公开(公告)号：US20180165183A1

公开(公告)日：2018-06-14

申请号：US15376992

申请日：2016-12-13

Applicant: SAP SE

Inventor： Juergen Kremp

IPC: G06F11/36

CPC classification number: G06F11/3688 ,  G06F11/3692 ,  G06F21/44

Abstract: Techniques of validating access controls within an application are disclosed. A validation test is performed by receiving test data comprising one or more privilege elements selected from a set of privilege elements representing a privilege scheme defined in an application. The test data and a data set are accessed. The application is executed using the data set according to the one or more privilege elements. A set of interaction indicators is generated representing interactions of the application with a portion of the data set. The set of interaction indicators is presented at a display device of a computing device.

公开(公告)号：US10915649B2

公开(公告)日：2021-02-09

申请号：US16126104

申请日：2018-09-10

Applicant: SAP SE

Inventor： Juergen Kremp ,  Ralf Miko ,  Andreas Riehl ,  Michael Belenki

IPC: G06F16/245 ,  G06F21/62

Abstract: The present disclosure involves systems, software, and computer implemented methods for access control delegation. One example method includes identifying creation of a derived entity from an originating entity. A definition of the derived entity is modified to include an association to the originating entity. A derived access control definition is created based on an originating access control definition. Access control condition(s) in the derived access control definition are identified. Modified access control condition(s) are created by modifying column reference(s) to include a reference to the association to the originating entity. A query is received for the derived entity. A modified query is created by including, in the received query, the modified access control condition(s) and unfolding the association to the originating entity. The modified query is executed, including evaluation of the modified access control condition(s) to determine records of the derived entity that are accessible to a query user.

公开(公告)号：US10120786B2

公开(公告)日：2018-11-06

申请号：US15376992

申请日：2016-12-13

Applicant: SAP SE

Inventor： Juergen Kremp

IPC: G06F11/36 ,  G06F21/44

Abstract: Techniques of validating access controls within an application are disclosed. A validation test is performed by receiving test data comprising one or more privilege elements selected from a set of privilege elements representing a privilege scheme defined in an application. The test data and a data set are accessed. The application is executed using the data set according to the one or more privilege elements. A set of interaction indicators is generated representing interactions of the application with a portion of the data set. The set of interaction indicators is presented at a display device of a computing device.

公开(公告)号：US09467282B2

公开(公告)日：2016-10-11

申请号：US14750791

申请日：2015-06-25

Applicant: SAP SE

Inventor： Juergen Kremp ,  Klaus Kiefer ,  Uwe Bauer

IPC: H04L9/08 ,  G06F21/62 ,  H04L29/06

CPC classification number: H04L9/0822 ,  G06F21/6209 ,  G06F21/6218 ,  H04L9/0869 ,  H04L63/06 ,  H04L2209/24 ,  H04L2463/062

Abstract: An improved key encryption system is provided for encrypting sensitive data on a shared data store. Various embodiments contemplate a system where a plurality of data clients are connected to one or more shared data stores. A secure data storage facility is provided on one or more of the shared data stores by using an encryption scheme. Encryption keys for decrypting the sensitive data are stored on the same data store as sensitive data, which may be decrypted using the encryption keys. To provide another layer of security, the data encryption keys are themselves encrypted using a key encryption key (“KEK”), which is generated by, and stored in a local data store associated with the data clients.

Abstract translation: 提供了一种改进的密钥加密系统，用于加密共享数据存储上的敏感数据。 各种实施例考虑其中多个数据客户端连接到一个或多个共享数据存储的系统。 通过使用加密方案在一个或多个共享数据存储器上提供安全数据存储设施。 用于解密敏感数据的加密密钥存储在与敏感数据相同的数据存储上，可以使用加密密钥解密敏感数据。 为了提供另一层安全性，数据加密密钥本身使用密钥加密密钥（“KEK”）进行加密，密钥加密密钥由“数据客户端”生成并存储在与数据客户端相关联的本地数据存储器中。

公开(公告)号：US20150318987A1

公开(公告)日：2015-11-05

申请号：US14750791

申请日：2015-06-25

Applicant: SAP SE

Inventor： Juergen Kremp ,  Klaus Kiefer ,  Uwe Bauer

IPC: H04L9/08

CPC classification number: H04L9/0822 ,  G06F21/6209 ,  G06F21/6218 ,  H04L9/0869 ,  H04L63/06 ,  H04L2209/24 ,  H04L2463/062

Abstract: An improved key encryption system is provided for encrypting sensitive data on a shared data store. Various embodiments contemplate a system where a plurality of data clients are connected to one or more shared data stores. A secure data storage facility is provided on one or more of the shared data stores by using an encryption scheme. Encryption keys for decrypting the sensitive data are stored on the same data store as sensitive data, which may be decrypted using the encryption keys. To provide another layer of security, the data encryption keys are themselves encrypted using a key encryption key (“KEK”), which is generated by, and stored in a local data store associated with the data clients.

Abstract translation: 提供了一种改进的密钥加密系统，用于加密共享数据存储上的敏感数据。 各种实施例考虑其中多个数据客户端连接到一个或多个共享数据存储的系统。 通过使用加密方案在一个或多个共享数据存储器上提供安全数据存储设施。 用于解密敏感数据的加密密钥存储在与敏感数据相同的数据存储上，可以使用加密密钥解密敏感数据。 为了提供另一层安全性，数据加密密钥本身使用密钥加密密钥（“KEK”）进行加密，密钥加密密钥由“数据客户端”生成并存储在与数据客户端相关联的本地数据存储器中。

公开(公告)号：US20200082107A1

公开(公告)日：2020-03-12

申请号：US16126104

申请日：2018-09-10

Applicant: SAP SE

Inventor： Juergen Kremp ,  Ralf Miko ,  Andreas Riehl ,  Michael Belenki

IPC: G06F21/62 ,  G06F17/30

Abstract: The present disclosure involves systems, software, and computer implemented methods for access control delegation. One example method includes identifying creation of a derived entity from an originating entity. A definition of the derived entity is modified to include an association to the originating entity. A derived access control definition is created based on an originating access control definition. Access control condition(s) in the derived access control definition are identified. Modified access control condition(s) are created by modifying column reference(s) to include a reference to the association to the originating entity. A query is received for the derived entity. A modified query is created by including, in the received query, the modified access control condition(s) and unfolding the association to the originating entity. The modified query is executed, including evaluation of the modified access control condition(s) to determine records of the derived entity that are accessible to a query user.