Search

US-12625990-B2 - Activity-based content object access permissions

US12625990B2US 12625990 B2US12625990 B2US 12625990B2US-12625990-B2

Abstract

Methods, systems and computer program products for content management systems. The techniques of the methods, systems and/or computer program products automatically determine activity-based content object access permissions and/or make a recommendation of activity-based content object access permissions. A machine learning model is formed from observations of user interactions over a plurality of content objects. The model is continually updated based on ongoing observation and analysis of user interaction events. When a collaborative relationship is formed between an invitor and one or more invitees, the activity-based permissions model is accessed to determine a set of access permissions to assign to the collaborative relationship. A single collaborative relationship may cover many collaboration objects. In some cases, a set of access permissions are automatically assigned to the collaborative relationship. In other cases, a set of access permissions is presented to the invitor as a recommendation. A user can accept or reject any recommendation.

Inventors

  • Alok Ojha

Assignees

  • Box, Inc.

Dates

Publication Date
20260512
Application Date
20230814

Claims (20)

  1. 1 . A method, comprising: generating a filtered set of vector data at least by filtering a plurality of collaboration relationship features into a smaller subset of collaboration relationship features, the smaller subset used in forming the filtered set of vector data, the filtered set describing characteristics of a plurality of collaborative relationships, and the characteristics comprising a set of access permissions and a collaboration action that is to be performed on one or more of a plurality of content objects; training a model into a trained model at least by providing the filtered set as an input training dataset to adjust one or more model parameters of the model, the filtered set further describing first interaction events between a plurality of users and the plurality of content objects and second interaction events among the plurality of users; and after receiving a request for initiating a collaborative relationship between an inviter and a plurality of invitees among the plurality of users to collaborate on a content object of the plurality of content objects, performing a set of actions for the request, the set of actions comprising: generating one or more user clusters from the smaller subset of collaboration relationship features; and assigning, by the trained model using at least the one or more user clusters, respective access roles and respective access permissions for the plurality of invitees to the collaborative relationship for collaborating on the content object, based at least in part upon an analysis result of one or more activity attributes of the first and the second interaction events and one or more new attributes of the collaborative relationship.
  2. 2 . The method of claim 1 , wherein the filtered set used in training the model includes first vector data that is varied from original first vector data in the filtered set and a second vector data that remains original in the filtered set, the plurality of collaborative relationship features comprises the set of access permissions associated with the plurality of collaborative relationships, one or more collaborative actions associated with the plurality of collaborative relationships, and at least one of a user identifier or a content object identifier of the content object, the first or the second interaction events pertain to a plurality of entities, the plurality of entities comprises a plurality of users and the plurality of content objects, an entity comprises a user of the plurality of users or a content object of the plurality of content objects, the first interaction events comprise an entity-to-entity interaction event, and the respective access permissions respectively allow for at least two different types of access to the content object.
  3. 3 . The method of claim 2 , wherein the entity-to-entity interaction event includes a user-to-user interaction event in the second interaction events or a user-to-object interaction event in the first interaction events, and the one or more activity attributes comprise a user-to-object interaction attribute, a user-to-user interaction attribute, or an access permission that has been assigned to one or more entities of the plurality of entities.
  4. 4 . The method of claim 3 , the set of actions further comprising: generating a set of vector data from at least some of the first or the second interaction events, wherein a piece of vector data in the filtered set of vector data corresponds to a respective user interaction event of the at least some of the first or the second interaction events and comprises a respective set of one or more interaction attributes associated with the respective user interaction event, and the respective set of one or more interaction attributes comprises one or more user identifiers, or one or more content object identifiers, or a timestamp.
  5. 5 . The method of claim 4 , the set of actions further comprising: determining one or more interaction event groups for the at least some of the first or the second interaction events based at least in part upon a similarity measure between at least two pieces of vector data in the filtered set of vector data; generating one or more user interaction groups based at least in part upon the one or more interaction event groups; and generating a collaboration network data structure for each respective user interaction group of the one or more user interaction groups based at least in part upon the each respective user interaction group and the one or more interaction event groups, the collaboration network data structure characterizing a plurality of entities and one or more entity relationships among the plurality of entities that constitute an interaction event group of the one or more interaction event groups.
  6. 6 . The method of claim 5 , the set of actions further comprising: determining the filtered set of vector data from one or more collaboration network data structures that respectively correspond to the one or more user interaction groups based at least in part upon one or more collaborative relationship features of the plurality of collaboration relationship features, wherein the one or more collaborative relationship features comprise one or more access permissions associated with the collaborative relationship, a collaborative action associated with the collaborative relationship, and at least one of a user identifier or a content object identifier; forming the training dataset using at least the filtered set of vector data; and training the model further at least by using a first portion of the training dataset as the input to the model that generates an output in response to the input, wherein the output comprises one or more model adjusted parameters that have been adjusted for the one or more model parameters of the model.
