Authorization controlled searching
First Claim
1. A computer program product, tangibly embodied in a computer-readable storage medium, the computer program product being operable to cause data processing apparatus to perform operations comprising:
receiving a search request; and
searching a database data structure populated with records based on data from a plurality of database data structures, the records comprising data and criteria for authorization to access the data, the searching comprising:
generating a set of results comprising data from the database data structure for which a user is authorized and omitting data from the database data structure for which the user is not authorized, the generating comprising using the criteria to determine which results to include in the set of results; and
presenting the set of results to the user, the database data structure populated with records by:
populating a column of the criteria to be used to determine whether the user is authorized to access a record based solely on the criteria and environment information, the environment information comprising user information, the populating the column comprising accessing two or more layers of associations in a table of business object node instances and the database data structures including authorization information to find the criteria to be used to determine whether the user has access to the record;
wherein an authorization check is used to determine if the user is authorized to access the data from the database structure responsive to the search request, the authorization check applying a set of authorization rules;
wherein the authorization rules are applied to a specific instance of a business object node and/or to a data model of business object nodes such that the authorization rules are applied to all instances of a business object node such that the authorization rules specify at least one authorization check that is required for each corresponding instance of the business object node.
Abstract
Methods and apparatus, including computer program products, for authorization controlled searching. In general, a search request is received, a database data structure is searched, where the data structure is populated with records that include data and criteria for authorization to access the data, and a set of results is presented to a user, where the set of results includes data from the data structure for which a user is authorized and the criteria is used to determine which results to include in the set of results. The criteria for authorization to access the data may be simple or complex, and may be based on a formation of associations from multiple layers of associations.
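The approach the abstract describes, sketched as an added illustration (not code from the patent): an index row carries its own authorization criterion, copied down from the root node through two layers of associations, and the search filters on that column and the user's environment information alone. All table, column and org-unit names are hypothetical, and the sample data is constructed.

```python
import sqlite3

def build_index(db):
    """Populate a flat search index whose rows carry their own authorization criteria."""
    db.executescript("""
    -- Constructed sample data: root nodes (orders), child nodes (items) and
    -- authorization information (which org unit owns which root node).
    CREATE TABLE order_root(order_id INTEGER PRIMARY KEY, customer TEXT);
    CREATE TABLE order_item(item_id INTEGER PRIMARY KEY, order_id INTEGER, product TEXT);
    CREATE TABLE order_auth(order_id INTEGER, org_unit TEXT);
    INSERT INTO order_root VALUES (1,'Acme'),(2,'Globex'),(3,'Initech');
    INSERT INTO order_item VALUES (10,1,'laser printer'),(11,2,'laser cutter'),
                                  (12,2,'toner'),(13,3,'laser pointer');
    INSERT INTO order_auth VALUES (1,'SALES_EU'),(2,'SALES_US');  -- order 3: none
    CREATE TABLE search_index(item_id INTEGER, text TEXT, auth_org_unit TEXT);
    -- Two layers of association: item -> root order -> authorization info.
    -- The root node's criterion is copied onto every child row. The inner
    -- JOIN fails closed: a node with no criterion is never indexed.
    INSERT INTO search_index
      SELECT i.item_id, i.product || ' ' || r.customer, a.org_unit
      FROM order_item i
      JOIN order_root r ON r.order_id = i.order_id
      JOIN order_auth a ON a.order_id = r.order_id;
    """)

def search(db, term, user_org_units):
    """Return only rows the user may see, using nothing but the index row's
    criterion and the user's environment information (org units)."""
    if not user_org_units:
        return []  # fail closed: no entitlements, no results
    marks = ",".join("?" * len(user_org_units))
    rows = db.execute(
        f"SELECT item_id, text FROM search_index "
        f"WHERE text LIKE ? AND auth_org_unit IN ({marks}) ORDER BY item_id",
        [f"%{term}%", *sorted(user_org_units)],
    )
    return rows.fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    build_index(db)
    return db

if __name__ == "__main__":
    db = demo()
    print(search(db, "laser", {"SALES_EU"}))
    print(search(db, "laser", {"SALES_EU", "SALES_US"}))
```

Because the criterion is materialized at index time, a change to the source authorization tables only takes effect in search results once the affected index rows are repopulated.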
20 Claims
17. A method comprising:
receiving a search request;
searching a database data structure populated with records based on data from a plurality of database data structures, the records comprising data and criteria for authorization to access the data, the searching comprising:
generating a set of results comprising data from the database data structure for which a user is authorized and omitting data from the database data structure for which the user is not authorized, the generating comprising using the criteria to determine which results to include in the set of results; and
presenting the set of results to the user;
the database data structure populated with records by:
populating a column of the criteria to be used to determine whether the user is authorized to access a record based solely on the criteria and environment information, the environment information comprising user information, the populating the column comprising accessing two or more layers of associations in a table of business object node instances and the database data structures including authorization information to find the criteria to be used to determine whether the user has access to the record;
wherein an authorization check is used to determine if the user is authorized to access the data from the database structure responsive to the search request;
wherein an authorization check associated with a root node of a business object is propagated to all nodes of the business object such that the authorization check associated with the root node is required for each of the nodes of the business object.
18. A computer program product, tangibly embodied in a computer-readable medium, the computer program product being operable to cause data processing apparatus to perform operations comprising:
populating a database data structure with records based on data from a plurality of database data structures, the records comprising data and criteria for authorization to access the data, the populating comprising populating a column of the criteria to be used to determine whether a user is authorized to access a record based solely on the criteria and environment information, the environment information comprising user information, the populating the column comprising accessing two or more layers of associations in database data structures of business object node instances and the database data structures including authorization information to find the criteria to be used to determine whether the user has access to the record;
receiving a search request;
searching the database data structure, the searching comprising generating a set of results comprising data from the index for which a user is authorized and omitting data from the database data structure for which the user is not authorized, the generating comprising using the criteria to determine which results to include in the set of results; and
presenting the set of results to the user;
wherein an authorization check is used to determine if the user is authorized to access the data from the database structure responsive to the search request;
wherein an authorization check associated with a first business object is propagated to all business objects that are children of the first business object such that the authorization check associated with the first business object is required for each of the first business object and the children of the business object.
Specification