Techniques for processing group membership data in a multi-tenant database system

US 8,473,518 B1
Filed: 07/03/2008
Issued: 06/25/2013
Est. Priority Date: 07/03/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request for access to a sub-portion of content represented as an account stored within a multi-tenant database system to be processed as a query on the multi-tenant database system, the request having requester identification data;

identifying a group having access to the sub-portion of content represented as the account based on an associational data registry which associates groups with accounts and further identifying a sub-group having a user of a higher permission level dictated by a contractual relationship of the user with other users within the group of a lower permission level;

determining that access should be granted to the sub-portion of the content represented as the account based on a comparison of the requester identification data of the user that provided the request with the user associated with the sub-group identified as having access to the sub-portion of the content represented as the account due to the user'"'"'s higher permission level dictated by the contractual relationship of the user with the other users within the group; and

granting the access requested in response to determining that access should be granted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with embodiments, there are provided techniques for processing group membership data in a multi-tenant database system. These techniques for processing group membership data in a multi-tenant database system may enable embodiments to provide great flexibility to a tenant of the architecture to select the content that may be perceived by the tenant users while allowing the owner of the architecture control over the content.

Citations

18 Claims

1. A method comprising:
- receiving a request for access to a sub-portion of content represented as an account stored within a multi-tenant database system to be processed as a query on the multi-tenant database system, the request having requester identification data;
  
  identifying a group having access to the sub-portion of content represented as the account based on an associational data registry which associates groups with accounts and further identifying a sub-group having a user of a higher permission level dictated by a contractual relationship of the user with other users within the group of a lower permission level;
  
  determining that access should be granted to the sub-portion of the content represented as the account based on a comparison of the requester identification data of the user that provided the request with the user associated with the sub-group identified as having access to the sub-portion of the content represented as the account due to the user'"'"'s higher permission level dictated by the contractual relationship of the user with the other users within the group; and
  
  granting the access requested in response to determining that access should be granted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as recited in claim 1:
    - wherein the associational data registry which associates individual users with groups organizes relationships between groups and users amongst multiple tables; and
      
      wherein the method further comprises;
      
      performing a join operation which produces a table that includes information concerning any user of the sub-group having access to the sub-portion of content within the multi-tenant database system for which the access is sought.
  - 3. The method as recited in claim 2 further including generating first and second classes of object tables, with joining further including joining the first and second classes of objects.
  - 4. The method as recited in claim 2 further including generating a first table having transitive information indicating additional users of additional groups that may access the sub-portion based upon contractual relationships with the requester identification data.
  - 5. The method as recited in claim 4 further including generating a second table having data that is independent of transitive information, with transitive information identifying additional users of additional groups that may access the sub-portion based upon contractual relationships with the requester identification data.
  - 6. The method as recited in claim 5 further including the second table having a normalized data structure associating users to groups and sub-groups.
  - 7. The method as recited in claim 4 further including the first table having data that is independent of user to group and user to sub-group association information.
  - 8. The method as recited in claim 1 wherein the determining that access should be granted further includes generating a results table and ascertaining whether the requestor identification data matches an entry in the results table.

9. A non-transitory machine-readable storage medium having instructions stored thereon that, when executed by one or more processors, the instructions cause a multi-tenant database system to perform operations comprising:
- receiving a request for access to a sub-portion of content represented as an account stored within a multi-tenant database system to be processed as a query on the multi-tenant database system, the request having requester identification dataidentifying a group having access to the sub-portion of content represented as the account based on an associational data registry which associates groups with accounts and further identifying a sub-group having a user of a higher permission level dictated by a contractual relationship of the user with other users within the group of a lower permission level;
  
  determining that access should be granted to the sub-portion of the content represented as the account based on a comparison of the requester identification data of the user that provided the request with the user associated with the sub-group identified as having access to the sub-portion of the content represented as the account due to the user'"'"'s higher permission level dictated by the contractual relationship of the user with the other users within the group; and
  
