-
Publication No.: US11574072B2
Publication date: 2023-02-07
Application No.: US17334315
Filing date: 2021-05-28
Applicant: Snowflake Inc.
Inventor: Artin Avanes, Khalid Zaman Bijon, Damien Carru, Thierry Cruanes, Vikas Jain, Zheng Mi, Subramanian Muralidhar
IPC: G06F21/62, G06F16/25, G06F16/248, G06F16/22, G06F16/27
Abstract: A shared database platform implements dynamic masking on data shared between users where specific data is masked, transformed, or otherwise modified based on preconfigured functions that are associated with user roles. The shared database platform can implement the masking at runtime dynamically in response to users requesting access to a database object that is associated with one or more masking policies.
-
Publication No.: US11494500B1
Publication date: 2022-11-08
Application No.: US17655887
Filing date: 2022-03-22
Applicant: Snowflake Inc.
Inventor: Suraj P. Acharya, Damien Carru, Vikas Jain, Zhen Mo, Frantisek Rolinek
Abstract: A request to replicate a first account maintained by a data platform is received. Based on the request, account data associated with the account is accessed. The account data comprises security configurations for the first account. In response to the request, the first account is replicated using the account data. A second account results from replicating the first account. The replicating of the first account comprises automatically replicating the security configurations for the first account to the second account. The replicating of the security configurations comprises replicating an identity management configuration of the first account; replicating an authorization configuration of the first account; and replicating an authentication configuration of the first account.
-
Publication No.: US12223082B2
Publication date: 2025-02-11
Application No.: US18217288
Filing date: 2023-06-30
Applicant: Snowflake Inc.
Inventor: Vikas Jain, Eric Karlson, Sepideh Khoshnood, Ramana Rao S. Turlapati
Abstract: Embodiments of the present disclosure provide systems and methods for managing role hierarchies and assignment of permissions by providing secure roles which are roles where the only user that can grant any privilege to the secure role, is the role that owns the secure role. A set of secure roles that defines a role hierarchy may be generated, wherein only a role that owns the set of secure roles can grant any privilege to each of the secure roles. The role that owns the set of secure roles may grant one or more privileges to a first secure role of the set of secure roles. In response to a user other than the role that owns the set of secure roles attempting to grant a privilege to the first secure role or modify a privilege granted to the first secure role, the attempt may be denied.
-
Publication No.: US20240346173A1
Publication date: 2024-10-17
Application No.: US18756769
Filing date: 2024-06-27
Applicant: Snowflake Inc.
Inventor: Artin Avanes, Khalid Zaman Bijon, Damien Carru, Thierry Cruanes, Vikas Jain, Zheng Mi, Subramanian Muralidhar
IPC: G06F21/62, G06F16/22, G06F16/248, G06F16/25, G06F16/27
CPC classification number: G06F21/6227, G06F16/221, G06F16/2282, G06F16/248, G06F16/252, G06F16/27
Abstract: A shared database platform implements dynamic masking on data shared between users where specific data is masked, transformed, or otherwise modified based on preconfigured functions that are associated with user roles. The shared database platform can implement the masking at runtime dynamically in response to users requesting access to a database object that is associated with one or more masking policies.
-
Publication No.: US20240171586A1
Publication date: 2024-05-23
Application No.: US18217288
Filing date: 2023-06-30
Applicant: Snowflake Inc.
Inventor: Vikas Jain, Eric Karlson, Sepideh Khoshnood, Ramana Rao S. Turlapati
IPC: H04L9/40
CPC classification number: H04L63/105, H04L63/102
Abstract: Embodiments of the present disclosure provide systems and methods for managing role hierarchies and assignment of permissions by providing secure roles which are roles where the only user that can grant any privilege to the secure role, is the role that owns the secure role. A set of secure roles that defines a role hierarchy may be generated, wherein only a role that owns the set of secure roles can grant any privilege to each of the secure roles. The role that owns the set of secure roles may grant one or more privileges to a first secure role of the set of secure roles. In response to a user other than the role that owns the set of secure roles attempting to grant a privilege to the first secure role or modify a privilege granted to the first secure role, the attempt may be denied.
