Access controlled queries against user data in a datastore
First Claim
1. A memory device having instructions stored thereon that, in response to execution by a processing device, cause the processing device to perform operations comprising:
- identifying one or more grants of permission corresponding to one or more first objects, respectively, wherein the one or more first objects comprise only a subset of a plurality of objects of a datastore for a cloud service, wherein the one or more first objects includes a business object and the one or more grants of permission are by a subscriber of the cloud service;
translating information about the one or more first objects to mapping information comprising tables and columns of second objects of the plurality of objects;
constructing a reverse multimap to map between the second objects and attributes of the one or more first objects, including applying the tables and columns to build the reverse multimap;
generating an access control entry for at least one of the second objects using at least one of the identified grants of permission, wherein the second objects are not exposed to the subscriber; and
in responsive to receipt of a query for data corresponding to the objects, determining whether to grant access to the data based on the generated access control entry, wherein determining whether to grant access to the data based on the generated access control entry includes querying the reverse multimap.
2 Assignments
0 Petitions
Accused Products
Abstract
In an example, a processing device of a datastore system may be configured to identify one or more grants of permission corresponding to one or more first objects, respectively, wherein the one or more first objects comprise only a subset of objects of a datastore, wherein the one or more grants of permission are by a user of the datastore; generate an access control entry for a second object of the objects using at least one of the identified grants of permission, wherein the second object is not exposed to the user; and in responsive to receipt of a query for data corresponding to the objects, determine whether to grant access to the data based on the generated access control entry.
-
Citations
25 Claims
-
1. A memory device having instructions stored thereon that, in response to execution by a processing device, cause the processing device to perform operations comprising:
-
identifying one or more grants of permission corresponding to one or more first objects, respectively, wherein the one or more first objects comprise only a subset of a plurality of objects of a datastore for a cloud service, wherein the one or more first objects includes a business object and the one or more grants of permission are by a subscriber of the cloud service; translating information about the one or more first objects to mapping information comprising tables and columns of second objects of the plurality of objects; constructing a reverse multimap to map between the second objects and attributes of the one or more first objects, including applying the tables and columns to build the reverse multimap; generating an access control entry for at least one of the second objects using at least one of the identified grants of permission, wherein the second objects are not exposed to the subscriber; and in responsive to receipt of a query for data corresponding to the objects, determining whether to grant access to the data based on the generated access control entry, wherein determining whether to grant access to the data based on the generated access control entry includes querying the reverse multimap. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A memory device having stored thereon:
-
an instruction control entry including executable instructions to read tagging data of a first object of a plurality of objects responsive to storage of the first object in a datastore of a cloud service or modification of the first object in the datastore, to generate an access control entry for at least one second object of second objects of the plurality of objects based on a result of the reading; a mapping translator module to translate the first object and an attribute of the first object to mapping information comprising tables and columns of the second objects, to construct a multimap to map the attribute of the first object to the second objects, including applying the tables and columns to build the reverse multimap; wherein the access control entry is generated based on the reverse multimap; and an instruction control interface module to determine whether to grant access to data that is of the datastore and associated with the second objects based on the reverse multimap, to return a result for the query based on a result of the determination. - View Dependent Claims (13, 14, 15)
-
-
16. A method, comprising:
-
generating a user interface to enable one or more users of a subscribing entity of a cloud service to select, to tag as readable or writable or both, only objects of a first subset of a plurality of objects of a datastore of the cloud service; translating the objects of the first subset and their attributes to mapping information for objects of a second different subset of the plurality of objects, the mapping information comprising tables and columns of objects of the second subset; building a reverse multimap corresponding to the objects of the second different subset using the mapping information, including applying the tables and columns to build the reverse multimap; and in response to receipt of a request by a user of a hosting entity of the cloud service, identifying a portion of data of the datastore to which the request corresponds and determining whether to grant access to the user of the hosting entity access to that portion of the data using the reverse multimap. - View Dependent Claims (17, 18, 19, 20)
-
-
21. A memory device having instructions stored thereon that, in response to execution by a processing device, cause the processing device to perform operations comprising:
-
identifying one or more grants of permission corresponding to one or more first objects, respectively, wherein the one or more first objects comprise only a subset of a plurality of objects of a datastore, wherein the one or more grants of permission are by a user of the datastore; translating information about the one or more first objects to mapping information comprising tables and columns of second objects of the plurality of objects; constructing a reverse multimap to map between the second objects and attributes of the one or more first objects, including applying the tables and columns to build the reverse multimap; generating an access control entry for at least one of the second objects using at least one of the identified grants of permission, wherein the second objects are not exposed to the user; and in responsive to receipt of a query for data corresponding to the objects, determining whether to grant access to the data based on the generated access control entry, wherein determining whether to grant access to the data based on the generated access control entry includes querying the reverse multimap. - View Dependent Claims (22, 23, 24, 25)
-
Specification