ROW LEVEL SECURITY INTEGRATION OF ANALYTICAL DATA STORE WITH CLOUD ARCHITECTURE

US 20170161515A1
Filed: 02/22/2017
Published: 06/08/2017
Est. Priority Date: 10/10/2014
Status: Active Grant

First Claim

Patent Images

1. A method of building an analytic sub-structure from a secure read-only analytic data structure, the method comprising:

receiving an authenticated and authorized command to build an analytic sub-structure that satisfies a subset query from the secure read-only analytic data structure, wherein the secure read-only analytic data structure includes security tokens associated with secured objects that govern access to the secured objects;

applying security translation rules to construct at least one query security token based on the authenticated and authorized command, wherein the at least one query security token qualifies the authenticated and authorized command to access one or more secured objects in the secure read-only analytic data structure; and

supplying the subset query and the at least one query security token to a query engine and receiving, as the analytic sub-structure, the one or more secured objects from the secure read-only analytic data structure that satisfy the subset query and that have an associated security token that matches the at least one query security token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A predicate-based row level security system is used when workers build or split an analytical data store. According to one implementation, predicate-based means that security requirements of source transactional systems can be used as predicates to a rule base that generates one or more security tokens, which are associated with each row as attributes of a dimension. Similarly, when an analytic data store is to be split, build job, user and session attributes can be used to generate complementary security tokens that are compared to security tokens of selected rows. Efficient indexing of a security tokens dimension makes it efficient to qualify row retrieval based on security criteria.

Citations

23 Claims

1. A method of building an analytic sub-structure from a secure read-only analytic data structure, the method comprising:
- receiving an authenticated and authorized command to build an analytic sub-structure that satisfies a subset query from the secure read-only analytic data structure, wherein the secure read-only analytic data structure includes security tokens associated with secured objects that govern access to the secured objects;
  
  applying security translation rules to construct at least one query security token based on the authenticated and authorized command, wherein the at least one query security token qualifies the authenticated and authorized command to access one or more secured objects in the secure read-only analytic data structure; and
  
  supplying the subset query and the at least one query security token to a query engine and receiving, as the analytic sub-structure, the one or more secured objects from the secure read-only analytic data structure that satisfy the subset query and that have an associated security token that matches the at least one query security token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - accessing a data set from at least one transactional data management system, wherein data in the data set has security attributes managed by the at least one transactional data management system;
      
      processing security translation rules that accept the security attributes as predicates and generating the security tokens; and
      
      storing the security tokens by association with each secured object in the secure read-only analytic data structure generated from the data set.
  - 3. The method of claim 2, further including:
    - accessing a plurality of heterogeneous transactional data management systems that have divergent security models;
      
      accessing data in the plurality of heterogeneous transactional data management systems and creating objects that merge the accessed data from two or more heterogeneous transactional data management systems of the plurality of heterogeneous transactional data management systems; and
      
      processing security translation rules that accept the security attributes from the two or more heterogeneous transactional data management systems of the plurality of heterogeneous transactional data management systems as predicates and generating one or more security tokens to associate with each secured object that merges the accessed data.
  - 4. The method of claim 2, wherein the security attributes are based on one or more security models used to manage access to the at least one transactional data management system.
  - 5. The method of claim 4, wherein the one or more security models include at least one of:
    - row-based security;
      
      LDAP-based security;
      
      agent-based security;
      
      team-based security;
      
      account-hierarchy-based security;
      
      group-based security; and
      
      sharing-descriptor-based security.
  - 6. The method of claim 2, further including generating a view-all-data initial instance of the secure read-only analytic data structure before the processing of the security translation rules that accept the security attributes as the predicates.
  - 7. The method of claim 1, further including:
    - accessing a data set from at least one transactional data management system, wherein data in the data set lacks a security model;
      
      accessing the data set and creating a new read-only analytic data structure that merges the data lacking the security model with the secure read-only analytic data structure; and
      
      associating the security tokens associated with the secure read-only analytic data structure to the new read-only analytic data structure.
  - 8. The method of claim 1, further including mobilizing the analytic sub-structure from a secure server based platform to a browser based user client platform, the mobilizing of the analytic sub-structure including:
    - receiving a subset query to receive a subset of data in the analytic sub-structure; and
      
      supplying the subset of data to the browser based user client platform that satisfies the subset query with a reduced bandwidth and processing time.
  - 9. The method of claim 1, further including:
    - receiving another authenticated and authorized command to receive a subset of data in the secure read-only analytic data structure that satisfies another subset query;
      
      applying additional security translation rules to construct at least one query security token based on the other authenticated and authorized command to receive the subset of data in the secure read-only analytic data structure that satisfies the subset query, wherein the at least one query security token constructed from the additional security translation rules qualifies the other authenticated and authorized command to access the subset of data in the secure read-only analytic data structure; and
      
      supplying the subset query and the at least one query security token constructed from the additional security translation rules to a query engine and receiving the subset of data from the secure read-only analytic data structure that satisfies the subset query and that has an associated security token that matches the at least one query security token.
  - 10. The method of claim 9, further including mobilizing the subset of data from a secure server based platform to a browser based user client platform, the mobilizing of the subset of data including:
    - receiving a subset query to receive the subset of data; and
      
      supplying the subset of data to the browser based user client platform that satisfies the subset query with a reduced bandwidth and processing time.
  - 11. The method of claim 1, wherein the security tokens define accessibility of respective dimensions and measures of each secured object.

