Database access method and system for user role defined access

US 6,732,100 B1
Filed: 03/31/2000
Issued: 05/04/2004
Est. Priority Date: 03/31/2000
Status: Expired due to Term

First Claim

Patent Images

1. A database management system that controls access to stored data items of an organization based on a hierarchical structure of the organization, the hierarchical structure of the organization including multiple hierarchical organization levels that each include multiple hierarchical organization branches at that hierarchical organization level, each of the hierarchical organization branches deriving its own access attributes from the hierarchical organization level with which it is associated, the database management system comprising:

a plurality of user entries representing users seeking access to data items, each of the user entries having multiple associated organizational access attributes that are hierarchically configured to represent the organization in such a manner that each organizational access attribute corresponds to one of the hierarchical organization branches at one of the hierarchical organization levels of the organization; and

an access control subsystem that is configured to repeatedly use the associated organizational access attributes of users to manage access to data items of the organization, the data items each associated with multiple of the organizational access attributes, the managing of the data item access by;

receiving a database query from a user requesting one or more data items;

reading the multiple organizational access attributes associated with the user;

reading the multiple organizational access attributes associated with each of the requested data items;

for each of the requested data items, determining based on the organizational access attributes of the user and of the data item whether to grant the user access to the data item by comparing the hierarchical organization levels for those organizational access attributes and by comparing the hierarchical organization branches for those organizational access attributes; and

presenting to the user the data items to which the user is determined to have access.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and system for determination and granting of access to data and files by the file or database creator, owner or manager or by group or user access profiles. The database is partitionable among data owners, and access is awarded based upon the requestor'"'"'s organizational attributes.

2227 Citations

53 Claims

1. A database management system that controls access to stored data items of an organization based on a hierarchical structure of the organization, the hierarchical structure of the organization including multiple hierarchical organization levels that each include multiple hierarchical organization branches at that hierarchical organization level, each of the hierarchical organization branches deriving its own access attributes from the hierarchical organization level with which it is associated, the database management system comprising:
- a plurality of user entries representing users seeking access to data items, each of the user entries having multiple associated organizational access attributes that are hierarchically configured to represent the organization in such a manner that each organizational access attribute corresponds to one of the hierarchical organization branches at one of the hierarchical organization levels of the organization; and
  
  an access control subsystem that is configured to repeatedly use the associated organizational access attributes of users to manage access to data items of the organization, the data items each associated with multiple of the organizational access attributes, the managing of the data item access by;
  
  receiving a database query from a user requesting one or more data items;
  
  reading the multiple organizational access attributes associated with the user;
  
  reading the multiple organizational access attributes associated with each of the requested data items;
  
  for each of the requested data items, determining based on the organizational access attributes of the user and of the data item whether to grant the user access to the data item by comparing the hierarchical organization levels for those organizational access attributes and by comparing the hierarchical organization branches for those organizational access attributes; and
  
  presenting to the user the data items to which the user is determined to have access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The database management system of claim 1 in which the determining of whether to grant access to the user includes determining whether the user'"'"'s organizational access attributes and the data item'"'"'s organizational access attributes include a match.
  - 3. The database management system of claim 1 wherein a plurality of organizations exclusively own individual data files in a database associated with the database management system, such that each of the individual data files has a single organization owner.
  - 4. The database management system of claim 1 wherein said hierarchical levels correspond to ranges of organizations, and to data items identified thereto.
  - 5. The database management system of claim 4 wherein the data items identified thereto are chosen from the group consisting of data fields, data files, and views.
  - 6. The database management system of claim 1 wherein said hierarchical branches correspond to virtual or real organizations and data items identified thereto.
  - 7. The database management system of claim 6 wherein the data items identified thereto are chosen from the group consisting of data files and views.
  - 8. The database management system of claim 1 wherein hierarchical levels correspond to access to data fields and data views, and hierarchical branches correspond to access to data files and data views.
  - 9. The database management system of claim 1 wherein each of the data items is a data file, a data field within a data file, or a view of data items.
  - 10. The database management system of claim 1 wherein each of the data items is stored in one or more databases associated with the database management system.
  - 11. The database management system of claim 1 wherein two of the hierarchical organization levels correspond to divisions and departments within the organization.
  - 12. The database management system of claim 1 wherein each of the hierarchical organization branches are functional owners of the data items that have an organizational access attribute corresponding to that hierarchical organization branch.

