Methods and systems for controlling access to custom objects in a database
First Claim
1. A computer-implemented method for controlling access to objects in a database, wherein the database stores data specific to each one of a plurality of tenants such that at least two of the tenants store at least a portion of data specific to the at least two tenants in a common table within the database and wherein each tenant is permitted access only to data associated with that tenant, and wherein each tenant has one or more users, the method comprising:
- (a) receiving, from a user associated with a first tenant, a request to access data of a first object in the common table of the database, the first object having a unique identification, wherein the common table includes a plurality of objects associated with the first tenant, and wherein the plurality of objects includes the first object, a second object, and a third object, each containing one or more data types specified by the first tenant;
- (b) using information of the first object to identify a key associated with the first object and the third object, but not associated with the second object, wherein the key includes a key prefix that equals a prefix of the unique identification, the unique identification having additional characters after the prefix;
- (c) retrieving the identified key from a table of the database;
- (d1) after retrieving the key, searching only that portion of an entity share table appropriate to the retrieved key to locate access information for the first object;
- (d2) selecting, by a processor, at least one rule from a plurality of permission rules that prevent a user associated with a particular tenant from seeing data in the database associated with the particular tenant to which the user is not permitted access;
- (e) determining whether the user has permission to access at least a portion of the first object based at least in part on the access information; and
- (f) sending, to the user, the requested data of the first object to which the user has permission to access.
Abstract
In embodiments, methods and systems for controlling access to custom objects are provided. These techniques for controlling access to custom objects can enable embodiments to utilize a key for the protection of the security of data that is to remain private while not compromising efficiency of a query. The key for a requested custom object is identified and then used so that only an appropriate portion of a custom entity share table is searched to locate access information. It is then determined whether the user can access at least a portion of the custom object, and the appropriate and allowed data is sent to the user.
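The following is an added illustration of the access path the abstract and claim 1 describe; it is not code from the patent or from any product, and the table layout, the three-character key prefix, the two permission rules and the "amount" field being withheld from read-only shares are all assumptions made here for the example. Two tenants share one common table, the key for an object is resolved from the prefix of its identifier, and only the share-table partition belonging to that key is searched before the selected rules decide what portion of the row is sent back. A request that crosses the tenant boundary is refused before any share-table work happens, and the result reports how many share rows were examined so the narrowing effect is visible.

```python
"""Toy model of key-prefix scoped access checks over a multi-tenant common table."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

KEY_PREFIX_LEN = 3              # assumption: key prefix is the first three characters of an id
PRIVILEGED_FIELDS = {"amount"}  # assumption: returned only to users holding an "edit" share


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str


@dataclass(frozen=True)
class Share:
    object_id: str
    user_id: str
    level: str  # "read" or "edit"


@dataclass
class Result:
    data: Optional[Dict[str, str]]  # None when access is denied
    rows_scanned: int               # share-table rows examined for this request


# Common table: rows from two tenants live side by side (constructed sample data).
COMMON_TABLE: Dict[str, Tuple[str, Dict[str, str]]] = {
    "a01000001": ("T1", {"name": "Acme deal", "amount": "12000"}),
    "a02000001": ("T1", {"name": "Acme invoice", "amount": "300"}),
    "a01000002": ("T1", {"name": "Beta deal", "amount": "9000"}),
    "a01000009": ("T2", {"name": "Other tenant deal", "amount": "1"}),
}

# Key table: (tenant, key prefix) -> key. Objects a01000001 and a01000002 share
# the "a01" key, while a02000001 falls under a different key.
KEY_TABLE: Dict[Tuple[str, str], str] = {
    ("T1", "a01"): "K-T1-a01",
    ("T1", "a02"): "K-T1-a02",
    ("T2", "a01"): "K-T2-a01",
}

# Entity share table, partitioned by key so a lookup touches one partition only.
SHARE_TABLE: Dict[str, List[Share]] = {
    "K-T1-a01": [Share("a01000001", "alice", "read"), Share("a01000002", "bob", "edit")],
    "K-T1-a02": [Share("a02000001", "alice", "edit")],
    "K-T2-a01": [Share("a01000009", "carol", "read")],
}

# Permission rules (constructed): each returns True when it allows the request.
Rule = Callable[[User, Optional[Share]], bool]


def rule_share_exists(user: User, share: Optional[Share]) -> bool:
    return share is not None and share.user_id == user.user_id


def rule_level_known(user: User, share: Optional[Share]) -> bool:
    return share is not None and share.level in ("read", "edit")


RULES: List[Rule] = [rule_share_exists, rule_level_known]


def access_object(user: User, object_id: str) -> Result:
    entry = COMMON_TABLE.get(object_id)
    if entry is None:
        return Result(None, 0)
    tenant_id, row = entry
    # Tenant boundary first: a foreign tenant's request never reaches the share table.
    if tenant_id != user.tenant_id:
        return Result(None, 0)
    # (b)/(c): the key prefix is taken from the object id and resolved in the key table.
    key = KEY_TABLE.get((tenant_id, object_id[:KEY_PREFIX_LEN]))
    if key is None:
        return Result(None, 0)
    # (d1): only the share-table partition for this key is searched.
    partition = SHARE_TABLE.get(key, [])
    share = next((s for s in partition
                  if s.object_id == object_id and s.user_id == user.user_id), None)
    # (d2)/(e): every selected permission rule must allow the request.
    if not all(rule(user, share) for rule in RULES):
        return Result(None, len(partition))
    # (f): send only the portion of the row the share level permits.
    visible = {k: v for k, v in row.items()
               if share.level == "edit" or k not in PRIVILEGED_FIELDS}
    return Result(visible, len(partition))


if __name__ == "__main__":
    print(access_object(User("alice", "T1"), "a01000001"))  # read share: amount withheld
    print(access_object(User("bob", "T1"), "a01000001"))    # no share: denied
    print(access_object(User("carol", "T2"), "a01000001"))  # other tenant: denied early
```

The point to check in a real deployment is the order of the checks: the tenant test runs before the key is resolved, so a key prefix shared by objects of different tenants (as "a01" is here) can never cause one tenant's share partition to be consulted for another tenant's user.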
591 Citations
26 Claims
1. (Independent claim, reproduced in full under First Claim above.) Dependent claims: 2 to 18.
19. A machine-readable storage medium storing a plurality of instructions for programming one or more processors to control access to objects in a database, wherein the database stores data specific to each one of a plurality of tenants such that at least two of the tenants store at least a portion of data specific to the at least two tenants in a common table within the database and wherein each tenant is permitted access only to data associated with that tenant, and wherein each tenant has one or more users, the instructions including:
- (a) code that causes the one or more processors to receive, from a user associated with a first tenant, a request to access data of a first object in the common table of the database, the first object having a unique identification, wherein the common table includes a plurality of objects associated with the first tenant, and wherein the plurality of objects includes the first object, a second object, and a third object, each containing one or more data types specified by the first tenant;
- (b) code that causes the one or more processors to identify a key associated with the first object and the third object, but not associated with a second object, wherein the key is associated with more than one user of the first tenant and the key includes a key prefix that equals a prefix of the unique identification, the unique identification having additional characters after the prefix;
- (c) code that causes the one or more processors to select at least one rule from a plurality of permission rules that prevent a user associated with a particular tenant from seeing data in the database associated with the particular tenant to which the user is not permitted access and to search only that portion of an entity share table appropriate to the key to locate access information for the first object;
- (d) code that causes the one or more processors to determine whether the user has permission to access at least a portion of the first object based at least in part on the access information; and
- (e) code that causes the one or more processors to send, to the user, the requested data of the first object to which the user has permission to access.

Dependent claims: 20 to 23.
24. A multi-tenant database system comprising:
- a database including at least one memory device that stores data specific to each one of a plurality of tenants such that at least two of the tenants store at least a portion of data specific to the at least two tenants in a common table within the database, wherein each tenant is permitted access only to data associated with that tenant, and wherein each tenant has one or more users;
- one or more processors configured to:
- receive, from a user associated with a first tenant, a request to access data of a first object in the common table of the database, the first object having a unique identification, wherein the common table includes a plurality of objects associated with the first tenant, wherein the plurality of objects includes the first object, a second object, and a third object, each containing one or more data types specified by the first tenant, and wherein the database contains an entity share table containing access information for the objects;
- identify a key associated with the first object and the third object, but not associated with the second object, wherein the key includes a key prefix that equals a prefix of the unique identification, the unique identification having additional characters after the prefix;
- search only that portion of an entity share table appropriate to the key to locate access information for the first object;
- select at least one rule from a plurality of permission rules that prevent a user associated with a particular tenant from seeing data in the database associated with the particular tenant to which the user is not permitted access;
- determine whether the user has permission to access at least a portion of the first object based at least in part on the access information, wherein the access information includes a number of rows of the common table that the user has permission to access;
- access the requested data of the first object to which the user has permission to access based on the number of rows; and
- send, to the user, the requested data of the first object to which the user has permission to access.

Dependent claims: 25 and 26.
Specification