Managing user access to data

US 7,685,644 B2
Filed: 09/17/2004
Issued: 03/23/2010
Est. Priority Date: 05/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method of managing user access to data, the method being implemented using one or more data processors and comprising:

detecting, by at least one of the data processors, that a user seeks access to a data portion within a data hierarchy that belongs to two or more specified categories, each category requiring different authorization in order to access the data portion, at least one of the categories pertaining to a first sub-portion of the data portion and at least one of the categories pertaining to a second sub-portion of the data portion, the first sub-portion differing in scope to the second sub-portion, wherein access to the data portion requires access to both the first sub-portion and the second sub-portion;

associating, by at least one of the data processors, the user with a role;

evaluating, by at least one of the data processors, two or more authorizations based on the role associated with the user, each authorization having an authorization segment corresponding to at least one of the specified categories;

permitting, by at least one of the data processors, the sought access to the data portion if, for each specified category, there is at least one corresponding authorization segment, wherein each specified category identifies the respective data sub-portion to which access is sought; and

limiting, by at least one of the data processors, access to other sub-portions of the data hierarchy by hiding information relating to the other sub-portions of the data hierarchy, when the user navigates through nodes of the data hierarchy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing user access to data includes detecting that a user seeks access to a data portion that belongs to a specified category. One or more authorizations are evaluated, each authorization having an authorization segment corresponding to the specified category. The method includes permitting the sought access to the data portion if at least one of the authorization segments corresponding to the specified category identifies the data portion to which access is sought. The method may permit access to data that falls within a union of granted authorizations. An authorization segment may correspond to a data dimension or to a meta dimension, such as an authorized action or data source, that does not directly relate to a data dimension.

5 Citations

View as Search Results

26 Claims

1. A method of managing user access to data, the method being implemented using one or more data processors and comprising:
- detecting, by at least one of the data processors, that a user seeks access to a data portion within a data hierarchy that belongs to two or more specified categories, each category requiring different authorization in order to access the data portion, at least one of the categories pertaining to a first sub-portion of the data portion and at least one of the categories pertaining to a second sub-portion of the data portion, the first sub-portion differing in scope to the second sub-portion, wherein access to the data portion requires access to both the first sub-portion and the second sub-portion;
  
  associating, by at least one of the data processors, the user with a role;
  
  evaluating, by at least one of the data processors, two or more authorizations based on the role associated with the user, each authorization having an authorization segment corresponding to at least one of the specified categories;
  
  permitting, by at least one of the data processors, the sought access to the data portion if, for each specified category, there is at least one corresponding authorization segment, wherein each specified category identifies the respective data sub-portion to which access is sought; and
  
  limiting, by at least one of the data processors, access to other sub-portions of the data hierarchy by hiding information relating to the other sub-portions of the data hierarchy, when the user navigates through nodes of the data hierarchy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein at least first and second authorizations are evaluated serially.
  - 3. The method of claim 2, wherein the second authorization is evaluated upon determining, by at least one of the data processors, that the authorization segment in the first authorization that corresponds to the specified category does not identify the data portion.
  - 4. The method of claim 2, wherein the data portion belongs to at least first and second categories and wherein the second authorization is evaluated, by at least one of the data processors, upon determining that the authorization segment in the first authorization that corresponds to the first category identifies the data portion.
  - 5. The method of claim 1, wherein evaluating one or more authorizations comprises evaluating, by at least one of the data processors, a first authorization wherein the authorization segment corresponding to the specified category identifies a different data portion and evaluating, by at least one of the data processors, a second authorization wherein the authorization segment corresponding to the specified category identifies the data portion.
  - 6. The method of claim 5, wherein the first and second authorizations have different validities.
  - 7. The method of claim 1, wherein at least one of the authorizations has multiple authorization segments.
  - 8. The method of claim 7, wherein some of the multiple authorization segments correspond to data dimensions.
  - 9. The method of claim 7, wherein at least one of the multiple authorization segments correspond to a meta dimension that does not directly correspond to a data dimension.
  - 10. The method of claim 9, wherein the meta dimension corresponds to authorizing the user to access a data source.
  - 11. The method of claim 9, wherein the meta dimension corresponds to authorizing the user to perform an action.
  - 12. The method of claim 11, wherein the authorized action is at least one selected from the group consisting of:
    - a display action, a change action, an update action, a read action, a write action, a revise action, and combinations thereof.
  - 13. The method of claim 1, wherein at least one authorization segment includes a value that is selected from the group comprising:
    - an interval, a single value, a pattern, a variable, a hierarchy, and combinations thereof.
  - 14. The method of claim 13, wherein the value is the hierarchy, further comprising protecting a hierarchy structure upon permitting access to the data portion.
  - 15. The method of claim 1, wherein the specified category is a measure dimension.
  - 16. The method of claim 15, wherein the data portion is at least one selected from the group consisting of:
    - revenue, discount, net revenue, production costs, and combinations thereof.
  - 17. The method of claim 1, wherein at least one authorization segment specifies a validity of the authorization.
  - 18. The method of claim 17, wherein the validity comprises a periodically granted access permission.
  - 19. The method of claim 1, wherein the role includes at least one authorization for the user.
  - 20. The method of claim 19, wherein the role is included in a higher level role.
  - 21. The method of claim 20, wherein several roles are included in the higher level role, and wherein the higher level role includes authorizations included in the several roles.