  7. 7 . The method of claim 6 , the set of actions further comprising: validating the trained model using a second portion of the training dataset as a separate input to the trained model based at least in part upon one or more target tolerances; and determining the trained model from a plurality of parameters in the learning model, wherein a size of the trained model is smaller than that of the model before the model has been trained.
  8. 8 . The method of claim 1 , the set of actions further comprising: recording the one or more activity attributes from at least one of the first interaction events and the second interaction events; in response to an invitation from an inviting user to an invited user to collaborate on the content object, determining the collaborative relationship; deriving the one or more new attributes for the collaborative relationship from the one or more activity attributes of the at least one of the first and the second interaction events, wherein an activity attribute describes one or more access permissions that correspond to a historical collaborative relationship associated with a historical interaction of the first or the second interaction events; providing the one or more new attributes of the collaborative relationship as an input to the model; determining, by the model that generates activity-based permissions, a set of recommended access permissions at least by applying one or more new attributes of the collaborative relationship to the model; and autonomously assigning the set of recommended access permissions to the invited user, without user intervention.
  9. 9 . A non-transitory computer readable medium having stored thereon a sequence of instructions which, when executed by a processor, causes the processor to execute a set of acts, the set of acts comprising: generating a filtered set of vector data at least by filtering a plurality of collaboration relationship features into a smaller subset of collaboration relationship features, the smaller subset used in forming the filtered set of vector data, and the filtered set describing characteristics of a plurality of collaborative relationships, and the characteristics comprising a set of access permissions and a collaboration action that is to be performed on one or more of a plurality of content objects; training a model into a trained model at least by providing the filtered set as an input training dataset to adjust one or more model parameters of the model, the filtered set further describing first interaction events between a plurality of users and the plurality of content objects and second interaction events among the plurality of users; and after receiving a request for initiating a collaborative relationship between an inviter and a plurality of invitees among the plurality of users to collaborate on a content object of the plurality of content objects, performing a set of actions for the request, the set of actions comprising: generating one or more user clusters from the smaller subset of collaboration relationship features; and assigning, by the trained model using at least the one or more user clusters, respective access roles and respective access permissions for the plurality of invitees to the collaborative relationship for collaborating on the content object, based at least in part upon an analysis result of one or more activity attributes of the first and the second interaction events and one or more new attributes of the collaborative relationship.
  10. 10 . The non-transitory computer readable medium of claim 9 , the set of acts further comprising: generating a set of vector data from at least some of the first or the second interaction events, wherein a piece of vector data in the filtered set corresponds to a respective user interaction event of the at least some of the first or the second interaction events and comprises a respective set of one or more interaction attributes associated with the respective user interaction event, and the respective set of one or more interaction attributes comprises one or more user identifiers, or one or more content object identifiers, or a timestamp.
  11. 11 . The non-transitory computer readable medium of claim 10 , the set of acts further comprising: determining one or more interaction event groups for the at least some of the first or the second interaction events based at least in part upon a similarity measure between at least two pieces of vector data in the filtered set of vector data; generating one or more user interaction groups based at least in part upon the one or more interaction event groups; and generating a collaboration network data structure for each respective user interaction group of the one or more user interaction groups based at least in part upon the each respective user interaction group and the one or more interaction event groups, the collaboration network data structure characterizing a plurality of entities and one or more entity relationships among the plurality of entities that constitute an interaction event group of the one or more interaction event groups.
  12. 12 . The non-transitory computer readable medium of claim 11 , the set of acts further comprising: determining the filtered set of vector data from one or more collaboration network data structures that respectively correspond to the one or more user interaction groups based at least in part upon one or more collaborative relationship features of the plurality of collaboration relationship features, wherein the one or more collaborative relationship features comprise one or more access permissions associated with the collaborative relationship, a collaborative action associated with the collaborative relationship, and at least one of a user identifier or a content object identifier; forming the training dataset using at least the filtered set of vector data; and training the model further at least by using a first portion of the training dataset as the input to the model that generates an output in response to the input, wherein the output comprises one or more model adjusted parameters that have been adjusted for the one or more model parameters of the model.
  13. 13 . The non-transitory computer readable medium of claim 12 , the set of acts further comprising: validating the trained model using a second portion of the training dataset as a separate input to the trained model based at least in part upon one or more target tolerances; and determining the trained model from a plurality of parameters in the learning model, wherein a size of the trained model is smaller than that of the model before the model has been trained.
