System and method for providing security mechanisms for data warehousing and analysis

US 20050022029A1
Filed: 04/29/2004
Published: 01/27/2005
Est. Priority Date: 04/29/2003
Status: Active Grant

First Claim

Patent Images

1. A method of providing restricted access to data contained in a business intelligence system using a database and having an application with user input, the method including the steps of:

a) defining one or more security roles;

b) associating the one or more security roles with business intelligence data stored in the database;

c) deriving one or more security filters from the security roles and storing the one or more security filters;

d) selecting for a user requiring a report the one or more user security roles from the stored one or more security roles and thereby selecting one or more user security filters from the one or more related security filters;

e) accepting, from the user requiring the report, input defining an original data access language statement, to determine the information required to be selected from the database;

f) combining the stored one or more related security filters with the original data access language statement to produce a modified data access statement, to limit the data accessed by the data access statement in accordance with the previously selected security roles;

g) accessing the data stored within the database by interpreting the modified data access statement; and

h) presenting the user requiring the report with business intelligence data accessed by the modified data access statement.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses a method for using a relational database management system to support on-line analytical processing (OLAP) systems by providing a security access mechanism. The method of restricting access to data contained in a business intelligence system, comprises the steps of defining one or more security roles, associating the security roles with business intelligence data, selecting one or more security roles from the one or more security roles, combining the one or more security filters with a data access language statement, and interpreting the data access statement.

36 Citations

View as Search Results

16 Claims

1. A method of providing restricted access to data contained in a business intelligence system using a database and having an application with user input, the method including the steps of:
- a) defining one or more security roles;
  
  b) associating the one or more security roles with business intelligence data stored in the database;
  
  c) deriving one or more security filters from the security roles and storing the one or more security filters;
  
  d) selecting for a user requiring a report the one or more user security roles from the stored one or more security roles and thereby selecting one or more user security filters from the one or more related security filters;
  
  e) accepting, from the user requiring the report, input defining an original data access language statement, to determine the information required to be selected from the database;
  
  f) combining the stored one or more related security filters with the original data access language statement to produce a modified data access statement, to limit the data accessed by the data access statement in accordance with the previously selected security roles;
  
  g) accessing the data stored within the database by interpreting the modified data access statement; and
  
  h) presenting the user requiring the report with business intelligence data accessed by the modified data access statement.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the step c) is replaced by the step of deriving one or more security filters from the security roles and storing the one or more security filters in a separate system.
  - 3. The method of claim 1 including the further step of combining information from a separate database with information from the business intelligence database to define the security levels and to derive the security filters.
  - 4. The method of claim 1 including the further step of storing the business intelligence data in one or more relational databases.
  - 5. The method of claim 1 wherein the step f) is replaced by the step of combining the one or more security roles using OR functions within the modified data access language statement to combine the security filters, to provide the user with the union of the access rights of each of the one or more roles, and wherein this union intersects the data defined by the on original data access statement.
  - 6. The method of claim 1 including the step of constructing the one or more security filters to include a reference to a second security filter.
  - 7. The method of claim 6 wherein the second security filter is reused.
  - 8. The method of claim 1 wherein the data access language is SQL.

9. A computer-based system for providing restricted access to data contained in a business intelligence system having an application with user input, the system comprising:
- a) means for defining one or more security roles;
  
  b) means for associating the one or more security roles with business intelligence data stored in the database;
  
  c) means for deriving one or more security filters from the security roles and storing the one or more security filters;
  
  d) means for selecting for a user requiring a report the one or more user security roles from the stored one or more security roles and thereby selecting one or more user security filters from the one or more related security filters;
  
  e) means for accepting, from the user requiring the report, input defining an original data access language statement, to determine the information required to be selected from the database;
  
  f) means for combining the stored one or more related security filters with the original data access language statement to produce a modified data access statement, to limit the data accessed by the data access statement in accordance with the previously selected security roles;
  
  g) means for accessing the data stored within the database by interpreting the modified data access statement, and h) means for presenting the user requiring the database with business intelligence data accessed by the modified data access statement.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9 wherein the c) means for deriving is replaced by:
    - means for deriving one or more security filters from the security roles and storing the one or more security filters in a separate system.
  - 11. The system of claim 9 including means for combining information from a separate database with information from the business intelligence database to define the security levels and to derive the security filters.
  - 12. The system of claim 9 including means for storing the business intelligence data in one or more relational databases.
  - 13. The system of claim 9 wherein the f) means for combining is replaced by;
    - means for combining the one or more security roles using OR functions within the modified data access language statement to combine the security filters, to provide the user with the union of the access rights of each of the one or more roles, and wherein this union intersects the data defined by the original data access statement.
  - 14. The system of claim 9 including means for constructing the one or more security filters to include a reference to a second security filter.
  - 15. The system of claim 14 wherein the second security filter is reused.
  - 16. The system of claim 9 wherein the data access language is SQL

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Cognos Incorporated (International Business Machines Corporation)
Inventors
Potter, Charles M., Seeds, Glen M.

Granted Patent

US 7,555,786 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 16/284   Relational databases

G06F 21/6227   where protection concerns t...

G06F 2221/2113   Multi-level security, e.g. ...

Y10S 707/99939   Privileged access

System and method for providing security mechanisms for data warehousing and analysis

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

System and method for providing security mechanisms for data warehousing and analysis

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others