METHODS AND SYSTEMS FOR CONTROLLING ACCESS TO CUSTOM OBJECTS IN A DATABASE

US 20080082540A1
Filed: 10/02/2007
Published: 04/03/2008
Est. Priority Date: 10/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to custom objects in a database, wherein the database stores data specific to each one of a plurality of tenants such that at least two of the tenants store at least a portion of data specific to the at least two tenants in a common table within the database and wherein each tenant is permitted access only to data associated with that tenant, and wherein each tenant has one or more users, the method comprising(a) receiving, from a user associated with a first tenant, a request to access data of a first custom object in the database, wherein the common table includes at least two custom objects associated with the first tenant, and wherein the at least two custom objects each contain one or more data types specified by the first tenant;

(b) identifying a key associated with the first custom object;

(c) searching only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object;

(d) determining whether the user has permission to access at least a portion of the custom object based at least in part on the access information; and

(e) sending, to the user, the requested data of the first custom object to which the user has permission to access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments, methods and systems for controlling access to custom objects are provided. These techniques for controlling access to custom objects can enable embodiments to utilize a key for the protection of the security of data that is to remain private while not compromising efficiency of a query. The key for a requested custom object is identified and then used so that only an appropriate portion of a custom entity share table is searched to locate access information. It is then determined whether the user can access at least a portion of the custom object, and the appropriate and allowed data is sent to the user.

213 Citations

20 Claims

1. A method for controlling access to custom objects in a database, wherein the database stores data specific to each one of a plurality of tenants such that at least two of the tenants store at least a portion of data specific to the at least two tenants in a common table within the database and wherein each tenant is permitted access only to data associated with that tenant, and wherein each tenant has one or more users, the method comprising(a) receiving, from a user associated with a first tenant, a request to access data of a first custom object in the database, wherein the common table includes at least two custom objects associated with the first tenant, and wherein the at least two custom objects each contain one or more data types specified by the first tenant;
- (b) identifying a key associated with the first custom object;
  
  (c) searching only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object;
  
  (d) determining whether the user has permission to access at least a portion of the custom object based at least in part on the access information; and
  
  (e) sending, to the user, the requested data of the first custom object to which the user has permission to access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein the request includes a request for data of other custom objects, and further compromising repeating steps (b), (c), (d), and (e) for the requested data of the other custom objects.
  - 3. The method of claim 1 wherein the custom entity share table includes access information for each custom object of the first tenant, wherein the access information includes a respective listing of users and/or groups of users that have access rights to each custom object and/or a portion of that custom object.
  - 4. The method of claim 1 wherein the access information includes at least one of information related to the requestor'"'"'s sharing position and count of entities owned.
  - 5. The method of claim 1 wherein the key is contained in the request.
  - 6. The method of claim 1, wherein searching only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object includes:
    - searching the database for the first custom object in a way that is likely to yield results using less search time than any alternate queries that could be formulated based on the request.
  - 7. The method of claim 1, wherein searching only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object includes:
    - selecting at least one from a plurality of row level sharing rules that prevent a user associated with a particular tenant from seeing data in the database associated with the particular tenant to which the user is not permitted to access; and
      
      creating an improved query so that the improved query indicates to the database how to search the data in the database that the user is permitted to search in a way that is likely to be improved over a way that the request received would have been searched in the database.
  - 8. The method of claim 1, wherein searching only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object includes:
    - improving a query for the request by rewriting or generating different SQL based at least in part upon at least one of a tenant-level sharing model, statistics and metadata.
  - 9. The method of claim 8, wherein improving the query received by rewriting or generating different SQL based at least in part upon a tenant-level sharing model, statistics and metadata includes:
    - rewriting or generating the improved query with an extra join in the denormalized-indexed table.
  - 10. The method of claim 1, wherein searching only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object includes:
    - rewriting or generating SQL of a query for the received request to provide a hint in the improved query, wherein the hint instructs a relational database management system to lead the query with an object determined to be likely to produce improved query results when a user has access to only a small percentage subset of rows in a portion of the common table associated with the tenant.
  - 11. The method of claim 1, wherein searching only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object includes:
    - rewriting or generating SQL of a query for the received query to provide an improved query that instructs a relational database management system to perform a hash semi-join against a full set of rows that are visible to a user when the user is not an admin.
  - 12. The method of claim 1, wherein searching only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object includes:
    - rewriting or generating SQL of a query for the received query to provide an improved query that leads with the key and performs a nested loop to the custom entity share table when the query leads with a small number of entity rows.
  - 13. The method of claim 1, wherein determining whether the user has permission to access at least a portion of the custom object based at least in part on the access information includes accessing at least one of:
    - a role hierarchy metadata table that lists the number of people below a user; and
      
      a group membership metadata table that lists the users that belong to a group.

