Managing user access to data

US 20050257066A1
Filed: 09/17/2004
Published: 11/17/2005
Est. Priority Date: 05/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method of managing user access to data, the method comprising:

detecting that a user seeks access to a data portion that belongs to a specified category;

evaluating one or more authorizations, each authorization having an authorization segment corresponding to the specified category; and

permitting the sought access to the data portion if at least one of the authorization segments corresponding to the specified category identifies the data portion to which access is sought.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing user access to data includes detecting that a user seeks access to a data portion that belongs to a specified category. One or more authorizations are evaluated, each authorization having an authorization segment corresponding to the specified category. The method includes permitting the sought access to the data portion if at least one of the authorization segments corresponding to the specified category identifies the data portion to which access is sought. The method may permit access to data that falls within a union of granted authorizations. An authorization segment may correspond to a data dimension or to a meta dimension, such as an authorized action or data source, that does not directly relate to a data dimension.

Citations

29 Claims

1. A method of managing user access to data, the method comprising:
- detecting that a user seeks access to a data portion that belongs to a specified category;
  
  evaluating one or more authorizations, each authorization having an authorization segment corresponding to the specified category; and
  
  permitting the sought access to the data portion if at least one of the authorization segments corresponding to the specified category identifies the data portion to which access is sought.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein the data portion belongs to first and second categories.
  - 3. The method of claim 2, wherein the sought access to the data portion is permitted upon determining that the data portion is identified by the authorization segment corresponding to the first category in a first authorization and that the data portion is identified by the authorization segment corresponding to the second category in a second authorization.
  - 4. The method of claim 2, wherein the sought access to the data portion is permitted upon determining that the data portion is identified, in a first authorization, by the authorization segment corresponding to the first category and by the authorization segment corresponding to the second category.
  - 5. The method of claim 1, wherein at least first and second authorizations are evaluated serially.
  - 6. The method of claim 5, wherein the second authorization is evaluated upon determining that the authorization segment in the first authorization that corresponds to the specified category does not identify the data portion.
  - 7. The method of claim 5, wherein the data portion belongs to at least first and second categories and wherein the second authorization is evaluated upon determining that the authorization segment in the first authorization that corresponds to the first category identifies the data portion.
  - 8. The method of claim 1, wherein evaluating one or more authorizations comprises evaluating a first authorization wherein the authorization segment corresponding to the specified category identifies a different data portion and evaluating a second authorization wherein the authorization segment corresponding to the specified category identifies the data portion.
  - 9. The method of claim 8, wherein the first and second authorizations have different validities.
  - 10. The method of claim 1, wherein at least one of the authorizations has multiple authorization segments.
  - 11. The method of claim 10, wherein some of the multiple authorization segments correspond to data dimensions.
  - 12. The method of claim 10, wherein at least one of the multiple authorization segments correspond to a meta dimension that does not directly correspond to a data dimension.
  - 13. The method of claim 12, wherein the meta dimension corresponds to authorizing the user to access a data source.
  - 14. The method of claim 12, wherein the meta dimension corresponds to authorizing the user to perform an action.
  - 15. The method of claim 14, wherein the authorized action is at least one selected from the group consisting of:
    - a display action, a change action, an update action, a read action, a write action, a revise action, and combinations thereof.
  - 16. The method of claim 1, wherein at least one authorization segment includes a value that is selected from the group consisting of:
    - an interval, a single value, a pattern, a variable, a hierarchy, and combinations thereof.
  - 17. The method of claim 16, wherein the value is the hierarchy, further comprising protecting a hierarchy structure upon permitting access to the data portion.
  - 18. The method of claim 1, wherein the specified category is a measure dimension.
  - 19. The method of claim 18, wherein the data portion is at least one selected from the group consisting of:
    - revenue, discount, net revenue, production costs, and combinations thereof.
  - 20. The method of claim 1, wherein at least one authorization segment specifies a validity of the authorization.
  - 21. The method of claim 20, wherein the validity comprises a periodically granted access permission.
  - 22. The method of claim 1, wherein a role includes at least one authorization for the user.
  - 23. The method of claim 22, wherein the role is included in a higher level role.
  - 24. The method of claim 23, wherein several roles are included in the higher level role, and wherein the higher level role includes authorizations included in the several roles.

25. A computer program product containing executable instructions that when executed cause a processor to perform operations comprising:
- detect that a user seeks access to a data portion that belongs to a specified category;
  
  evaluate one or more authorizations, each authorization having an authorization segment corresponding to the specified category; and
  
  permit the sought access to the data portion if at least one of the authorization segments corresponding to the specified category identifies the data portion to which access is sought.

26. A method of managing user access to data, the method comprising:
- detecting that a user seeks access to data that belongs to at least first and second specified categories;
  
  evaluating one or more authorizations, each authorization having at least one authorization segment corresponding to one of the first and second specified categories; and
  
  permitting the sought access to the data if the authorization segments in the one or more authorizations
  
  1) correspond to the first and second specified categories and
  
  2) identify the data to which access is sought.
- View Dependent Claims (27, 28)
- - 27. The method of claim 26, wherein the sought access to the data portion is permitted upon determining that the data portion is identified by the authorization segment corresponding to the first category in a first authorization and that the data portion is identified by the authorization segment corresponding to the second category in a second authorization.
  - 28. The method of claim 27, wherein the sought access to the data portion is permitted upon determining that the data portion is identified, in a first authorization, by the authorization segment corresponding to the first category and by the authorization segment corresponding to the second category.

29. A computer program product containing executable instructions that when executed cause a processor to perform operations comprising:
- detect that a user seeks access to data that belongs to at least first and second specified categories;
  
  evaluate one or more authorizations, each authorization having at least one authorization segment corresponding to one of the first and second specified categories; and
  
  permit the sought access to the data if the authorization segments in the one or more authorizations
  
  1) correspond to the first and second specified categories and
  
  2) identify the data to which access is sought.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
John, Peter, Muenkel, Christian

Granted Patent

US 7,685,644 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/6227 where protection concerns t...

Managing user access to data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Managing user access to data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links