Method and system for granting access to secure data

US 9,361,468 B2
Filed: 02/28/2013
Issued: 06/07/2016
Est. Priority Date: 04/17/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for granting access to private customer data, the method comprising:

receiving, by a database system, an electronic format request on behalf of a customer, the electronic format request being a request to perform a task using a subset of private data of the customer, the private data being cloud data stored on the database system;

identifying, by the database system, a plurality of potential delegates corresponding to the electronic format request, the plurality of potential delegates having no access to the private data unless authorization is provided to the plurality of potential delegates, the plurality of potential delegates being identified based on an ability to resolve the electronic format request;

determining, by the database system, attributes corresponding to the plurality of potential delegates, the attributes relating to the identity of a corresponding potential delegate;

determining, by the database system, at least one authorization filter, the at least one filter including customer-specific authorization criterion pertaining to desired attributes;

applying the at least one authorization filter to the attributes corresponding to the plurality of potential delegates to determine a set of authorized delegates, based at least in part on determining a correspondence between at least one of the attributes to at least one of the authorization criterion;

determining, by the database system, from the set of authorized delegates, at least one delegate to be assigned to resolve the electronic format request, andissuing an authorization to the at least one delegate to be assigned to the electronic format request, wherein issuing an authorization includes providing authorization for reviewing the subset of private data of the customer and providing a link facilitating login as the at least one delegate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques described herein can be implemented as one or a combination of methods, systems or processor executed code to form embodiments capable of improved protection of data or other computing resources based at least in part upon limiting access to a select number of delegates. Limited access to cloud data based on customer selected or other criterion, reducing the possibility of security exposures and/or improving privacy is provided for.

Citations

21 Claims

1. A computer-implemented method for granting access to private customer data, the method comprising:
- receiving, by a database system, an electronic format request on behalf of a customer, the electronic format request being a request to perform a task using a subset of private data of the customer, the private data being cloud data stored on the database system;
  
  identifying, by the database system, a plurality of potential delegates corresponding to the electronic format request, the plurality of potential delegates having no access to the private data unless authorization is provided to the plurality of potential delegates, the plurality of potential delegates being identified based on an ability to resolve the electronic format request;
  
  determining, by the database system, attributes corresponding to the plurality of potential delegates, the attributes relating to the identity of a corresponding potential delegate;
  
  determining, by the database system, at least one authorization filter, the at least one filter including customer-specific authorization criterion pertaining to desired attributes;
  
  applying the at least one authorization filter to the attributes corresponding to the plurality of potential delegates to determine a set of authorized delegates, based at least in part on determining a correspondence between at least one of the attributes to at least one of the authorization criterion;
  
  determining, by the database system, from the set of authorized delegates, at least one delegate to be assigned to resolve the electronic format request, andissuing an authorization to the at least one delegate to be assigned to the electronic format request, wherein issuing an authorization includes providing authorization for reviewing the subset of private data of the customer and providing a link facilitating login as the at least one delegate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein providing authorization for reviewing at least a subset of private data of the customer includes:
    - granting to the delegate a permission of the customer.
  - 3. The method of claim 2, further comprising:
    - tracking activities of the delegate.
  - 4. The method of claim 1, wherein determining at least one authorization filter, the at least one filter including authorization criterion corresponding to the customer, includes:
    - determining an authorization filter including at least one authorization criterion chosen by a customer.
  - 5. The method of claim 1, wherein determining at least one authorization filter, the at least one filter including criterion corresponding to the customer, includes:
    - determining an authorization filter including at least one authorization criterion chose by a non-customer.
  - 6. The method of claim 1, wherein the applying the at least one authorization filter to the attributes corresponding to the plurality of potential delegates to determine a set of authorized delegates, based at least in part on determining a correspondence between at least one of the attributes to at least one of the criterion includes:
    - determining whether a potential delegate can be added to the set of authorized delegates based at least in part upon the correspondence between at least one of the attributes to at least one of criterion.
  - 7. The method of claim 1, wherein the applying the at least one authorization filter to the attributes corresponding to the plurality of potential delegates to determine a set of authorized delegates, based at least in part on determining a correspondence between at least one of the attributes to at least one of the criterion, includes:
    - determining whether a potential delegate is to be deleted from the set of authorized delegates based at least in part upon the correspondence between at least one of the attributes to at least one of the criterion.
  - 8. The method of claim 1, wherein issuing an authorization to the at least one delegate to be assigned to the electronic format request, includes:
    - providing a link facilitating login as the delegate.
  - 9. The method of claim 1, further comprising:
    - determining, by the database system, a second delegate; and
      
      tracking, by the database system, activities of each delegate.
  - 10. The method of claim 1, further comprising:
    - receiving, by the database system, a second electronic format request;
      
      determining, by the database system, at least one element in the second electronic format request common to the first electronic request; and
      
      issuing, by the database system, a second authorization to the at least one delegate to be assigned to the second electronic format request, based at least in part on determining that the at least one element in the second electronic format request is common to the first electronic request.
  - 11. The method of claim 1, wherein receiving an electronic format request includes:
    - receiving at least one of a request expressed in electronic format, and a request converted into a request expressed in electronic format.
  - 12. The method of claim 1, further comprising:
    - terminating, by the database system, authorization when the customer is not subscribed to a support service.
  - 13. The method of claim 1, wherein the applying the at least one authorization filter to the attributes corresponding to the plurality of potential delegates to determine a set of authorized delegates, based at least in part on determining a correspondence between at least one of the attributes to at least one of the criterion, includes:
    - determining correspondence between an attribute and a geo-graphical or geo-political criterion.
  - 14. The method of claim 1, wherein the applying the at least authorization filter to the attributes corresponding to the plurality of potential delegates to determine a set of authorized delegates, based at least in part on determining a correspondence between at least one of the attributes to at least one of the authorization criterion, includes:
    - determining correspondence between an attribute and at least one of;
      
