US 11,811,774 B1
System and method for recursive propagating application access control
Patrick Allen Higgins, Broomfield, CO (US); Justin Lee Hicks, Boulder, CO (US); Thomas Palmer Buzbee, Boulder, CO (US); and Michael Jeffrey Procopio, Boulder, CO (US)
Assigned to Google LLC, Mountain View, CA (US)
Filed by Google LLC, Mountain View, CA (US)
Filed on Jan. 10, 2022, as Appl. No. 17/572,598.
Application 17/572,598 is a continuation of application No. 16/398,198, filed on Apr. 29, 2019, granted, now 11,223,624.
Application 16/398,198 is a continuation of application No. 14/709,179, filed on May 11, 2015, granted, now 10,277,601, issued on Apr. 30, 2019.
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 21/62 (2013.01)
CPC H04L 63/101 (2013.01) [G06F 21/6218 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
receiving, by a cloud storage system that stores a plurality of files for a plurality of user accounts, a request to access a file of the plurality of files from an external content handling application on behalf of a first user account of the plurality of user accounts, wherein the external content handling application is an application provided by an external system that is connected to the cloud storage system via a network;
determining, by the cloud storage system and based on one or more access control lists (ACLs) associated with a shared folder containing the file stored on the cloud storage system, that the external content handling application executing on a user device associated with the first user account is not allowed to access the file on behalf of the first user account, wherein the shared folder is accessible to a set of user accounts including the first user account and a second user account of the cloud storage system, and wherein the one or more ACLs associated with the shared folder do not specify access to files in the shared folder for the external content handling application;
receiving, by the cloud storage system and from the user device associated with the first user account, a message authorizing the external content handling application to access the file on behalf of the first user account; and
responsive to the receiving of the message authorizing the external content handling application to access the file on behalf of the first user account associated with a first user:
modifying, by the cloud storage system and without any further input of the first user, the one or more ACLs associated with the shared folder containing the file and a subfolder on the cloud storage system, wherein modifying the one or more ACLs associated with the shared folder comprises including user information of the first user account and application information of the external content handling application in the one or more ACLs, wherein responsive to the receiving of the message authorizing the external content handling application to access the file on behalf of the first user account, the one or more ACLs are modified for the shared folder and not for the subfolder of the shared folder; and
allowing, by the cloud storage system, the external content handling application to access the file on behalf of the first user account based on the user information of the first user account and the application information of the external content handling application in the modified ACLs associated with the shared folder, wherein the modified ACLs associated with the shared folder prevent the external content handling application to access the file on behalf of the second user account.