WO2017020947A1 - Access to a document - Google Patents

Access to a document

Info

Publication number
WO2017020947A1
Authority
WO
WIPO (PCT)
Prior art keywords
document
searcher
access
access control
documents
Prior art date
Application number
PCT/EP2015/067807
Other languages
English (en)
Inventor
Helen Balinsky
Alexander BALINSKY
Boris DADACHEV
Steven Simske
Original Assignee
Hewlett-Packard Development Company L.P.
Priority date
Filing date
Publication date
Application filed by Hewlett-Packard Development Company L.P.
Priority to PCT/EP2015/067807
Publication of WO2017020947A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/33 Querying
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/93 Document management systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • Access control policies are rules implemented by organizations to restrict and delimit access to those who have appropriate access permissions to information and services in the organization.
  • Access control policies may comprise complex sets of rules and restrictions which create data "silos", whereby users who do not have appropriate access permissions will not be able to access, and may not even be aware of the existence of, certain information that is available within an organization. While such access control policies are important to have, in order to control access to and preserve the confidentiality of certain information, a user who is given a task may be unable to discover information that is relevant to the task, due to the access control policies. If the user is not aware of the existence of the information, they may not be motivated to request access to it.
  • An information owner may not be aware of the task assigned to the user and may not, in that case, be motivated to change the access permissions for the user. This can lead to inefficiencies and loss of productivity where, for example, a user ends up re-creating information that could instead have been obtained from another part of the organisation.
  • Figure 1 is a schematic block diagram of a system for generating search results according to an example;
  • Figure 2 is a schematic block diagram of an apparatus for requesting access to a document in a document repository, according to an example;
  • Figure 3 is a schematic block diagram of an access control module according to an example;
  • Figure 4 is a flow diagram of a method of generating document information and providing access to documents according to an example;
  • Figure 5 is a flow diagram of a method of receiving a request to access a document and forwarding the request to a document owner according to an example;
  • Figure 6 is a flow diagram of a method of granting permission to access a document and retrieving the document according to an example;
  • Figure 7 is a flow diagram of a method of implementing instructions to restrict information in a document being sent to a searcher according to an example;
  • Figure 8 is a schematic block diagram of an exemplary computer system.
  • Access control policies are widely deployed in online and enterprise environments to restrict access to services and information (including information, data and content) to those users who have appropriate access permissions. For example, in large enterprise organizations, a highly complex set of access control policies may be implemented to control user access and protect sensitive information.
  • Access control policies create data "silos", or pockets of data, which may be relevant for a user who does not have appropriate access and/or is not aware of the existence of the relevant information. Indeed, it may be the case that an access control policy erroneously or unnecessarily restricts access to information. This can result in a user being unaware of relevant data.
  • A user accessing, for example, a cloud service may be assigned a default set of access permissions with no (or at least apparently limited) flexibility. This can leave the user unable to access information that is relevant to them.
  • A user may change roles, or be assigned a task, with an accompanying requirement to have access to certain information.
  • Under restrictions such as a "need-to-know" access control policy, where access to information in a locked location is granted only if necessary to the conduct of particular duties, the user may have no means of identifying the relevant information, let alone accessing it.
  • An information owner may not be aware of the new role or assigned task, and may therefore not be motivated to grant the access to the user.
  • While the access permissions may have been correctly withheld before the change of role or task assignment, they may no longer be appropriate thereafter.
  • The user might need to access just one or a few relevant documents from the locked location, rather than all documents therein, and may only need temporary or exceptional access in the case of an assigned task.
  • An "information owner", or a "document owner", may be, but need not be, the person who created the information or document.
  • The information or document owner may be a system administrator, a manager or, indeed, anyone who has the authority and ability to modify the access control policy and/or access permissions to permit a user to access the respective information or document.
  • In the context of searching for information that is subject to one or more access control policies, traditional approaches to search typically do not allow a searcher to become aware of all the information that is relevant to the searcher's query.
  • A traditional search engine, for instance, typically returns search results dictated by the access control policy that applies to the user requesting the search. In effect, the search engine acquires the privileges or permissions of the user who controls the search, so the results do not reveal documents to which that user lacks access permission under the respective access control policy.
  • One approach to addressing these problems is to provide a system which can provide at least an indication of when a document relevant to a searcher's query has been identified in a document repository, irrespective of the access control policies the document may be subject to, without revealing sensitive or confidential information.
  • the systems and methods described herein allow a searcher to become aware of the existence of a potentially relevant document, and supply to the searcher content to enable the searcher to request access to the document. Accordingly, it may be necessary to provide the system with higher access privileges than the searcher, or even full access privileges, to documents held in an organisation's document repository.
  • identified relevant results for a search query may include all documents of all sensitivities, and an access control module may be deployed to filter the results by removing documents, or information within documents, to which the searcher does not currently have access. For example, permitted content within documents may be streamed to the searcher, whilst content which is not permitted may be removed completely or redacted.
  • FIG. 1 is a simplified schematic diagram of an apparatus 100 for generating search results in response to a searcher's query according to an example.
  • The apparatus 100 comprises a document repository 110 coupled to a search module 120 and an access control module 130.
  • The search module 120 is arranged to receive a search query Q 140 from a searcher 150 and compute relevant search results.
  • The search module 120 may be protected by its own access control and, for example, require a searcher to provide credentials, such as a username and password, before a search query from that user is accepted.
  • The search query Q 140 may comprise one or more strings of alphanumeric characters and symbols.
  • The searcher 150 in this example is a human searcher, although in practice the searcher 150 may be any entity capable of generating a machine-readable search query Q 140.
  • The search module 120 may be implemented in software or hardware and may be implemented as a collection of separate searching sub-modules across a network of dedicated servers. In any event, the search module 120 is arranged to process the search query Q 140 on receipt thereof from the searcher 150.
  • Document repository 110 may be a database, as shown by way of example in Figure 1, or, alternatively, a collection of databases or a distributed system of storage devices or information services across a number of physical and/or virtual storage entities.
  • Document repository 110 is a repository storing a plurality of documents.
  • A document may be any electronically stored file, which may for example comprise: a text document, a web page (for example, an HTML file), an office document (for example, Microsoft Word, Excel, PowerPoint; Adobe PDF) or any other kind of file or media that may be stored and searched for by a search engine.
  • Documents stored in document repository 110 may be subject to one or more access control policies, which relate to the searcher 150 as well as to other parties (not shown in Figure 1).
  • An access control policy may comprise one or more access control rules specifying levels of access to a document or to a collection of documents.
  • An access control policy may be implemented by restricting access, according to the rules specifying access rights contained in the policy, to entities (for example, users or automated computer applications) having access to the document repository. Rules contained in an access control policy can be specified in relation to the document being accessed, the entity accessing the document repository, or both.
  • A document may be subjected to an access control policy according to assigned roles or tasks of respective users or other entities, to control access to the document. For example, an employee in a company may be granted access to a document due to their status as an "employee", that status providing them the same access rights as all other employees. However, depending on their role in the company, certain other documents may be subject to different access control rules with respect to that employee.
  • A document stored in document repository 110 may be subject to one or more kinds of access control policy.
  • Search module 120, on receipt of a search query Q 140 from searcher 150, is arranged to establish the relevance of documents contained in the document repository 110 to the search query Q 140.
  • Search module 120 has a higher level of access permissions to the documents in the document repository 110 than the searcher 150.
  • In particular, the search module has relatively high 'read' access rights with respect to the documents in the document repository 110.
  • Search module 120 can only establish the relevance of documents in document repository 110 for which it has suitable access permission. While in some examples suitable access permissions may afford access to all documents stored in the repository 110, in other examples the access permissions, while more permissive than those of the searcher 150, may not provide access to all documents that may be relevant to the search query.
  • Document repository 110 may contain multiple distributed resources.
  • Figure 1 shows the document repository 110 as a cloud containing multiple separate storage entities.
  • Resources such as databases, SharePoint repositories, wiki sites or on-line document services may be accessed, for example, with individual resources being geographically distributed and/or under the control of different organizations, groups and entities.
  • Each resource, or group of resources, may have its own search and indexing engine, each running with high privileges for its own data source and/or locally to the corresponding resource.
  • A user's search query may be delegated to each individual search and indexing service, which generate local results and communicate them to the search module 120, which assembles them into a cumulative result that is returned to the searcher.
  • Examples herein are not restricted to any particular way of determining the relevance of a document to a search query. Indeed, any one or more existing ways of establishing the relevance of a document to a search query may be used according to examples herein.
  • For a search query "Q" comprising the strings "Q1" and "Q2", the search module 120 may first rank documents in the document repository containing instances of "Q1" by their relevance, assigning a higher "relevance score" to those containing a higher number of instances of the substring "Q1" and a relevance score of zero to those which do not contain "Q1".
  • Search module 120 can then establish which documents also contain "Q2" and assign a higher weighting to those which also contain "Q2" and a larger number of "Q1". In this fashion, a cumulative score can be determined, ranking the documents in the document repository from most to least relevant with respect to the search query "Q".
  • A searcher 150 may also instruct search module 120 according to one or more preferences regarding how search results are to be returned and the kind of search which is to be performed.
  • A searcher 150 may request that documents be returned sorted by owner, author, creator, editor or last editor, creation date, type or size, location in document repository 110 or geographical location when documents are stored in physically distributed storage, frequency of access, or by metadata associated with the documents. For example, documents associated with a particular document owner may be deemed more relevant.
  • Search module 120 may be arranged to carry out pre-filtering, removing any documents of no relevance to a search query.
  • The relevance of documents to a search query can be established more quickly by reference to pre-computed document indexes.
  • Such indexes may be computed and stored in a known way by a document indexing service, illustrated in Figure 1 as an optional indexing module 115.
  • Indexing module 115 may be implemented in hardware or software and may be implemented across a plurality of servers and as one or more separate sub-modules.
  • The relevant documents may be identified by the search module 120 by reference to the precomputed and stored indexes. The need to traverse the document repository 110 and scan individual documents during a search operation can thereby largely be avoided by using an index precomputed ahead of time, which speeds up searching.
  • The search module 120 may access the indexes in the indexing module via the document repository 110, directly, or by any other appropriate means.
  • An indexing module 115 of the kind described herein may have appropriate access control permissions to enable it to access and index even sensitive documents that cannot be accessed by the searcher 150.
  • The indexing module 115 may have sufficient priority and access privileges to access substantially all documents of all sensitivities stored in the document repository 110, whereby the indexing module 115 can generate and store a comprehensive document index. Such an index necessarily holds material drawn from documents of every sensitivity and must itself be protected accordingly.
  • The indexing module 115 can be distributed in the same way that document repository 110 and search module 120 may be distributed geographically and under the control of one or more organisations.
  • Search module 120 is coupled to an access control module 130.
  • Access control module 130 may be implemented in hardware or software and may be implemented across a plurality of servers and as one or more separate sub-modules.
  • The access control module 130 according to the present example is shown coupled to the document repository 110 and has access to the respective access control policies thereof.
  • The access control module 130 is arranged to receive from the search module 120 the results of the search query Q 140 and hone those results according to the access permissions of the searcher 150 relative to the access control policies.
  • The search results generated by the search module 120 comprise content, for example an initial list L 155 of documents, ordered in terms of relevance to the search query 140.
  • Each entry in the list L 155, for example, relates to a document and embodies or is accompanied by a link, such as a hyperlink, by which the respective document may be accessed and retrieved from the document repository 110.
  • The access control module 130 may refine or modify the content, such as list L 155, according to the access permissions of the searcher 150 relative to the access control policies, to produce a final search result L' 160, which may then be returned to the searcher 150. For example, for any document to which the searcher 150 has access permission according to the one or more access control policies, the access control module 130 may leave the content, such as the respective entry in the list including its hyperlink 170, unaltered in the final search result L' 160.
  • For any document to which the searcher 150 does not have access permission, the access control module 130 may modify the content, for example by replacing the respective entry in the final search result L' 160 with content comprising document information 180.
  • The content, such as the document information 180, may, for example, enable the searcher to request access to the respective document contained in document repository 110.
  • The document information 180 may provide no other detail of the document (or documents), or may provide some detail, as will be described.
  • In this example, the access control module 130 is arranged to evaluate the search results L 155 and, if necessary, hone or modify the search results generated by the search module 120.
  • In other examples, the search module 120 and access control module 130 may be more tightly integrated.
  • The search module 120 and access control module 130 may even be embodied as one and the same module, such that the appropriate final search results L' are generated in one step, in which hyperlinks 170 are added to the list for documents that may be accessed and alternative document information 180 is added to the list for documents that may not be accessed, according to the access control policies of the document repository 110 and the access permissions of the searcher 150.
  • Document information 180 may comprise a summary of the document which contains non-sensitive and unrestricted content, or at least content that is legitimately viewable by the respective searcher.
  • The summary may be, for example, a section or sections of the document, keywords pertinent to the document or one or more headings from the document, which are deemed not sensitive, for example by a document owner.
  • Alternatively, the summary may have sensitive information removed from it.
  • A third party, such as a document owner or higher authority, may be notified of the search query Q 140 and/or of the results L 155, and request that certain information be left out of the document information 180.
  • The document owner or higher authority may also provide a standing instruction (for example, an access control policy) that certain information in or about a document should be withheld from becoming part of the respective document information 180.
  • In some examples, the document information 180 discloses nothing about the document other than its existence.
  • Even so, the relevance of the document to the searcher's query may initiate a re-evaluation of the access control policies in the light of new circumstances and ensure that the required access is granted on an individual or per-document basis.
  • The searcher 150 may still be able to assess whether the document is relevant to their search, for example by reference to the indicated relevance and/or its position in the search results L' 160.
  • In other examples, the document information 180 may not even disclose the existence of the document (or documents).
  • As such, the document information 180 may comprise an email address of the document owner without any indication of the existence of the document itself.
  • In this case the document information allows the searcher to request access to a document whose details the searcher 150 is unaware of when the request to access the document is made.
  • The document information may comprise, for example, an email address of a superior in a management chain or, alternatively, an anonymous submission form allowing the searcher to express their need to access the document.
  • Such a form may, for example, be connected to a processing email account and may be automatically routed to the owner of the document by an appropriately configured email server or the like.
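The following is an added illustration of the Figure 1 arrangement described above: a search module that ranks with the cumulative Q1/Q2 scoring and reads every document regardless of who is asking, followed by an access control module that turns the complete list L into the searcher-specific list L'. It is not code from the patent or from Hewlett-Packard; the sample repository, the role-based policy, the three disclosure levels ("summary", "existence", "contact_only"), the opaque request tokens and the exact weighting are all constructed for the example.

```python
"""Privileged search followed by per-searcher filtering of the result list.

Added illustration of the Figure 1 arrangement (search module 120 with broad
read access, access control module 130 turning list L into L'). Not code
from the patent: the repository, the role-based policy, the disclosure
levels and the Q1/Q2 weighting below are all constructed for the example.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    title: str
    body: str
    owner: str            # party able to change this document's permissions
    readers: frozenset    # roles whose members may read the document
    disclosure: str       # what L' may say about it to a non-reader:
                          # "summary" | "existence" | "contact_only"
    summary: str = ""     # owner-approved, non-sensitive summary


# Constructed sample repository 110. Bodies use the placeholder terms
# "alpha" (Q1) and "beta" (Q2) so the scoring is easy to follow.
REPOSITORY = (
    Document("d1", "Expense policy", "alpha alpha beta", "finance-lead",
             frozenset({"employee"}), "summary", "Expense policy overview"),
    Document("d2", "Acme contract", "alpha alpha alpha beta", "legal-lead",
             frozenset({"legal"}), "summary", "Commercial terms template"),
    Document("d3", "Incident post-mortem", "alpha beta beta", "secops-lead",
             frozenset({"secops"}), "existence"),
    Document("d4", "Board minutes", "alpha", "ciso",
             frozenset({"exec"}), "contact_only"),
    Document("d5", "Cafeteria menu", "beta beta", "facilities",
             frozenset({"employee"}), "summary", "Weekly menu"),
)

# Opaque handles handed out in place of document identity; the access control
# module resolves them when an access request comes back (Figure 2).
PENDING = {}


def relevance(doc, q1, q2):
    """Cumulative score in the style described above: zero without Q1,
    otherwise the Q1 count, weighted up by the number of Q2 occurrences.
    The exact weighting is a constructed choice."""
    words = doc.body.split()
    n1 = words.count(q1)
    if n1 == 0:
        return 0
    return n1 * (1 + words.count(q2))


def search_module(query):
    """Computes list L with read access to every document, independent of the
    caller. Its output must only ever reach the searcher via the filter."""
    q1, q2 = query.split()[:2]
    scored = [(relevance(d, q1, q2), d) for d in REPOSITORY]
    scored.sort(key=lambda t: -t[0])
    return [d for score, d in scored if score > 0]


def access_control_module(results, searcher_roles):
    """Turns L into L': accessible documents keep their hyperlink; for the
    rest only document information consistent with the owner's disclosure
    level is emitted, never the title, body or repository identifier."""
    final = []
    for rank, doc in enumerate(results, start=1):
        if searcher_roles & doc.readers:
            final.append({"rank": rank, "title": doc.title,
                          "href": f"/repo/{doc.doc_id}"})
            continue
        info = {"rank": rank, "kind": "document_info"}
        if doc.disclosure == "contact_only":
            # Contact for the owner only; nothing that points at the document.
            info["contact"] = doc.owner
        else:
            token = secrets.token_urlsafe(16)
            PENDING[token] = doc.doc_id
            info["request_token"] = token
            if doc.disclosure == "summary":
                info["summary"] = doc.summary
        final.append(info)
    return final


def generate_results(query, searcher_roles):
    """End-to-end: Q -> L (privileged) -> L' (filtered for this searcher)."""
    return access_control_module(search_module(query), frozenset(searcher_roles))
```

The point to notice is that `search_module` never sees the searcher's identity and `access_control_module` never sees a document body: the only thing that crosses from the privileged side to the searcher for a withheld document is a token the module can later resolve itself, plus whatever the owner has chosen to disclose.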
  • Figure 2 is a simplified schematic block diagram of an apparatus for retrieving a document that has been identified in search results L' 160.
  • The arrangement in Figure 2 may be used with the apparatus 100 of Figure 1 in a case where a searcher 150 does not have full access permission to a document, according to an example. Only the modules relevant to this process are shown in Figure 2.
  • Figure 2 shows a document repository 210 coupled to an access control module 220, similar, respectively, to document repository 110 and access control module 130 of Figure 1.
  • Searcher 230 may have received document information, such as document information 180 shown in Figure 1, as part of a list L' 160 of search results generated in response to a searcher's query Q.
  • Apparatus 200 illustrates a searcher 230 communicating with access control module 220 in order to retrieve a document that is included in the search results L' but which the searcher 230 currently does not have permission to access.
  • Access control module 220 receives a request R 245 from searcher 230 to access the document.
  • Access control module 220 optionally requires the searcher to authenticate themselves in a known way (for example by entering a username and a password) prior to accepting a request, to prevent the searcher (or, indeed, any third party) from illegitimately obtaining access to a document. This additional authentication step may be required since, in practice, the party making the request may not be the same as the searcher who generated the results.
  • In some examples, a searcher is authenticated prior to accessing the search service, so that their identity and role are known to the access control module when the search results are filtered accordingly.
  • The access control module 220 may forward the request to access the document 240 to a document owner 250.
  • The document owner 250 may, as has been described, be any party who has permission to modify access permissions in the access control policy with respect to that document.
  • Access to documents may thus be established at run-time through an on-line interaction between a searcher and an authoritative party who has control over document access.
  • Figure 2 shows the request R 245 being communicated by the access control module 220 to document owner 250.
  • Alternatively, the document information 180 provided in search results 160 may contain, for example, an email address or other contact information directly associating the document 240 with the document owner 250, in which case the searcher 230 may contact document owner 250 directly (not shown) without sending a request to access control module 220.
  • The document owner 250 may require additional information on the nature of the searcher's assignment, further verification of the searcher's identity or role, management approval, or redaction of sensitive information from the document that is irrelevant to the search query, before deciding to grant or refuse searcher 230 access to the document 240.
  • If access is granted, the document owner 250 can communicate with the access control module 220, for example by changing the corresponding access control policy or instructing it to retrieve the document 240 from document repository 210.
  • The access control module 220 may then retrieve and send the document 240 to the searcher 230.
  • Alternatively, the access control module 220 may notify the searcher 230 that they can retrieve the document from the document repository 210.
  • Such a notification from the access control module 220 may include a hyperlink to enable the searcher 230 to retrieve the document after access has been granted.
  • Either the document owner 250 or the access control module 220 may modify the access control policies to permit such access by the searcher.
  • A requested document may be further redacted prior to being released: sensitive material irrelevant to the searcher's query may be removed, whilst relevant information is retained. This may be performed automatically or manually, manual review being practical because only a small number of relevant documents are typically identified.
  • If access is refused, the document owner 250 may inform the searcher 230, for example via the access control module 220, that access has been refused.
  • In the example of Figure 2, the request to access the document 240 is made by the searcher 230 to the document owner 250 via the access control module 220.
  • The identity of the document owner 250 may be known from the document information 180.
  • Alternatively, the document information 180 may simply be sufficient for the access control module 220 to determine the identity of the document owner and attempt to acquire approval from the appropriate document owner 250, without the searcher 230 being informed of who the document owner is.
  • The request can trigger a re-evaluation of existing access control policies and their amendment, or chained management approval of individual or group access to a particular document repository.
  • Searcher 230 may be the party who originally generated the query and search results L' 160.
  • Alternatively, searcher 230 may be a different party, for example one acting on behalf of the original searcher.
  • In that case, a second determination can be made by the access control module 220 as to whether the searcher 230 has legitimate permission to access the search results and documents, for example by contacting the original searcher and asking them to authorise the requesting searcher 230.
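The following is an added illustration of the Figure 2 exchange just described (request R from an authenticated searcher, forwarded to the document owner without revealing the owner to the searcher, answered with a grant or refusal, and the second determination when the requester is not the original searcher). It is not code from the patent or from Hewlett-Packard; the session objects, the owner inbox, the opaque tokens, the delegation list and the one-hour default grant are constructed for the example.

```python
"""Run-time access request brokered by the access control module.

Added illustration of the Figure 2 exchange (searcher 230 -> access control
module 220 -> document owner 250 and back). Not code from the patent: the
session objects, the owner inbox, the opaque request tokens, the delegation
list and the one-hour default grant are all constructed for the example.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Outcome of the authentication step the module performs before it
    accepts a request."""
    user: str
    roles: frozenset


@dataclass
class Request:
    req_id: str
    doc_id: str
    requester: str
    justification: str
    status: str = "pending"   # "pending" | "granted" | "refused"


# Constructed state for the example.
OWNERS = {"d3": "secops-lead"}                 # who may change d3's permissions
ROLE_POLICY = {"d3": frozenset({"secops"})}    # standing access control policy
TOKENS = {}          # opaque token from document_info -> (doc_id, original searcher)
DELEGATIONS = set()  # (original searcher, delegate) pairs the searcher approved
REQUESTS = {}        # req_id -> Request
OWNER_INBOX = {}     # owner -> [Request]
TEMP_GRANTS = {}     # (doc_id, user) -> expiry (epoch seconds)
NOTIFICATIONS = []   # (user, message) sent back to the requester


def issue_token(doc_id, searcher):
    """Called when L' is built: binds an opaque token to the document and to
    the authenticated searcher it was shown to."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = (doc_id, searcher)
    return token


def authorise_delegate(session, delegate):
    """The original searcher lets another party request on their behalf."""
    DELEGATIONS.add((session.user, delegate))


def submit_request(session, token, justification):
    """Request R: resolve the token server-side and forward to the owner.
    The caller gets back only a request id, not the owner or the doc_id."""
    if token not in TOKENS:
        raise PermissionError("unknown request token")
    doc_id, original = TOKENS[token]
    if session.user != original and (original, session.user) not in DELEGATIONS:
        raise PermissionError("requester is neither the original searcher "
                              "nor authorised by them")
    req = Request(secrets.token_hex(8), doc_id, session.user, justification)
    REQUESTS[req.req_id] = req
    OWNER_INBOX.setdefault(OWNERS[doc_id], []).append(req)
    return req.req_id


def owner_decide(owner, req_id, grant, ttl_seconds=3600, now=None):
    """Owner's answer to the module. Only the document's owner may decide,
    and a grant is individual, per-document and time-limited rather than a
    change to the role policy."""
    req = REQUESTS[req_id]
    if OWNERS[req.doc_id] != owner:
        raise PermissionError("only the document owner may decide this request")
    if req.status != "pending":
        raise ValueError("request already decided")
    now = time.time() if now is None else now
    if grant:
        TEMP_GRANTS[(req.doc_id, req.requester)] = now + ttl_seconds
        req.status = "granted"
        NOTIFICATIONS.append((req.requester, f"access granted: /repo/{req.doc_id}"))
    else:
        req.status = "refused"
        NOTIFICATIONS.append((req.requester, "access refused"))
    return req.status


def may_read(session, doc_id, now=None):
    """Retrieval check: standing role policy, or an unexpired individual grant."""
    now = time.time() if now is None else now
    if session.roles & ROLE_POLICY.get(doc_id, frozenset()):
        return True
    return TEMP_GRANTS.get((doc_id, session.user), 0) > now
```

Two design choices are worth noting. The token is bound to the searcher it was issued to, so a forwarded result list cannot be used by a third party to request documents unless the original searcher explicitly authorises them. And a grant is recorded as a per-user, per-document, expiring entry alongside the standing role policy, which matches the temporary or exceptional access the text describes and leaves the role policy itself untouched.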
  • Figure 3 is a simplified schematic diagram of an apparatus 300 for generating a sanitised version of a document to which a searcher does not have full access permission, whereby the sanitised version of the document may be sent to the searcher without revealing sensitive or confidential information.
  • For example, a customer name and contact details may be removed from a sensitive document, whilst a generic technical description is retained and communicated to the searcher.
  • Apparatus 300 may be used with apparatus 100 and 200 shown in Figures 1 and 2, after a searcher has requested access to a document. Once again, only the modules relevant to this process are shown.
  • Access control module 310 is shown retrieving a document 320 from a document repository, such as document repository 210 of Figure 2.
  • The document 320 may have been retrieved, for example, in response to a document owner 250 having granted a searcher 230 access to a document for which the searcher 230 does not have permission to read the full document.
  • Access control module 310 is shown receiving a set of restrictions 330.
  • The restrictions 330 may comprise one or more rules or instructions specifying that certain information contained in document 320 should not be released to a searcher.
  • Restrictions 330 may comprise instructions to remove certain sensitive information from a document or, in another instance, may specify that portions or even whole sections of a document 320 be redacted prior to a searcher receiving the document.
  • Access control module 310 is arranged to generate a version 340 of document 320 by implementing the restrictions 330.
  • In one example, restrictions 330 are supplied to access control module 310 as computer-readable instructions or code to remove sections of document 320.
  • Access control module 310 outputs a version 340 of document 320 with sections of the document removed, redacted or obscured, and returns the sanitised version 340 to the searcher 230.
  • In one example, restrictions 330 are sent by a document owner, such as document owner 250 of Figure 2, who has granted permission to a searcher to access the document subject to the application by the access control module 310 of the one or more restrictions 330.
  • Document owner 250 can use apparatus 300 in a setting where a searcher has requested access to a large number of documents for which the searcher does not have full access permission and where sections of the documents are to be censored, removed or redacted.
  • For example, a document owner may require the removal of all personal details, such as email addresses, from a document.
  • For example, a document owner may send a restriction instruction 330 to access control module 310 to remove all email addresses from a set of emails before granting access to them.
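The following is an added illustration of the Figure 3 sanitisation step, covering both the customer-name-and-contact example and the email-removal example given above: restrictions 330 expressed as computer-readable rules, applied by the access control module to produce version 340, followed by an independent check that nothing a rule was meant to remove survived. It is not code from the patent or from Hewlett-Packard; the three rule kinds, the "## " section convention, the email pattern and the sample document are constructed for the example.

```python
"""Applying owner-supplied restrictions 330 to produce sanitised version 340.

Added illustration of the Figure 3 sanitisation step and the email-removal
example. Not code from the patent: the restriction format (three rule
kinds), the "## " section convention and the sample document are constructed
for the example.
"""
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Restriction:
    kind: str                      # "pattern" | "redact_section" | "remove_section"
    target: str                    # regex for "pattern", section heading otherwise
    placeholder: str = "[REDACTED]"


def split_sections(text):
    """[(heading, body)]; the preamble before the first heading has heading ''."""
    sections, heading, buf = [], "", []
    for line in text.splitlines():
        if line.startswith("## "):
            sections.append((heading, "\n".join(buf)))
            heading, buf = line[3:].strip(), []
        else:
            buf.append(line)
    sections.append((heading, "\n".join(buf)))
    return sections


def join_sections(sections):
    out = []
    for heading, body in sections:
        if heading:
            out.append("## " + heading)
        if body:
            out.append(body)
    return "\n".join(out)


def sanitise(text, restrictions):
    """Version 340 = document 320 with every restriction applied in order.
    Whole sections can be dropped, a section's body replaced, or a pattern
    (e.g. email addresses) replaced wherever it occurs, headings included."""
    sections = split_sections(text)
    for r in restrictions:
        if r.kind == "remove_section":
            sections = [(h, b) for h, b in sections if h != r.target]
        elif r.kind == "redact_section":
            sections = [(h, r.placeholder if h == r.target else b) for h, b in sections]
        elif r.kind == "pattern":
            rx = re.compile(r.target)
            sections = [(rx.sub(r.placeholder, h), rx.sub(r.placeholder, b))
                        for h, b in sections]
        else:
            raise ValueError(f"unknown restriction kind {r.kind!r}")
    return join_sections(sections)


def release(text, restrictions):
    """Sanitise, then independently verify that nothing a restriction was
    meant to remove survives before the version is handed to the searcher."""
    version = sanitise(text, restrictions)
    for r in restrictions:
        if r.kind == "pattern" and re.search(r.target, version):
            raise RuntimeError(f"pattern {r.target!r} still present after sanitising")
        if r.kind == "remove_section" and ("## " + r.target) in version.splitlines():
            raise RuntimeError(f"section {r.target!r} still present after sanitising")
    return version


# Constructed sample document 320 and the owner's restrictions 330.
SAMPLE_DOC = """Customer: Acme Corp
Contact: jane.doe@acme.example
## Technical description
The unit accepts 12 V input and exposes a UART console on header J3.
## Pricing
Unit price: 42.00 per unit, net 30.
## Contacts
Account manager: sales@acme.example
"""

SAMPLE_RESTRICTIONS = (
    Restriction("pattern", r"Customer: .*", "[customer name removed]"),
    Restriction("pattern", EMAIL_RE.pattern, "[email removed]"),
    Restriction("redact_section", "Pricing"),
    Restriction("remove_section", "Contacts"),
)
```

`release` is the check a practitioner wants in front of the searcher: it re-runs each pattern and each removed heading against the finished version, so a placeholder that itself matches the rule, or a rule that silently failed, is caught before the document leaves the access control module rather than after.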
  • Figure 4 shows a method, according to an example of generating search results and providing access to documents in accordance with one or more access control policies.
  • the method 400 shown in Figure 4 may be implemented on the apparatus shown in Figures 1 to 3 and can also be used in conjunction with the other methods described herein.
  • method 400 relates to searching a document repository comprising a plurality of documents, where, as previously stated, a document may be any electronically stored file in practice.
  • a search query is received from a searcher.
  • a search query Q 140 may be received at a search module 120.
  • the search query may comprise one or more strings and instructions relating to a searcher's preferences regarding how the search results are to be generated and what kind of search is to be performed. For example, it may be the case that a searcher 150 requests that search results are returned in order of when documents were created, size of documents, location of the documents in a document repository or geographical location when documents are stored in physically distributed storage, frequency of accesses to the documents or by meta-data associated to the documents.
  • The relevance to the search query of documents stored in a document repository, each with one or more associated access permissions, is established.
  • The relevance of the documents is established in relation to the search query and to the searcher's preferences regarding any search criteria. For example, a searcher may request that a document which has been accessed more frequently in the past should be deemed more relevant than a document which has been accessed less frequently.
  • A search module implementing method 400, such as search module 120, may first establish the relevance of the document to the strings appearing in the search query and then apply the searcher's preference for deeming more frequently accessed documents to be more relevant.
  • the method used to determine relevance may comprise a number of additional steps.
  • various methods may be used to establish the importance or relevance of a document to a queried string.
  • the searcher may specify one or more methods of establishing relevance in addition to user preferences regarding how the search results are to be returned to the user. In this case, the searcher may require more than one search to be carried out, for comparative purposes.
  • establishing the relevance of documents in the search result may be postponed until the search results are generated. In other words, step 420 may be performed after steps 430 or 440.
  • an implementation of method 400 in which a searcher establishes the relevance of documents after receiving a list of search results is also possible with the methods and apparatus disclosed herein.
  • the results of searching a document repository are generated according to the relevance of documents in the repository and the searcher is provided with content to enable them to access documents for which they have access permission.
  • This may be, for example, a direct link to the document's location in a document repository or, alternatively, contact content such as an email address for the owner of the document.
  • At step 440, content to enable the searcher to request access to documents for which they do not have access permission is generated.
  • The content generated may provide the searcher with a means to express a need for a document; for example, the content may be an HTML submission form.
  • the request can be raised to a document owner or relevant management personnel and a respective document owner may be contacted, as described in relation to Figures 1 and 2.
  • Content generated may be used to assist a searcher in learning more about a document prior to raising a request, and thus may be used to avoid an unnecessary request.
  • the content comprises document information which indicates at least the existence of the document within the repository.
  • the document information may provide a summary of the document, in one case, which comprises unrestricted content.
  • document information may include a summary of the document where aspects of the document are deliberately omitted, in the case where portions of the document are sensitive or confidential.
  • the document information provides an indication of the existence of a document which is relevant to the search query and content which can be used to allow the owner of the document to be contacted.
  • the document information may provide no indication of the existence of the document in a document repository.
  • an entity tasked with performing the search on behalf of the searcher may be subject to a separate set of access control policies in relation to documents stored in a document repository which it is searching.
  • the access control policies may restrict the search module from accessing a document which is relevant to the search query.
  • method 400 may be extended to include a sub-step wherein, if it is determined that a search module cannot access a relevant document, the search module returns nothing.
  • method 400 may be used with an apparatus which has higher access privileges than any searcher generating a search query, thus ensuring that any relevant search result may be returned subject, for example, to the access control policies as applied to the searcher.
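As an added example (not code from the patent), the search routine below follows method 400: it scores relevance, applies an optional searcher preference, skips documents the search module itself may not read, and returns either direct-access content or request-access content with owner-approved document information. The `Document` class, the result dictionaries and the sample repository are assumptions constructed here.

```python
"""Added example, not the patent's code: an access-control-aware search in
the style of method 400. The Document class, result dictionaries and the
sample repository are constructed for this illustration."""
import re
from dataclasses import dataclass


@dataclass
class Document:
    doc_id: str
    owner: str                    # contact for raising an access request
    text: str
    readers: set                  # principals with read permission
    summary: str = ""             # owner-approved summary of unrestricted content
    disclosure: str = "summary"   # "summary" | "existence" | "hidden"
    access_count: int = 0         # past reads, usable as a searcher preference


def relevance(doc, terms):
    """Term-frequency relevance of a document to the query strings (step 420)."""
    words = re.findall(r"\w+", doc.text.lower())
    return sum(words.count(t) for t in terms)


def search_repository(repo, searcher, query, module_principal="search-module",
                      boost_by_access_count=False):
    """One result per relevant, reportable document: content to access it
    directly (step 430) or content to request access (step 440)."""
    terms = [t.lower() for t in query.split()]
    scored = []
    for doc in repo:
        score = relevance(doc, terms)
        if score == 0:
            continue
        if boost_by_access_count:
            # Searcher preference: frequently read documents rank higher.
            score *= 1 + doc.access_count
        scored.append((score, doc))
    scored.sort(key=lambda pair: -pair[0])

    results = []
    for score, doc in scored:
        # The search module is itself subject to access control: a document
        # it cannot read is not reported at all.
        if module_principal not in doc.readers:
            continue
        if searcher in doc.readers:
            results.append({"doc_id": doc.doc_id, "score": score, "access": "link",
                            "link": f"repo://{doc.doc_id}"})
        elif doc.disclosure == "hidden":
            # The owner chose to give no indication that the document exists.
            continue
        else:
            # Document information reveals at most the owner-approved summary;
            # with disclosure "existence" only the owner contact is shown.
            info = doc.summary if doc.disclosure == "summary" else ""
            results.append({"doc_id": doc.doc_id, "score": score, "access": "request",
                            "owner_contact": doc.owner, "document_info": info,
                            "request_form": f"/request?doc={doc.doc_id}"})
    return results


# Constructed sample repository; addresses use the reserved .invalid TLD.
REPO = [
    Document("d1", "alice@example.invalid", "quarterly budget forecast and budget risks",
             readers={"search-module", "alice", "bob"}),
    Document("d2", "carol@example.invalid", "budget for the acquisition project",
             readers={"search-module", "carol"},
             summary="Acquisition project budget; figures withheld.", access_count=5),
    Document("d3", "dave@example.invalid", "budget of the merger",
             readers={"search-module", "dave"}, disclosure="hidden"),
    Document("d4", "erin@example.invalid", "budget the search module may not read",
             readers={"erin"}),
    Document("d5", "frank@example.invalid", "holiday rota",
             readers={"search-module", "bob"}),
]
```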
  • Figure 5 shows a method 500, according to an example, of requesting access to a document for which a searcher does not have read access.
  • Method 500 may be implemented as a company business process or request-elevation process, where a searcher who has identified potentially relevant documents for their task or role must follow the process to gain access to the document if there is a genuine need and their organisation can benefit from the information sharing.
  • Method 500 may be implemented on the apparatus 200 shown in Figure 2 in response to a searcher making a search query on an apparatus 100 as shown in Figure 1.
  • method 500 may be implemented by an access control module 220 in communication with a document repository 210 between a searcher 230 and a document owner 250 as shown in Figure 2.
  • a request is received to access a document for which a searcher does not have full access permission.
  • This request may have been made on behalf of or instead of the searcher by a third party and, in particular, need not have been made by the searcher who originally made the search query.
  • a searcher such as searcher 150 shown in Figure 1
  • access control module 220 is arranged to receive and process the request to access a document.
  • Access control module 220 additionally requires the user to authenticate themselves in a known way (for example by entering a username and a password) prior to accepting a request, to prevent a third party illegitimately requesting access to a document.
  • A third party with lower access permissions than the searcher may attempt to gain access to a document by impersonating a searcher.
  • additional steps in method 500 may be included whereby a searcher is asked to supply credentials or authenticate themselves.
  • the request to access the document for which the searcher does not have access permission is communicated to the document owner.
  • a searcher may send a request specifying, for example, reasons for the document owner to consider why they should be granted access to the document without having the necessary access permissions.
  • the searcher may not be aware of the document for which they are requesting access.
  • an access control module 230 may be arranged to access the results of a search and determine which documents in the search are relevant to the request, then identify the document owners and communicate the requests to the document owners.
  • The searcher can be provided with a copy of the requested document or with a redacted version of it. In some cases, a data owner or management may decide that the searcher's needs warrant changes in access policies, resulting in the searcher being given access to some part of a repository to which they previously had no access. The same could be true of some part of the searcher's organization, where their colleagues are also granted extra permissions; the corresponding policies can be adjusted accordingly.
  • a searcher may request access to a plurality of documents contained in a directory to which it does not have full access permission.
  • an access control module 230 may forward the request to the owner or owners of the directory.
  • a request to access a document may be made using a web form, for example, which is communicated by an email server (not illustrated).
  • the request and respective reasons for needing access may be included on the web form.
  • An access control module may add email addresses of the document owners to the form, so that the email server may send the requests automatically to the respective document owners.
  • other content by which the document owners may be contacted may be added to the form, including, for example, mailing address and/or telephone number.
  • Figure 6 shows a method 600, according to an example, of granting access to a document for which a searcher does not have full access permission.
  • Method 600 may be used in conjunction with method 500 to respond to a request from a searcher to grant access to a document, and implemented on apparatus 200 shown in Figure 2.
  • a determination is made of whether a document owner has granted access permission to the searcher to access a document for which a searcher does not have access permission.
  • the document owner may receive a request comprising reasons from the searcher as to why the searcher should be granted access to the document and, correspondingly, grant or deny access.
  • A searcher is provided with a submission box, for example in HTML format, allowing them to submit a request.
  • The "searcher" and/or the document "owner" may be non-human entities, in which case a request to access a document may be automated in response to a searcher receiving, for example, document information from an access control module as in Figure 1. The document owner may then automatically process a request to access the document, subject to one or more additional instructions specifying access rights to the documents.
  • a searcher may be granted access to a document (or documents)
  • the document(s) is or are retrieved from the document repository.
  • A document owner sends the confirmation that a searcher has been granted access to, for example, access control module 220, which will then retrieve the document from the document repository.
  • the document owner may wish to send the document directly to the searcher, for example, via an email or, alternatively, by an offline procedure.
  • An access control module may be adapted to provide such a degree of additional security.
  • A document owner may authorise access to a plurality of documents. For example, where a searcher has simultaneously requested access to a large number of documents for which it does not have full access permission, it may be more efficient to grant access to all the documents at once rather than on a case-by-case basis.
  • the document is (or documents are) sent to the searcher.
  • a searcher may be granted access permission and their access rights to a document, documents or to an entire portion of a document repository may be modified accordingly. In this way, documents need not be retrieved and communicated to a searcher by an access control module. Instead, the searcher can retrieve the desired documents.
  • Modification of the access control policy to permit such access may be performed by the access control module on behalf of a document owner, by the document owner, or after escalation to higher-level management or a security officer, when the overall benefits for the organization are balanced against the increased vulnerability of granting access to a wider group.
  • Figure 7 shows a method 700, according to an example, of implementing one or more restrictions prior to sending a document to a searcher.
  • Method 700 may be used concurrently with methods 400 to 600 and may be implemented on an apparatus 300 shown in Figure 3.
  • instructions are received to restrict information being sent to a searcher in a document for which the searcher does not have full access permission.
  • method 700 may be implemented by an access control module such as those previously described.
  • one or more restrictions may be executed in relation to the document to prevent content in the document from being sent to the searcher.
  • restrictions may require whole sections of a document to be redacted to prevent, for example, confidential information from reaching a searcher.
  • Restrictions may be due to conditions imposed by a document owner on granting access to a document for which a searcher does not have full access.
  • At step 720, the instructions to restrict information being sent to a searcher in a document are implemented.
  • implementing the instructions comprises generating a summary of the document to comply with the restrictions. This may be an automated process, where the restrictions comprise code or computer instructions to remove certain keywords or sections of a document.
  • Figure 3 shows an access control module 310 generating a restricted summary of a document due to restrictions 330.
  • Step 720 may be implemented on access control module 300.
  • the document owner may generate their own summary of a document, redacting sections or keywords prior to sending the document to the searcher.
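As an added example (not code from the patent), the module below applies owner-supplied restrictions 330 in the style of access control module 310 and method 700: each instruction either removes every match of a pattern (such as email addresses) or redacts a whole section, and the output is re-checked before release so that an instruction the module cannot execute never results in the unrestricted document being sent. The instruction format, the '#' heading convention and the sample document are assumptions constructed here.

```python
"""Added example, not the patent's code: applying owner-supplied restrictions
before a document is released to a searcher (access control module 310,
method 700). The instruction format, the section convention (lines starting
with '#') and the sample document are constructed for this illustration."""
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass(frozen=True)
class Restriction:
    kind: str    # "remove_pattern": blank every match; "redact_section": drop a section
    target: str  # a regex for remove_pattern, a section heading for redact_section


def apply_restrictions(text, restrictions, marker="[REDACTED]"):
    """Return (sanitised_text, report). The report counts what each rule
    removed so the owner can confirm the restrictions took effect; a count
    of 0 for redact_section means the named section was not found."""
    report = {}
    for rule in restrictions:
        if rule.kind == "remove_pattern":
            text, count = re.subn(rule.target, marker, text)
        elif rule.kind == "redact_section":
            # A section runs from its '#' heading line to the next heading or EOF.
            heading = re.escape(rule.target)
            section = rf"(?ms)^#[ \t]*{heading}[ \t]*\n.*?(?=^#|\Z)"
            text, count = re.subn(section, f"# {rule.target}\n{marker}\n", text)
        else:
            # Fail closed: an instruction the module cannot execute must not
            # result in the unrestricted document being sent.
            raise ValueError(f"unknown restriction kind: {rule.kind}")
        report[f"{rule.kind}:{rule.target}"] = count
    return text, report


def safe_to_release(sanitised, restrictions):
    """Independent check before sending version 340: no remove_pattern rule
    may still match the sanitised output."""
    return not any(rule.kind == "remove_pattern" and re.search(rule.target, sanitised)
                   for rule in restrictions)


# Constructed sample document and owner restrictions (addresses use .invalid).
SAMPLE_DOCUMENT = """\
# Summary
Quarterly review prepared by alice@example.invalid for the board.
# Financial details
Revenue figures and margins (confidential).
Contact carol.smith@example.invalid for the spreadsheet.
# Next steps
Circulate to the team.
"""
RESTRICTIONS = [
    Restriction("remove_pattern", EMAIL_RE.pattern),
    Restriction("redact_section", "Financial details"),
]
```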
  • a problem for organizations implementing access control policies is to allow users to attain legitimate and/or exceptional access to services and information to which they are not automatically allowed.
  • the apparatus and methods described in the examples herein provide a solution to this problem by allowing a searcher to become aware of documents relevant to their search query in spite of access control policies restricting access to those documents.
  • This allows organizations implementing access control policies to avoid the creation of data silos in their organizations and removes the inefficiencies that arise because of users duplicating documents in the organization.
  • This provides the document owner with a granular approach to controlling information release in a document.
  • The apparatus and methods disclosed provide a significant improvement over existing systems for access control and document management, giving both searchers and document owners a greater degree of control.
  • the systems described herein can be implemented on an existing document search architecture by providing a simple additional component such as the exemplary access control modules described herein.
  • FIG. 8 shows an example 800 of a device comprising a machine-readable storage medium 810 coupled to a processor 820.
  • Machine-readable media 810 can be any media that can contain, store, or maintain programs and data for use by or in connection with an instruction execution system.
  • Machine-readable media can comprise any one of many physical media such as, for example, electronic, magnetic, optical, electromagnetic, or semiconductor media. More specific examples of suitable machine-readable media include, but are not limited to, a hard drive, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory, or a portable disc.
  • the machine-readable storage medium comprises program code to effect an access control module 830 and search results data 840 as described in the foregoing examples herein.
  • the access control module 830 may in practice be alternatively provided by a single chip or integrated circuit or plural chips or integrated circuits, optionally provided as a chipset, an application-specific integrated circuit (ASIC), field-programmable gate array (FPGA), etc.
  • The chip or chips may comprise circuitry (and possibly firmware) for embodying at least the access control module described above, configurable so as to operate in accordance with the described examples.
  • the described examples may be implemented at least in part by computer program code stored in (non-transitory) memory and executable by the processor, or by hardware, or by a combination of tangibly stored code and hardware (and tangibly stored firmware).

Abstract

The invention relates to example methods and a system for performing an automated document search. In one example, a search module is arranged to receive a search query. The search module determines the relevance to the search query of a set of documents held in a repository, the documents being subject to an access control policy. An access control module provides content to the searcher enabling access to any document for which the searcher has access permission under the access control policy, and provides content to the searcher enabling a request for access to any document for which the searcher does not have access permission.
PCT/EP2015/067807 2015-08-03 2015-08-03 Accès à un document WO2017020947A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2015/067807 WO2017020947A1 (fr) 2015-08-03 2015-08-03 Accès à un document

Publications (1)

Publication Number Publication Date
WO2017020947A1 true WO2017020947A1 (fr) 2017-02-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15753908; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15753908; Country of ref document: EP; Kind code of ref document: A1)