Composing abstract queries for delegated user roles

US 9,679,031 B2
Filed: 09/15/2008
Issued: 06/13/2017
Est. Priority Date: 09/14/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of abstract query composition based on user roles defined in a database abstraction model, the computer-implemented method comprising:

providing the database abstraction model, which contains a plurality of logical field definitions defining a plurality of logical fields that map to a plurality of physical fields of one or more underlying physical databases, each of the plurality of logical field definitions specifying;

(i) a logical field name and (ii) an access method comprising a function of one or more of the plurality of physical fields;

wherein the database abstraction model further defines a set of user roles;

the plurality of logical field definitions specifying at least two types of access methods selected from;

(i) a simple access method mapping to a specified physical field;

(ii) a filtered access method applying a specified filter to a physical field; and

(iii) a composed access method mapping to a set of values generated from one or more physical fields based on a specified formula;

prior to selecting any logical field to include in an abstract query desired to be composed, selecting, from the set of user roles, a plurality of user roles desired to have permission to execute the abstract query once composed, wherein the plurality of user roles is selected based on input from an administrative user of the database abstraction model;

subsequent to selecting the plurality of user roles, determining, by operation of one or more computer processors, a group of permitted logical fields to which access is permitted for at least one of the selected plurality of user roles;

generating output conveying;

(i) the group of permitted logical fields as being permitted based on the selected plurality of user roles and (ii) a group of non-permitted logical fields as being non-permitted based on the selected plurality of user roles;

subsequent to generating the output, selecting, from the group of permitted logical fields and based on input from the administrative user responsive to the generated output, one or more logical fields to include in the abstract query desired to be composed;

composing the abstract query based on the selected one or more logical fields; and

responsive to receiving, from a non-administrative user, a request to execute the composed abstract query, and upon determining that the non-administrative user has a role that matches at least one of the selected plurality of user roles defined in the database abstraction model, executing the composed abstract query in order to generate a set of query results, whereafter the set of query results is output for the non-administrative user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide a database administrator composing an abstract query with visibility to logical fields that are permitted for the delegated roles. In one embodiment, a query interface is configured to receive administrator selections of delegated roles (i.e., the user roles to be provided with access to the finished abstract query). The query interface may then present the administrator with logical fields that are permitted for each delegated role. Providing such information may enable the administrator to verify that all intended users will have access to the finished abstract query.

18 Citations

21 Claims

1. A computer-implemented method of abstract query composition based on user roles defined in a database abstraction model, the computer-implemented method comprising:
- providing the database abstraction model, which contains a plurality of logical field definitions defining a plurality of logical fields that map to a plurality of physical fields of one or more underlying physical databases, each of the plurality of logical field definitions specifying;
  
  (i) a logical field name and (ii) an access method comprising a function of one or more of the plurality of physical fields;
  
  wherein the database abstraction model further defines a set of user roles;
  
  the plurality of logical field definitions specifying at least two types of access methods selected from;
  
  (i) a simple access method mapping to a specified physical field;
  
  (ii) a filtered access method applying a specified filter to a physical field; and
  
  (iii) a composed access method mapping to a set of values generated from one or more physical fields based on a specified formula;
  
  prior to selecting any logical field to include in an abstract query desired to be composed, selecting, from the set of user roles, a plurality of user roles desired to have permission to execute the abstract query once composed, wherein the plurality of user roles is selected based on input from an administrative user of the database abstraction model;
  
  subsequent to selecting the plurality of user roles, determining, by operation of one or more computer processors, a group of permitted logical fields to which access is permitted for at least one of the selected plurality of user roles;
  
  generating output conveying;
  
  (i) the group of permitted logical fields as being permitted based on the selected plurality of user roles and (ii) a group of non-permitted logical fields as being non-permitted based on the selected plurality of user roles;
  
  subsequent to generating the output, selecting, from the group of permitted logical fields and based on input from the administrative user responsive to the generated output, one or more logical fields to include in the abstract query desired to be composed;
  
  composing the abstract query based on the selected one or more logical fields; and
  
  responsive to receiving, from a non-administrative user, a request to execute the composed abstract query, and upon determining that the non-administrative user has a role that matches at least one of the selected plurality of user roles defined in the database abstraction model, executing the composed abstract query in order to generate a set of query results, whereafter the set of query results is output for the non-administrative user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, further comprising:
    - upon determining that the non-administrative user does not have any of the selected plurality of user roles defined in the database abstraction model, returning an error indication to communicate that the non-administrative user is not permitted to execute the composed abstract query.
  - 3. The computer-implemented method of claim 1, further comprising:
    - upon determining that the non-administrative user does not have any of the selected plurality of user roles defined in the database abstraction model, modifying the composed abstract query to remove at least one logical field in order to render the composed abstract query executable for the non-administrative user.
  - 4. The computer-implemented method of claim 1, wherein the set of query results is output to the non-administrative user via the query interface.
  - 5. The computer-implemented method of claim 1, further comprising, prior to composing the abstract query:
    - upon determining that a first of the one or more logical fields to include in the abstract query is not included in all of the groups of permitted logical fields determined for the plurality of user roles, returning a warning message to convey to the administrative user that the first logical field that is not permitted for at least one user role.
  - 6. The computer-implemented method of claim 1, wherein the output is conveyed to the administrative user, wherein the computer-implemented method further comprises:
    - prior to generating the output, determining the group of non-permitted logical fields, to which access by the selected plurality of user roles is not permitted;
      
