies, and (ii) a second grant statement that defines what different access rights the second set of one or more users are granted for accessing any one of the plurality of file objects;
determining that at least the first rule statement grants the user access to the particular file object based on the first statement scope and the first grant statement; and
upon determining that the first rule statement grants the user access to the particular file object, and upon determining that the particular file object is within the plurality of file objects identified by the resource scope statement, granting the user access to the particular file object in accordance with the first grant statement defined in the first rule statement of the access control metadata element.
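As an added illustration (not code from the patent or its assignee), the claimed structure in Python: a directory-scoped element holding rule statements, each pairing a statement scope (a predicate over users, the first being "authenticated") with granted and, per the abstract, denied rights, evaluated in the order claim 18 states. All class, function and path names are assumptions.

```python
import posixpath
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

@dataclass(frozen=True)
class User:                      # constructed user model (not from the patent)
    name: str
    authenticated: bool
    groups: FrozenSet[str] = frozenset()

# Statement scopes: predicates selecting the set of users a rule applies to.
def authenticated_users(user: User) -> bool:
    return user.authenticated

def members_of(group: str) -> Callable[[User], bool]:
    return lambda user: group in user.groups

@dataclass(frozen=True)
class RuleStatement:
    statement_scope: Callable[[User], bool]   # which users this rule applies to
    grant: FrozenSet[str] = frozenset()       # rights granted to those users
    deny: FrozenSet[str] = frozenset()        # rights denied (abstract: "granted and denied")

def _components(path: str) -> List[str]:
    # Normalise so "..", "./" and "//" cannot escape or fake the scope.
    return posixpath.normpath(path).rstrip("/").split("/")

@dataclass(frozen=True)
class ScopedAccessControlElement:
    resource_scope: str           # directory portion; applies to objects at or below it
    rules: List[RuleStatement]

    def covers(self, path: str) -> bool:
        # Compare path components, not string prefixes, so that
        # "/projects/alphabet/x" is not treated as inside "/projects/alpha".
        scope = _components(self.resource_scope)
        return _components(path)[:len(scope)] == scope

    def effective_rights(self, user: User) -> FrozenSet[str]:
        granted, denied = set(), set()
        for rule in self.rules:
            if rule.statement_scope(user):        # user falls within this rule's statement scope
                granted |= rule.grant
                denied |= rule.deny
        return frozenset(granted - denied)         # an explicit denial wins over any grant

    def authorize(self, user: User, path: str, right: str) -> bool:
        # Claim 18 order: the element must cover the object, then a rule must grant the right.
        return self.covers(path) and right in self.effective_rights(user)

# Constructed element: authenticated users may read, editors may also write,
# contractors are denied write even when they are also editors.
ALPHA_ACL = ScopedAccessControlElement("/projects/alpha", [
    RuleStatement(authenticated_users, grant=frozenset({"read"})),
    RuleStatement(members_of("editors"), grant=frozenset({"read", "write"})),
    RuleStatement(members_of("contractors"), deny=frozenset({"write"})),
])
```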