Data store access permission system with interleaved application of deferred access control filters

  • US 10,198,466 B2
  • Filed: 03/22/2017
  • Issued: 02/05/2019
  • Est. Priority Date: 05/14/2015
  • Status: Active Grant
First Claim

1. A system for automatically applying access control deferred filters to a first table object, the system comprising:

  • one or more hardware processors;

    a computer readable data storage device coupled to the one or more hardware processors, the computer readable data storage device having stored thereon software instructions that, when executed by the one or more hardware processors, cause the one or more hardware processors to perform operations including:

    receiving a user request submitted from a computing device for data from the first table object;

    requesting, from an access control list source stored in a computer medium, access control groups for a user;

    requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;

    determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;

    for each determined filter generator, executing the determined filter generator to create a generator filter for the first table object;

    combining each of the generated filters for the first table object into an access control filter;

    creating a second table object in memory that references the first table object;

    associating the access control filter with the second table;

    making the second table object available for user operations;

    receiving a second user request from a computing device to perform a filtering operation on the second table object;

    accessing metadata of the second table object;

    retrieving a tree-based table storage structure from the metadata;

    traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;

    when the second user request requests data from one or more partition columns of the tree-based table storage structure, applying one or more partition column filters based on a partition column structure of the tree;

    when the second user request contains a filtering operation for one or more grouping columns of the tree-based table storage structure, in a first pass, executing user-specified filters on the one or more partition columns that execute only system-specified code, and between the first and a second pass, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by:

    retrieving the access control filter from the metadata;

    extracting filters from the access control filter that apply to the access control groups for the user;

    choosing a filter from the extracted filters;

    applying the chosen filter to the second user request;

    applying on the second pass one or more second grouping column filters based on a first filter request contained in the second user request;

    applying one or more normal filters contained in the second user request to identify a filtered data source result; and

    returning a final set of data.
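
The filter ordering in the claim, as a simplified added example (not the patentee's implementation and not part of the patent text): user filters on partition columns that run only system code go first, the deferred access control filter goes second, and user-supplied filter code runs only on rows that survived it. The table layout, the names `Eq`, `open_for_user`, `where`, `run_demo` and the sample data are all assumptions, and the tree-based storage structure is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Eq:
    """System-defined equality filter: evaluating it runs no user-supplied code."""
    column: str
    value: object
    def __call__(self, row):
        return row[self.column] == self.value

# Constructed ACL sources: user -> groups, group -> {table name: filter generator}.
ACL_GROUPS = {"alice": ["desk_a"], "bob": ["desk_a", "desk_b"]}
FILTER_GENERATORS = {"desk_a": {"trades": lambda: Eq("desk", "A")},
                     "desk_b": {"trades": lambda: Eq("desk", "B")}}

@dataclass
class Table:
    name: str
    rows: list
    partition_columns: tuple = ()
    acl_filter: Optional[Callable] = None  # deferred: stored in metadata, applied in where()

def open_for_user(source, user):
    """Create the second table: same rows by reference, plus the combined ACL filter."""
    gens = [FILTER_GENERATORS[g][source.name] for g in ACL_GROUPS.get(user, [])
            if source.name in FILTER_GENERATORS.get(g, {})]
    filters = [gen() for gen in gens]
    combined = lambda row: any(f(row) for f in filters)  # no matching group: no rows
    return Table(source.name, source.rows, source.partition_columns, combined)

def where(table, *user_filters):
    """First pass: trusted partition filters. Then the ACL filter. Second pass: the rest."""
    trusted = lambda f: isinstance(f, Eq) and f.column in table.partition_columns
    rows = [r for r in table.rows if all(f(r) for f in user_filters if trusted(f))]
    rows = [r for r in rows if table.acl_filter(r)]
    return [r for r in rows if all(f(r) for f in user_filters if not trusted(f))]

TRADES = Table("trades", [  # constructed sample data
    {"date": "2017-03-22", "desk": "A", "qty": 10},
    {"date": "2017-03-22", "desk": "B", "qty": 20},
    {"date": "2017-03-23", "desk": "A", "qty": 30}], partition_columns=("date",))

def run_demo(user):
    """Return (rows returned, desks that the user's own filter code was shown)."""
    seen = []
    def user_code(row):  # arbitrary user-supplied predicate that records what it sees
        seen.append(row["desk"])
        return row["qty"] > 5
    result = where(open_for_user(TRADES, user), user_code, Eq("date", "2017-03-22"))
    return result, seen
```

The second value returned by `run_demo` is the point of the ordering: the user's own predicate is only ever handed rows the access control filter has already admitted, so it cannot observe or leak unauthorized rows as a side effect.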
