Security configuration systems and methods for portal users in a multi-tenant database environment

US 9,355,270 B2
Filed: 12/21/2010
Issued: 05/31/2016
Est. Priority Date: 04/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising the steps of:

receiving a data request at a server with an application platform from a user via a user device, the data request being associated with a respective data object of a plurality of data objects stored in a database;

determining when the user is an internal user from a plurality of internal users of the application platform or when a portal user from a plurality of portal users of the application platform, the user additionally having a group membership in at least one of a plurality of groups;

consulting an organizational wide default table that stores a list of the data objects and, for each of the data objects, a first default security setting for all of the plurality of internal users regardless of the group membership and a second default security setting for all of the plurality of portal users regardless of the group membership, wherein the consulting step includesconsulting, when the user is the internal user, the first default security setting for the respective data object in the organizational wide default table to determine when the requested data is public or private, andconsulting, when the user is the portal user, the second default security setting for the respective data object in the organizational wide default table to determine when the requested data is public or private;

providing, when the user is the internal user and the requested data is public, access information to the user via the user device;

providing, when the user is the portal user and the requested data is public, access information to the user via the user device;

consulting, when the user is the internal user and only when the requested data is private, a membership table that includes a first listing of the groups associated with the user and a share table that includes a second listing of the groups that have access to the requested data, wherein the membership table and the share table are formed from tenant metadata, and providing the requested data to the user when the membership table and the share table indicates that the group membership of the user has access; and

consulting, when the user is the portal user and only when the requested data is private, the membership table and the share table, and providing the requested data to the user when the membership table and the share table indicates that the group membership of the user has access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system and method includes method includes receiving a data request for data in a database from a user; determining if the user is an internal user or a portal user; consulting, if the user is the internal user, a first security setting associated with the data to determine if the requested data is public or private, and if the user is the portal user, consulting a second security setting separate from the first security setting to determine if the requested data is public or private; providing, if the requested data is public, access information to the user; performing, if the requested data is private, additional processing to determine if the user has access to the requested data.

127 Citations

13 Claims

1. A method, comprising the steps of:
- receiving a data request at a server with an application platform from a user via a user device, the data request being associated with a respective data object of a plurality of data objects stored in a database;
  
  determining when the user is an internal user from a plurality of internal users of the application platform or when a portal user from a plurality of portal users of the application platform, the user additionally having a group membership in at least one of a plurality of groups;
  
  consulting an organizational wide default table that stores a list of the data objects and, for each of the data objects, a first default security setting for all of the plurality of internal users regardless of the group membership and a second default security setting for all of the plurality of portal users regardless of the group membership, wherein the consulting step includesconsulting, when the user is the internal user, the first default security setting for the respective data object in the organizational wide default table to determine when the requested data is public or private, andconsulting, when the user is the portal user, the second default security setting for the respective data object in the organizational wide default table to determine when the requested data is public or private;
  
  providing, when the user is the internal user and the requested data is public, access information to the user via the user device;
  
  providing, when the user is the portal user and the requested data is public, access information to the user via the user device;
  
  consulting, when the user is the internal user and only when the requested data is private, a membership table that includes a first listing of the groups associated with the user and a share table that includes a second listing of the groups that have access to the requested data, wherein the membership table and the share table are formed from tenant metadata, and providing the requested data to the user when the membership table and the share table indicates that the group membership of the user has access; and
  
