Data store access permission system with interleaved application of deferred access control filters

  • US 9,639,570 B2
  • Filed: 05/14/2016
  • Issued: 05/02/2017
  • Est. Priority Date: 05/14/2015
  • Status: Active Grant
First Claim

1. A nontransitory computer readable medium having stored thereon software instructions that, when executed by one or more processors, cause the one or more processors to perform operations including:

  • receiving a user request submitted from a computing device for data from a first table object;

    requesting, from an access control list source stored in a computer medium, access control groups for a user;

    requesting, from an access control filter source in the computer medium, a set of filter generators for each access control group;

    determining, for each set of filter generators for each access control group, a filter generator based on first table metadata for the first table object configured to identify a computer medium source of the first table object data;

    for each determined filter generator, executing the determined filter generator to create a generated filter for the first table object;

    combining each of the generated filters for the first table object into an access control filter;

    creating a second table object in memory that references the first table object;

    associating the access control filter with the second table object;

    making the second table object available for user operations;

    receiving a second user request from a computing device to perform a filtering operation on the second table object;

    accessing metadata of the second table object;

    retrieving a tree-based table storage structure from the metadata;

    traversing the tree-based table storage structure starting at a table root of the tree-based table storage structure;

    when the second user request requests data from one or more partition columns of the tree-based table storage structure, applying one or more partition column filters based on a partition column structure of the tree;

    when the second user request contains a filtering operation for one or more grouping columns of the tree-based table storage structure, in a first pass, executing user-specified filters on the one or more partition columns that execute only system-specified code, and on a second pass, applying internal access-control filters, thereby removing all rows for which the user does not have authorized access by;

    retrieving the access control filter from the metadata;

    extracting filters from the access control filter that apply to the access control groups for the user;

    choosing a filter from the extracted filters;

    applying the chosen filter to the second user request;

    applying one or more second grouping column filters based on a first filter request contained in the second user request;

    applying one or more normal filters contained in the second user request to identify a filtered data source result; and

    return a final set of data.