14. A method for transmitting code, over a machine accessible transmission medium, to control access to custom objects in a database, wherein the database stores data specific to each one of a plurality of tenants such that at least two of the tenants store at least a portion of data specific to the at least two tenants in a common table within the database and wherein each tenant is permitted access only to data associated with that tenant, and wherein each tenant has one or more users, the method including:
- (a) transmitting code that causes one or more processors to receive, from a user associated with a first tenant, a request to access data of a first custom object in the database, wherein the common table includes at least two custom objects associated with the first tenant, and wherein the at least two custom objects each contain one or more data types specified by the first tenant;
  
  (b) transmitting code that causes one or more processors to identify a key associated with the first custom object;
  
  (c) transmitting code that causes one or more processors to search only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object;
  
  (d) transmitting code that causes one or more processors to determine whether the user has permission to access at least a portion of the custom object based at least in part on the access information; and
  
  (e) transmitting code that causes one or more processors to send, to the user, the requested data of the first custom object to which the user has permission to access.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, wherein the code that causes one or more processors to search only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object includes:
    - code that causes one or more processors to select at least one from a plurality of row level sharing rules that prevent a user associated with a particular tenant from seeing data in the database associated with the particular tenant to which the user is not permitted to access; and
      
      code that causes one or more processors to create an improved query so that the improved query indicates to the database how to search the data in the database that the user is permitted to search in a way that is likely to be improved over a way that the request received would have been searched in the database.
  - 16. The method of claim 14, wherein the code that causes one or more processors to determine whether the user has permission to access at least a portion of the custom object based at least in part on the access information includes code that causes one or more processors to access at least one of:
    - a role hierarchy metadata table that lists the number of people below a user; and
      
      a group membership metadata table that lists the users that belong to a group.
  - 17. The method of claim 14, wherein the code that causes one or more processors to search only that portion of a custom entity share table appropriate to the key to locate access information for the first custom object includes:
    - code that causes one or more processors to rewrite or generate SQL of a query for the received query to provide an improved query that leads with the key and performs a nested loop to the custom entity share table when the query leads with a small number of entity rows.

18. A multi-tenant database system comprising:
- a database that stores data specific to each one of a plurality of tenants such that at least two of the tenants store at least a portion of data specific to the at least two tenants in a common table within the database, wherein each tenant is permitted access only to data associated with that tenant, and wherein each tenant has one or more users;
  
  an input that receives, from a user associated with a first tenant, a request to access data of a first custom object in the database, wherein the common table includes at least two custom objects associated with the first tenant, wherein the at least two custom objects each contain one or more data types specified by the first tenant, and wherein the database contains a custom entity share table containing access information for the custom objects;
  
  logic for identifying a key associated with the first custom object;
  
  an optimized query module that searches only that portion of the custom entity share table appropriate to the key to locate access information for the first custom object;
  
  logic for determining whether the user has permission to access at least a portion of the custom object based at least in part on the access information; and
  
  an output that sends, to the user, the requested data of the first custom object to which the user has permission to access.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18 wherein the custom entity share table includes access information for each custom object of the first tenant, wherein the access information includes a respective listing of users and/or groups of users that have access rights to each custom object and/or a portion of that custom object.
  - 20. The system of claim 18 wherein the access information includes at least one of information related to the requestor'"'"'s sharing position and count of entities owned.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Weissman, Craig, Jasik, Benji, Oliver, Kevin, Doshi, Kedar

Granted Patent

US 8,095,531 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/9
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 16/289   Object oriented databases

G06F 21/6227   where protection concerns t...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99939   Privileged access

METHODS AND SYSTEMS FOR CONTROLLING ACCESS TO CUSTOM OBJECTS IN A DATABASE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

213 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR CONTROLLING ACCESS TO CUSTOM OBJECTS IN A DATABASE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

213 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links