      wherein the composed abstract query is executed for the non-administrative user in a first instance, in which instance the set of query results is output for the non-administrative user via the query interface, wherein the computer-implemented method further comprises, in a second instance;
      
      upon determining that the non-administrative user does not have any of the selected plurality of user roles defined in the database abstraction model, returning an error indication to convey to the non-administrative user that the non-administrative user is not permitted to execute the composed abstract query;
      
      wherein the generated output conveys, to the administrative user, permitted fields in terms of one or more logical fields in the database abstraction model and not in terms of any physical field in the physical database.
  - 7. The computer-implemented method of claim 6, wherein the generated output conveys, to the administrative user, non-permitted fields in terms of one or more logical fields in the database abstraction model and not in terms of any physical field in the physical database, wherein at least a first of the plurality of logical fields maps to at least a first of the plurality of physical fields, the first physical field having a physical field name different from the logical field name of the first logical field;
    - wherein the group of permitted logical fields is presented in a query interface, at least a portion of the group of permitted logical fields being designated with the indication of which of the plurality of user roles the respective logical field is accessible by, in order to facilitate verification of appropriate access permissions from user roles to groups of logical fields, including avoiding both improperly granted permissions and improperly denied permissions;
      
      wherein at least one user role of the set of user roles is not selected, wherein the user role comprises a first user role.
  - 8. The computer-implemented method of claim 7, wherein the group of logical fields includes a first subset of permitted logical fields to which access by the first user role is permitted but to which access by a second user role is denied, wherein the group of logical fields further includes a second subset of logical fields to which access by the second user role is granted but to which access by the first user role is denied;
    - wherein the group of permitted logical fields to which access is permitted for the at least one of the selected plurality of user roles is determined based on a set of user role definitions stored in the database abstraction model, each user role definition pertaining to a respective user role;
      
      wherein the respective user role definition for each user role specifies;
      
      (i) a user role name for the respective user role and (ii) a set of permitted fields for the respective user role;
      
      wherein the set of permitted fields for each user role is specified in terms of one or more logical fields in the database abstraction model and not in terms any physical field in the physical database.
  - 9. The computer-implemented method of claim 8, wherein the composed access method maps a respective logical field to a set of values dynamically generated from at least two physical fields based on the specified formula, wherein the computer-implemented method further comprises, in a third instance:
    - upon determining that the non-administrative user does not have any of the selected plurality of user roles defined in the database abstraction model, modifying the composed abstract query to remove at least one logical field in order to render the composed abstract query executable for the non-administrative user.
  - 10. The computer-implemented method of claim 9, wherein determining a group of permitted logical fields to which access is permitted comprises analyzing stored properties characterizing the set of user roles, wherein the computer-implemented method further comprises:
    - prior to receiving the selection of a plurality of user roles, displaying the set of user roles in the query interface.
  - 11. The computer-implemented method of claim 10, further comprising:
    - prior to composing the abstract query, and upon determining that a first of the one or more logical fields to include in the abstract query is not included in the group of permitted logical fields, returning a warning message to convey to the non-administrative user that the first logical field is not permitted for at least one user role.

12. A computer-readable storage medium containing a program which, when executed, performs an operation of abstract query composition based on user roles defined in a database abstraction model, the operation comprising:
- providing the database abstraction model, which contains a plurality of logical field definitions defining a plurality of logical fields that map to a plurality of physical fields of one or more underlying physical databases, each of the plurality of logical field definitions specifying;
  
  (i) a logical field name and (ii) an access method comprising a function of one or more of the plurality of physical fields;
  
  wherein the database abstraction model further defines a set of user roles;
  
  wherein the plurality of logical field definitions specifies at least two access methods selected from;
  
  (i) a simple access method mapping to a specified physical field;
  
  (ii) a filtered access method applying a specified filter to a physical field; and
  
  (iii) a composed access method mapping to a set of values generated from one or more physical fields based on a specified formula;
  
  prior to selecting any logical field to include in an abstract query desired to be composed, selecting, from the set of user roles, a plurality of user roles desired to have permission to execute the abstract query once composed, wherein the plurality of user roles is selected based on input from an administrative user of the database abstraction model;
  
  subsequent to selecting the plurality of user roles, determining, by operation of one or more computer processors when executing the program, a group of permitted logical fields to which access is permitted for at least one of the selected plurality of user roles;
  
  generating output conveying;
  
