Hierarchical policy-based shared resource access control
1 Assignment
0 Petitions
Abstract
Access control for shared computing resources in a hierarchical system is provided herein. An as-needed, “lazy evaluation” approach to access control is described in which an effective access control list for a computing resource is determined after a request is received from a user to access the resource. When resources are shared, access control policies are created and stored in association with the shared resource but are not stored in association with hierarchically related lower-level resources. When an access request for a resource is received, access control policies are collected for levels of a computing resource hierarchy that are higher than the hierarchy level of the resource. An effective access control list is determined based on permissions specified in the collected access control policies. The effective access control list represents an effective propagation of access control policies of higher hierarchy levels to the computing resource.
39 Citations
19 Claims
1. A computer-implemented method of accessing shared computing resources in a hierarchical system, the method comprising:
receiving a request from a first user to access a particular file that is contained within a shared file folder in a computing file folder hierarchy of a virtual file system stored in a memory or storage of a computing device, wherein the shared file folder is associated with an access control policy;
responsive to receiving the request from the first user to access the particular file, determining that an effective access control list is not associated with the particular file and generating an effective access control list for the particular file by operations carried out by one or more processors, the operations comprising:
collecting available access control policies for the shared file folder that contains the particular file and for one or more of a plurality of higher file folders that are higher in the computing file folder hierarchy than the shared file folder containing the particular file, and
analyzing permissions specified in the collected access control policies to generate the effective access control list for the particular file, wherein the analyzing comprises combining the permissions specified in the collected access control policies for the shared file folder and the one or more of the plurality of higher file folders that are higher in the computing file folder hierarchy than the shared file folder;
based on the generated effective access control list for the particular file, determining that the first user is authorized to access the particular file;
associating the generated effective access control list with the particular file in an effective access control list data store;
subsequent to generating the effective access control list for the particular file, receiving a subsequent request from a second user to access the particular file; and
responsive to receiving the subsequent request from the second user to access the particular file, determining that the generated effective access control list is associated with the particular file in the effective access control list data store and determining, based on the generated effective access control list, that the second user is authorized to access the particular file.
Dependent claims: 2, 3, 4, 5, 6

7. One or more computer-readable storage media storing computer-executable instructions that, when executed, perform a method of accessing shared computing resources in a hierarchical system, the method comprising:
receiving a request from a first user to perform a function on a particular computing resource, wherein the particular computing resource is contained within a shared hierarchy level in a computing resource hierarchy;
responsive to receiving the request for the first user to perform the function, determining that an effective access control list corresponding to the particular computing resource does not exist and, for hierarchy levels in the computing resource hierarchy that are higher than the shared hierarchy level that contains the computing resource, retrieving one or more access control policies associated with the hierarchy levels;
based at least in part on permissions specified in the one or more access control policies associated with the hierarchy levels that are higher than the shared hierarchy level that contains the particular computing resource in combination with permissions specified in an access control policy associated with the shared hierarchy level, determining an effective access control list for the particular computing resource;
determining whether the first user is authorized to perform the function on the particular computing resource based at least in part on the effective access control list for the particular computing resource;
subsequent to determining the effective access control list for the particular computing resource, receiving a subsequent request from a second user to perform the function on the particular computing resource; and
determining whether the second user is authorized to perform the function on the particular computing resource based at least in part on the effective access control list for the particular computing resource.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16

17. One or more server computers implementing an access control system, the system comprising:
one or more processors;
a memory;
a virtual file system, at least part of which is stored in the memory, in which computing resources are shared among a plurality of users, the computing resources organized in a computing resource hierarchy;
an access policy generator that, in response to a sharing request to share a first computing resource of the virtual file system with a user of the plurality of users: creates an access control policy associated with the first computing resource, the access control policy specifying that the user is authorized to access the first computing resource; and upon creating the access control policy, stores the access control policy in association with the first computing resource but not in association with other computing resources at a lower hierarchy level than the hierarchy level of the first computing resource;
an access manager that: receives, using at least one of the one or more processors, an access request for the user to access a second computing resource of the virtual file system, the second computing resource having a hierarchy level in the computing resource hierarchy; and determines, using at least one of the one or more processors, whether to grant or deny the user access to the second computing resource based at least in part on an effective access control list determined by an analysis engine;
a data store storing, at least in part in the memory, one or more previously determined effective access control lists corresponding to at least one computing resource of the computing resource hierarchy;
an access policy collector that: retrieves, using at least one of the one or more processors, access control policies for one or more hierarchy levels in the computing resource hierarchy that are above the hierarchy level of the second computing resource, wherein for a particular higher hierarchy level above the hierarchy level of the second computing resource, the access policy collector retrieves a previously determined effective access control list from the data store instead of collecting an access control policy for the particular higher hierarchy level, wherein the previously determined effective access control list comprises permissions specified in the access control policy for the particular higher hierarchy level combined with permissions specified in access control policies for at least one additional hierarchy level that is higher in the computing resource hierarchy than the particular higher hierarchy level; and
the analysis engine that: determines, using at least one of the one or more processors, the effective access control list corresponding to the second computing resource based at least in part on permissions specified by the access control policies for the one or more hierarchy levels above the hierarchy level of the second computing resource, including one or more permissions specified in the previously determined effective access control list for the particular higher hierarchy level, in combination with one or more permissions specified in an access control policy for the hierarchy level of the second computing resource.
Dependent claims: 18, 19
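The abstract and claims 1, 7 and 17 describe the mechanism in prose only. The following Python model is an added illustration, not code from the patent or its assignee: a policy is stored only on the node that was shared, the effective ACL of a file is computed on the first request by walking up the hierarchy, the result is kept in an effective-ACL data store and reused for later requests by other users, and a stored effective ACL for an ancestor short-circuits the walk (the collector behaviour of claim 17). The excerpt does not say how permissions are "combined" or what happens when a policy changes after an effective ACL has been stored, so the combining rule (union of allows, with any explicit deny on the path winning), the path-string hierarchy, the sample folders and principals, and the cache invalidation in `share()` are all this example's assumptions.

```python
"""Lazy, cached effective-ACL resolution over a folder hierarchy (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Mapping, Optional, Set


def _merge(into: Dict[str, Set[str]], extra: Mapping[str, Iterable[str]]) -> None:
    for principal, ops in extra.items():
        into.setdefault(principal, set()).update(ops)


@dataclass
class Policy:
    """Access control policy stored on exactly one node (the shared one)."""
    allow: Dict[str, Set[str]] = field(default_factory=dict)
    deny: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class EffectiveAcl:
    """Result of folding every policy on the path root..node; kept in the store."""
    allow: Dict[str, FrozenSet[str]]
    deny: Dict[str, FrozenSet[str]]

    def permits(self, principal: str, op: str) -> bool:
        # Combining rule assumed by this example: an explicit deny anywhere on the path wins.
        return (op in self.allow.get(principal, frozenset())
                and op not in self.deny.get(principal, frozenset()))


class HierarchicalAccessControl:
    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {"/": None}
        self.policies: Dict[str, Policy] = {}               # sparse: shared nodes only
        self.effective_store: Dict[str, EffectiveAcl] = {}  # filled on demand
        self.policy_reads = 0                               # instrumentation for the walk

    def add(self, path: str) -> None:
        parent = path.rsplit("/", 1)[0] or "/"
        if parent not in self.parent:
            raise KeyError(f"parent {parent} of {path} does not exist")
        self.parent[path] = parent

    def share(self, path: str, principal: str, allow: Iterable[str] = (),
              deny: Iterable[str] = ()) -> None:
        """Attach a policy to `path` only; nothing is written to its descendants."""
        pol = self.policies.setdefault(path, Policy())
        pol.allow.setdefault(principal, set()).update(allow)
        pol.deny.setdefault(principal, set()).update(deny)
        # Caveat added by this example: stored effective ACLs at or below the node
        # no longer agree with the policies and must be dropped.
        prefix = path.rstrip("/") + "/"
        for stale in [p for p in self.effective_store if p == path or p.startswith(prefix)]:
            del self.effective_store[stale]

    def _compute(self, path: str) -> EffectiveAcl:
        allow: Dict[str, Set[str]] = {}
        deny: Dict[str, Set[str]] = {}
        node: Optional[str] = path
        while node is not None:
            cached = self.effective_store.get(node)
            if cached is not None:
                # An ancestor's stored effective ACL already folds in every level
                # above it, so it replaces the rest of the walk.
                _merge(allow, cached.allow)
                _merge(deny, cached.deny)
                break
            pol = self.policies.get(node)
            if pol is not None:
                self.policy_reads += 1
                _merge(allow, pol.allow)
                _merge(deny, pol.deny)
            node = self.parent[node]
        return EffectiveAcl({p: frozenset(s) for p, s in allow.items()},
                            {p: frozenset(s) for p, s in deny.items()})

    def effective_acl(self, path: str) -> EffectiveAcl:
        """Lazy evaluation: compute on the first request, then serve from the store."""
        acl = self.effective_store.get(path)
        if acl is None:
            acl = self._compute(path)
            self.effective_store[path] = acl
        return acl

    def is_authorized(self, principal: str, path: str, op: str) -> bool:
        return self.effective_acl(path).permits(principal, op)


REPORT = "/projects/team/deliverables/report.pdf"
NOTES = "/projects/team/private/notes.txt"


def build_demo() -> HierarchicalAccessControl:
    """Constructed sample hierarchy; sharing happens at three folders only."""
    ac = HierarchicalAccessControl()
    for p in ("/projects", "/projects/team", "/projects/team/deliverables", REPORT,
              "/projects/team/private", NOTES):
        ac.add(p)
    ac.share("/projects", "alice", allow={"read", "write"})
    ac.share("/projects/team", "bob", allow={"read"})
    ac.share("/projects/team/private", "bob", deny={"read"})
    return ac


def run_demo() -> dict:
    ac = build_demo()
    out = {}
    # First request for report.pdf: nothing stored yet, so the policies at
    # /projects/team and /projects are collected and the result is stored.
    out["alice_report"] = ac.is_authorized("alice", REPORT, "read")
    out["reads_first"] = ac.policy_reads
    # Later requests by other users for the same file are answered from the store.
    out["bob_report"] = ac.is_authorized("bob", REPORT, "read")
    out["carol_report"] = ac.is_authorized("carol", REPORT, "read")
    out["reads_after_cached"] = ac.policy_reads
    # Store an ancestor's effective ACL, then resolve a deeper file: the walk
    # reads only the policy on /private before hitting the stored ancestor.
    ac.effective_acl("/projects/team")
    before = ac.policy_reads
    out["bob_notes"] = ac.is_authorized("bob", NOTES, "read")      # deny on /private wins
    out["alice_notes"] = ac.is_authorized("alice", NOTES, "read")
    out["reads_for_notes"] = ac.policy_reads - before
    # A new share below a stored entry invalidates that entry.
    ac.share("/projects/team/deliverables", "carol", allow={"read"})
    out["carol_report_after_share"] = ac.is_authorized("carol", REPORT, "read")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `policy_reads` counter makes the lazy behaviour visible: the first request for report.pdf reads two policies, the next two requests read none, and once /projects/team has an entry in the store a request for notes.txt reads only the single policy below it. Dropping stale entries on a new share is the check a practitioner would add that the excerpt does not cover: without it, a user later denied on a folder keeps whatever access an earlier effective ACL recorded.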
Specification