  consulting, when the user is the portal user and only when the requested data is private, the membership table and the share table, and providing the requested data to the user when the membership table and the share table indicates that the group membership of the user has access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising the step of evaluating the data request to determine a type of requested operation.
  - 3. The method of claim 2, wherein the consulting step includes consulting the first default security setting or the second default security setting with respect to the type of requested operation.
  - 4. The method of claim 3, wherein the evaluating step includes evaluating the data request to determine a first type of requested operation that includes updating the requested data and a second type of requested operation that includes reading the requested data.
  - 5. The method of claim 4, wherein the consulting step includes consulting the first default security setting or second default security setting with an access checker when the data request is the first type of requested operation and consulting the first default security setting or the second default security setting with a sharing provider when the data request is the second type of requested operation.
  - 6. The method of claim 1, further comprising the step of providing, when the requested data is public, the requested data to the user without consulting the membership table and the share table.
  - 7. The method of claim 1, further comprising administering, by a tenant, the plurality of data objects stored in the database, wherein the portal users are external to the tenant and the internal users are internal to the tenant.
  - 8. The method of claim 1, further comprising administering, by a tenant, the plurality of data objects stored in the database, wherein the portal users are customers or suppliers of the tenant and the internal users are employees of the tenant.
  - 9. The method of claim 1, wherein the organizational wide default table includes a plurality of rows, each representing one of the data objects,wherein, for each of the rows, a first column identifies the first default security setting for the respective data object for all of the plurality of internal users and a second column identifies the second default security setting for the respective data object for all of the plurality of portal users.
  - 10. The method of claim 9, wherein the first default security setting is the single security setting for all of the plurality of internal users for the respective data object, and wherein the second default security setting is the single security setting for all of the plurality of portal users for the respective data object.

11. A multi-tenant data processing system, comprising:
- a database that stores data specific to each one of a plurality of tenants such that at least two of the tenants store at least a portion of data specific to the at least two tenants as data objects in a common structure within the database, wherein each individual tenant is permitted access only to data associated with the individual tenant, and wherein a first tenant of the plurality of tenants is affiliated with an internal user from a plurality of internal users and a portal user from a plurality of portal users; and
  
  an application server that receives, from one of the internal user or the portal user, a data request associated with a respective data object of the data objects stored in the database, the one of the internal user or the portal user additionally having a group membership in at least one of a plurality of groups,wherein application server includes an organization wide default table that stores, for each data object, a first default security setting for all of the internal users regardless of the group membership and a second default security setting for all of the portal users regardless of the group membership,wherein the application server is configurable to access a membership table that includes a listing of group memberships for each of the internal users and the portal users and a share table that includes access characteristics of each of the group memberships, the membership table and the share table being formed from tenant metadata;
  
  wherein the application server is configured toconsult, when the user is the internal user, the first default security setting for the respective data object in the organization wide default table to determine when the requested data is public or private, and when the user is the portal user, consult the second default security setting for the respective data object in the organization wide default table to determine when the requested data is public or private;
  
  provide, when the requested data is public, the requested information based on the first default security setting for the respective data object or the second default security setting for the respective data object without performing additional security processing;
  
  consulting, when the user is the internal user and only when the requested data is private, a membership table that includes a first listing of the groups associated with the user and a share table that includes a second listing of the groups that have access to the requested data, wherein the membership table and the share table are formed from tenant metadata, and providing the requested data to the user when the membership table and the share table indicates that the group membership of the user has access; and
  
  consulting, when the user is the portal user and only when the requested data is private, the membership table and the share table, and providing the requested data to the user when the membership table and the share table indicates that the group membership of the user has access.
- View Dependent Claims (12, 13)
- - 12. The multi-tenant data processing system of claim 11, wherein the application server is configured to identify the data request as being received from the internal user or the portal user.
  - 13. The multi-tenant data processing system of claim 11, wherein all of the portal users are customers or suppliers of the first tenant and all of the internal users are employees of the first tenant.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Vieira, Alfred, Wu, Yongsheng, Grignon, Yanik, Jain, Punit
Primary Examiner(s)
HUANG, MIRANDA M

Application Number

US12/974,248
Publication Number

US 20110270885A1
Time in Patent Office

1,988 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/805   using a security table for ...

Security configuration systems and methods for portal users in a multi-tenant database environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

127 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Security configuration systems and methods for portal users in a multi-tenant database environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

127 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others