Document, as used herein, may refer to any granularity of data which the operating system is capable of recognizing and manipulating as a distinct entity. For example, a document may be an object in a larger set of data, e.g. an object in a personal calendar, web application or web site. For example, a user may mark certain objects in the personal calendar for read access to family members, other objects for read access to co-workers, and yet other objects for read access to only the user. As another example, a user may mark certain files (e.g. photos) stored in an online web application (e.g. a file-sharing application) for access by certain users but not other users. A document may also be the larger set of data (e.g. the personal calendar, web application or web site).
Users often want to control access to documents by allowing or restricting certain actions (e.g. read, write or execute) to certain users or groups of users. Access Control Lists (ACLs) give users a way of controlling access to documents.
Conventionally, an ACL is a data structure, such as a table, that tells a computer operating system the access privileges each user has to a particular document. The access privileges allow the user to perform certain operations, such as read, write and/or execute the document.
A single ACL may control access to all available operations on the document. For example, a single ACL may indicate that a document is writable by one select group of users but readable by a larger group of users. Alternatively, separate ACLs may control access to the different operations. For example, one ACL may indicate that a document is writable by a group of users while another ACL may indicate that the document is readable by another group of users. Therefore a document may have a read ACL that lists users with permission to read the document and a write ACL that lists users with permission to modify the document.
In certain applications, a single ACL may control several documents. For example, everyone in a group (or alias) may read all messages designated for the group. Since an ACL may itself be a document or be part of a document, ACLs may also be used to control who may modify other ACLs.
Conventional systems use ACLs to control access to a document by searching the document's ACL when a user requests access. For example, when a user requests read access to a document, conventional systems search the document's read ACL to determine if the user appears directly in the list. If the user does not appear directly in the list, conventional systems will recursively examine each group (or alias) appearing in the list in an attempt to find the user. To avoid infinite loops while traversing this membership structure (which includes aliases embedded in other aliases), a list of examined aliases may be kept.
The above data access control technique has several disadvantages. For example, the document's ACL may include aliases which refer to data structures stored on other machines. For example, an ACL may include five aliases, each stored in a different server. Therefore, to determine if a user has access to the document, the different servers may be accessed. That is, intermachine communication may be required.
Additionally, the time to determine whether a user has access to data may increase significantly with the number of users in the system, the number of documents being controlled, and the number of aliases defined. For example, the time to determine whether one user has access to a document can be linear in the depth of the membership structure. The more aliases are embedded in other aliases, the more time it may take to determine if a user has access. Compound this with the time a conventional system may take to determine access for multiple users, each being members of multiple groups and each requesting access to multiple documents, and the result is an access control technique that becomes increasingly resource intensive as the system grows.
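The conventional lookup described above can be sketched as follows. This is an added illustration, not code from the original text: it searches a read ACL for a user, recursively expands nested aliases while keeping a list of examined aliases, and records which servers had to be contacted. The alias names, user names and server names are constructed, and the alias-to-server mapping is an assumed representation.

```python
# Constructed sample data: alias name -> (hosting server, members).
# Members are user names or other alias names; all names are hypothetical.
ALIASES = {
    "staff":    ("srv-a", ["alice", "eng", "ops"]),
    "eng":      ("srv-b", ["bob", "platform"]),
    "platform": ("srv-c", ["carol", "eng"]),  # cycle: platform -> eng -> platform
    "ops":      ("srv-d", ["dave"]),
}

READ_ACL = ["erin", "staff"]  # constructed read ACL for one document


def check_access(user, acl, aliases):
    """Return (allowed, aliases_examined, servers_contacted)."""
    examined = []    # list of examined aliases; prevents infinite loops
    servers = set()  # servers whose alias data had to be fetched

    def search(entries):
        # Step 1: does the user appear directly in this list?
        if user in entries:
            return True
        # Step 2: recursively expand each alias not examined so far.
        for entry in entries:
            if entry in aliases and entry not in examined:
                examined.append(entry)
                server, members = aliases[entry]
                servers.add(server)  # expanding an alias contacts its host
                if search(members):
                    return True
        return False

    allowed = search(acl)
    return allowed, examined, sorted(servers)


if __name__ == "__main__":
    for name in ("erin", "carol", "mallory"):
        print(name, check_access(name, READ_ACL, ALIASES))
```

A user who is not on the list is the most expensive case: every alias is expanded and every server is contacted before access is denied.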
Therefore, what is desired is an improved system and method for controlling access to documents.