13. A method of managing access to data items in a database for an organization, the organization having a structure that includes multiple hierarchical organization levels that each include multiple hierarchical organization branches, the method comprising:
- for each of multiple user entries associated with the database, associating multiple organizational access attributes with the user entry, the organizational access attributes each corresponding to one of the hierarchical organization branches at one of the hierarchical organization levels of the organization;
  
  for each of multiple data items of the database, associating at least one of the organizational access attributes with the data item; and
  
  after the associating of the organizational access attributes with the user entries and with the data items, using the associated organizational access attributes to manage access to the data items, by receiving a database query from a user requesting one or more data items that each have one or more associated organizational access attributes;
  
  determining the multiple organizational access attributes associated with the user;
  
  determining the organizational access attributes associated with the requested data items;
  
  determining whether to grant the user access to the requested data items by comparing the hierarchical organization branches corresponding to the organizational access attributes of the user and of the data items and/or by comparing the hierarchical organization levels of those hierarchical organization branches; and
  
  providing to the user the data items to which the user is determined to have access.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 33)
- - 14. The method of claim 13 wherein the determining of whether to grant access to the user includes determining if the user'"'"'s organizational access attributes and the data item'"'"'s organizational access attributes include a match.
  - 15. The method of claim 13 wherein a plurality of organizations exclusively own individual data files in the database such that individual data file each have a single owner.
  - 16. The method of claim 15 wherein a customer of an owner organization has access to a data item, and further comprising granting by the customer to an additional user access to the data item while the customer is accessing the data item.
  - 17. The method of claim 16 further comprising the customer accessing the data item and thereafter authorizing the additional user to access and update the data item.
  - 18. The method of claim 13 wherein said hierarchical levels correspond to ranges of organizations, and to data items identified thereto.
  - 19. The method of claim 18 wherein the data items identified thereto are chosen from the group consisting of data fields, data files, and views.
  - 20. The method of claim 13 wherein said hierarchical branches correspond to virtual or real organizations and data items identified thereto.
  - 21. The method of claim 20 wherein the data items identified thereto are chosen from the group consisting of data files and views.
  - 22. The method of claim 13 wherein hierarchical levels correspond to access to data fields and data views, and hierarchical branches correspond to access to data files and data views.
  - 23. The method of claim 13 wherein each of the data items is a data file, a data field within a data file, or a view of data items.
  - 24. The method of claim 13 wherein two of the hierarchical organization levels correspond to divisions and departments within the organization.
  - 25. The method of claim 13 wherein each of the hierarchical organization branches are functional owners of the data items that have an organizational access attribute corresponding to that hierarchical organization branch.
  - 33. The computer-readable medium of claim 22 wherein organization levels correspond to access to the data fields, and wherein organization branches correspond to access to the data files.

26. A computer-readable medium whose contents cause a computing device to manage access to data items in a database for an organization, the organization having a hierarchical structure that includes multiple organization levels and multiple hierarchical organization branches, the managing of the access to the data items by performing a method comprising:
- for each of multiple user entries associated with the database, associating multiple organizational access attributes with the user entry, the organizational access attributes each corresponding to one of the hierarchical organization branches and one of the organization levels of the hierarchical organization;
  
  for each of multiple data items of the database, associating at least one of the organizational access attributes with the data item; and
  
  after the associating of the organizational access attributes with the user entries and with the data items, using the associated organizational access attributes to manage access to the data items, by receiving a database query from a user requesting one or more data items that each have one or more associated organizational access attributes;
  
  determining the multiple organizational access attributes associated with the user;
  
  determining the organizational access attributes associated with the requested data items;
  
  determining whether to grant the user access to the requested data items by comparing the hierarchical organization branches corresponding to the organizational access attributes of the user and of the data items and/or by comparing the organization levels corresponding to the organizational access attributes of the user and of the data items; and
  