  (i) the group of permitted logical fields as being permitted based on the selected plurality of user roles and (ii) a group of non-permitted logical fields as being non-permitted based on the selected plurality of user roles;
  
  subsequent to generating the output, selecting, from the group of permitted logical fields and based on input from the administrative user responsive to the generated output, one or more logical fields to include in the abstract query desired to be composed;
  
  composing the abstract query based on the selected one or more logical fields; and
  
  responsive to receiving, from a non-administrative user, a request to execute the composed abstract query, and upon determining that the non-administrative user has a role that matches at least one of the plurality of user roles defined in the database abstraction model, executing the composed abstract query in order to generate a set of query results, whereafter the set of query results is output for the non-administrative user.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer-readable storage medium of claim 12, wherein the operation further comprises:
    - upon determining that the non-administrative user does not have any of the selected plurality of user roles defined in the database abstraction model, returning an error indication to communicate that the non-administrative user is not permitted to execute the composed abstract query.
  - 14. The computer-readable storage medium of claim 12, wherein the operation further comprises:
    - upon determining that the non-administrative user does not have any of the selected plurality of user roles defined in the database abstraction model, modifying the composed abstract query to remove at least one logical field in order to render the composed abstract query executable for the non-administrative user.
  - 15. The computer-readable storage medium of claim 12, wherein the set of query results is output to the non-administrative user via the query interface.
  - 16. The computer-readable storage medium of claim 12, wherein the operation further comprises, prior to composing the abstract query:
    - upon determining that a first of the one or more logical fields to include in the abstract query is not included in all of the groups of permitted logical fields determined for the plurality of user roles, returning a warning message to convey to the administrative user that the first logical field is not permitted for at least one user role.

17. A system of abstract query composition based on user roles defined in a database abstraction model, the system comprising:
- one or more computer processors; and
  
  a memory containing a program which, when executed by the one or more computer processors, performs an operation comprising;
  
  providing the database abstraction model, which contains a plurality of logical field definitions defining a plurality of logical fields that map to a plurality of physical fields of one or more underlying physical databases, each of the plurality of logical field definitions specifying;
  
  (i) a logical field name and (ii) an access method comprising a function of one or more of the plurality of physical fields;
  
  wherein the database abstraction model further defines a set of user roles;
  
  wherein the plurality of logical field definitions specifies at least two access methods selected from;
  
  (i) a simple access method mapping to a specified physical field;
  
  (ii) a filtered access method applying a specified filter to a physical field; and
  
  (iii) a composed access method mapping to a set of values generated from one or more physical fields based on a specified formula;
  
  prior to selecting any logical field to include in an abstract query desired to be composed, selecting, from the set of user roles, a plurality of user roles desired to have permission to execute the abstract query once composed, wherein the plurality of user roles is selected based on input from an administrative user of the database abstraction model;
  
  subsequent to selecting the plurality of user roles, determining a group of permitted logical fields to which access is permitted for at least one of the selected plurality of user roles;
  
  generating output conveying;
  
  (i) the group of permitted logical fields as being permitted based on the selected plurality of user roles and (ii) a group of non-permitted logical fields as being non-permitted based on the selected plurality of user roles;
  
  subsequent to generating the output, selecting, from the group of permitted logical fields and based on input from the administrative user responsive to the generated output, one or more logical fields to include in the abstract query desired to be composed;
  
  composing the abstract query based on the selected one or more logical fields; and
  
  responsive to receiving, from a non-administrative user, a request to execute the composed abstract query, and upon determining that the non-administrative user has a role that matches at least one of the plurality of user roles defined in the database abstraction model, executing the composed abstract query in order to generate a set of query results, whereafter the set of query results is output for the non-administrative user.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17, wherein the operation further comprises:
    - upon determining that the non-administrative user does not have any of the selected plurality of user roles defined in the database abstraction model, returning an error indication to communicate that the non-administrative user is not permitted to execute the composed abstract query.
  - 19. The system of claim 17, wherein the operation further comprises:
    - upon determining that the non-administrative user does not have any of the selected plurality of user roles defined in the database abstraction model, modifying the composed abstract query to remove at least one logical field in order to render the composed abstract query executable for the non-administrative user.
  - 20. The system of claim 17, wherein the set of query results is output to the non-administrative user via the query interface.
  - 21. The system of claim 17, wherein the operation further comprises, prior to composing the abstract query:
    - upon determining that a first of the one or more logical fields to include in the abstract query is not included in all of the groups of permitted logical fields determined for the plurality of user roles, returning a warning message to convey to the administrative user that the first logical field is not permitted for at least one user role.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Workday Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Kulack, Frederick A., Dettinger, Richard D.
Primary Examiner(s)
OBERLY, VAN HONG

Application Number

US12/210,723
Publication Number

US 20090006352A1
Time in Patent Office

3,193 Days
Field of Search

707781-788, 707810, 707763
US Class Current
CPC Class Codes

G06F 16/252 between a Database Manageme...

Composing abstract queries for delegated user roles

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Composing abstract queries for delegated user roles

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links