  14. 14 . The non-transitory computer readable medium of claim 9 , the set of acts further comprising: recording the one or more activity attributes from at least one of the first interaction events and the second interaction events; in response to an invitation from an inviting user to an invited user to collaborate on the content object, determining the collaborative relationship; deriving the one or more new attributes for the collaborative relationship from the one or more activity attributes of the at least one of the first and the second interaction events, wherein an activity attribute describes one or more access permissions that correspond to a historical collaborative relationship associated with a historical interaction of the first or the second interaction events; providing the one or more new attributes of the collaborative relationship as an input to the model; determining, by the model that generates activity-based permissions, a set of recommended access permissions at least by applying one or more new attributes of the collaborative relationship to the model; and autonomously assigning the set of recommended access permissions to the invited user, without user intervention.
  15. 15 . A system, comprising: a non-transitory storage medium having stored thereon a sequence of instructions; and one or more processors that execute the sequence of instructions, execution of the sequence of instructions causes the one or more processors to perform a set of acts, the set of acts comprising: generating a filtered set of vector data at least by filtering a plurality of collaboration relationship features into a smaller subset of collaboration relationship features, the smaller subset used in forming the filtered set of vector data, and the filtered set describing characteristics of a plurality of collaborative relationships, and the characteristics comprising a set of access permissions and a collaboration action that is to be performed on one or more of a plurality of content objects; training a model into a trained model at least by providing the filtered set as an input training dataset to adjust one or more model parameters of the model, the filtered set further describing first interaction events between a plurality of users and the plurality of content objects and second interaction events among the plurality of users; and after receiving a request for initiating a collaborative relationship between an inviter and a plurality of invitees among the plurality of users to collaborate on a content object of the plurality of content objects, performing a set of actions for the request, the set of actions comprising: generating one or more user clusters from the smaller subset of collaboration relationship features; and assigning, by the trained model using at least the one or more user clusters, respective access roles and respective access permissions for the plurality of invitees to the collaborative relationship for collaborating on the content object, based at least in part upon an analysis result of one or more activity attributes of the first and the second interaction events and one or more new attributes of the collaborative relationship.
  16. 16 . The system of claim 15 , the set of acts further comprising: generating a set of vector data from at least some of the first or the second interaction events, wherein a piece of vector data in the filtered set of vector data corresponds to a respective user interaction event of the at least some of the first or the second interaction events and comprises a respective set of one or more interaction attributes associated with the respective user interaction event, and the respective set of one or more interaction attributes comprises one or more user identifiers, or one or more content object identifiers, or a timestamp.
  17. 17 . The system of claim 16 , the set of acts further comprising: determining one or more interaction event groups for the at least some of the first or the second interaction events based at least in part upon a similarity measure between at least two pieces of vector data in the filtered set of vector data; generating one or more user interaction groups based at least in part upon the one or more interaction event groups; and generating a collaboration network data structure for each respective user interaction group of the one or more user interaction groups based at least in part upon the each respective user interaction group and the one or more interaction event groups, the collaboration network data structure characterizing a plurality of entities and one or more entity relationships among the plurality of entities that constitute an interaction event group of the one or more interaction event groups.
  18. 18 . The system of claim 17 , the set of acts further comprising: determining the filtered set of vector data from one or more collaboration network data structures that respectively correspond to the one or more user interaction groups based at least in part upon one or more collaborative relationship features of the plurality of collaboration relationship features, wherein the one or more collaborative relationship features comprise one or more access permissions associated with the collaborative relationship, or a collaborative action associated with the collaborative relationship, and at least one of a user identifier or a content object identifier; forming the training dataset using at least the filtered set of vector data; and training the model further at least by using a first portion of the training dataset as the input to the model that generates an output in response to the input, wherein the output comprises one or more model adjusted parameters that have been adjusted for the one or more model parameters of the model.
  19. 19 . The system of claim 18 , the set of acts further comprising: validating the trained model using a second portion of the training dataset as a separate input to the trained model based at least in part upon one or more target tolerances; and determining the trained model from a plurality of parameters in the learning model, wherein a size of the trained model is smaller than that of the model before the model has been trained.
  20. 20 . The system of claim 18 , the set of acts further comprising: recording the one or more activity attributes from at least one of the first interaction events and the second interaction events; in response to an invitation from an inviting user to an invited user to collaborate on the content object, determining the collaborative relationship; deriving the one or more new attributes for the collaborative relationship from the one or more activity attributes of the at least one of the first and the second interaction events, wherein an activity attribute describes one or more access permissions that correspond to a historical collaborative relationship associated with a historical interaction of the first or the second interaction events; providing the one or more new attributes of the collaborative relationship as an input to the model; determining, by the model that generates activity-based permissions, a set of recommended access permissions at least by applying one or more new attributes of the collaborative relationship to the model; and autonomously assigning the set of recommended access permissions to the invited user, without user intervention.

