US2004139075A1PendingUtilityA1

Database access method and system for user role defined access

45
Priority: Mar 31, 2000Filed: Dec 22, 2003Published: Jul 15, 2004
Est. expiryMar 31, 2020(expired)· nominal 20-yr term from priority
G06F 21/6227Y10S707/99932Y10S707/99939Y10S707/99936Y10S707/99935
45
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Method and system for determination and granting of access to data and files by the file or database creator, owner or manager or by group or user access profiles. The database is partitionable among data owners, and access is awarded based upon the requestor's organizational attributes.

Claims

exact text as granted — not AI-modified
We claim:  
     
         1 . A database management system having an access control subsystem, said database management system comprising: 
 a) a plurality of user entries representing users seeking access to data items, each of said user entries having at least one organizational access attribute; and    b) a plurality of data items, each of said data items being a data file, a data field within a data file, or a view of data items, and selected ones of said data items have at least one organizational access attribute;    said access control subsystem being configured to:    a) receive a database query from a user requesting one or more data items;    b) read the user's organizational access attributes;    c) read the data item's organizational access attributes; and    d) present data items to the user to which the user, based on the user's access attributes, has access.    
     
     
         2 . The database management system of  claim 1  in which access is granted to the user by determining whether the user's organizational access attributes and the data item's organizational attributes include a match.  
     
     
         3 . The database management system of  claim 1  wherein a plurality of organizations exclusively own individual data files in the database management system, whereby an individual data file has a single owner.  
     
     
         4 . The database management system of  claim 3  wherein said access control subsystem is configured to authorize a customer of an owner organization having access to a data item to grant access to the data item to an additional user while the customer accesses the data item.  
     
     
         5 . The database management system of  claim 4  wherein said access control subsystem is configured to authorize the customer of the owner organization to access the data item and to thereafter authorize the additional user to access and update the data item.  
     
     
         6 . The database management system of  claim 1  wherein said organizational access attributes are configured hierarchically, such that each organizational access attribute has a hierarchical level and a hierarchical branch, and each user access attribute has a hierarchical level and a hierarchical branch, and said access control subsystem is configured to grant access based on one or both of (a) the hierarchical levels of the user and data item, or (b) the hierarchical branch of the user and data item.  
     
     
         7 . The database management system of  claim 6  wherein said hierarchical levels correspond to ranges of organizations, and to data items identified thereto.  
     
     
         8 . The database management system of  claim 7  wherein the data items are chosen from the group consisting of data fields, data files, and views.  
     
     
         9 . The database management system of  claim 6  wherein said hierarchical branches correspond to virtual or real organizations and data items identified thereto.  
     
     
         10 . The database management system of  claim 9  wherein said data items are chosen from the group consisting of data files and views.  
     
     
         11 . The database management system of  claim 6  wherein hierarchical levels correspond to access to data fields and data views, and hierarchical branches correspond to access to data files and data views.  
     
     
         12 . A method of managing a database having: 
 a) a plurality of user entries representing users seeking access to data items, each of said user entries having at least one organizational access attribute; and    b) a plurality of data items, each of said data items being a data file, a data field within a data file, or a view of data items, and selected ones of said data items have at least one organizational access attribute;    said method comprising:    a) receiving a database query from a user requesting one or more data items;    b) reading the user's organizational access attributes;    c) reading the data item's organizational access attributes; and    d) presenting data items to the user to which the user based on the user's access attributes has access.    
     
     
         13 . The method of  claim 12  comprising determining whether the user's organizational access attributes and the data item's organizational access attributes include a match, and if so, granting access.  
     
     
         14 . The method of  claim 12  wherein a plurality of organizations exclusively own individual data files in the database management system, and an individual data file has a single owner.  
     
     
         15 . The method of  claim 14  comprising a customer of an owner organization having access to a data item granting access to the data item to an additional user while the customer is accessing the data item.  
     
     
         16 . The method of  claim 15  comprising the customer of the owner organization accessing the data item and to thereafter authorize the additional user to access and update the data item.  
     
     
         17 . The method of  claim 12  wherein said organizational access attributes are configured hierarchically, such that each organizational access attribute has a hierarchical level and a hierarchical branch, and each user access attribute has a hierarchical level and a hierarchical branch, said method comprising granting access based on one or both of (a) the hierarchical levels of the user and data item, or (b) the hierarchical branch of the user and data item.  
     
     
         18 . The method of  claim 17  wherein said hierarchical levels correspond to ranges of organizations, and to data items identified thereto.  
     
     
         19 . The method of  claim 18  wherein the data items are chosen from the group consisting of data fields, data files, and views.  
     
     
         20 . The method of  claim 17  wherein said hierarchical branches correspond to virtual or real organizations and data items identified thereto.  
     
     
         21 . The method of  claim 20  wherein said data items are chosen from the group consisting of data files and views.  
     
