Authorization controlled searching

US 7,809,751 B2
Filed: 08/27/2007
Issued: 10/05/2010
Est. Priority Date: 08/27/2007
Status: Active Grant

First Claim

Patent Images

1. A computer program product, tangibly embodied in a computer-readable storage medium, the computer program product being operable to cause data processing apparatus to perform operations comprising:

receiving a search request; and

searching a database data structure populated with records based on data from a plurality of database data structures, the records comprising data and criteria for authorization to access the data,the searching comprising;

generating a set of results comprising data from the database data structure for which a user is authorized and omitting data from the database data structure for which the user is not authorized, the generating comprising using the criteria to determine which results to include in the set of results; and

presenting the set of results to the user,the database data structure populated with records by;

populating a column of the criteria to be used to determine whether the user is authorized to access a record based solely on the criteria and environment information, the environment information comprising user information, the populating the column comprising accessing two or more layers of associations in a table of business object node instances and the database data structures including authorization information to find the criteria to be used to determine whether the user has access to the record;

wherein an authorization check is used to determine if the user is authorized to access the data from the database structure responsive to the search request, the authorization check applying a set of authorization rules;

wherein the authorization rules are applied to a specific instance of a business object node and/or to a data model of business object nodes such that the authorization rules are applied to all instances of a business object node such that the authorization rules specify at least one authorization check that is required for each corresponding instance of the business object node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, for authorization controlled searching. In general, a search request is received, a database data structure is searched where the data structure is populated with records that include data and criteria for authorization to access the data, and a set of results is presented to a user, where the set of results includes data from the data structure for which a user is authorized the criteria is used to determine which results to include in the set of results. The criteria for authorization to access the data may be simple or complex, and may be based on a formation of associations from multiple layers of associations.

Citations

20 Claims

1. A computer program product, tangibly embodied in a computer-readable storage medium, the computer program product being operable to cause data processing apparatus to perform operations comprising:
- receiving a search request; and
  
  searching a database data structure populated with records based on data from a plurality of database data structures, the records comprising data and criteria for authorization to access the data,the searching comprising;
  
  generating a set of results comprising data from the database data structure for which a user is authorized and omitting data from the database data structure for which the user is not authorized, the generating comprising using the criteria to determine which results to include in the set of results; and
  
  presenting the set of results to the user,the database data structure populated with records by;
  
  populating a column of the criteria to be used to determine whether the user is authorized to access a record based solely on the criteria and environment information, the environment information comprising user information, the populating the column comprising accessing two or more layers of associations in a table of business object node instances and the database data structures including authorization information to find the criteria to be used to determine whether the user has access to the record;
  
  wherein an authorization check is used to determine if the user is authorized to access the data from the database structure responsive to the search request, the authorization check applying a set of authorization rules;
  
  wherein the authorization rules are applied to a specific instance of a business object node and/or to a data model of business object nodes such that the authorization rules are applied to all instances of a business object node such that the authorization rules specify at least one authorization check that is required for each corresponding instance of the business object node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The product of claim 1, wherein the database data structure is generated from a join of two or more of the database data structures to include the data and the criteria in the records, the two or more of the database data structures having the data and the criteria in separate data structures.
  - 3. The product of claim 1, wherein the database data structure is generated from the database data structures where the criteria is specific to an attribute of one of the database data structures.
  - 4. The product of claim 3, wherein the database data structure is generated from the database data structures where the criteria is specific to an attribute of a node of a business object instance.
  - 5. The product of claim 1, wherein the data comprises unstructured data.
  - 6. The product of claim 1, wherein the data comprises structured data.
  - 7. The product of claim 6, wherein the structured data comprises business objects.
  - 8. The product of claim 1, wherein the data comprises a combination of structured and unstructured data.
  - 9. The product of claim 1, wherein the records represent instances of nodes of business objects.
  - 10. The product of claim 1, wherein the criteria comprises names of users, roles, profiles, or groups.
  - 11. The product of claim 1, wherein the generating the set of results comprises modifying a query of the search request to include user information corresponding to the criteria.
  - 12. The product of claim 1, wherein the generating the set of results comprises filtering the set of results based on user information and the criteria.
  - 13. The product of claim 1, wherein the user information comprises a name of the user.
  - 14. The product of claim 1, wherein the database data structure has structured data and the operations further comprise:
    - performing a search of another database data structure having unstructured data in response to the search request; and
      