22. An article comprising a tangible machine-readable storage medium embodying instructions that when executed cause one or more data processors to perform operations comprising:
- detecting that a user seeks access to a data portion that belongs to two or more specified categories, each category requiring different authorization in order to access the data portion, at least one of the categories pertaining to a first sub-portion of the data portion and at least one of the categories pertaining to a second sub-portion of the data portion, the first sub-portion differing in scope to the second sub-portion, wherein access to the data portion requires access to both the first sub-portion and the second sub-portion;
  
  associating the user with a role;
  
  evaluating two or more authorizations based on the role associated with the user, each authorization having an authorization segment corresponding to at least one of the specified categories; and
  
  permitting the sought access to the data portion if, for each specified category, there is at least one corresponding authorization segment, wherein each specified category identifies the respective data sub-portion to which access is sought, the data portion comprising disjunctive parts of a data hierarchy, wherein information about where the disjunctive parts of the data hierarchy belong are hidden when the user navigates the data hierarchy.

23. A method of managing user access to data, the method being implemented using one or more data processors and comprising:
- detecting, by at least one of the data processors, that a user seeks access to a data portion that belongs to at least first and second specified categories, each category requiring different authorization in order to access the data portion, at least one of the categories pertaining to a first sub-portion of the data portion and at least one of the categories pertaining to a second sub-portion of the data portion, the first sub-portion differing in scope to the second sub-portion, wherein access to the data portion requires access to both the first sub-portion and the second sub-portion;
  
  evaluating, by at least one of the data processors, one or more authorizations based on a role of the user, each authorization having at least one authorization segment corresponding to one of the first and second specified categories; and
  
  permitting, by at least one of the data processors, the sought access to the data portion if the at least one authorization segment in the one or more authorizations
  
  1) correspond to the first and second specified categories and
  
  2) identify the first and second sub-portions to which access is sought, the data portion comprising disjunctive parts of a data hierarchy, wherein information about where the disjunctive parts of the data hierarchy belong are hidden when the user navigates the data hierarchy.
- View Dependent Claims (24, 25)
- - 24. The method of claim 23, wherein the sought access to the data portion is permitted upon determining, by at least one of the data processors, that the data portion is identified by the authorization segment corresponding to the first category in a first authorization and that the data portion is identified by the authorization segment corresponding to the second category in a second authorization.
  - 25. The method of claim 24, wherein the sought access to the data portion is permitted upon determining, by at least one of the data processors, that the data portion is identified, in a first authorization, by the authorization segment corresponding to the first category and by the authorization segment corresponding to the second category.

26. An article comprising a tangible machine-readable storage medium embodying instructions that when executed cause one or more data processors to perform operations comprising:
- detect that a user seeks access to a data portion that belongs to at least first and second specified categories, each category requiring different authorization in order to access the data portion, at least one of the categories pertaining to a first sub-portion of the data portion and at least one of the categories pertaining to a second sub-portion of the data portion, the first sub-portion differing in scope to the second sub-portion, wherein access to the data portion requires access to both the first sub-portion and the second sub-portion;
  
  evaluate one or more authorizations based on a role associated with the user, each authorization having at least one authorization segment corresponding to one of the first and second specified categories, the at least one authorization segment defining a range of authorized values; and
  
  permit the sought access to the data portion if the ranges defined by the at least one authorization segments in the one or more authorizations
  
  1) correspond to the first and second specified categories and
  
  2) identify the first and second sub-portions to which access is sought, the data portion comprising disjunctive parts of a data hierarchy, wherein information about where the disjunctive parts of the data hierarchy belong are hidden when the user navigates nodes associated with the data hierarchy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Muenkel, Christian, John, Peter
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Zee; Edward

Application Number

US10/943,710
Publication Number

US 20050257066A1
Time in Patent Office

2,013 Days
Field of Search

726/28, 726/2, 726/26, 726/27, 726/30, 713/182, 707/9
US Class Current

726/27
CPC Class Codes

G06F 21/6227 where protection concerns t...

Managing user access to data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

5 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Managing user access to data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others