      citizenship, residency, employment status, employer, business, and criminal history.
  - 15. The method of claim 1, further comprising:
    - invoking, by the database system, an exception handling strategy for the request in the event that a suitable delegate cannot be determined.
  - 16. The method of claim 15, further comprising:
    - tracking, by the database system, an exception handling process thereby enabling exceptions to be auditable.
  - 17. The method of claim 14, wherein invoking an exception handling strategy for the request includes:
    - providing a status message indicating which criterion could not be satisfied in the event that a suitable delegate could not be determined.
  - 18. The method of claim 14, wherein invoking an exception handling strategy for the request includes:
    - shifting a time to service the request so that a suitable delegate is available in the event that no delegate meets all criteria.

19. A computer-implemented method for granting access to private customer data, the method comprising:
- receiving, by a database system, via a computing device an electronic format request on behalf of a customer, the electronic format request being a request to perform a task using a subset of private data of the customer, the private data being cloud data stored on the database system;
  
  identifying, by the database system, a plurality of potential delegates corresponding to the electronic format request, the plurality of potential delegates having no access to the private data unless authorization is provided to the plurality of potential delegates, the plurality of potential delegates being identified based on an ability to resolve the electronic format request;
  
  determining, by the database system, attributes corresponding to the plurality of potential delegates, the attributes relating to the identity of a corresponding potential delegate;
  
  determining, by the database system, at least one authorization filter, the at least one filter including customer-specific authorization criterion pertaining to desired attributes;
  
  applying the at least one authorization filter to the attributes corresponding to the plurality of potential delegates to determine a set of authorized delegates, based at least in part on determining a correspondence between at least one of the attributes to at least one of the authorization criterion;
  
  determining, by the database system, from the set of authorized delegates, at least one delegate to be assigned to resolve the electronic format request;
  
  issuing, by the database system, an authorization to the at least one delegate to be assigned to the electronic format request, wherein issuing an authorization includes providing authorization for reviewing the a subset of private data of the customer;
  
  granting, by the database system, the at least one delegate access to the private data of the customer by providing a link facilitating login as the at least one delegate; and
  
  providing, by the database system, the at least one delegate at least one permission of the customer to enable the at least one delegate to impersonate a user at the customer while tracking activities of the at least one delegate.

20. A non-transitory machine readable medium, storing one or more instructions which when executed by one or more processors cause the one or more processors to perform the following:
- receiving via a computing device an electronic format request on behalf of a customer, the electronic format request being a request to perform a task using a subset of private data of the customer, the private data being cloud data stored on the database system;
  
  identifying, by the database system, a plurality of potential delegates corresponding to the electronic format request, the plurality of potential delegates having no access to the private data unless authorization is provided to the plurality of potential delegates, the plurality of potential delegates being identified based on an ability to resolve the electronic format request;
  
  determining attributes corresponding to the plurality of potential delegates, the attributes relating to the identity of a corresponding potential delegate;
  
  determining, by the database system, at least one authorization filter, the at least one filter including customer-specific authorization criterion pertaining to desired attributes;
  
  applying the at least one authorization filter to the attributes corresponding to the plurality of potential delegates to determine a set of authorized delegates, based at least in part on determining a correspondence between at least one of the attributes to at least one of the authorization criterion;
  
  determining, from the set of authorized delegates, at least one delegate to be assigned to resolve the electronic format request;
  
  issuing an authorization to the at least one delegate to be assigned to the electronic format request, wherein issuing an authorization includes providing authorization for reviewing the subset of private data of the customer;
  
  granting the at least one delegate access to the private data of the customer to enable the at least one delegate to impersonate a user at the customer while tracking activities of the at least one delegate.

21. A computer-implemented method for determining a number of candidates available to meet a criterion of interest, comprising:
- receiving, by a database system, a criterion of interest on behalf of a customer, the criterion of interest pertaining to desired attributes;
  
  identifying, by the database system, a plurality of potential delegates corresponding to the criterion of interest, the plurality of potential delegates having no access to private data of the customer unless authorization is provided to the potential delegate, the plurality of potential delegates being identified based on an ability to resolve a received electronic format request to perform a task using a subset of the private data of the customer, the private data being cloud data stored on the database system;
  
  determining, by the database system, attributes corresponding to the plurality of potential delegates, the attributes relating to the identity of a corresponding potential delegate;
  
  determining, by the database system, at least one authorization filter, the at least one filter including authorization criterion that comprises the criterion of interest;
  
  applying the at least one authorization filter to the attributes corresponding to the plurality of potential delegates to determine a set of authorized delegates, based at least in part on determining a correspondence between at least one of the attributes corresponding to the plurality of potential delegates to the criterion of interest;
  
  determining, by the database system, from the set of authorized delegates, a number of candidates available to meet the criterion of interest; and
  
  issuing an authorization to at least one of the number of available candidates, the authorization allowing the at least one of the number of available candidates to review the subset of private data of the customer and providing a link facilitating login as the at least one of the number of available candidates.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Peddada, Prasad
Primary Examiner(s)
JHAVERI, JAYESH M

Application Number

US13/781,139
Publication Number

US 20130276142A1
Time in Patent Office

1,195 Days
Field of Search

726/21, 726 26- 28, 705/26, 705/26.43
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 9/452   Remote windowing, e.g. X-Wi...

G06Q 30/02   Marketing; Price estimation...

G16H 40/20   for the management or admin...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 67/01   Protocols

H04L 67/535   Tracking the activity of th...

H04M 3/51   Centralised call answering ...

Method and system for granting access to secure data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for granting access to secure data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links