Access controlled queries against user data in a datastore

US 10,372,934 B2
Filed: 10/17/2016
Issued: 08/06/2019
Est. Priority Date: 07/21/2016
Status: Active Grant

First Claim

Patent Images

1. A memory device having instructions stored thereon that, in response to execution by a processing device, cause the processing device to perform operations comprising:

identifying one or more grants of permission corresponding to one or more first objects, respectively, wherein the one or more first objects comprise only a subset of a plurality of objects of a datastore for a cloud service, wherein the one or more first objects includes a business object and the one or more grants of permission are by a subscriber of the cloud service;

translating information about the one or more first objects to mapping information comprising tables and columns of second objects of the plurality of objects;

constructing a reverse multimap to map between the second objects and attributes of the one or more first objects, including applying the tables and columns to build the reverse multimap;

generating an access control entry for at least one of the second objects using at least one of the identified grants of permission, wherein the second objects are not exposed to the subscriber; and

in responsive to receipt of a query for data corresponding to the objects, determining whether to grant access to the data based on the generated access control entry, wherein determining whether to grant access to the data based on the generated access control entry includes querying the reverse multimap.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a processing device of a datastore system may be configured to identify one or more grants of permission corresponding to one or more first objects, respectively, wherein the one or more first objects comprise only a subset of objects of a datastore, wherein the one or more grants of permission are by a user of the datastore; generate an access control entry for a second object of the objects using at least one of the identified grants of permission, wherein the second object is not exposed to the user; and in responsive to receipt of a query for data corresponding to the objects, determine whether to grant access to the data based on the generated access control entry.

188 Citations

25 Claims

1. A memory device having instructions stored thereon that, in response to execution by a processing device, cause the processing device to perform operations comprising:
- identifying one or more grants of permission corresponding to one or more first objects, respectively, wherein the one or more first objects comprise only a subset of a plurality of objects of a datastore for a cloud service, wherein the one or more first objects includes a business object and the one or more grants of permission are by a subscriber of the cloud service;
  
  translating information about the one or more first objects to mapping information comprising tables and columns of second objects of the plurality of objects;
  
  constructing a reverse multimap to map between the second objects and attributes of the one or more first objects, including applying the tables and columns to build the reverse multimap;
  
  generating an access control entry for at least one of the second objects using at least one of the identified grants of permission, wherein the second objects are not exposed to the subscriber; and
  
  in responsive to receipt of a query for data corresponding to the objects, determining whether to grant access to the data based on the generated access control entry, wherein determining whether to grant access to the data based on the generated access control entry includes querying the reverse multimap.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The memory device of claim 1, wherein the operations further comprise generating a user interface to enable one or more users of the subscriber to select, for tagging as readable or writable or both, only objects of the subset.
  - 3. The memory device of claim 1, wherein the at least one of the second objects comprises a relational datastore storage artifact.
  - 4. The memory device of claim 3, wherein the relational datastore storage artifact includes at least one of a relational database table, a relational database column, a relational database procedure, a relational database view, a relational database function, or a relational database sequence.
  - 5. The memory device of claim 1, wherein the cloud service comprises a PaaS (platform as a service) and the business object comprises modular combinable code blocks.
  - 6. The memory device of claim 1, wherein the identified one or more grants of permission correspond to at least one of read access or write access.
  - 7. The memory device of claim 1, wherein the operations further comprise:
    - using the mapping information to generate the access control entry.
  - 8. The memory device of claim 7, wherein the second objects correspond to at least one of a relational database table, a relational database column, a relational database procedure, a relational database view, a relational database function, or a relational database sequence.
  - 9. The memory device of claim 1, wherein the grants of permission are for renderings of data associated with the one or more first objects.
  - 10. The memory device of claim 1, wherein the operations further comprise:
    - submitting a query to a query parser responsive to the receipt of the query for data corresponding to the objects;
      
      parsing the query to validate a query syntax; and
      
      creating and returning a query object corresponding to the query.
  - 11. The memory device of claim 1, wherein the operations further comprise identifying received tagging information indicating the one or more first objects and their attributes as readable or writable or both.