Description

CROSS-REFERENCE TO RELATED APPLICATION(S) The present application is a continuation of the U.S. patent application Ser. No. 16/552,956 titled “ACTIVITY-BASED CONTENT OBJECT ACCESS PERMISSIONS”, now U.S. Pat. No. 11,727,132 filed on Aug. 27, 2019, which claims the benefit of priority to U.S. Patent Application Ser. No. 62/723,314 titled “COLLABORATION SYSTEM SECURITY”, filed on Aug. 27, 2018, which is hereby incorporated by reference in their entirety. FIELD This disclosure relates to content management systems, and more particularly to techniques for activity-based content object access permissions. BACKGROUND The emergence of content management systems, such as cloud-based content management systems, has impacted the way electronically stored content objects (e.g., files, folders, images, videos, etc.) are stored, and has also impacted the way the content objects are shared and managed. One benefit of using content management systems is the ability to securely share large volumes of content objects among trusted users (e.g., collaborators) that access shared content from a variety of user devices (e.g., smart phones, tablets, laptop computers, desktop computers, and/or other devices). In such systems, the content objects are securely shared among the users in accordance with the access permissions associated with the various combinations of content objects and users. Collaboration activity between users that may not involve content objects is also governed by access permissions associated with the users. As such, when certain collaborative relationships (e.g., between users and content objects, between users, etc.) are established, access permissions are assigned to the entities (e.g., users, content objects, etc.) associated with the collaborative relationships to facilitate the collaboration activities that are to be performed over the entities. In some systems, access permissions are assigned based on certain high order relationships between the entities. Specifically, consider a set of content objects that are stored as files in various folders that are arranged in hierarchies that are representative of an organizational hierarchy. For example, an enterprise might have a marketing department folder, an engineering department folder, and/or other folders that have certain files associated with (e.g., stored “in”) the folders. With such a content organization scheme, members of a marketing department might be provisioned access to the files in the marketing department folder (and in any of its subfolders) by assigning a single set of permissions to the files that allow access to the files by any and all constituents of the marketing department. Furthermore, all members of an engineering department might be provisioned access to the files in the engineering department folder (and in any of its subfolders) by assigning a set of permissions to the files that allow access to the files by any and all constituents of the engineering department. As new files are created and/or otherwise added to a particular folder, each file inherits access permissions from its parent folder. As such, the mere addition of a file to a particular folder hierarchy assigns access permissions to the file without requiring user and/or administrator intervention. This mechanism for automatic inheritance of access permissions has practical limitations, however. For example, an owner (e.g., creator) of a file might want to control the access permissions associated with the file at a level (e.g., user-specific level) that is more fine-grained than the aforementioned folder level and/or department level. Implementing such fine-grained access control demands involvement by the owner to select specific access permissions for each respective user who might collaborate over any particular content object. Various simple models and simple user interfaces have been designed to aid a user (e.g., content object owner) in selecting user-specific permissions. In some systems, for example, a permissions selection model might support user specification of access permissions that control (e.g., allow or deny) particular actions (e.g., read, write, modify, delete, etc.) to be performed over a file, or that represent the collaborator's role (e.g., editor, viewer, etc.) as pertains to the collaboration activity. Unfortunately, such simple models for assigning access permissions can become onerous to users of the models when the number of content objects increases, and/or when the number of collaborators over the content objects increases, and/or when the number of actions that can be performed over the content objects increases. Such simple models that rely on content owners to assign access permissions for each particular collaborative relationship (e.g., the combination of collaborator and content object) do not scale as more and more users collaborate over more and more content objects. This is further complicated when users are associated with (e.g.,