  providing to the user access to the data items to which the user is determined to have access.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 27. The computer-readable medium of claim 26 wherein the determining of whether to grant access to the user includes determining if the user'"'"'s organizational access attributes and the data item'"'"'s organizational access attributes include a match.
  - 28. The computer-readable medium of claim 26 wherein the method includes, after providing access to a data item to a user, granting access to the data item to an additional user while the user is accessing the data item.
  - 29. The computer-readable medium of claim 26 wherein the organization levels correspond to ranges of organizations.
  - 30. The computer-readable medium of claim 26 wherein the organization branches correspond to virtual organizations.
  - 31. The computer-readable medium of claim 26 wherein the organization branches correspond to real organizations.
  - 32. The computer-readable medium of claim 26 wherein each of the data items is a data file, a data field within a data file, or a view of data items.
  - 34. The computer-readable medium of claim 26 wherein two of the organization levels correspond to divisions and departments within the organization.
  - 35. The computer-readable medium of claim 26 wherein each of the hierarchical organization branches are functional owners of the data items that have an organizational access attribute corresponding to that hierarchical organization branch.
  - 36. The computer-readable medium of claim 26 wherein the user has multiple distinct roles within the organization that each have a distinct set of organizational access attributes, and wherein the determining of the multiple organizational access attributes associated with the user includes determining a current one of the multiple roles for the user and selecting at least some of the organizational access attributes from the set for the determined current role.
  - 37. The computer-readable medium of claim 36 wherein the method includes, after the user is provided access to one or more of the data items based on the organizational access attributes for the determined current role of the user, temporarily granting access to at least some of those data items to another user based on an indication received from the user.
  - 38. The computer-readable medium of claim 36 wherein the method includes receiving multiple queries from the user while the user is acting in different roles, such that the current role determined for the user for at least one of the received queries is different from the current role determined for the user for at least one of the other received queries.
  - 39. The computer-readable medium of claim 38 wherein two of the received queries from the user for which different roles are determined relate to a single data item, and wherein the user is granted access to the single data item for one of the two received queries based on the role of the user determined for that query and is denied access to the single data item for the other of the two received queries based on the different role of the user determined for that query.
  - 40. The computer-readable medium of claim 36 wherein the method includes, before the receiving of the query from the user, associating with the user the multiple distinct roles for the user.
  - 41. The computer-readable medium of claim 36 wherein the method includes, before the receiving of the query from the user, associating the sets of organizational access attributes for the roles with those roles.
  - 42. The computer-readable medium of claim 36 wherein the multiple roles for the user are mutually exclusive such that the user has only one current role at a time.
  - 43. The computer-readable medium of claim 36 wherein the roles represent types of activities that the user performs for the organization.
  - 44. The computer-readable medium of claim 36 wherein the database is shared by multiple related organizations that are part of a shared channel in such a manner that different of the organizations have different access authorizations for at least some of the data items.
  - 45. The computer-readable medium of claim 26 wherein the method further includes identifying a combination of information about the user that includes information specific to the user, information based on one or more defined groups of people within the organization to which the user belongs, and information related to one or more positions that the user holds within the organization, and wherein the determining of whether to grant the user access to the requested data items is further based at least in part on the identified combination of information.
  - 46. The computer-readable medium of claim 45 wherein the groups of people within the organization to which the user belongs include one or more organizational sub-structures within the organization.
  - 47. The computer-readable medium of claim 45 wherein the groups of people to which the user belongs and/or the one or more positions that the user holds within the organization are identified based on one or more of the organizational access attributes associated with the user.
  - 48. The computer-readable medium of claim 45 wherein the determining of whether to grant the user access to the requested data items based on the identified combination of information includes comparing the combination of information to additional retrieved information that indicates access controls for the data items.
  - 49. The computer-readable medium of claim 26 wherein the computer-readable medium is a memory of a computing device.
  - 50. The computer-readable medium of claim 26 wherein the contents are instructions that when executed cause the computing device to perform the method.

51. A computing system that manages access to stored data items of an organization based on a hierarchical structure of the organization, the hierarchical structure of the organization including multiple hierarchical organization branches that each have multiple organization levels, the computing system comprising:
- a plurality of stored entries for users of the organization that each have multiple associated organizational access attributes, the organizational access attributes each corresponding to one of the hierarchical organization branches and one of the organization levels of the organization;
  
  a plurality of stored data items for the organization that each have at least one associated organizational access attribute; and
  
  an access control subsystem that is configured to determine whether to grant a user access to one or more data items that each have one or more associated organizational access attributes by determining the organizational access attributes associated with the user and the organizational access attributes associated with the data items and by comparing the hierarchical organization branches'"'"' corresponding to the organizational access attributes of the user and of the data items and/or comparing the organization levels corresponding to the organizational access attributes of the user and of the data items, and that is configured to provide to the user access to the data items when the user is determined to have access to the data items.
- View Dependent Claims (52, 53)
- - 52. The computing system of claim 51 wherein the user has multiple distinct roles within the organization that each have a distinct set of organizational access attributes, and wherein the determining of the organizational access attributes associated with the user includes determining a current one of the multiple roles for the user and selecting multiple of the organizational access attributes from the set for the determined current role.
  - 53. The computing system of claim 51 wherein the access control subsystem is further configured to identify a combination of information about the user that includes information specific to the user, information based on one or more defined groups of people within the organization to which the user belongs, and information related to one or more positions that the user holds within the organization, and wherein the determining of whether to grant the user access to the requested data items is further based at least in part on the identified combination of information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Siebel Systems Inc. (Oracle Corporation)
Inventors
Rothwein, Thomas M., Malden, Matthew S., Brodersen, Karen, Annadata, Anil, Chen, Mingte J.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Woo, Isaac

Application Number

US09/540,299
Time in Patent Office

1,495 Days
Field of Search

707/8, 707/9, 707/10, 707/1, 707/2, 707/3, 707/4, 707/5, 707/6, 713/182, 713/183, 713/185, 713/186
US Class Current

1/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

Y10S 707/99932   Access augmentation or opti...

Y10S 707/99935   Query augmenting and refini...

Y10S 707/99936   Pattern matching access

Y10S 707/99939   Privileged access

Database access method and system for user role defined access

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

2227 Citations

53 Claims

Specification

Use Cases

Quick Links

Others

Database access method and system for user role defined access

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

2227 Citations

53 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others