12. A memory device having stored thereon:
- an instruction control entry including executable instructions to read tagging data of a first object of a plurality of objects responsive to storage of the first object in a datastore of a cloud service or modification of the first object in the datastore, to generate an access control entry for at least one second object of second objects of the plurality of objects based on a result of the reading;
  
  a mapping translator module to translate the first object and an attribute of the first object to mapping information comprising tables and columns of the second objects, to construct a multimap to map the attribute of the first object to the second objects, including applying the tables and columns to build the reverse multimap;
  
  wherein the access control entry is generated based on the reverse multimap; and
  
  an instruction control interface module to determine whether to grant access to data that is of the datastore and associated with the second objects based on the reverse multimap, to return a result for the query based on a result of the determination.
- View Dependent Claims (13, 14, 15)
- - 13. The memory device of claim 12, wherein the returned result includes a grant of access to the data or user messaging indicating no access to the data.
  - 14. The memory device of claim 12, wherein the returned result is to be presented on a web page.
  - 15. The memory device of claim 12, wherein the determination is for access by a first category of user and the memory device further having stored thereon:
    - an object access tagging module to generate the tagging data based on a user selection of a second category of user that is different than the first category of user.

16. A method, comprising:
- generating a user interface to enable one or more users of a subscribing entity of a cloud service to select, to tag as readable or writable or both, only objects of a first subset of a plurality of objects of a datastore of the cloud service;
  
  translating the objects of the first subset and their attributes to mapping information for objects of a second different subset of the plurality of objects, the mapping information comprising tables and columns of objects of the second subset;
  
  building a reverse multimap corresponding to the objects of the second different subset using the mapping information, including applying the tables and columns to build the reverse multimap; and
  
  in response to receipt of a request by a user of a hosting entity of the cloud service, identifying a portion of data of the datastore to which the request corresponds and determining whether to grant access to the user of the hosting entity access to that portion of the data using the reverse multimap.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising:
    - after the user interface is displayed, receiving tagging information identifying the objects of the first subset and their attributes as readable or writable or both, wherein the objects of the first subset and their attributes comprise one or more business objects and business object attributes, respectively;
      
      submitting a query to a query parser responsive to the receipt of the request;
      
      parsing the query to validate a query syntax; and
      
      creating and returning a query object corresponding to the query.
  - 18. The method of claim 17, further comprising:
    - validating that the query has a filter specified for a target organization;
      
      wherein the tables and columns correspond to the target organization.
  - 19. The method of claim 17, further comprising:
    - analyzing the query object for columns of the objects of the second subset that directly or indirectly appear in the query;
      
      analyzing corresponding tables and columns for each of the columns that directly or indirectly appear in the query for a set of corresponding business object attributes;
      
      creating an accesses set corresponding to the set of corresponding business object attributes comprising accesses granted to each of the business object attributes, the accesses granted of said tagging information;
      
      applying system rules or a configuration to select, for the query, a single accesses value which is either a first value or a second value that is different than the first value; and
      
      stopping further processing of the query and generating an indication that the query violates access rights if the first value is selected.
  - 20. The method of claim 19, further comprising:
    - submitting the query to the datastore for execution to return a result of execution of the query by the datastore if the second value is selected.

21. A memory device having instructions stored thereon that, in response to execution by a processing device, cause the processing device to perform operations comprising:
- identifying one or more grants of permission corresponding to one or more first objects, respectively, wherein the one or more first objects comprise only a subset of a plurality of objects of a datastore, wherein the one or more grants of permission are by a user of the datastore;
  
  translating information about the one or more first objects to mapping information comprising tables and columns of second objects of the plurality of objects;
  
  constructing a reverse multimap to map between the second objects and attributes of the one or more first objects, including applying the tables and columns to build the reverse multimap;
  
  generating an access control entry for at least one of the second objects using at least one of the identified grants of permission, wherein the second objects are not exposed to the user; and
  
  in responsive to receipt of a query for data corresponding to the objects, determining whether to grant access to the data based on the generated access control entry, wherein determining whether to grant access to the data based on the generated access control entry includes querying the reverse multimap.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The memory device of claim 21, wherein the operations further comprise generating a user interface to enable the user to select, for tagging as readable or writable or both, only objects of the subset of the objects.
  - 23. The memory device of claim 21, wherein the at least one of the second objects comprises a relational datastore storage artifact.
  - 24. The memory device of claim 23, wherein the relational datastore storage artifact includes at least one of a relational database table, a relational database column, a relational database procedure, a relational database view, a relational database function, or a relational database sequence.
  - 25. The memory device of claim 21, wherein the grants of permission are for renderings of data associated with the first objects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Mathur, Rohitashva, Veeramani, Prem, Collins, Jesse
Primary Examiner(s)
Bullock, Joshua

Application Number

US15/295,288
Publication Number

US 20180025174A1
Time in Patent Office

1,023 Days
Field of Search

707781
US Class Current
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 67/02   based on web technology, e....

H04L 67/1097   for distributed storage of ...

Access controlled queries against user data in a datastore

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

188 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Access controlled queries against user data in a datastore

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

188 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links