     
         22 . The method of  claim 17  wherein hierarchical levels correspond to access to data fields and data views, and hierarchical branches correspond to access to data files and data views.  
     
     
         23 . A method of managing a database system having a plurality of files, said files having a plurality of fields, said database being divisible into multiple sets of file and field entries having views visible to users having personal, positional, or organizational attributes associated with the said views, said users being divisible into multiple membership sets based upon organizational attributes, which method comprises: 
 (a) determining the personal, positional, and organizational attributes of users; and    (b) when a users queries the database: 
 (i) accessing files and fields within the database to which the user has access based upon the user's attributes; and  
 (ii) presenting a view to which the user has access based upon the user's attributes.  
   
     
     
         24 . The method of  claim 23  comprising determining access to files based upon one attribute and determining access to fields based upon another attribute.  
     
     
         25 . The method of  claim 23  comprising determining access to files based upon a first organizational attribute and determining access to fields within the files based upon one of a personal attribute or a second organizational attribute.  
     
     
         26 . The method of  claim 23  comprising determining access to a file based upon an attribute and to at least one field in the file based upon the same attribute.  
     
     
         27 . The method of  claim 26  comprising determining access to a file based upon an organizational attribute and to at least one field in the file based upon the same organizational attribute.  
     
     
         28 . The method of  claim 25  wherein one of said users is an internal user having access to first portions of a view, and wherein another one of said users is an external user having access to second portions of the view.  
     
     
         29 . The method of  claim 28  wherein said first and second portions of the view are partially overlapping and partially non-overlapping.  
     
     
         30 . A database system comprising a database having a plurality of files, said files having a plurality of fields, said users having personal, positional, and organizational attributes, and being divisible into multiple membership sets based upon organizational attributes, said database having views visible to said users based upon the personal, positional, and organizational attributes thereof.  
     
     
         31 . The database system of  claim 30  wherein the multiple sets of files and fields are overlapping across organizations.  
     
     
         32 . The database system of  claim 30  wherein the multiple sets of files and fields are disjoint across organizations.  
     
     
         33 . The database system of  claim 30  wherein the multiple sets of users are in overlapping organizations.  
     
     
         34 . The database system of  claim 30  wherein the multiple sets of users are in disjoint organizations.  
     
     
         35 . The database system of  claim 30  wherein views visible to a user are determined by the user's organizational and positional attributes.  
     
     
         36 . The database system of  claim 35  wherein view files are determined by a user's organizational attributes.  
     
     
         37 . The database system of  claim 35  wherein view fields are determined by a user's positional attributes.  
     
     
         38 . The database system of  claim 35  wherein view files are determined by a user's organizational attributes, and view fields are determined by a user's positional attributes.  
     
     
         39 . A database system comprising a partitionable database of a plurality of separate virual databases, each of said separate virtual databases having a unique database owner, and wherein a user can only access files in a virtual database to which the said user has access authorization from the database owner.  
     
     
         40 . The database system of  claim 39  wherein said separate virtual databases are disjoint.  
     
     
         41 . The database system of  claim 40  wherein said separate, disjoint virtual databases have unique owners.  
     
     
         42 . The database system of  claim 41  wherein a user requires authorization from a database owner to access the owner's separate, virtual database.  
     
     
         43 . The database system of  claim 42  wherein a user requires authorization from the owner of a file within the separate, virtual database to access the file owner's file.  
     
     
         44 . The database system of  claim 43  wherein a user's access authorization to a particular file in the virtual database is granted by the file owner's initiation of a database call through an associated computer telephony integration (CTI) system.  
     
     
         45 . The database system of  claim 44  wherein the database is a multi-tenant database having a plurality of tenants, each tenant being the owner of a separate virtual database, at least two of the tenants utilizing a common call center service.  
     
     
         46 . A method of managing a database system having a partitionable database of a plurality of separate virtual databases, each of said separate virtual databases having a unique database owner, said method comprising the owner of a separate virtual database granting access authorization to a user, and the user thereafter accessing a file in the virtual database to which the said user has been granted access authorization from the database owner.  
     
     
         47 . The database management method of  claim 46  wherein said separate virtual databases are disjoint.  
     
     
         48 . The database management method of  claim 47  wherein said separate, disjoint virtual databases have unique owners.  
     
     
         49 . The database management method of  claim 46  wherein a user requires authorization from the owner of a file within the separate, virtual database to access the file owner's file.  
     
     
         50 . The database management method of  claim 49  wherein the file owner grants access authorization to the file owner's file in the virtual database to a user.  
     
     
         51 . The database management method of  claim 50  wherein the file owner's initiation of a database call through an associated computer telephony integration (CTI) system grants access authorization to the file owner's file to a user.  
     
     
         52 . The database management method of  claim 51  wherein the database is a multi-tenant database having a plurality of tenants, each tenant being the owner of a separate virtual database, at least two of the tenants utilizing a common call center service.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.