  granting the access requested in response to determining that access should be granted.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory machine-readable storage medium as recited in claim 9:
    - wherein the associational data registry which associates individual users with groups organizes relationships between groups and users amongst multiple tables; and
      
      wherein the operations further include;
      
      performing a join operation which produces a table that includes information concerning any user of the sub-group having access to the sub-portion of content within the multi-tenant database system for which the access is sought.
  - 11. The non-transitory machine-readable storage medium as recited in claim 10 wherein the operations further include:
    - generating first and second classes of objects, wherein the joining further includes joining the first and second classes of objects.
  - 12. The non-transitory machine-readable storage medium as recited in claim 10 wherein the first table includes transitive information indicating additional users of additional groups that may access the sub-portion of the content based upon contractual relationships with the requester identification data.
  - 13. The non-transitory machine-readable storage medium as recited in claim 12 wherein the first table includes data that is independent of user to group and user to sub-group association information.
  - 14. The non-transitory machine-readable storage medium as recited in claim 10 wherein a second table includes data that is independent of transitive information, with transitive information identifying additional users of additional groups that may access the sub-portion of the content based upon contractual relationships with the requester identification data.
  - 15. The non-transitory machine-readable storage medium as recited in claim 14 wherein the second table includes a normalized data structure associating members to groups and sub-groups.
  - 16. The non-transitory machine-readable storage medium as recited in claim 9 wherein the associational data registry further includes transitive information relating managerial control of other users over the users associated with the groups identified as having access to the sub-portion of the content and information concerning the user associated with each of the groups.

17. A multi-tenant database system which stores data for multiple tenants in the same physical database object in which tenant data is arranged so that data of one tenant is kept logically separate from that of other tenants so that the one tenant does not have access to the other tenants'"'"' data, unless such data is expressly shared, wherein the multi-tenant database system comprises:
- a processor; and
  
  a memory having a sequence of instructions which, when executed by the processor, the sequence of instructions cause the processor to perform operations comprising;
  
  receiving a request for access to a sub-portion of content represented as an account stored within a multi-tenant database system to be processed as a query on the multi-tenant database system, the request having requester identification dataidentifying a group having access to the sub-portion of content represented as the account based on an associational data registry which associates groups with accounts and further identifying a sub-group having a user of a higher permission level dictated by a contractual relationship of the user with other users within the group of a lower permission level;
  
  determining that access should be granted to the sub-portion of the content represented as the account based on a comparison of the requester identification data of the user that provided the request with the user associated with the sub-group identified as having access to the sub-portion of the content represented as the account due to the user'"'"'s higher permission level dictated by the contractual relationship of the user with the other users within the group; and
  
  granting the access requested in response to determining that access should be granted.

18. An apparatus comprising:
- a processor; and
  
  a memory having a sequence of instructions which, when executed by the processor, the sequence of instructions cause the processor to perform operations comprising;
  
  receiving a request for access to a sub-portion of content represented as an account stored within a multi-tenant database system to be processed as a query on the multi-tenant database system, the request having requester identification dataidentifying a group having access to the sub-portion of content represented as the account based on an associational data registry which associates groups with accounts and further identifying a sub-group having a user of a higher permission level dictated by a contractual relationship of the user with other users within the group of a lower permission level;
  
  determining that access should be granted to the sub-portion of the content represented as the account based on a comparison of the requester identification data of the user that provided the request with the user associated with the sub-group identified as having access to the sub-portion of the content represented as the account due to the user'"'"'s higher permission level dictated by the contractual relationship of the user with the other users within the group; and
  
  granting the access requested in response to determining that access should be granted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Yancey, Scott, Doshi, Kedar, Wu, Yongsheng
Primary Examiner(s)
VU, BAI DUC

Application Number

US12/167,991
Time in Patent Office

1,818 Days
Field of Search

None
US Class Current

707/786
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 16/21   Design, administration or m...

G06F 16/2453   Query optimisation

G06F 21/604   Tools and structures for ma...

Techniques for processing group membership data in a multi-tenant database system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for processing group membership data in a multi-tenant database system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links