Row level security integration of analytical data store with cloud architecture
Abstract
A predicate-based row level security system is used when workers build or split an analytical data store. According to one implementation, predicate-based means that security requirements of source transactional systems can be used as predicates to a rule base that generates one or more security tokens, which are associated with each row as attributes of a dimension. Similarly, when an analytic data store is to be split, build job, user and session attributes can be used to generate complementary security tokens that are compared to security tokens of selected rows. Efficient indexing of a security tokens dimension makes it efficient to qualify row retrieval based on security criteria.
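The flow the abstract describes, as an added Python sketch that is not taken from the patent: a build-time rule base turns source security attributes into per-row tokens, split-time translation rules turn an authenticated session into query tokens, and an inverted index over the token dimension qualifies rows. The row fields, the `owner:`/`region:` token format and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample rows; owner/region stand in for the security
# attributes of the source transactional system (assumed names).
ROWS = [
    {"id": 1, "owner": "alice", "region": "EMEA", "amount": 120},
    {"id": 2, "owner": "bob", "region": "AMER", "amount": 75},
    {"id": 3, "owner": "alice", "region": "AMER", "amount": 310},
    {"id": 4, "owner": "carol", "region": "EMEA", "amount": 42},
]

def row_tokens(row):
    """Build-time rule base: source security predicates -> row tokens."""
    return {f"owner:{row['owner']}", f"region:{row['region']}"}

def session_tokens(session):
    """Split-time translation rules: authenticated session -> query tokens."""
    if not session.get("authenticated"):
        return set()  # fail closed: no tokens means no rows qualify
    tokens = {f"owner:{session['user']}"}
    tokens |= {f"region:{r}" for r in session.get("managed_regions", [])}
    return tokens

def build_store(rows):
    """Read-only store plus an inverted index over the token dimension."""
    store, index = {}, defaultdict(set)
    for row in rows:
        tokens = frozenset(row_tokens(row))
        store[row["id"]] = {**row, "tokens": tokens}
        for token in tokens:
            index[token].add(row["id"])
    return store, index

def split(store, index, session, predicate):
    """Sub-structure: rows that satisfy the query AND share a token."""
    allowed = set()
    for token in session_tokens(session):
        allowed |= index.get(token, set())  # index lookup, no full scan
    # Returned rows keep their tokens, as the claimed sub-structure does.
    return [store[i] for i in sorted(allowed) if predicate(store[i])]
```

The security check runs before the query predicate, so rows the session holds no token for are never evaluated, and an unauthenticated session yields an empty sub-structure.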
24 Claims
1. A method of building an analytic sub-structure from a secure read-only analytic data structure, the method comprising:
- receiving a request to build the analytic sub-structure from the secure read-only analytic data structure, the secure read-only analytic data structure generated from a data set and including a plurality of secured objects and associated security tokens that govern access to the plurality of secured objects by a plurality of users, wherein the request indicates a query for a subset of the plurality of secured objects, wherein each security token indicates one or more of the plurality of secured objects that one or more of the plurality of users are authorized to access;
- generating at least one query security token based on an authentication of the request and an application of security translation rules, the at least one query security token qualifying the request to access the subset of the plurality of secured objects;
- transmitting, to a query engine, the at least one query security token and the query for the subset of the plurality of secured objects; and
- receiving, from the query engine in response to the transmitting, the analytic sub-structure including the subset of the plurality of secured objects of the secure read-only analytic data structure that satisfy the query and security tokens associated with the subset, each secured object of the subset of the plurality of secured objects associated with at least one security token that matches the at least one query security token, wherein the received analytic sub-structure includes the at least one security token.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 24
12. A non-transitory computer-readable storage medium impressed with computer program instructions for building an analytic sub-structure from a secure read-only analytic data structure, the instructions, when executed on a hardware processor, implement a method comprising:
- receiving a request to build the analytic sub-structure from the secure read-only analytic data structure, the secure read-only analytic data structure generated from a data set and including a plurality of secured objects and associated security tokens that govern access to the plurality of secured objects by a plurality of users, wherein the request indicates a query for a subset of the plurality of secured objects, wherein each security token indicates one or more of the plurality of secured objects that one or more of the plurality of users are authorized to access;
- generating at least one query security token based on an authentication of the request and an application of security translation rules, the at least one query security token qualifying the request to access the subset of the plurality of secured objects;
- transmitting, to a query engine, the at least one query security token and the query for the subset of the plurality of secured objects; and
- receiving, from the query engine in response to the transmitting, the analytic sub-structure including the subset of the plurality of secured objects of the secure read-only analytic data structure that satisfy the query and security tokens associated with the subset, each secured object of the subset of the plurality of secured objects associated with at least one security token that matches the at least one query security token, wherein the received analytic sub-structure includes the at least one security token.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
23. An apparatus for building an analytic sub-structure from a secure read-only analytic data structure, the apparatus comprising:
- a memory storing computer instructions; and
- a processor configured to execute the stored computer instructions to:
  - receive a request to build the analytic sub-structure from the secure read-only analytic data structure, the secure read-only analytic data structure generated from a data set and including a plurality of secured objects and associated security tokens that govern access to the plurality of secured objects by a plurality of users, wherein the request indicates a query for a subset of the plurality of secured objects, wherein each security token indicates one or more of the plurality of secured objects that one or more of the plurality of users are authorized to access;
  - generate at least one query security token based on an authentication of the request and an application of security translation rules, the at least one query security token qualifying the request to access the subset of the plurality of secured objects;
  - transmit, to a query engine, the at least one query security token and the query for the subset of the plurality of secured objects; and
  - receive, from the query engine in response to the transmitting, the analytic sub-structure including the subset of the plurality of secured objects of the secure read-only analytic data structure that satisfy the query and security tokens associated with the subset, each secured object of the subset of the plurality of secured objects associated with at least one security token that matches the at least one query security token, wherein the received analytic sub-structure includes the at least one security token.
Specification