US-12627672-B2 - Enforcing granular access control policy
Abstract
An example method of enforcing granular access policy for embedded artifacts comprises: detecting an association of an embedded artifact with a resource container; associating the embedded artifact with at least a subset of an access control policy associated with the resource container; and responsive to receiving an access request to access the embedded artifact, applying the access control policy associated with the resource container for determining whether the access request is grantable.
Inventors
- Peter Wilczynski
- Arseny Bogomolov
- Alexander Mark
- Teofana Hadzhiganeva
- Kevin Ng
- Nathaniel Klein
- Sharon Hao
Assignees
- Palantir Technologies Inc.
Dates
- Publication Date: 20260512
- Application Date: 20240715
Claims (17)
- 1. A method for providing granular access control, comprising: receiving an embedded artifact including a first part and a second part, the first part being associated with a first access control policy, the second part being associated with a second access control policy, the second access control policy being different from the first access control policy; receiving an association of the embedded artifact with a resource container, the first access control policy being a subset of an access control policy of the resource container; receiving an access request to access the embedded artifact; applying the first access control policy to determine whether the access request is grantable for the first part; applying the second access control policy to determine whether the access request is grantable for the second part; and in response to determining that the access request is grantable for the first part and the access request for the second part, granting the access request; wherein the method is performed using one or more processors.
- 2. The method of claim 1, wherein the granting the access request comprises: generating a redacted first part based on the first part and the first access control policy; and granting an access to the redacted first part.
- 3. The method of claim 2, wherein the first part includes a first data that is omitted or changed in the redacted first part.
- 4. The method of claim 1, wherein the applying the first access control policy further comprises: identifying a permission associated with a user group associated with a user for whom the access request is submitted; and determining whether the permission matches an access type specified by the access request.
- 5. The method of claim 1, wherein the subset of the access control policy of the resource container includes an intersection of the access control policy of the resource container and an initial access control policy of the embedded artifact; wherein the initial access control policy is retrieved based on an access control policy pointer in metadata of the embedded artifact.
- 6. The method of claim 1, further comprising: creating a copy of the subset of the access control policy; associating the embedded artifact with the copy of the subset of the access control policy; and disassociating the embedded artifact from the resource container.
- 7. The method of claim 1, further comprising: creating a restrictive version of the first access control policy; associating the embedded artifact with the restrictive version of the first access control policy; redacting the embedded artifact to generate a redacted embedded artifact based on the restrictive version of the first access control policy; and sharing the redacted embedded artifact with a user that is authorized to access the embedded artifact based on the restrictive version of the first access control policy.
- 8. A system for providing granular access control, comprising: one or more memories comprising instructions stored thereon; and one or more processors configured to execute the instructions and perform operations comprising: receiving an embedded artifact including a first part and a second part, the first part being associated with a first access control policy, the second part being associated with a second access control policy, the second access control policy being different from the first access control policy; receiving an association of the embedded artifact with a resource container, the first access control policy being a subset of an access control policy of the resource container; receiving an access request to access the embedded artifact; applying the first access control policy to determine whether the access request is grantable for the first part; applying the second access control policy to determine whether the access request is grantable for the second part; and in response to determining that the access request is grantable for the first part and the access request for the second part, granting the access request.
- 9. The system of claim 8, wherein the granting the access request comprises: generating a redacted first part based on the first part and the first access control policy; and granting an access to the redacted first part.
- 10. The system of claim 9, wherein the first part includes a first data that is omitted or changed in the redacted first part.
- 11. The system of claim 8, wherein the applying the first access control policy further comprises: identifying a permission associated with a user group associated with a user for whom the access request is submitted; and determining whether the permission matches an access type specified by the access request.
- 12. The system of claim 8, wherein the subset of the access control policy of the resource container includes an intersection of the access control policy of the resource container and an initial access control policy of the embedded artifact; wherein the initial access control policy is retrieved based on an access control policy pointer in metadata of the embedded artifact.
- 13. The system of claim 8, wherein the operations further comprise: creating a copy of the subset of the access control policy; associating the embedded artifact with the copy of the subset of the access control policy; and disassociating the embedded artifact from the resource container.
- 14. The system of claim 8, wherein the operations further comprise: creating a restrictive version of the first access control policy; associating the embedded artifact with the restrictive version of the first access control policy; redacting the embedded artifact to generate a redacted embedded artifact based on the restrictive version of the first access control policy; and sharing the redacted embedded artifact with a user that is authorized to access the embedded artifact based on the restrictive version of the first access control policy.
- 15. A non-transitory computer readable storage medium comprising executable instructions for providing granular access control that, when executed by one or more processors, cause the one or more processors to perform operations comprising: receiving an embedded artifact including a first part and a second part, the first part being associated with a first access control policy, the second part being associated with a second access control policy, the second access control policy being different from the first access control policy; receiving an association of the embedded artifact with a resource container, the first access control policy being a subset of an access control policy of the resource container; receiving an access request to access the embedded artifact; applying the first access control policy to determine whether the access request is grantable for the first part; applying the second access control policy to determine whether the access request is grantable for the second part; and in response to determining that the access request is grantable for the first part and the access request for the second part, granting the access request.
- 16. The non-transitory computer readable storage medium of claim 15, wherein the granting the access request comprises: generating a redacted first part based on the first part and the first access control policy; and granting an access to the redacted first part.
- 17. The non-transitory computer readable storage medium of claim 15, wherein the applying the first access control policy further comprises: identifying a permission associated with a user group associated with a user for whom the access request is submitted; and determining whether the permission matches an access type specified by the access request.
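The decision logic of claims 1, 4 and 5, modelled as an added example that is not code from the patent or its assignee. The policy representation (user group mapped to permitted access types), the narrowing of every part's policy on embedding, and all names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Assumed representation: user group -> access types that group is permitted.
Policy = Dict[str, FrozenSet[str]]

def intersect(container: Policy, initial: Policy) -> Policy:
    """Claim 5: keep only permissions present in BOTH policies."""
    narrowed = {}
    for group in container.keys() & initial.keys():
        perms = container[group] & initial[group]
        if perms:                      # drop groups left with no permissions
            narrowed[group] = perms
    return narrowed

def grantable(policy: Policy, groups: Iterable[str], access_type: str) -> bool:
    """Claim 4: does any of the user's groups hold the requested access type?"""
    return any(access_type in policy.get(g, frozenset()) for g in groups)

@dataclass(frozen=True)
class Part:
    name: str
    data: str
    policy: Policy

def embed(parts: List[Part], container: Policy) -> List[Part]:
    """On association with a container, narrow every part's policy (assumption)."""
    return [Part(p.name, p.data, intersect(container, p.policy)) for p in parts]

def access(parts: List[Part], groups: Iterable[str],
           access_type: str) -> Optional[Dict[str, str]]:
    """Claim 1: grant only if the request is grantable for every part."""
    groups = list(groups)
    if not parts or not all(grantable(p.policy, groups, access_type) for p in parts):
        return None                    # default deny
    return {p.name: p.data for p in parts}

# Constructed sample data (not from the patent).
CONTAINER = {"analysts": frozenset({"read", "write"}), "contractors": frozenset({"read"})}
ARTIFACT = embed([
    Part("summary", "Q3 overview",
         {"analysts": frozenset({"read", "write"}), "auditors": frozenset({"read"})}),
    Part("table", "raw figures",
         {"analysts": frozenset({"read"}), "contractors": frozenset({"read"})}),
], CONTAINER)

if __name__ == "__main__":
    for who, what in [("analysts", "read"), ("analysts", "write"),
                      ("contractors", "read"), ("auditors", "read")]:
        print(who, what, "->", access(ARTIFACT, [who], what))
```

Because the effective policy is an intersection, embedding can only narrow access: the constructed "auditors" group loses its read permission on the first part once the artifact sits in a container that does not list that group.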
Description
RELATED APPLICATIONS
This application is a continuation of U.S. application Ser. No. 18/238,871, filed Aug. 28, 2023, which is a continuation of U.S. patent application Ser. No. 17/992,737, filed on Nov. 22, 2022, which is a divisional of U.S. patent application Ser. No. 17/386,060, filed on Jul. 27, 2021, issued as U.S. Pat. No. 11,558,393, which is a continuation of U.S. patent application Ser. No. 16/803,104, filed on Feb. 27, 2020, issued as U.S. Pat. No. 11,089,029, which is a continuation of U.S. patent application Ser. No. 16/521,179, filed on Jul. 24, 2019, issued as U.S. Pat. No. 10,609,041. The above-referenced applications are incorporated by reference herein in their respective entireties.
TECHNICAL FIELD
This disclosure is related to resource access control, and in particular to enforcing granular access control policies.
BACKGROUND
A security policy adopted by an organization may require restricting users' access to various documents, software programs, etc. The organization may implement the security policy by imposing access control policies with respect to various computing resources, such as folders, data and executable files, databases, libraries, etc.
BRIEF DESCRIPTION OF THE DRAWINGS
The present disclosure will be understood more fully from the detailed description given below and from the accompanying drawings of various implementations thereof, which, however, should not be taken to limit the present disclosure to the specific implementations, but are for explanation and understanding only.
FIG. 1 schematically illustrates an example composite resource including a container and its embedded artifacts, implemented in accordance with one or more aspects of the present disclosure.
FIG. 2 schematically illustrates an example of restricting the container's access control policy for its embedded artifact, in accordance with one or more aspects of the present disclosure.
FIG. 3 schematically illustrates an example of modifying access control policy of an artifact upon its association with a container, in accordance with one or more aspects of the present disclosure.
FIG. 4 schematically illustrates an example multi-level nested container structure implemented in accordance with one or more aspects of the present disclosure.
FIG. 5 schematically illustrates an example multi-part artifact structure implemented in accordance with one or more aspects of the present disclosure.
FIG. 6 is a block diagram illustrating a distributed computing system in which the systems and method described herein may operate.
FIG. 7 schematically illustrates the main screen of the browser application which may be hosted by an application platform, in accordance with one or more aspects of the present disclosure.
FIG. 8 schematically illustrates the main screen of the object explorer application which may be hosted by an application platform, in accordance with one or more aspects of the present disclosure.
FIG. 9 schematically illustrates the main screen of the summary application which may be hosted by an application platform, in accordance with one or more aspects of the present disclosure.
FIG. 10 schematically illustrates the main screen of the collaboration application which may be hosted by an application platform, in accordance with one or more aspects of the present disclosure.
FIG. 11 depicts a flowchart of an example method of providing access control policy for embedded artifacts, in accordance with one or more aspects of the present disclosure.
FIG. 12 depicts a flowchart of an example method of disassociating an embedded artifact from its container, in accordance with one or more aspects of the present disclosure.
FIG. 13 depicts a flowchart of an example method of sharing an embedded artifact with a user, in accordance with one or more aspects of the present disclosure.
FIG. 14 is a block diagram illustrating a computer system, according to an implementation.
DETAILED DESCRIPTION
The following description sets forth numerous specific details such as examples of specific systems, components, methods, and so forth, in order to provide a good understanding of several implementations of the present disclosure. It will be apparent to one skilled in the art, however, that at least some implementations of the present disclosure may be practiced without these specific details. In other instances, well-known components or methods are not described in detail or are presented in simple block diagram format in order to avoid unnecessarily obscuring the present disclosure. Thus, the specific details set forth are merely exemplary. Particular implementations may vary from these exemplary details and still be contemplated to be within the scope of the present disclosure.
Aspects of the present disclosure are directed to enforcing granular access control policies. In an illustrative example, an access control policy associated with one or more computing resources (“artifacts”) may include one or more access control r