      adding results of the search of the another database data structure of unstructured data to the set of results.
  - 15. The product of claim 1, wherein the operations further comprise storing the set of results in volatile memory.
  - 16. The product of claim 1, wherein the presenting comprises displaying the set of results to the user.

17. A method comprising:
- receiving a search request;
  
  searching a database data structure populated with records based on data from a plurality of database data structures, the records comprising data and criteria for authorization to access the data, the searching comprising;
  
  generating a set of results comprising data from the database data structure for which a user is authorized and omitting data from the database data structure for which the user is not authorized, the generating comprising using the criteria to determine which results to include in the set of results; and
  
  presenting the set of results to the user;
  
  the database data structure populated with records by;
  
  populating a column of the criteria to be used to determine whether the user is authorized to access a record based solely on the criteria and environment information, the environment information comprising user information, the populating the column comprising accessing two or more layers of associations in a table of business object node instances and the database data structures including authorization information to find the criteria to be used to determine whether the user has access to the record;
  
  wherein an authorization check is used to determine if the user is authorized to access the data from the database structure responsive to the search request;
  
  wherein an authorization check associated with a root node of a business object is propagated to all nodes of the business object such that the authorization check associated with the root node is required for each of the nodes of the business object.

18. A computer program product, tangibly embodied in a computer-readable medium, the computer program product being operable to cause data processing apparatus to perform operations comprising:
- populating a database data structure with records based on data from a plurality of database data structures, the records comprising data and criteria for authorization to access the data, the populating comprising populating a column of the criteria to be used to determine whether a user is authorized to access a record based solely on the criteria and environment information, the environment information comprising user information, the populating the column comprising accessing two or more layers of associations in database data structures of business object node instances and the database data structures including authorization information to find the criteria to be used to determine whether the user has access to the record;
  
  receiving a search request;
  
  searching the database data structure, the searching comprising generating a set of results comprising data from the index for which a user is authorized and omitting data from the database data structure for which the user is not authorized, the generating comprising using the criteria to determine which results to include in the set of results; and
  
  presenting the set of results to the user;
  
  wherein an authorization check is used to determine if the user is authorized to access the data from the database structure responsive to the search request;
  
  wherein an authorization check associated with a first business object is propagated to all business objects that are children of the first business object such that the authorization check associated with the first business object is required for each of the first business object and the children of the business object.
- View Dependent Claims (19, 20)
- - 19. A computer program product as in claim 18, wherein the records in the index each represent a node of the business object and the columns are key attributes that represent attributes the node of the corresponding business object.
  - 20. A computer program product as in claim 18, wherein a rule with the index defines that two checks must be satisfied to grant access to records, the two checks including whether a user is of an authorization group of the corresponding node and the user has access to a material type of the node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Hofmann, Juergen, Finke, Thomas, Istrate, Ionut, Koch, Marieta, Kresser, Florian, Fuerst, Karl
Primary Examiner(s)
Vo; Tim T.
Assistant Examiner(s)
Gortayo; Dangelino N

Application Number

US11/845,631
Publication Number

US 20090063490A1
Time in Patent Office

1,135 Days
Field of Search

707/1, 707/3, 707/9, 707/10, 707/100, 707/104.1, 707/999.001, 707/999.009, 707/999.01, 707/999.107, 713/166, 713/190
US Class Current

707/783
CPC Class Codes

G06F 16/24   Querying

G06F 21/6227   where protection concerns t...

Y10S 707/99931   Database or file accessing

Y10S 707/99939   Privileged access

Y10S 707/99948   Application of database or ...

Authorization controlled searching

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authorization controlled searching

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links