DATA ACCESS RULES IN A DATABASE LAYER

US 20170132401A1
Filed: 11/06/2015
Published: 05/11/2017
Est. Priority Date: 11/06/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more hardware processors,at least one database; and

a data access module implemented by the one or more hardware processors and configured to;

receive a query from a user of an application to access a dataset from the database;

identify at least one data access rule that is applicable to the dataset, the at least one data access rule specifying at least one authorized access group;

identify an authorized access group associated with the user; and

based on a comparison between the authorized access group associated with the user and each of the at least one authorized access group;

assembling a modified dataset based on the dataset and the at least one data access rule; and

transmitting the modified dataset to the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The user of an application may query a data storage system with a request to access a dataset from a database of the system. The system identifies at least one data access rule that is applicable to the dataset, with the at least one data access rule specifying at least one user group authorized to access a restricted portion of the dataset. The system identifies an authorized access group associated with the application user and compares it to the at least one user group authorized to access the restricted portion of the dataset. If the authorized access group associated with the user does not match one of the at least one user group authorized to access the restricted portion of the dataset, the system assembles a modified dataset based on the dataset and the at least one data access rule and transmits the modified dataset to the application.

77 Citations

20 Claims

1. A system comprising:
- one or more hardware processors,at least one database; and
  
  a data access module implemented by the one or more hardware processors and configured to;
  
  receive a query from a user of an application to access a dataset from the database;
  
  identify at least one data access rule that is applicable to the dataset, the at least one data access rule specifying at least one authorized access group;
  
  identify an authorized access group associated with the user; and
  
  based on a comparison between the authorized access group associated with the user and each of the at least one authorized access group;
  
  assembling a modified dataset based on the dataset and the at least one data access rule; and
  
  transmitting the modified dataset to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein data access module is further configured to process the query to return the dataset based on the comparison indicating that the authorized access group associated with the user matches one of the at least one authorized access group.
  - 3. The system of claim 1, wherein:
    - identifying an authorized access group associated with the user comprises identifying multiple authorized access groups associated with the user; and
      
      the comparison between the authorized access group associated with the and the at least one authorized access group comprises a comparison between each of the multiple authorized access groups associated with the user and each of the at least one authorized access group.
  - 4. The system of claim 1, wherein:
    - the at least one data access rule is applicable to the dataset based on the at least one data access rule describing a restriction on accessing a portion of data of the dataset;
      
      the comparison indicates that that the authorized access group associated with the user does not match any of the at least one authorized access group; and
      
      assembling a modified dataset based on the dataset and the at least one data access rule comprises assembling the data of the dataset without the restricted portion of the data of the dataset.
  - 5. The system of claim 4, wherein:
    - the restriction on accessing a portion of the data is based on a reference date associated with the restricted portion of the data of the dataset;
      
      the at least one data access rule comprises at least one time limit running from the reference date; and
      
      the at least one data access rule specifies at least one authorized access group for each of the at least one time limit.
  - 6. The system of claim 5, wherein the restriction on accessing a portion of the data is further based on a company code or a document type associated with the restricted portion of the data of the dataset.
  - 7. The system of claim 1, wherein:
    - the at least one database access rule comprises a table in the database; and
      
      the at least one database comprises a relational database and the query is a relational SQL query or the at least one database comprises an XML repository and the query is an XML query.

8. A method comprising:
- receiving a query from a user of an application to access a dataset from at least one database;
  
  identifying, using one or more hardware processors, at least one data access rule that is applicable to the dataset, the at least one data access rule specifying at least one authorized access group;
  
  identifying an authorized access group associated with the user; and
  
  based on a comparison between the authorized access group associated with the user and each of the at least one authorized access group;
  
  assembling a modified dataset based on the dataset and the at least one data access rule; and
  
  transmitting the modified dataset to the application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising processing the query to return the dataset based on the comparison indicating that the authorized access group associated with the user matches one of the at least one authorized access group.
  - 10. The method of claim 8, wherein:
    - identifying an authorized access group associated with the user comprises identifying multiple authorized access groups associated with the user; and
      
      the comparison between the authorized access group associated with the and the at least one authorized access group comprises a comparison between each of the multiple authorized access groups associated with the user and each of the at least one authorized access group.
  - 11. The method of claim 8, wherein:
    - the at least one data access rule is applicable to the dataset based on the at least one data access rule describing a restriction on accessing a portion of data of the dataset;
      
      the comparison indicates that that the authorized access group associated with the user does not match any of the at least one authorized access group; and
      
      assembling a modified dataset based on the dataset and the at least one data access rule comprises assembling the data of the dataset without the restricted portion of the data of the dataset.
  - 12. The method of claim 11, wherein:
    - the restriction on accessing a portion of the data is based on a reference date associated with the restricted portion of the data of the dataset;
      
      the at least one data access rule comprises at least one time limit running from the reference date; and
      
      the at least one data access rule specifies at least one authorized access group for each of the at least one time limit.
  - 13. The method of claim 12, wherein the restriction on accessing a portion of the data is further based on a company code or a document type associated with the restricted portion of the data of the dataset.
  - 14. The method of claim 8, wherein:
    - the at least one database access rule comprises a table in the database; and
      
      the at least one database comprises a relational database and the query is a relational SQL query or the at least one database comprises an XML repository and the query is an XML query.

15. A non-transitory machine-readable storage medium storing instructions which, when executed by one or more hardware processors of a machine, cause the machine to perform operations comprising:
- receiving a query from a user of an application to access a dataset from at least one database;
  
  identifying at least one data access rule that is applicable to the dataset, the at least one data access rule specifying at least one authorized access group;
  
  identifying an authorized access group associated with the user; and
  
  based on a comparison between the authorized access group associated with the user and each of the at least one authorized access group;
  
  assembling a modified dataset based on the dataset and the at least one data access rule; and
  
  transmitting the modified dataset to the application.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The machine-readable storage medium of claim 15, the operations further comprising processing the query to return the dataset based on the comparison indicating that the authorized access group associated with the user matches one of the at least one authorized access group.
  - 17. The machine-readable storage medium of claim 15, wherein:
    - identifying an authorized access group associated with the user comprises identifying multiple authorized access groups associated with the user; and
      
      the comparison between the authorized access group associated with the and the at least one authorized access group comprises a comparison between each of the multiple authorized access groups associated with the user and each of the at least one authorized access group.
  - 18. The machine-readable storage medium of claim 15, wherein:
    - the at least one data access rule is applicable to the dataset based on the at least one data access rule describing a restriction on accessing a portion of data of the dataset;
      
      the comparison indicates that that the authorized access group associated with the user does not match any of the at least one authorized access group; and
      
      assembling a modified dataset based on the dataset and the at least one data access rule comprises assembling the data of the dataset without the restricted portion of the data of the dataset.
  - 19. The machine-readable storage medium of claim 18, wherein:
    - the restriction on accessing a portion of the data is based on a reference date associated with the restricted portion of the data of the dataset;
      
      the at least one data access rule comprises at least one time limit running from the reference date; and
      
      the at least one data access rule specifies at least one authorized access group for each of the at least one time limit.
  - 20. The machine-readable storage medium of claim 19, wherein the restriction on accessing a portion of the data is further based on a company code or a document type associated with the restricted portion of the data of the dataset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
V, Santosh, Herbst, Axel, Gopi, Ajalesh P., Choegyen, Tenzin, Jois, Sharath

Granted Patent

US 10,380,334 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6227 where protection concerns t...

DATA ACCESS RULES IN A DATABASE LAYER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

77 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

DATA ACCESS RULES IN A DATABASE LAYER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others