Data access authorization for dynamically generated database structures
Abstract
Techniques for determining user authorization to access data in dynamically generated database structures are presented. A method can commence upon receiving database statements from a user that is authorized to access a set of data in a database. A physical plan derived from the received database statements to operate on the database is inspected for references to dynamically generated data structures such as aggregates. A modified physical plan having no aggregates and/or other altered database structures is used to issue low latency database statements to operate on the database for verifying user access authorization to the underlying data. In some cases, the foregoing database statements are based on a virtual multidimensional data model. In other cases, a low latency directive is included in the modified physical plan to facilitate a low latency authorization response.
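The check described in the abstract, sketched as an added example (not code from the patent or from any product): a first plan that reads a pre-built aggregate passes table-level access control even when the user may not read the base table, so the base tables are probed with an aggregate-free second plan. Assumptions: SQLite's authorizer callback stands in for the database's own access control, the table names and the `AGG_PLANS` catalogue are hypothetical, and `LIMIT 0` is used as the low latency directive.

```python
import sqlite3

# Hypothetical planner catalogue: aggregate table -> equivalent base-table statement.
AGG_PLANS = {"agg_sales_by_region":
             "SELECT region, SUM(amount) AS total FROM sales GROUP BY region"}

def make_db():
    """Constructed sample data; the aggregate was built by a privileged account."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sales(region TEXT, rep TEXT, amount INT);
        INSERT INTO sales VALUES ('east','ann',10),('east','bob',20),('west','cy',5);
        CREATE TABLE agg_sales_by_region AS
            SELECT region, SUM(amount) AS total FROM sales GROUP BY region;
    """)
    return db

def acl(denied_tables):
    """Stand-in for the database's own ACLs: refuse reads of the listed tables."""
    def check(action, table, column, dbname, source):
        if action == sqlite3.SQLITE_READ and table in denied_tables:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    return check

def authorization_response(db, first_plan, denied_tables):
    """Probe the base tables behind every aggregate the first plan references."""
    db.set_authorizer(acl(denied_tables))
    try:
        for agg, base_stmt in AGG_PLANS.items():
            if agg in first_plan:  # data structure reference detected
                # Second plan: no aggregates; LIMIT 0 is the assumed low latency directive.
                db.execute(f"SELECT * FROM ({base_stmt}) LIMIT 0").fetchall()
        return "allow"
    except sqlite3.DatabaseError:  # SQLite reports "not authorized" on denial
        return "deny"
    finally:
        db.set_authorizer(acl(set()))  # restore a permissive authorizer

def run_checked(db, first_plan, denied_tables):
    if authorization_response(db, first_plan, denied_tables) == "deny":
        raise PermissionError("user lacks access to data behind an aggregate")
    return db.execute(first_plan).fetchall()

def run_unchecked(db, first_plan, denied_tables):
    """The gap: table ACLs alone pass, because the plan never names 'sales'."""
    db.set_authorizer(acl(denied_tables))
    return db.execute(first_plan).fetchall()
```

The probe fails when the statement is compiled, before any row is read, so a denial costs no scan of the base table.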
20 Claims
1. A method comprising:
identifying a first area of a storage facility to store a subject database, the subject database comprising a set of subject data;
identifying a second area of the storage facility to store a set of subject database metadata, the set of subject database metadata comprising one or more subject database attributes characterizing the subject database;
identifying at least one user, wherein the at least one user has authorization to access a first portion of the set of subject data, and wherein the at least one user does not have authorization to access a second portion of the set of subject data;
receiving one or more subject database statements from the at least one user to perform an analysis over the set of subject data;
selecting at least one virtual multidimensional data model representing the subject database, the at least one virtual multidimensional data model comprising one or more virtual cubes derived from the one or more subject database attributes;
generating a first set of planned subject database statements to perform the analysis corresponding to the one or more subject database statements, the first set of planned subject database statements based at least in part on the at least one virtual multidimensional data model;
detecting at least one data structure reference associated with the first set of planned subject database statements, the at least one data structure reference corresponding to at least some of the second portion of the set of subject data; and
generating, in response to detecting the at least one data structure reference, a second set of planned subject database statements to perform the analysis corresponding to the one or more subject database statements, the second set of planned subject database statements based at least in part on the at least one virtual multidimensional data model, the second set of planned subject database statements generated to determine an authorization response.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A computer readable medium, embodied in a non-transitory computer readable medium, the non-transitory computer readable medium having stored thereon a sequence of instructions which, when stored in memory and executed by a processor causes the processor to perform a set of acts, the set of acts comprising:
identifying a first area of a storage facility to store a subject database, the subject database comprising a set of subject data;
identifying a second area of the storage facility to store a set of subject database metadata, the set of subject database metadata comprising one or more subject database attributes characterizing the subject database;
identifying at least one user, wherein the at least one user has authorization to access a first portion of the set of subject data, and wherein the at least one user does not have authorization to access a second portion of the set of subject data;
receiving one or more subject database statements from the at least one user to perform an analysis over the set of subject data;
selecting at least one virtual multidimensional data model representing the subject database, the at least one virtual multidimensional data model comprising one or more virtual cubes derived from the one or more subject database attributes;
generating a first set of planned subject database statements to perform the analysis corresponding to the one or more subject database statements, the first set of planned subject database statements based at least in part on the at least one virtual multidimensional data model;
detecting at least one data structure reference associated with the first set of planned subject database statements, the at least one data structure reference corresponding to at least some of the second portion of the set of subject data; and
generating, in response to detecting the at least one data structure reference, a second set of planned subject database statements to perform the analysis corresponding to the one or more subject database statements, the second set of planned subject database statements based at least in part on the at least one virtual multidimensional data model, the second set of planned subject database statements generated to determine an authorization response.
Dependent claims: 12, 13, 14, 15

16. A system comprising:
a non-transitory computer readable storage medium having stored thereon a sequence of instructions; and
a processor that executes the sequence of instructions to cause the processor to perform a set of acts, the set of acts comprising;
identifying a first area of a storage facility to store a subject database, the subject database comprising a set of subject data;
identifying a second area of the storage facility to store a set of subject database metadata, the set of subject database metadata comprising one or more subject database attributes characterizing the subject database;
identifying at least one user, wherein the at least one user has authorization to access a first portion of the set of subject data, and wherein the at least one user does not have authorization to access a second portion of the set of subject data;
receiving one or more subject database statements from the at least one user to perform an analysis over the set of subject data;
selecting at least one virtual multidimensional data model representing the subject database, the at least one virtual multidimensional data model comprising one or more virtual cubes derived from the one or more subject database attributes;
generating a first set of planned subject database statements to perform the analysis corresponding to the one or more subject database statements, the first set of planned subject database statements based at least in part on the at least one virtual multidimensional data model;
detecting at least one data structure reference associated with the first set of planned subject database statements, the at least one data structure reference corresponding to at least some of the second portion of the set of subject data; and
generating, in response to detecting the at least one data structure reference, a second set of planned subject database statements to perform the analysis corresponding to the one or more subject database statements, the second set of planned subject database statements based at least in part on the at least one virtual multidimensional data model, the second set of planned subject database statements generated to determine an authorization response.
Dependent claims: 17, 18, 19, 20
Specification