-
Publication No.: US11314875B1
Publication date: 2022-04-26
Application No.: US17643642
Filing date: 2021-12-10
Applicant: Snowflake Inc.
Inventor: Suraj P. Acharya, Damien Carru, Vikas Jain, Zhen Mo, Frantisek Rolinek
Abstract: A request to replicate a first account maintained by a data platform is received. Based on the request, account data associated with the account is accessed. The account data comprises security configurations for the first account. In response to the request, the first account is replicated using the account data. A second account results from replicating the first account. The replicating of the first account comprises automatically replicating the security configurations for the first account to the second account. The replicating of the security configurations comprises replicating an identity management configuration of the first account; replicating an authorization configuration of the first account; and replicating an authentication configuration of the first account.
-
Publication No.: US20240169086A1
Publication date: 2024-05-23
Application No.: US18227818
Filing date: 2023-07-28
Applicant: Snowflake Inc.
Inventor: Vikas Jain, Eric Karlson, Sepideh Khoshnood
IPC: G06F21/62
CPC classification number: G06F21/6227
Abstract: Embodiments of the present disclosure provide systems and methods for using inherited grants to grant privileges to objects in a container. An inherited grant may be generated that specifies a permission on a first type of object in a container and a grant of the permission to a role. The inherited grant may be attached to the container, wherein the container includes a set of objects of the first type. In response to a first object of the set of objects being referenced via the role, a virtual implied grant may be created based on the inherited grant. Authorization of utilization of the permission on the first object is performed using the virtual implied grant, wherein the virtual implied grant is transient and exists in-memory only for the purpose of authorizing the utilization of the permission on the first object.
-
Publication No.: US20210286894A1
Publication date: 2021-09-16
Application No.: US17334315
Filing date: 2021-05-28
Applicant: Snowflake Inc.
Inventor: Artin Avanes, Khalid Zaman Bijon, Damien Carru, Thierry Cruanes, Vikas Jain, Zheng Mi, Subramanian Muralidhar
IPC: G06F21/62, G06F16/248, G06F16/25, G06F16/22, G06F16/27
Abstract: A shared database platform implements dynamic masking on data shared between users where specific data is masked, transformed, or otherwise modified based on preconfigured functions that are associated with user roles. The shared database platform can implement the masking at runtime dynamically in response to users requesting access to a database object that is associated with one or more masking policies.
-
Publication No.: US12105828B2
Publication date: 2024-10-01
Application No.: US18227818
Filing date: 2023-07-28
Applicant: Snowflake Inc.
Inventor: Vikas Jain, Eric Karlson, Sepideh Khoshnood
CPC classification number: G06F21/6227, G06F21/604, G06F21/6218, H04L63/10, H04L63/102, H04L63/105, H04L63/101, H04L63/104, H04L63/107
Abstract: Embodiments of the present disclosure provide systems and methods for using inherited grants to grant privileges to objects in a container. An inherited grant may be generated that specifies a permission on a first type of object in a container and a grant of the permission to a role. The inherited grant may be attached to the container, wherein the container includes a set of objects of the first type. In response to a first object of the set of objects being referenced via the role, a virtual implied grant may be created based on the inherited grant. Authorization of utilization of the permission on the first object is performed using the virtual implied grant, wherein the virtual implied grant is transient and exists in-memory only for the purpose of authorizing the utilization of the permission on the first object.
-
Publication No.: US20240169077A1
Publication date: 2024-05-23
Application No.: US18228546
Filing date: 2023-07-31
Applicant: Snowflake Inc.
Inventor: Vikas Jain, Eric Karlson, Sepideh Khoshnood
CPC classification number: G06F21/604, G06F21/6218
Abstract: Embodiments of the present disclosure provide systems and methods for using secure schemas to address inconsistencies between standard RBAC rules and the use of inherited grants. A secure schema may be defined that transfers ownership of an object created in the secure schema to a role that owns the secure schema. An inherited grant may be attached to the secure schema, where the inherited grant specifies a permission on a first type of object in the secure schema and a grant of the permission to the role that owns the secure schema. When objects are created in the secure schema, ownership of each of the set of objects is transferred to the role that owns the secure schema to authorize the role that owns the secure schema to manage grants to the set of objects on the secure schema.