U.S. patent application number 10/743214 (publication number 20040139075) was filed on December 22, 2003 and published by the patent office on 2004-07-15 for a database access method and system for user role defined access.
Invention is credited to Annadata, Anil, Brodersen, Karen, Chen, Mingte J., Malden, Matthew S., Rothwein, Thomas M..
United States Patent Application 20040139075, Kind Code A1
Brodersen, Karen; et al.
Publication Date: July 15, 2004
Application Number: 10/743214
Family ID: 24154855
Database access method and system for user role defined access
Abstract
Method and system for determination and granting of access to
data and files by the file or database creator, owner or manager or
by group or user access profiles. The database is partitionable
among data owners, and access is awarded based upon the requestor's
organizational attributes.
Inventors: Brodersen, Karen (Redwood City, CA); Rothwein, Thomas M. (San Jose, CA); Malden, Matthew S. (San Francisco, CA); Chen, Mingte J. (Fremont, CA); Annadata, Anil (Milpitas, CA)
Correspondence Address: PERKINS COIE LLP, PATENT-SEA, P.O. BOX 1247, SEATTLE, WA 98111-1247, US
Family ID: 24154855
Appl. No.: 10/743214
Filed: December 22, 2003
Related U.S. Patent Documents
Application Number    Filing Date     Patent Number
10743214              Dec 22, 2003
09540299              Mar 31, 2000    6732100
Current U.S. Class: 1/1; 707/999.006
Current CPC Class: Y10S 707/99935 20130101; Y10S 707/99936 20130101; Y10S 707/99939 20130101; G06F 21/6227 20130101; Y10S 707/99932 20130101
Class at Publication: 707/006
International Class: G06F 017/30
Claims
We claim:
1. A database management system having an access control subsystem,
said database management system comprising: a) a plurality of user
entries representing users seeking access to data items, each of
said user entries having at least one organizational access
attribute; and b) a plurality of data items, each of said data
items being a data file, a data field within a data file, or a view
of data items, and selected ones of said data items have at least
one organizational access attribute; said access control subsystem
being configured to: a) receive a database query from a user
requesting one or more data items; b) read the user's
organizational access attributes; c) read the data item's
organizational access attributes; and d) present data items to the
user to which the user, based on the user's access attributes, has
access.
2. The database management system of claim 1 in which access is
granted to the user by determining whether the user's
organizational access attributes and the data item's organizational
attributes include a match.
3. The database management system of claim 1 wherein a plurality of
organizations exclusively own individual data files in the database
management system, whereby an individual data file has a single
owner.
4. The database management system of claim 3 wherein said access
control subsystem is configured to authorize a customer of an owner
organization having access to a data item to grant access to the
data item to an additional user while the customer accesses the
data item.
5. The database management system of claim 4 wherein said access
control subsystem is configured to authorize the customer of the
owner organization to access the data item and to thereafter
authorize the additional user to access and update the data
item.
6. The database management system of claim 1 wherein said
organizational access attributes are configured hierarchically,
such that each organizational access attribute has a hierarchical
level and a hierarchical branch, and each user access attribute has
a hierarchical level and a hierarchical branch, and said access
control subsystem is configured to grant access based on one or
both of (a) the hierarchical levels of the user and data item, or
(b) the hierarchical branch of the user and data item.
7. The database management system of claim 6 wherein said
hierarchical levels correspond to ranges of organizations, and to
data items identified thereto.
8. The database management system of claim 7 wherein the data items
are chosen from the group consisting of data fields, data files,
and views.
9. The database management system of claim 6 wherein said
hierarchical branches correspond to virtual or real organizations
and data items identified thereto.
10. The database management system of claim 9 wherein said data
items are chosen from the group consisting of data files and
views.
11. The database management system of claim 6 wherein hierarchical
levels correspond to access to data fields and data views, and
hierarchical branches correspond to access to data files and data
views.
12. A method of managing a database having: a) a plurality of user
entries representing users seeking access to data items, each of
said user entries having at least one organizational access
attribute; and b) a plurality of data items, each of said data
items being a data file, a data field within a data file, or a view
of data items, and selected ones of said data items have at least
one organizational access attribute; said method comprising: a)
receiving a database query from a user requesting one or more data
items; b) reading the user's organizational access attributes; c)
reading the data item's organizational access attributes; and d)
presenting data items to the user to which the user based on the
user's access attributes has access.
13. The method of claim 12 comprising determining whether the
user's organizational access attributes and the data item's
organizational access attributes include a match, and if so,
granting access.
14. The method of claim 12 wherein a plurality of organizations
exclusively own individual data files in the database management
system, and an individual data file has a single owner.
15. The method of claim 14 comprising a customer of an owner
organization having access to a data item granting access to the
data item to an additional user while the customer is accessing the
data item.
16. The method of claim 15 comprising the customer of the owner
organization accessing the data item and thereafter authorizing
the additional user to access and update the data item.
17. The method of claim 12 wherein said organizational access
attributes are configured hierarchically, such that each
organizational access attribute has a hierarchical level and a
hierarchical branch, and each user access attribute has a
hierarchical level and a hierarchical branch, said method
comprising granting access based on one or both of (a) the
hierarchical levels of the user and data item, or (b) the
hierarchical branch of the user and data item.
18. The method of claim 17 wherein said hierarchical levels
correspond to ranges of organizations, and to data items identified
thereto.
19. The method of claim 18 wherein the data items are chosen from
the group consisting of data fields, data files, and views.
20. The method of claim 17 wherein said hierarchical branches
correspond to virtual or real organizations and data items
identified thereto.
21. The method of claim 20 wherein said data items are chosen from
the group consisting of data files and views.
22. The method of claim 17 wherein hierarchical levels correspond
to access to data fields and data views, and hierarchical branches
correspond to access to data files and data views.
23. A method of managing a database system having a plurality of
files, said files having a plurality of fields, said database being
divisible into multiple sets of file and field entries having views
visible to users having personal, positional, or organizational
attributes associated with the said views, said users being
divisible into multiple membership sets based upon organizational
attributes, which method comprises: (a) determining the personal,
positional, and organizational attributes of users; and (b) when a
user queries the database: (i) accessing files and fields within
the database to which the user has access based upon the user's
attributes; and (ii) presenting a view to which the user has access
based upon the user's attributes.
24. The method of claim 23 comprising determining access to files
based upon one attribute and determining access to fields based
upon another attribute.
25. The method of claim 23 comprising determining access to files
based upon a first organizational attribute and determining access
to fields within the files based upon one of a personal attribute
or a second organizational attribute.
26. The method of claim 23 comprising determining access to a file
based upon an attribute and to at least one field in the file based
upon the same attribute.
27. The method of claim 26 comprising determining access to a file
based upon an organizational attribute and to at least one field in
the file based upon the same organizational attribute.
28. The method of claim 25 wherein one of said users is an internal
user having access to first portions of a view, and wherein another
one of said users is an external user having access to second
portions of the view.
29. The method of claim 28 wherein said first and second portions
of the view are partially overlapping and partially
non-overlapping.
30. A database system comprising a database having a plurality of
files, said files having a plurality of fields, said users having
personal, positional, and organizational attributes, and being
divisible into multiple membership sets based upon organizational
attributes, said database having views visible to said users based
upon the personal, positional, and organizational attributes
thereof.
31. The database system of claim 30 wherein the multiple sets of
files and fields are overlapping across organizations.
32. The database system of claim 30 wherein the multiple sets of
files and fields are disjoint across organizations.
33. The database system of claim 30 wherein the multiple sets of
users are in overlapping organizations.
34. The database system of claim 30 wherein the multiple sets of
users are in disjoint organizations.
35. The database system of claim 30 wherein views visible to a user
are determined by the user's organizational and positional
attributes.
36. The database system of claim 35 wherein view files are
determined by a user's organizational attributes.
37. The database system of claim 35 wherein view fields are
determined by a user's positional attributes.
38. The database system of claim 35 wherein view files are
determined by a user's organizational attributes, and view fields
are determined by a user's positional attributes.
39. A database system comprising a partitionable database of a
plurality of separate virtual databases, each of said separate
virtual databases having a unique database owner, and wherein a
user can only access files in a virtual database to which the said
user has access authorization from the database owner.
40. The database system of claim 39 wherein said separate virtual
databases are disjoint.
41. The database system of claim 40 wherein said separate, disjoint
virtual databases have unique owners.
42. The database system of claim 41 wherein a user requires
authorization from a database owner to access the owner's separate,
virtual database.
43. The database system of claim 42 wherein a user requires
authorization from the owner of a file within the separate, virtual
database to access the file owner's file.
44. The database system of claim 43 wherein a user's access
authorization to a particular file in the virtual database is
granted by the file owner's initiation of a database call through
an associated computer telephony integration (CTI) system.
45. The database system of claim 44 wherein the database is a
multi-tenant database having a plurality of tenants, each tenant
being the owner of a separate virtual database, at least two of the
tenants utilizing a common call center service.
46. A method of managing a database system having a partitionable
database of a plurality of separate virtual databases, each of said
separate virtual databases having a unique database owner, said
method comprising the owner of a separate virtual database granting
access authorization to a user, and the user thereafter accessing a
file in the virtual database to which the said user has been
granted access authorization from the database owner.
47. The database management method of claim 46 wherein said
separate virtual databases are disjoint.
48. The database management method of claim 47 wherein said
separate, disjoint virtual databases have unique owners.
49. The database management method of claim 46 wherein a user
requires authorization from the owner of a file within the
separate, virtual database to access the file owner's file.
50. The database management method of claim 49 wherein the file
owner grants access authorization to the file owner's file in the
virtual database to a user.
51. The database management method of claim 50 wherein the file
owner's initiation of a database call through an associated
computer telephony integration (CTI) system grants access
authorization to the file owner's file to a user.
52. The database management method of claim 51 wherein the database
is a multi-tenant database having a plurality of tenants, each
tenant being the owner of a separate virtual database, at least two
of the tenants utilizing a common call center service.
Description
FIELD OF THE INVENTION
[0001] The invention relates to determination and granting of
access to data and files by the file or database creator, owner or
manager or by group or user access profiles.
BACKGROUND
[0002] Current database management applications and especially the
access subsystems thereof support what could be called a "Single
Organization Model". This means that all users of a system, even
though they may work in various divisions of a company or various
channels of a marketing organization, or even different entities
leasing portions of the same database through a common vendor or
service organization, are deemed to ultimately work for the same
organization, and that organization is at the root of the
organizational hierarchy.
[0003] Present access control mechanisms, built on the "Single
Organization Model," are cumbersome when applied to
multi-divisional or multi-channel organizations or to multi-tenant
databases. This is because present access authorization systems are
adapted to: (1) partition data to show users only those records
that they or their position have been granted visibility to, and
(2) show users all "global" data in a particular dataset. However,
absent cumbersome "work arounds" present access authorization
subsystems do not have the ability to partition data at the
organizational or channel level. This makes it impossible, for
instance, for companies using the "e-channel marketing" paradigm
that do business in multiple countries in Europe to maintain
separate price lists for each country and have only those price
lists that are appropriate for a region or country be accessible.
This cumbersome access control also makes it difficult for multiple
small financial service organizations to outsource database and
telephone support operations to a common vendor while preserving
customer confidentiality.
SUMMARY
[0004] The invention is a database management system and a method
of using the system. The system has an access control subsystem,
and is characterized by a plurality of user entries representing
users seeking access to data items, where each of the user entries
has at least one organizational access attribute. The data stored
in the underlying database has a plurality of data items. Each of
the data items may be a data file, a data field within a data file,
or a view of data items. Selected ones of the data items have at
least one organizational access attribute. This organization
attribute is used by the access control subsystem. The access
control subsystem receives a database query from a user requesting
access to one or more of the data items. The access control
subsystem reads the user's organizational access attributes, and
reads the data item's organizational access attributes. The access
control subsystem then presents data items to the user to which the
user has access authorization.
[0005] In one embodiment of the invention, particularly useful in
channel marketing and in multi-divisional enterprises, the database
files have a plurality of fields, and the users have personal,
positional, and organizational attributes, and are divisible into
multiple membership sets based upon organizational attributes. The
database views are visible to users based upon the personal,
positional, and organizational attributes of the users.
[0006] The data files and fields may extend across organizations,
or they may be disjoint, extending to only one organization.
Likewise, the users may be in overlapping organizations, or in only
one organization.
[0007] According to this embodiment of the invention, the views
visible to a user are determined by the user's organizational and
positional attributes, and the view files are determined by a
user's organizational and/or positional attributes. In a still
further embodiment, the view files are determined by a user's
organizational attributes, and view fields are determined by a
user's positional attributes.
[0008] In an alternative embodiment of the invention a plurality of
organizations exclusively own individual data files in the database
management system. An individual data file has a single owner. The
access control subsystem is configured to authorize a customer of
the owner organization to have access to their own data items and
to grant access to their own data items to an additional user, for
example, a telephone service representative, while the customer
accesses the data items. The customer can authorize the additional
user to access and update the data item.
[0009] In this embodiment, the database system may be regarded as a
partitionable database with a plurality of separate virtual
databases. Each of the separate virtual databases may have a unique
database owner, and a user can only access files in a virtual
database to which the user has access authorization from the
database owner.
[0010] The separate virtual databases may be disjoint, for example
with common ownership or separate and unique owners. Access may
depend upon authorization from the database owner to access either
the database or a file within the database, and where the user
requesting access is not the owner of the file, access may require
authorization from the owner of the file. This situation typically
occurs in a multi-tenant database having a plurality of tenants,
where each tenant is the owner of a separate virtual database, and
at least two of the tenants utilize a common call center service,
as is the case with a large financial institution servicing the
customer accounts of other financial institutions.
THE FIGURES
[0011] The method and system of the invention are illustrated in
the FIGURES.
[0012] FIG. 1 represents a simplified, high level view of the
schema of a database of the "multi-organization support" method and
system of the invention.
[0013] FIG. 2 represents a simplified, high level view of the
schema of a database of the "multi-tenancy support" method and
system of the invention.
OVERVIEW
[0014] This invention relates to database access and more
particularly to methods and systems for controlling database access
through an access authorization subsystem of the database
management system. The access authorization subsystem utilizes user
and data attributes that have utility beyond database access or
visibility; the access authorization subsystem filtering,
screening, and querying these attributes to determine access or
visibility of a user to a data item. The ability to dynamically
support database access based upon the instantaneous role of the
user at the time of access, that is, in real time, requires a user
role defined access authorization subsystem such as the "Multiple
Organization Model," having a schema as shown at a very high level
in FIG. 1, or "Multi-Tenant Model," having a schema as shown at a
very high level in FIG. 2.
[0015] The concept of the "multiple organization model" or
"multi-organizational" support is especially important to e-channel
marketing. The driving force behind e-channel marketing is that
multiple channel partners share a common database, including
business objects and tools, with the main company. Each of the
channel partners should only see data that is relevant to their own
organization. This means that they would not see data for other
channel partners or non-global data from the parent
organization.
[0016] Similarly, the concept of the "Multi-Tenant Model" or
"Multi-Tenant Support" is especially important to small financial
service providers, retailers, and the like. This is because
multi-tenant support enables these businesses to out source, for
example, their credit card operations to a service agency or large
financial services organization, with the telephone support staff
member of the large financial services organization gaining
real time access to the individual account being serviced during
the service call.
DETAILED DESCRIPTION
[0017] This invention relates to database access where a user's
access rights to specific data items are defined dynamically, that
is, in real time, based upon the user's status at the time of
access request, and data and user attributes having independent
utility and significance apart from access and visibility.
Colloquially, the user has one set of access authorizations while
wearing a red hat and another set of access authorizations while
wearing a blue hat. The hats could represent roles as a telephone
service representative for multiple credit card issuers sharing a
multi-tenant, vendored, database, or roles as a marketing
representative of a company in first and second regions.
[0018] The database access system and method of the invention
utilizes a division of the data "owners" either (1) hierarchically,
that is vertically, with horizontal divisions in branches, or (2)
horizontally, that is, separate virtual databases. The database
itself is divided into files, the files are divided into records
within the files, and individual records are divided into fields.
In either mode of division, the schema and metadata needed are
sophisticated, and user access is based upon the user's
relationship to one or more owners in the hierarchy (for example,
owners could be independent lessees of database capacity or
divisions in a multi-divisional enterprise).
[0019] The method and system of the invention builds upon
partitionability of the individual database files in the database
based upon an attribute of ownership and/or control. For example,
in the multi-tenancy model, the database might be partitionable
into separate and distinct individual virtual databases, as in the
case of financial services organizations, for example competing
financial services organizations, vendoring database capacity,
database management services, and telephone support services for a
service provider. By way of contrast, in the multi-organization
support model, the database's parent organizational owner is
hierarchically and organizationally divisible, for example into
divisions, departments, and offices, where each branch point may be
a hierarchical level and each branch may be a functional owner of a
portion of the enterprise database.
[0020] In both embodiments user access is triggered by a "need to
know" or "convenient to know." In the multi-tenancy embodiment, the
access is typically triggered by an incoming call to a vendored
call center, and the view is the customer's computer telephony
integration (CTI)-identified account number. Similarly, in the
multi-organization support embodiment, the access is triggered by end
user action, and the specific view is triggered by the end-user's
logon, that is, which division or channel or reporting chain is
used for this task.
[0021] Multi Organization Support
[0022] In a large organization where the same products and/or
services are rendered through different employees and/or rendered
to different customers, or where some goods, services, or customer
sets are prohibited to some employees or organizations and
permitted to others (for example, sale of encryption equipment or
code to the PRC, or the sale with English only
labeling/instructions in Quebec), and the product set is too large
and/or unwieldy to maintain separate databases, there is a definite
productivity advantage to organizationally limiting access so that
the marketing representative is not inundated with "useless"
information. This is accomplished by assigning access authorization
organizationally, including regionally. This way, when a sales or
service rep or a channel partner enters a "MYLIS" command, he or
she is only presented with a virtual database of the products
and/or services that he or she can actually render. This is the
"single database-multiple independent users" embodiment, also
referred to as the "multi-organization support" method and system.
FIG. 1 is a very high level view of the database schema of a
"multi-organization support" model. The schema, 1, has, for
purposes of illustration, five fields in each record. These fields
are the Sales Rep, 11, the Division, 13, the Profit Center (within
the Division, 13), 15, the customer 17, and the sales to that
customer in the year 2000, 19. Sales Representative Patterson, 21,
is in the Microelectronics Division 21A, 21B, and sells in two
profit centers of the division, cards, and chips. Hennessey, 23 is
in only one Division, the Server Division, 23A, and sells the goods
of only one profit center, RISC 6000. Also in the Server Division,
25B, is Streetman, 25, who only sells the product of one profit
center, the AS400 profit center. Sales Representative Sze, 27, is
also in the Server Division, here 27A, and only sells the products
of one profit center, the ENT 9000 profit center.
[0023] The multi-organization support utilizes new types of
visibility attributes called "organization" and "organization team"
visibility. In the multi-organization support method and system of
the invention, the records that a user sees with "organization" and
"organization team" visibility are restricted based upon the
organization(s) that the user has been given visibility into, while
the ones the end user sees with "position" and "position team"
visibility are restricted based upon the user's current position.
While there may be some overlap between "organization" attributes
and "position" attributes, they may confer different rights. For
example, "organization" attributes may only confer "read"
authorization, while "position" attributes may confer "read,"
"write", and "delete" authorization. The "organization" and
"organization team" visibility is used in a series of "My
Organization's" views that show all of the data that the user's
organization has been granted visibility to. In this way, multiple
organizations can share the same database but see a partitioned set
of data that is pertinent to them. It is also to be understood,
that there may be inheritance of access up and down and across a
hierarchy.
[0024] One access attribute specifies the visibility attributes of
the higher level organization, for example a division. This means
that the number of distinct organizational partitions will be
relatively small compared to the overall number of divisions in the
hierarchy. Also, organizational partitions should be relatively
high in the hierarchy. Therefore, most of the lower level entities
in a large enterprise, for example a domestic marketing division of
a large international enterprise may reference the US division as
their visibility organization. This would enable all people who
work for any of those lower level product or marketing
organizations to see the same partition of data.
[0025] The relationship between divisions and positions is normally
a 1-to-many relationship, that is, in the normal case a position
belongs to exactly one division, although the system and method of
our invention can support a many-to-many relationship. If a user needs to have
access to data in multiple organizations, then the user would be
required to have positions in the appropriate organizations, or, in
an alternative embodiment of our invention, to have personal or
positional access to the data separate and apart from but in
addition to his or her organizational access to the data. This
could be done by having positions specifically for granting
visibility to users outside of the organization.
[0026] Single organization ownership is added to an entity by
adding a foreign key to the owning organization and configuring the
business component appropriately. Organization teams are added to
an entity by adding an intersection table between that entity and
organization and a foreign key to the primary owning organization,
and configuring the business component appropriately.
[0027] During login, while the system is collecting information
about the positions a user is associated with, the system looks at
the user's division or divisions and collects the set of
organizations those divisions have visibility into. If a user has n
positions, that is, n positional attributes, the user will have
between 1 and n organizations for visibility.
[0028] The organization and organization team visibilities are used
for "My Organization's" views to show the user all of the records
for the entity where the user's "current" organization is either
the owner, or on the organization team. The user's "current"
organization will be the visibility organization assigned to the
division of the user's current position. When a user changes
current position, the current organization will be changed
automatically.
[0029] Channel Partners may be administered by creating a division
node or hierarchy as the visibility organization in the appropriate
table. All sub-organizations for that channel partner should
specify the root channel partner division node as the visibility
organization. Similarly, the Pick Lists and association lists for
entities that are "multi-org'd" will show the appropriate
organization specific data.
[0030] Channel partners may either assign access authorization to
their own users or request the database owner to assign access
authorization.
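The following is an added example, not code from the application or from any product it describes, showing how the organization and organization team visibility of paragraphs [0023] to [0029] can be realised on top of a relational schema. It follows [0026] (a foreign key to the single owning organization plus an intersection table for the organization team), [0027] (the set of visibility organizations collected at login from the user's positions), [0028] (the "current" organization derived from the current position, so a position change re-partitions the visible data) and [0024] and [0029] (several lower-level divisions or a channel partner's sub-organizations referencing one higher node as their visibility organization). All table, column, user and organization names, and the sample rows, are constructed for this example.

```python
"""Added example (not the patent's own code): "My Organization's" view built on
sqlite3.  Schema and sample data are this example's assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE organization (org_id TEXT PRIMARY KEY);
-- [0024]/[0029]: a division references a (usually higher) visibility organization
CREATE TABLE division (div_id TEXT PRIMARY KEY,
                       visibility_org_id TEXT NOT NULL REFERENCES organization);
-- [0025]: a position belongs to exactly one division
CREATE TABLE position (pos_id TEXT PRIMARY KEY,
                       div_id TEXT NOT NULL REFERENCES division);
CREATE TABLE user_position (user_id TEXT, pos_id TEXT REFERENCES position,
                            PRIMARY KEY (user_id, pos_id));
-- [0026]: foreign key to the single owning organization ...
CREATE TABLE account (acct_id TEXT PRIMARY KEY, name TEXT,
                      owner_org_id TEXT NOT NULL REFERENCES organization);
-- ... and an intersection table for the organization team
CREATE TABLE account_org (acct_id TEXT REFERENCES account,
                          org_id TEXT REFERENCES organization,
                          PRIMARY KEY (acct_id, org_id));
"""

# Constructed sample data: the US division and one channel partner are the two
# visibility organizations; two US sub-divisions both reference 'US'.
SAMPLE = """
INSERT INTO organization VALUES ('US'), ('PARTNER_A');
INSERT INTO division VALUES ('US_WEST','US'), ('US_EAST','US'),
                            ('PARTNER_A_SALES','PARTNER_A');
INSERT INTO position VALUES ('P_WEST_REP','US_WEST'), ('P_EAST_REP','US_EAST'),
                            ('P_PARTNER_REP','PARTNER_A_SALES');
INSERT INTO user_position VALUES ('patterson','P_WEST_REP'),
                                 ('patterson','P_PARTNER_REP'),
                                 ('hennessey','P_EAST_REP');
INSERT INTO account VALUES ('A1','Acme','US'), ('A2','Globex','PARTNER_A'),
                           ('A3','Initech','US');
INSERT INTO account_org VALUES ('A3','PARTNER_A');  -- US-owned, PARTNER_A on the team
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + SAMPLE)
    return con


def visibility_orgs(con, user_id):
    """[0027]: at login, collect the visibility organizations of the divisions
    of every position the user holds (1..n orgs for n positions)."""
    rows = con.execute("""
        SELECT DISTINCT d.visibility_org_id
          FROM user_position up
          JOIN position p ON p.pos_id = up.pos_id
          JOIN division d ON d.div_id = p.div_id
         WHERE up.user_id = ?""", (user_id,))
    return {r[0] for r in rows}


def current_org(con, user_id, current_pos_id):
    """[0028]: the current organization is the visibility org of the division
    of the user's current position.  The position must actually be held by the
    user; otherwise a client could switch organizations just by naming one."""
    row = con.execute("""
        SELECT d.visibility_org_id
          FROM user_position up
          JOIN position p ON p.pos_id = up.pos_id
          JOIN division d ON d.div_id = p.div_id
         WHERE up.user_id = ? AND up.pos_id = ?""",
        (user_id, current_pos_id)).fetchone()
    if row is None:
        raise PermissionError(f"{user_id} does not hold position {current_pos_id}")
    return row[0]


def my_organizations_view(con, user_id, current_pos_id):
    """[0028]: records whose owner is the current organization or whose
    organization team contains it.  The organization is derived server-side
    from the user's position and bound as a parameter, never interpolated."""
    org = current_org(con, user_id, current_pos_id)
    rows = con.execute("""
        SELECT a.acct_id FROM account a
         WHERE a.owner_org_id = ?
            OR EXISTS (SELECT 1 FROM account_org ao
                        WHERE ao.acct_id = a.acct_id AND ao.org_id = ?)
         ORDER BY a.acct_id""", (org, org))
    return [r[0] for r in rows]


if __name__ == "__main__":
    con = open_db()
    print(visibility_orgs(con, "patterson"))                      # {'US', 'PARTNER_A'}
    print(my_organizations_view(con, "patterson", "P_WEST_REP"))     # ['A1', 'A3']
    print(my_organizations_view(con, "patterson", "P_PARTNER_REP"))  # ['A2', 'A3']
    print(my_organizations_view(con, "hennessey", "P_EAST_REP"))     # ['A1', 'A3']
```

Switching Patterson's current position from the US West position to the channel partner position re-partitions the view exactly as [0028] describes, and Hennessey, who holds no partner position, cannot name it to reach the partner's slice; the check lives in the query that derives the organization, not in the client.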
[0031] Multi Tenancy Support
[0032] An alternative embodiment of our invention is the "multiple
tenancy" model described with respect to CTI applications. This
embodiment solves problems associated with the situation of a
plurality of merchants and/or financial services organization
vendoring out their telephone service and data processing
operations to a common vendor. The common vendor stores the
merchants' and institutions' customer accounts in an access
controlled database while also providing customer telephone support
service for the customer accounts. That is, the CTI
(computer-telephony integration) automatically switches the agent
to the correct slice (that is, customer files) of the database.
Access to a customer account is authorized in real time during the
individual telephone support session with the customer. During the
individual customer support session, the telephone support
representative has access to the individual merchant's or financial
institution's business objects, queries, and views, as well as
those of the database service provider.
[0033] FIG. 2 shows a very high level view of the "multi-Tenant"
database schema, 1. This schema shows three banks in the Bank
column 31, CITI 43, MBNA, 45, and BankOne, 47. In the customer
column, 33, each bank is shown with only two customers, McCabe 43A
and Smith 43B for CITI, 43, Van Ness 45A and Bird, 45B for MBNA,
45, and Stewart, 47A, and Lightfoot, 47B, for BankOne 47. Each
customer has an account number, shown in column 35, and space for
the last three transactions, shown in columns 37, 39, and 41. In
operation, if Van Ness were to call the Vendor's support center on
the appropriate access number, and properly enter the account
number shown for Van Ness in column 35, line 45, Van Ness's account
would come up on the CTI operator's screen, and both Van Ness and
the CTI operator would have access to account information.
[0034] To be noted is that when a caller calls in to an outsourcing
call center or multi-tenancy call center, the caller gets switched
to the slice of the database for that tenant (for example, the slice
of the database assigned to their financial service provider), not
just the particular file for that particular caller or customer.
This is important because in this way the customer can access
information about Products, Price Lists, Service Requests and
Services of their tenant, whether provided by the tenant directly or
through outsourcing.
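The following is an added example, not code from the application or from any product it describes, modelling the multi-tenancy access of paragraphs [0032] to [0034] and claims 4, 5 and 43 to 45: a call-center agent has no standing access to any tenant's slice; an incoming call, identified by the CTI system through the dialled access number and the account number the caller enters, grants that agent a session scoped to the caller's tenant slice (products and price lists, per [0034]) and to the caller's own account (claim 43), and the grant ends with the call. The tenant names follow FIG. 2; the access numbers, account numbers, catalog entries and class and method names are constructed for this example.

```python
"""Added example (not the patent's own code): session-scoped, CTI-triggered
access to a tenant slice in a multi-tenant call-center database."""
from dataclasses import dataclass
import secrets

# Constructed sample data mirroring FIG. 2: tenant -> {account number: holder}
TENANTS = {
    "CITI":    {"1001": "McCabe",   "1002": "Smith"},
    "MBNA":    {"2001": "Van Ness", "2002": "Bird"},
    "BANKONE": {"3001": "Stewart",  "3002": "Lightfoot"},
}
# Constructed: the access number each tenant publishes to its customers ([0033])
ACCESS_NUMBERS = {"800-111": "CITI", "800-222": "MBNA", "800-333": "BANKONE"}
# Constructed: tenant-level data visible during the call ([0034])
TENANT_CATALOG = {"CITI": ["Gold Card"],
                  "MBNA": ["Rewards Card", "Travel Card"],
                  "BANKONE": ["Basic Card"]}


@dataclass
class Session:
    session_id: str
    agent_id: str
    tenant: str
    account: str
    active: bool = True


class CallCenterACL:
    def __init__(self):
        self._sessions = {}

    def incoming_call(self, agent_id, dialled_number, entered_account):
        """CTI arrival (claims 44/51): the dialled number selects the tenant
        slice and the entered account must exist in that slice.  The caller's
        successful entry is what authorises the agent (claims 4/5).  Note that
        an account number alone is a weak authenticator; a deployment would
        add further caller verification before this grant."""
        tenant = ACCESS_NUMBERS.get(dialled_number)
        if tenant is None:
            raise PermissionError("unknown access number")
        if entered_account not in TENANTS[tenant]:
            raise PermissionError("account not in this tenant's slice")
        s = Session(secrets.token_hex(8), agent_id, tenant, entered_account)
        self._sessions[s.session_id] = s
        return s.session_id

    def _session(self, session_id, agent_id):
        s = self._sessions.get(session_id)
        if s is None or not s.active or s.agent_id != agent_id:
            raise PermissionError("no active session for this agent")
        return s

    def read_account(self, session_id, agent_id, tenant, account):
        """Claim 43: file-level access is limited to the authorising caller's
        account, and only inside the session's tenant slice."""
        s = self._session(session_id, agent_id)
        if tenant != s.tenant or account != s.account:
            raise PermissionError("outside the granted slice or account")
        return TENANTS[tenant][account]

    def read_catalog(self, session_id, agent_id, tenant):
        """[0034]: the whole tenant slice (products, price lists, ...) is
        visible during the call, other tenants' slices are not."""
        s = self._session(session_id, agent_id)
        if tenant != s.tenant:
            raise PermissionError("outside the granted slice")
        return list(TENANT_CATALOG[tenant])

    def hang_up(self, session_id):
        """The grant is real time ([0032]): ending the call revokes it."""
        if session_id in self._sessions:
            self._sessions[session_id].active = False


if __name__ == "__main__":
    acl = CallCenterACL()
    sid = acl.incoming_call("agent7", "800-222", "2001")
    print(acl.read_account(sid, "agent7", "MBNA", "2001"))  # Van Ness
    print(acl.read_catalog(sid, "agent7", "MBNA"))          # ['Rewards Card', 'Travel Card']
    acl.hang_up(sid)
```

The checks that matter are the negative ones: the same session cannot reach a CITI account, cannot reach Bird's MBNA account, cannot be reused by a different agent, and is dead once the call ends, which is what "access to a customer account is authorized in real time during the individual telephone support session" requires.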
[0035] While the invention has been described with respect to
certain preferred embodiments and exemplifications, it is not
intended to limit the scope of the invention thereby, but solely by
the claims appended hereto.
* * * * *