公开(公告)号：US12028441B2

公开(公告)日：2024-07-02

申请号：US17509490

申请日：2021-10-25

Applicant: SAP SE

Inventor： Marc Alexander Roeder ,  Roland Lucius ,  Vladislav Dexheimer

IPC: H04K1/00 ,  G06F21/60 ,  H04L9/00 ,  H04L9/06 ,  H04L9/30 ,  H04L9/32

CPC classification number: H04L9/0618 ,  G06F21/602 ,  H04L9/30 ,  H04L9/3247

Abstract: Disclosed herein are system, method, and computer program product embodiments for encrypting and decrypting a sensitive data item using a zero-knowledge encryption protocol. An embodiment operates by receiving a request to decrypt the sensitive data item from a client. The embodiment retrieves the requested sensitive data item from a data store. The embodiment generates a result set by replacing a ciphertext value of the sensitive data item to be stored in the result set with a placeholder identifier. The embodiment retrieves a data encryption key (DEK) block from a DEK manager, wherein the DEK block comprises a DEK associated with the sensitive data item. The embodiment generates and encrypts a cipher ticket comprising the ciphertext value of the sensitive data item. The embodiment then sends the result set, the cipher ticket, and the DEK block to the client for decryption of the ciphertext value of the sensitive data item.

公开(公告)号：US20230125608A1

公开(公告)日：2023-04-27

申请号：US17509490

申请日：2021-10-25

Applicant: SAP SE

Inventor： Marc Alexander ROEDER ,  Roland Lucius ,  Vladislav Dexheimer

IPC: H04L9/06 ,  H04L9/30 ,  G06F21/60 ,  H04L9/32

Abstract: Disclosed herein are system, method, and computer program product embodiments for encrypting and decrypting a sensitive data item using a zero-knowledge encryption protocol. An embodiment operates by receiving a request to decrypt the sensitive data item from a client. The embodiment retrieves the requested sensitive data item from a data store. The embodiment generates a result set by replacing a ciphertext value of the sensitive data item to be stored in the result set with a placeholder identifier. The embodiment retrieves a data encryption key (DEK) block from a DEK manager, wherein the DEK block comprises a DEK associated with the sensitive data item. The embodiment generates and encrypts a cipher ticket comprising the ciphertext value of the sensitive data item. The embodiment then sends the result set, the cipher ticket, and the DEK block to the client for decryption of the ciphertext value of the sensitive data item.

公开(公告)号：US20160379002A1

公开(公告)日：2016-12-29

申请号：US14752417

申请日：2015-06-26

Applicant: SAP SE

Inventor： Bernhard Drabant ,  Bernhard Drittler ,  Roland Lucius ,  Martin Schmid

IPC: G06F21/62 ,  G06F21/31

CPC classification number: G06F21/6236

Abstract: Embodiments manage user authorization to access multiple grouped software applications, via a catalog mechanism. Functionality of related software is divided into semantically meaningful catalogs, representing tasks or sub-processes within a business scenario. These catalogs represent a unit of functionality utilized to structure work and authorization. Functionality and authorizations are associated to system entry points, and assigned to catalogs bundling applications and services. Responsibilities may be defined statically or dynamically in terms of rule-based access restrictions to data structure (e.g., business object) instances. Catalogs may be assigned to business roles, and business roles assigned to users. Based on such assignments, corresponding authorizations are generated and linked to users at compile or deployment time. At run time, access decision and enforcement is granted based on these authorizations and restrictions. Decision and enforcement points are associated with the system entry points within software applications belonging to catalog(s).

Abstract translation: 实施例通过目录机制管理用户授权以访问多个分组的软件应用。 相关软件的功能分为语义有意义的目录，表示业务场景中的任务或子进程。 这些目录是用于构建工作和授权的功能单位。 功能和授权与系统入口点相关联，并分配给捆绑应用程序和服务的目录。 可以根据对数据结构（例如，业务对象）实例的基于规则的访问限制来静态地或动态地定义责任。 目录可以分配给业务角色和分配给用户的业务角色。 基于这样的分配，在编译或部署时，生成相应的授权并链接到用户。 在运行时，根据这些授权和限制授予访问决策和执行。 决策和执行点与属于目录的软件应用程序中的系统入口点相关联。

公开(公告)号：US20180373757A1

公开(公告)日：2018-12-27

申请号：US15630404

申请日：2017-06-22

Applicant: SAP SE

Inventor： Igor Schukovets ,  Gregor Tielsch ,  Erich Schulzke ,  Nils Hartmann ,  Roland Lucius ,  Matthias Buehl ,  Timm Falter

IPC: G06F17/30 ,  G06F21/62

Abstract: A system, method, and computer-readable medium, to receive a query specifying a result set of data from at least one database table; determine whether at least one column of the at least one database table is subject to a column-based authorization restriction; modify the query, in an instance it is determined that at least one column of the at least one database table is subject to a column-based authorization restriction, to restrict the result set of data in accordance with the column-based authorization restriction; and execute, in response to the modifying of the query, the modified query.

公开(公告)号：US09760734B2

公开(公告)日：2017-09-12

申请号：US14752417

申请日：2015-06-26

Applicant: SAP SE

Inventor： Bernhard Drabant ,  Bernhard Drittler ,  Roland Lucius ,  Martin Schmid

IPC: G06F21/32 ,  G06F21/62

CPC classification number: G06F21/6236

Abstract: Embodiments manage user authorization to access multiple grouped software applications, via a catalog mechanism. Functionality of related software is divided into semantically meaningful catalogs, representing tasks or sub-processes within a business scenario. These catalogs represent a unit of functionality utilized to structure work and authorization. Functionality and authorizations are associated to system entry points, and assigned to catalogs bundling applications and services. Responsibilities may be defined statically or dynamically in terms of rule-based access restrictions to data structure (e.g., business object) instances. Catalogs may be assigned to business roles, and business roles assigned to users. Based on such assignments, corresponding authorizations are generated and linked to users at compile or deployment time. At run time, access decision and enforcement is granted based on these authorizations and restrictions. Decision and enforcement points are associated with the system entry points within software applications belonging to catalog(s).

公开(公告)号：US10713246B2

公开(公告)日：2020-07-14

申请号：US15630404

申请日：2017-06-22

Applicant: SAP SE

Inventor： Igor Schukovets ,  Gregor Tielsch ,  Erich Schulzke ,  Nils Hartmann ,  Roland Lucius ,  Matthias Buehl ,  Timm Falter

IPC: G06F17/30 ,  G06F21/62 ,  G06F16/2453 ,  G06F16/22 ,  G06F21/31 ,  G06F16/2455

Abstract: A system, method, and computer-readable medium, to receive a query specifying a result set of data from at least one database table; determine whether at least one column of the at least one database table is subject to a column-based authorization restriction; modify the query, in an instance it is determined that at least one column of the at least one database table is subject to a column-based authorization restriction, to restrict the result set of data in accordance with the column-based authorization restriction; and execute, in response to the modifying of the query, the modified query.