12. A non-transitory computer-readable storage medium impressed with computer program instructions for building an analytic sub-structure from a secure read-only analytic data structure, the instructions, when executed on a hardware processor implement a method comprising:
- receiving an authenticated and authorized command to build an analytic sub-structure that satisfies a subset query from the secure read-only analytic data structure, wherein the secure read-only analytic data structure includes security tokens associated with secured objects that govern access to the secured objects;
  
  applying security translation rules to construct at least one query security token based on the authenticated and authorized command, wherein the at least one query security token qualifies the authenticated and authorized command to access one or more secured objects in the secure read-only analytic data structure; and
  
  supplying the subset query and the at least one query security token to a query engine and receiving, as the analytic sub-structure, the one or more secured objects from is the secure read-only analytic data structure that satisfy the subset query and that have an associated security token that matches the at least one query security token.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The non-transitory computer-readable storage medium of claim 12, wherein the method further comprises:
    - accessing a data set from at least one transactional data management system, wherein data in the data set has security attributes managed by the at least one transactional data management system;
      
      processing security translation rules that accept the security attributes as predicates and generating the security tokens; and
      
      storing the security tokens by association with each secured object in the secure read-only analytic data structure generated from the data set.
  - 14. The non-transitory computer-readable storage medium of claim 13, wherein the method further comprises:
    - accessing a plurality of heterogeneous transactional data management systems that have divergent security models;
      
      accessing data in the plurality of heterogeneous transactional data management systems and creating objects that merge the accessed data from two or more heterogeneous transactional data management systems of the plurality of heterogeneous transactional data management systems; and
      
      process security translation rules that accept the security attributes from the two or more heterogeneous transactional data management systems of the plurality of heterogeneous transactional data management systems as predicates and generating one or more security tokens to associate with each secured object that merges the accessed data.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the security attributes are based on one or more security models used to manage access to the at least one transactional data management system.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the one or more security models include at least one of:
    - row-based security;
      
      LDAP-based security;
      
      agent-based security;
      
      team-based security;
      
      account-hierarchy-based security;
      
      group-based security; and
      
      sharing-descriptor-based security.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the method further comprises generating a view-all-data initial instance of the secure read-only analytic data structure before the processing of the security translation rules that accept the security attributes as the predicates.
  - 18. The non-transitory computer-readable storage medium of claim 12, wherein the method further comprises:
    - accessing a data set from at least one transactional data management system, wherein data in the data set lacks a security model;
      
      accessing the data set and creating a new read-only analytic data structure that merges the data lacking the security model with the secure read-only analytic data structure; and
      
      associating the security tokens associated with the secure read-only analytic data structure to the new read-only analytic data structure.
  - 19. The non-transitory computer-readable storage medium of claim 12, wherein the method further comprises mobilizing the analytic sub-structure from a secure server based platform to a browser based user client platform, the mobilizing of the analytic sub-structure including:
    - receiving a subset query to receive a subset of data in the analytic sub-structure; and
      
      supplying the subset of data to the browser based user client platform that satisfies the subset query with a reduced bandwidth and processing time.
  - 20. The non-transitory computer-readable storage medium of claim 12, wherein the method further comprises:
    - receiving another authenticated and authorized command to receive a subset of data in the secure read-only analytic data structure that satisfies another subset query;
      
      applying additional security translation rules to construct at least one query security token based on the other authenticated and authorized command to receive the subset of data in the secure read-only analytic data structure that satisfies the subset query, wherein the at least one query security token constructed from the additional security translation rules qualifies the other authenticated and authorized command to access the subset of data in the secure read-only analytic data structure; and
      
      supplying the subset query and the at least one query security token constructed form the additional security translation rules to a query engine and receiving the subset of data from the secure read-only analytic data structure that satisfies the subset query and that has an associated security token that matches the at least one query security token.
  - 21. The non-transitory computer-readable storage medium of claim 20, wherein the method further comprises mobilizing the subset of data from a secure server based platform to a browser based user client platform, the mobilizing of the subset of data including:
    - receiving a subset query to receive the subset of data; and
      
      supplying the subset of data to the browser based user client platform that satisfies the subset query with a reduced bandwidth and processing time.
  - 22. The non-transitory computer-readable storage medium of claim 12, wherein the security tokens define accessibility of respective dimensions and measures of each secured object.

23. An apparatus for building an analytic sub-structure from a secure read-only analytic data structure, the apparatus comprising:
- a memory storing computer instructions; and
  
  a processor configured to execute the stored computer instructions to;
  
  receive an authenticated and authorized command to build an analytic sub-structure that satisfies a subset query from the secure read-only analytic data structure, wherein the secure read-only analytic data structure includes security tokens associated with secured objects that govern access to the secured objects;
  
  apply security translation rules to construct at least one query security token based on the authenticated and authorized command, wherein the at least one query security token qualifies the authenticated and authorized command to access one or more secured objects in the secure read-only analytic data structure; and
  
  supply the subset query and the at least one query security token to a query engine and receive, as the analytic sub-structure, the one or more secured objects from the secure read-only analytic data structure that satisfy the subset query and that have an associated security token that matches the at least one query security token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Schneider, Donovan A., Chakravarthy, Vijayasarathy, Silver, Daniel C., Im, Fred

Granted Patent

US 10,671,751 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/1865   Transactional file systems

G06F 16/254   Extract, transform and load...

G06F 21/6227   where protection concerns t...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

ROW LEVEL SECURITY INTEGRATION OF ANALYTICAL DATA STORE WITH CLOUD ARCHITECTURE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

ROW LEVEL SECURITY INTEGRATION OF ANALYTICAL DATA STORE WITH CLOUD ARCHITECTURE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links